How to wrap it up - A formally verified proposal for the use of authenticated wrapping in PKCS#11

Dax, Alexander and Tangermann, Sven and Künnemann, Robert and Backes, Michael
(2019) How to wrap it up - A formally verified proposal for the use of authenticated wrapping in PKCS#11.
In: Computer Security Foundations Symposium, Hobuken, NJ.
Conference: CSF IEEE Computer Security Foundations Symposium (was CSFW)
(In Press)

[img]
Preview
 Text
pkcs11detenc-conf.pdf
Download (537kB) | Preview

Abstract

Being the most widely used and comprehensive standard for hardware security modules, cryptographic tokens and smart cards, PKCS#11 has been the subject of academic study for years. PKCS#11 provides a key store that is separate from the application, so that, ideally, an application never sees a key in the clear. Again and again, researchers have pointed out the need for an import/export mechanism that ensures the integrity of the permissions associated to a key. With version 2.40, for the first time, the standard included authenticated deterministic encryption schemes. The interface to this operation is insecure, however, so that an application can get the key in the clear, subverting the purpose of using a hardware security module. This work proposes a formal model for the secure use of authenticated deterministic encryption in PKCS#11, including concrete API changes to allow for secure policies to be implemented. Owing to the authenticated encryption mechanism, the policy we propose provides more functionality than any policy proposed so far and can be implemented without access to a random number generator. Our results cover modes of operation that rely on unique initialisation vectors (IVs), like GCM or CCM, but also modes that generate synthetic IVs. We furthermore provide a proof for the deduction soundness of our modelling of deterministic encryption in Böhl et.al.'s composable deduction soundness framework.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Divisions: Michael Backes (InfSec)
Conference: CSF IEEE Computer Security Foundations Symposium (was CSFW)
Depositing User: Robert Künnemann
Date Deposited: 07 Jun 2019 06:58
Last Modified: 19 Oct 2020 16:20
Primary Research Area: NRA2: Reliable Security Guarantees
URI: https://publications.cispa.saarland/id/eprint/2895

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.