Analysing PKCS#11 key management APIs with unbounded fresh data

Fröschle, Sibylle B.; Steel, Graham

Analysing PKCS#11 key management APIs with unbounded fresh data

Publikationstyp

Conference Paper

Date Issued

2009-09-28

Sprache

English

Author(s)

Fröschle, Sibylle B.

Steel, Graham

TORE-URI

http://hdl.handle.net/11420/11283

First published in

Lecture notes in computer science

Number in series

5511 LNCS

Start Page

92

End Page

106

Citation

Lecture Notes in Computer Science (5511 LNCS): 92-106 (2009-09-28)

Contribution to Conference

Joint Workshop on Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security, ARSPA-WITS 2009

Publisher DOI

10.1007/978-3-642-03459-6_7

Scopus ID

2-s2.0-70349337015

We extend Delaune, Kremer and Steel's framework for analysis of PKCS#11-based APIs from bounded to unbounded fresh data. We achieve this by: formally defining the notion of an attribute policy; showing that a well-designed API should have a certain class of policy we call complete; showing that APIs with complete policies may be safely abstracted to APIs where the attributes are fixed; and proving that these static APIs can be analysed in a small bounded model such that security properties will hold for the unbounded case. We automate analysis in our framework using the SAT-based security protocol model checker SATMC. We show that a symmetric key management subset of the Eracom PKCS#11 API, used in their ProtectServer product, preserves the secrecy of sensitive keys for unbounded numbers of fresh keys and handles, i.e. pointers to keys. We also show that this API is not robust: if an encryption key is lost to the intruder, SATMC finds an attack whereby all the keys may be compromised.

DDC Class

004: Informatik

Options

Analysing PKCS#11 key management APIs with unbounded fresh data