Paper 2019/462

How to wrap it up - A formally verified proposal for the use of authenticated wrapping in PKCS\#11

Alexander Dax, Robert Künnemann, Sven Tangermann, and Michael Backes


Being the most widely used and comprehensive standard for hardware security modules, cryptographic tokens and smart cards, PKCS#11 has been the subject of academic study for years. PKCS#11 provides a key store that is separate from the application, so that, ideally, an application never sees a key in the clear. Again and again, researchers have pointed out the need for an import/export mechanism that ensures the integrity of the permissions associated to a key. With version 2.40, for the first time, the standard included authenticated deterministic encryption schemes. The interface to this operation is insecure, however, so that an application can get the key in the clear, subverting the purpose of using a hardware security module. This work proposes a formal model for the secure use of authenticated deterministic encryption in PKCS11, including concrete API changes to allow for secure policies to be implemented. Owing to the authenticated encryption mechanism, the policy we propose provides more functionality than any policy proposed so far and can be implemented without access to a random number generator. Our results cover modes of operation that rely on unique initialisation vectors (IVs), like GCM or CCM, but also modes that generate synthetic IVs. We furthermore provide a proof for the deduction soundness of our modelling of deterministic encryption in Böhl's composable deduction soundness framework.

Note: Revised on Jun 26 2019: added page numbers and more precise suggestions for PKCS#11v3.00

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. MAJOR revision.CSF 2019
formal analysissecurity APIcomputational soundness
Contact author(s)
robert @ kunnemann de
2019-06-26: last of 2 revisions
2019-05-10: received
See all versions
Short URL
Creative Commons Attribution


      author = {Alexander Dax and Robert Künnemann and Sven Tangermann and Michael Backes},
      title = {How to wrap it up - A formally verified proposal for the use of authenticated wrapping in PKCS\#11},
      howpublished = {Cryptology ePrint Archive, Paper 2019/462},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.