Abstract
A security API is an Application Program Interface that allows untrusted code to access sensitive resources in a secure way. Examples of security APIs include the interface between the tamper-resistant chip on a smartcard (trusted) and the card reader (untrusted), the interface between a cryptographic Hardware Security Module, or HSM (trusted) and the client machine (untrusted), and the Google maps API (an interface between a server, trusted by Google, and the rest of the Internet).
Work partially supported by the RAS Project “TESLA: Techniques for Enforcing Security in Languages and Applications”.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Hackers crack cash machine PIN codes to steal millions. The Times online, http://www.timesonline.co.uk/tol/money/consumer_affairs/article4259009.ece
Mastermind, http://commons.wikimedia.org/wiki/File:Mastermind.jpg
PIN Crackers Nab Holy Grail of Bank Card Security. Wired Magazine Blog ’Threat Level’, http://blog.wired.com/27bstroke6/2009/04/pins.html
The EMV Standard, http://www.emvco.com/
Anderson, R.: The correctness of crypto transaction sets. In: 8th International Workshop on Security Protocols (April 2000), http://www.cl.cam.ac.uk/ftp/users/rja14/protocols00.pdf
Anderson, R.: What we can learn from API security (transcript of discussion). In: Security Protocols, pp. 288–300. Springer, Heidelberg (2003)
Anderson, R.: Security Engineering, 2nd edn. Wiley, Chichester (2007)
Armando, A., Basin, D.A., Boichut, Y., Chevalier, Y., Compagna, L., Cuéllar, J., Hankes Drielsma, P., Héam, P., Kouchnarenko, O., Mantovani, J., Mödersheim, S., von Oheimb, D., Rusinowitch, M., Santiago, J., Turuani, M., Viganò, L., Vigneron, L.: The AVISPA tool for the automated validation of internet security protocols and applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005)
Armando, A., Compagna, L.: SAT-based model-checking for security protocols analysis. Int. J. Inf. Sec. 7(1), 3–32 (2008), Software available at http://www.ai-lab.it/satmc , Currently developed under the AVANTSSAR project, http://www.avantssar.eu
Berkman, O., Ostrovsky, O.M.: The unbearable lightness of PIN cracking. In: Dietrich, S., Dhamija, R. (eds.) FC 2007 and USEC 2007. LNCS, vol. 4886, pp. 224–238. Springer, Heidelberg (2007)
Blanchet, B.: From secrecy to authenticity in security protocols. In: Hermenegildo, M.V., Puebla, G. (eds.) SAS 2002. LNCS, vol. 2477, pp. 342–359. Springer, Heidelberg (2002)
Bond, M.: Attacks on cryptoprocessor transaction sets. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 220–234. Springer, Heidelberg (2001)
Bond, M., Anderson, R.: API level attacks on embedded systems. IEEE Computer Magazine 34(10), 67–75 (2001)
Bond, M., Clulow, J.: Encrypted? randomised? compromised (when cryptographically secured data is not secure). In: Cryptographic Algorithms and their Uses, pp. 140–151 (2004)
Bond, M., Clulow, J.: Extending security protocol analysis: New challenges. Electronic Notes in Theoretical Computer Science 125(1), 13–24 (2005)
Bond, M., Zielinski, P.: Decimalization table attacks for pin cracking. Technical Report UCAM-CL-TR-560, University of Cambridge, Computer Laboratory (2003), http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
Bortolozzo, M., Centenaro, M., Focardi, R., Steel, G.: Attacking and fixing PKCS#11 security tokens. In: Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS 2010), pp. 260–269. ACM Press, Chicago (2010)
Cachin, C., Camenisch, J.: Encrypting keys securely. IEEE Security & Privacy 8(4), 66–69 (2010)
Cachin, C., Chandran, N.: A secure cryptographic token interface. In: Computer Security Foundations (CSF-22), pp. 141–153. IEEE Computer Society Press, Long Island (2009)
Centenaro, M., Focardi, R., Luccio, F.L., Steel, G.: Type-based analysis of PIN processing APIs. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 53–68. Springer, Heidelberg (2009)
Clayton, R., Bond, M.: Experience using a low-cost FPGA design to crack DES keys. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 579–592. Springer, Heidelberg (2003)
Clulow, J.: The design and analysis of cryptographic APIs for security devices. Master’s thesis, University of Natal, Durban (2003)
Clulow, J.: On the security of PKCS#11. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 411–425. Springer, Heidelberg (2003)
Cortier, V., Steel, G.: A generic security API for symmetric key management on cryptographic devices. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 605–620. Springer, Heidelberg (2009)
