Paper 2015/063

CamlCrush: A PKCS\#11 Filtering Proxy

R. Benadjila, T. Calderon, and M. Daubignard


PKCS\#11 is a very popular cryptographic API: it is the standard used by many Hardware Security Modules, smartcards and software cryptographic tokens. Several attacks have been uncovered against PKCS\#11 at different levels: intrinsic logical flaws, cryptographic vulnerabilities or severe compliance issues. Since affected hardware remains widespread in computer infrastructures, we propose a user-centric and pragmatic approach for secure usage of vulnerable devices. We introduce \textit{Caml Crush}, a PKCS\#11 filtering proxy. Our solution allows to dynamically protect PKCS\#11 cryptographic tokens from state of the art attacks. This is the first approach that is immediately applicable to commercially available products. We provide a fully functional open source implementation with an extensible filter engine effectively shielding critical resources. This yields additional advantages to using \textit{Caml Crush} that go beyond classical PKCS\#11 weakness mitigations.

Available format(s)
Publication info
Published elsewhere. Major revision. CARDIS 2014 - Proceedings. Smart Card Research and Advanced Application Conference.
PKCS\#11security APIOCamlproxyfiltersoftware
Contact author(s)
marion daubignard @ ssi gouv fr
2015-01-29: received
Short URL
Creative Commons Attribution


      author = {R.  Benadjila and T.  Calderon and M.  Daubignard},
      title = {CamlCrush: A PKCS\#11 Filtering Proxy},
      howpublished = {Cryptology ePrint Archive, Paper 2015/063},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.