Cryptology ePrint Archive: Report 2015/063

CamlCrush: A PKCS#11 Filtering Proxy

R. Benadjila and T. Calderon and M. Daubignard

Abstract: PKCS#11 is a very popular cryptographic API: it is the standard used by many Hardware Security Modules, smartcards and software cryptographic tokens. Several attacks have been uncovered against PKCS#11 at different levels: intrinsic logical flaws, cryptographic vulnerabilities or severe compliance issues. Since affected hardware remains widespread in computer infrastructures, we propose a user-centric and pragmatic approach for secure usage of vulnerable devices. We introduce Caml Crush, a PKCS#11 filtering proxy. Our solution dynamically protects PKCS#11 cryptographic tokens from state-of-the-art attacks. This is the first approach that is immediately applicable to commercially available products. We provide a fully functional open source implementation with an extensible filter engine that effectively shields critical resources. Using Caml Crush also yields additional advantages that go beyond classical PKCS#11 weakness mitigations.

Category / Keywords: applications / PKCS#11, security API, OCaml, proxy, filter, software

Original Publication (with major differences): CARDIS 2014 - Proceedings. Smart Card Research and Advanced Application Conference.

Date: received 27 Jan 2015

Contact author: marion daubignard at ssi gouv fr


Version: 20150129:121315
