APDU-Level Attacks in PKCS#11 Devices

  • Claudio Bozzato
  • Riccardo Focardi
  • Francesco Palmarini
  • Graham Steel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9854)


In this paper we describe attacks on PKCS#11 devices that we successfully mounted by interacting with the low-level APDU protocol used to communicate with the device. The attacks exploit proprietary implementation weaknesses that allow an attacker to bypass the security enforced at the PKCS#11 level. Some of the attacks leak sensitive cryptographic keys in cleartext from devices that were previously considered secure. We present a new threat model for the PKCS#11 middleware and discuss the new attacks with respect to various attackers and application configurations. All the attacks presented in this paper were reported promptly to the manufacturers following a responsible disclosure process.
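The threat model above places the attacker below the PKCS#11 API, on the APDU channel between the middleware and the token. A practical first check a practitioner can run against their own device is whether a key that PKCS#11 marks as CKA_SENSITIVE ever crosses that channel verbatim. The following is an added example, not code from the paper or from any vendor's middleware: it parses ISO 7816-4 short-form command and response APDUs and scans a captured trace for known key bytes. The trace, the key value and the proprietary class/instruction bytes (CLA 0x80, INS 0xD0 and 0xD2) are constructed for illustration only and do not correspond to any specific device.

```python
# Added example: parse ISO 7816-4 short APDUs and scan a host<->token trace
# for PKCS#11 key material that crosses the APDU boundary in cleartext.
# The trace, the secret and the proprietary INS bytes below are constructed
# for illustration; they are not taken from any real device or from the paper.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes            # command body (empty for case 1 and case 2)
    le: Optional[int]      # expected response length, None if absent


def parse_command(raw: bytes) -> CommandAPDU:
    """Parse a short-form command APDU (ISO 7816-4 cases 1 to 4).

    Case 1: CLA INS P1 P2
    Case 2: CLA INS P1 P2 Le
    Case 3: CLA INS P1 P2 Lc Data
    Case 4: CLA INS P1 P2 Lc Data Le
    A short Le of 0x00 encodes 256.
    """
    if len(raw) < 4:
        raise ValueError("APDU header must be at least 4 bytes")
    cla, ins, p1, p2 = raw[0], raw[1], raw[2], raw[3]
    body = raw[4:]
    if not body:                                   # case 1
        return CommandAPDU(cla, ins, p1, p2, b"", None)
    if len(body) == 1:                             # case 2
        return CommandAPDU(cla, ins, p1, p2, b"", body[0] or 256)
    lc = body[0]
    data = body[1:1 + lc]
    if len(data) != lc:
        raise ValueError("Lc does not match the available data length")
    rest = body[1 + lc:]
    if not rest:                                   # case 3
        return CommandAPDU(cla, ins, p1, p2, bytes(data), None)
    if len(rest) == 1:                             # case 4
        return CommandAPDU(cla, ins, p1, p2, bytes(data), rest[0] or 256)
    raise ValueError("trailing bytes after Le")


def parse_response(raw: bytes) -> Tuple[bytes, int]:
    """Split a response APDU into (data, SW1SW2)."""
    if len(raw) < 2:
        raise ValueError("response must carry a 2-byte status word")
    return bytes(raw[:-2]), int.from_bytes(raw[-2:], "big")


def find_cleartext_keys(trace: List[Tuple[bytes, bytes]],
                        secrets: Dict[str, bytes]) -> List[Tuple[int, str, str]]:
    """Report (exchange index, 'command'|'response', secret name) for every
    secret found verbatim, or as ASCII hex, in an APDU data field.

    Intended use: create a key object through PKCS#11 with a known value,
    capture the APDUs the middleware exchanges with the token, and check
    whether the value PKCS#11 marks as CKA_SENSITIVE ever crosses the
    host/device boundary unprotected.
    """
    hits = []
    for i, (cmd_raw, rsp_raw) in enumerate(trace):
        cmd = parse_command(cmd_raw)
        rsp_data, _sw = parse_response(rsp_raw)
        for name, secret in secrets.items():
            patterns = (secret, secret.hex().encode(), secret.hex().upper().encode())
            if any(p in cmd.data for p in patterns):
                hits.append((i, "command", name))
            if any(p in rsp_data for p in patterns):
                hits.append((i, "response", name))
    return hits


# Constructed sample: a 16-byte key and four exchanges. Exchanges 0 and 3 are
# standard ISO 7816-4 commands (SELECT, GET CHALLENGE); exchanges 1 and 2 use a
# hypothetical proprietary class/instruction (CLA 0x80, INS 0xD0/0xD2) that
# stand in for a vendor key-import and key-export command.
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_SECRETS = {"aes_key": SAMPLE_KEY}
SAMPLE_TRACE = [
    (bytes.fromhex("00a4040005a000000001"), bytes.fromhex("9000")),
    (bytes([0x80, 0xD0, 0x00, 0x01, len(SAMPLE_KEY)]) + SAMPLE_KEY, bytes.fromhex("9000")),
    (bytes([0x80, 0xD2, 0x00, 0x01, 0x00]), SAMPLE_KEY + bytes.fromhex("9000")),
    (bytes.fromhex("0084000008"), bytes.fromhex("0123456789abcdef9000")),
]

if __name__ == "__main__":
    for idx, where, name in find_cleartext_keys(SAMPLE_TRACE, SAMPLE_SECRETS):
        print(f"exchange {idx}: secret '{name}' in cleartext in the {where}")
```

On the constructed trace the scan flags exchange 1 (key bytes in the command body) and exchange 2 (key bytes in the response). Two caveats apply in practice: the check only catches key material sent verbatim or hex-encoded, so a key that is wrapped, XOR-masked or otherwise transformed by the middleware will not match; and a key split across a chain of commands (CLA bit 5 set, or ISO 7816-4 secure messaging) must be reassembled before scanning, since each fragment alone may be shorter than the secret.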



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Claudio Bozzato (1)
  • Riccardo Focardi (1, 2), corresponding author
  • Francesco Palmarini (1)
  • Graham Steel (2)
  1. Ca’ Foscari University, Venice, Italy
  2. Cryptosense, Paris, France
