
European Symposium on Research in Computer Security

ESORICS 2009: Computer Security – ESORICS 2009, pp 605–620

A Generic Security API for Symmetric Key Management on Cryptographic Devices


  • Véronique Cortier &
  • Graham Steel

Part of the Lecture Notes in Computer Science book series (LNSC, volume 5789)

Abstract

Security APIs are used to define the boundary between trusted and untrusted code. The security properties of existing APIs are not always clear. In this paper, we give a new generic API for managing symmetric keys on a trusted cryptographic device. We state and prove security properties for our API. In particular, our API offers a high level of security even when the host machine is controlled by an attacker.

Our API is generic in the sense that it can implement a wide variety of (symmetric key) protocols. As a proof of concept, we give an algorithm for automatically instantiating the API commands for a given key management protocol. We demonstrate the algorithm on a set of key establishment protocols from the Clark-Jacob suite.

Keywords

  • Security Level
  • Secret Data
  • Replay Attack
  • Host Machine
  • Brute Force Attack

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Author information

Authors and Affiliations

  1. LORIA, Projet Cassis, CNRS & INRIA, France

    Véronique Cortier

  2. Laboratoire Spécification et Vérification, CNRS & INRIA & ENS de Cachan, France

    Graham Steel

Editor information

Editors and Affiliations

  1. Computer Science Department and MPI-SWS, Saarland University, Building E1.1, Campus, 66123, Saarbrücken, Germany

    Michael Backes

  2. Department of Computer Science, North Carolina State University, 3320 Engineering Building II, 27695-8206, Raleigh, NC, USA

    Peng Ning

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Cortier, V., Steel, G. (2009). A Generic Security API for Symmetric Key Management on Cryptographic Devices. In: Backes, M., Ning, P. (eds) Computer Security – ESORICS 2009. ESORICS 2009. Lecture Notes in Computer Science, vol 5789. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04444-1_37

  • DOI: https://doi.org/10.1007/978-3-642-04444-1_37

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04443-4

  • Online ISBN: 978-3-642-04444-1

  • eBook Packages: Computer Science, Computer Science (R0)
