Buy it, use it, break it ... fix it: Caml Crush, a PKCS#11 filtering proxy

Presented at SSTIC 2014 by

Smart cards and dedicated cryptographic resources are valuable tools for enhancing the security of information systems. These devices can be seen as a core of trust in which cryptographic operations are performed. The PKCS#11 programming interface is a common standard for interacting with these resources: it has become the de facto standard preferred by industry. However, recent publications have highlighted several logical and cryptographic attacks that exploit weaknesses in the PKCS#11 interface to compromise the confidentiality or integrity of the cryptographic keys stored in the resources concerned. In this paper we present a client/server architecture together with a configurable and extensible filtering engine. Deploying such a tool, which analyzes PKCS#11 commands before forwarding them to a cryptographic resource, reduces the exposure of that resource to attacks exploiting weaknesses in its PKCS#11 implementation.