Bortolozzo et al. proposed a configuration of PKCS#11, called the Secure Templates Patch (STP), supporting symmetric encryption and key wrapping. However, the security guarantees for STP given by Bortolozzo et al. are with respect to a weak attacker model. STP has been implemented as a set of filtering rules in Caml Crush, a software filter for PKCS#11 that rejects certain API calls. The filtering rules in Caml Crush extend STP by allowing users to compute and verify MACs and so the previous analysis of STP does not apply to this configuration.
We give a rigorous analysis of STP, including the extension used in Caml Crush. Our contribution is as follows:
(i) We show that the extension of STP used in Caml Crush is insecure.
(ii) We propose a strong, computational security model for configurations of PKCS#11 where the adversary can adaptively corrupt keys and prove that STP is secure in this model.
(iii) We prove the security of an extension of STP that adds support for public-key encryption and digital signatures.Category / Keywords: cryptographic protocols / key management, smart cards Original Publication (with major differences): Financial Cryptography and Data Security 2017 Date: received 14 Feb 2017, last revised 28 Feb 2017 Contact author: ryan stanley at bristol ac uk Available format(s): PDF | BibTeX Citation Version: 20170228:155828 (All versions of this report) Short URL: ia.cr/2017/134 Discussion forum: Show discussion | Start new discussion