Abstract
PKCS#11 is a very popular cryptographic API: it is the standard used by many Hardware Security Modules, smartcards and software cryptographic tokens. Several attacks have been uncovered against PKCS#11 at different levels: intrinsic logical flaws, cryptographic vulnerabilities or severe compliance issues. Since affected hardware remains widespread in computer infrastructures, we propose a user-centric and pragmatic approach for secure usage of vulnerable devices. We introduce Caml Crush, a PKCS#11 filtering proxy. Our solution allows to dynamically protect PKCS#11 cryptographic tokens from state of the art attacks. This is the first approach that is immediately applicable to commercially available products. We provide a fully functional open source implementation with an extensible filter engine effectively shielding critical resources. This yields additional advantages to using Caml Crush that go beyond classical PKCS#11 weakness mitigations.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
We refer the reader to the extended version of this paper [17] for more details.
References
Caml Crush. https://github.com/ANSSI-FR/caml-crush/
CryptokiX. http://secgroup.dais.unive.it/projects/security-apis/cryptokix/
GNOME Keyring. http://live.gnome.org/GnomeKeyring
grsecurity. http://grsecurity.net/
openCryptoki. http://sourceforge.net/projects/opencryptoki/
pkcs11-proxy. http://floss.commonit.com/pkcs11-proxy.html
SELinux. http://selinuxproject.org/
Sun RPC RFC 1057 (1988). http://www.ietf.org/rfc/rfc1057.txt
CamlIDL project page (2004). http://caml.inria.fr/pub/old_caml_site/camlidl/
Xdr, RFC 4506 (2006). http://tools.ietf.org/html/rfc4506
Bortolozzo, M., Centenaro, M., Focardi, R., Steel, G.: Attacking and fixing PKCS#11 security tokens. In: ACM Conference on Computer and Communications Security, pp. 260–269. ACM Press, October 2010
Cachin, C., Chandran, N.: A secure cryptographic token interface. In: CSF 2009, pp. 141–153. IEEE Computer Society (2009)
Clulow, J.: On the security of PKCS #11. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 411–425. Springer, Heidelberg (2003)
Cortier, V., Steel, G.: A generic security API for symmetric key management on cryptographic devices. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 605–620. Springer, Heidelberg (2009)
Delaune, S., Kremer, S., Steel, G.: Formal security analysis of PKCS#11 and proprietary extensions. J. Comput. Secur. 18(6), 1211–1245 (2010)
Fröschle, S., Steel, G.: Analysing PKCS#11 key management APIs with unbounded fresh data. In: Degano, P., Viganò, L. (eds.) ARSPA-WITS 2009. LNCS, vol. 5511, pp. 92–106. Springer, Heidelberg (2009)
Benadjila, R., Calderon, T., Daubignard, M.: CamlCrush: a PKCS#11 Filtering Proxy (2014). http://eprint.iacr.org/2015/063
RSA Security Inc.: PKCS#11 v2.20: Cryptographic Token Interface Standard (2004)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Benadjila, R., Calderon, T., Daubignard, M. (2015). Caml Crush: A PKCS#11 Filtering Proxy. In: Joye, M., Moradi, A. (eds) Smart Card Research and Advanced Applications. CARDIS 2014. Lecture Notes in Computer Science(), vol 8968. Springer, Cham. https://doi.org/10.1007/978-3-319-16763-3_11
Download citation
DOI: https://doi.org/10.1007/978-3-319-16763-3_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-16762-6
Online ISBN: 978-3-319-16763-3
eBook Packages: Computer ScienceComputer Science (R0)