Delaune, S., Kremer, S., Steel, G.: Formal analysis of PKCS#11. In: Proceedings of the 21st IEEE Computer Security Foundations Symposium (CSF 2008), pp. 331–344. IEEE Computer Society Press, Pittsburgh (2008)
Delaune, S., Kremer, S., Steel, G.: Formal analysis of PKCS#11 and proprietary extensions. Journal of Computer Security 18(6), 1211–1245 (2010)
Dolev, D., Yao, A.: On the security of public key protocols. IEEE Transactions in Information Theory 2(29), 198–208 (1983)
Durante, A., Focardi, R., Gorrieri, R.: A compiler for analyzing cryptographic protocols using noninterference. ACM Transactions on Software Engineering and Methodology 9(4), 488–528 (2000)
Durgin, N.A., Lincoln, P., Mitchell, J.C.: Multiset rewriting and the complexity of bounded security protocols. Journal of Computer Security 12(2), 247–311 (2004)
Focardi, R., Luccio, F.L.: Secure upgrade of hardware security modules in bank networks. In: Armando, A., Lowe, G. (eds.) ARSPA-WITS 2010. LNCS, vol. 6186, pp. 95–110. Springer, Heidelberg (2010)
Focardi, R., Luccio, F.L.: Guessing bank pins by winning a mastermind game. Theory of Computing Systems (to appear, 2011)
Focardi, R., Luccio, F.L., Steel, G.: Blunting differential attacks on PIN processing APIs. In: Jøsang, A., Maseng, T., Knapskog, S.J. (eds.) NordSec 2009. LNCS, vol. 5838, pp. 88–103. Springer, Heidelberg (2009)
Fröschle, S., Steel, G.: Analysing PKCS#11 key management APIs with unbounded fresh data. In: Degano, P., Viganò, L. (eds.) ARSPA-WITS 2009. LNCS, vol. 5511, pp. 92–106. Springer, Heidelberg (2009)
Goguen, J.A., Meseguer, J.: Security policies and security models. In: IEEE Symposium on Security and Privacy, pp. 11–20 (1982)
Herzog, J.: Applying protocol analysis to security device interfaces. IEEE Security & Privacy Magazine 4(4), 84–87 (2006)
IEEE 1619.3 Technical Committee. IEEE storage standard 1619.3 (key management) (draft), https://siswg.net/
International Organization for Standardization. ISO 9564-1: Banking personal identification number (PIN) management and security, 30 pages
Keighren, G.: Model checking security APIs. Master’s thesis, University of Edinburgh (2007)
Knuth, D.: The Computer as a Master Mind. Journal of Recreational Mathematics 9, 1–6 (1976)
Kremer, S., Steel, G., Warinschi, B.: Security for key management interfaces. In: Proceedings of the 24th IEEE Computer Security Foundations Symposium (CSF 2011), Cernay-la-Ville, France, pp. 266–280. IEEE Computer Society Press, Los Alamitos (2011)
Longley, D., Rigby, S.: An automatic search for security flaws in key management schemes. Computers and Security 11(1), 75–89 (1992)
Lowe, G.: Breaking and fixing the Needham Schroeder public-key protocol using FDR. In: Margaria, T., Steffen, B. (eds.) TACAS 1996. LNCS, vol. 1055, pp. 147–166. Springer, Heidelberg (1996)
Myers, A.C., Sabelfeld, A., Zdancewic, S.: Enforcing robust declassification and qualified robustness. Journal of Computer Security 14(2), 157–196 (2006)
OASIS Key Management Interoperability Protocol (KMIP) Technical Committee. KMIP – key management interoperability protocol (February 2009), http://xml.coverpages.org/KMIP/
openCryptoki, http://sourceforge.net/projects/opencryptoki/
Pickover, C.A.: The Math Book: From Pythagoras to the 57th Dimension, 250 Milestones in the History of Mathematics. Sterling (2009)
RSA Security Inc., v2.20. PKCS #11: Cryptographic Token Interface Standard (June 2004)
Schneier, B.: Applied Cryptography, 2nd edn. John Wiley and Sons, Chichester (1996)
Steel, G.: Formal Analysis of PIN Block Attacks. Theoretical Computer Science 367(1-2), 257–270 (2006)
Stuckman, J., Zhang, G.: Mastermind is NP-Complete. INFOCOMP Journal of Computer Science 5, 25–28 (2006)
Tsalapati, E.: Analysis of PKCS#11 using AVISPA tools. Master’s thesis, University of Edinburgh (2007)
Youn, P., Adida, B., Bond, M., Clulow, J., Herzog, J., Lin, A., Rivest, R., Anderson, R.: Robbing the bank with a theorem prover. Technical Report UCAM-CL-TR-644, University of Cambridge (August 2005)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Focardi, R., Luccio, F.L., Steel, G. (2011). An Introduction to Security API Analysis. In: Aldini, A., Gorrieri, R. (eds) Foundations of Security Analysis and Design VI. FOSAD 2011. Lecture Notes in Computer Science, vol 6858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23082-0_2
Download citation
DOI: https://doi.org/10.1007/978-3-642-23082-0_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-23081-3
Online ISBN: 978-3-642-23082-0
eBook Packages: Computer ScienceComputer Science (R0)