Paper 2015/063

CamlCrush: A PKCS\#11 Filtering Proxy

R. Benadjila, T. Calderon, and M. Daubignard

Abstract

PKCS\#11 is a very popular cryptographic API: it is the standard used by many Hardware Security Modules, smartcards and software cryptographic tokens. Several attacks have been uncovered against PKCS\#11 at different levels: intrinsic logical flaws, cryptographic vulnerabilities or severe compliance issues. Since affected hardware remains widespread in computer infrastructures, we propose a user-centric and pragmatic approach for secure usage of vulnerable devices. We introduce \textit{Caml Crush}, a PKCS\#11 filtering proxy. Our solution allows to dynamically protect PKCS\#11 cryptographic tokens from state of the art attacks. This is the first approach that is immediately applicable to commercially available products. We provide a fully functional open source implementation with an extensible filter engine effectively shielding critical resources. This yields additional advantages to using \textit{Caml Crush} that go beyond classical PKCS\#11 weakness mitigations.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. Major revision. CARDIS 2014 - Proceedings. Smart Card Research and Advanced Application Conference.
Keywords
PKCS\#11security APIOCamlproxyfiltersoftware
Contact author(s)
marion daubignard @ ssi gouv fr
History
2015-01-29: received
Short URL
https://ia.cr/2015/063
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2015/063,
      author = {R.  Benadjila and T.  Calderon and M.  Daubignard},
      title = {{CamlCrush}: A {PKCS}\#11 Filtering Proxy},
      howpublished = {Cryptology {ePrint} Archive, Paper 2015/063},
      year = {2015},
      url = {https://eprint.iacr.org/2015/063}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.