Skip to main content
SpringerLink
Log in

An Introduction to Security API Analysis

  • Chapter
Foundations of Security Analysis and Design VI (FOSAD 2011)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 6858))

Included in the following conference series:

Abstract

A security API is an Application Program Interface that allows untrusted code to access sensitive resources in a secure way. Examples of security APIs include the interface between the tamper-resistant chip on a smartcard (trusted) and the card reader (untrusted), the interface between a cryptographic Hardware Security Module, or HSM (trusted) and the client machine (untrusted), and the Google maps API (an interface between a server, trusted by Google, and the rest of the Internet).

Work partially supported by the RAS Project “TESLA: Techniques for Enforcing Security in Languages and Applications”.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Hackers crack cash machine PIN codes to steal millions. The Times online, http://www.timesonline.co.uk/tol/money/consumer_affairs/article4259009.ece

  2. Mastermind, http://commons.wikimedia.org/wiki/File:Mastermind.jpg

  3. PIN Crackers Nab Holy Grail of Bank Card Security. Wired Magazine Blog ’Threat Level’, http://blog.wired.com/27bstroke6/2009/04/pins.html

  4. The EMV Standard, http://www.emvco.com/

  5. Anderson, R.: The correctness of crypto transaction sets. In: 8th International Workshop on Security Protocols (April 2000), http://www.cl.cam.ac.uk/ftp/users/rja14/protocols00.pdf

  6. Anderson, R.: What we can learn from API security (transcript of discussion). In: Security Protocols, pp. 288–300. Springer, Heidelberg (2003)

    Google Scholar 

  7. Anderson, R.: Security Engineering, 2nd edn. Wiley, Chichester (2007)

    Google Scholar 

  8. Armando, A., Basin, D.A., Boichut, Y., Chevalier, Y., Compagna, L., Cuéllar, J., Hankes Drielsma, P., Héam, P., Kouchnarenko, O., Mantovani, J., Mödersheim, S., von Oheimb, D., Rusinowitch, M., Santiago, J., Turuani, M., Viganò, L., Vigneron, L.: The AVISPA tool for the automated validation of internet security protocols and applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  9. Armando, A., Compagna, L.: SAT-based model-checking for security protocols analysis. Int. J. Inf. Sec. 7(1), 3–32 (2008), Software available at http://www.ai-lab.it/satmc , Currently developed under the AVANTSSAR project, http://www.avantssar.eu

    Article  MATH  Google Scholar 

  10. Berkman, O., Ostrovsky, O.M.: The unbearable lightness of PIN cracking. In: Dietrich, S., Dhamija, R. (eds.) FC 2007 and USEC 2007. LNCS, vol. 4886, pp. 224–238. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  11. Blanchet, B.: From secrecy to authenticity in security protocols. In: Hermenegildo, M.V., Puebla, G. (eds.) SAS 2002. LNCS, vol. 2477, pp. 342–359. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  12. Bond, M.: Attacks on cryptoprocessor transaction sets. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 220–234. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  13. Bond, M., Anderson, R.: API level attacks on embedded systems. IEEE Computer Magazine 34(10), 67–75 (2001)

    Article  Google Scholar 

  14. Bond, M., Clulow, J.: Encrypted? randomised? compromised (when cryptographically secured data is not secure). In: Cryptographic Algorithms and their Uses, pp. 140–151 (2004)

    Google Scholar 

  15. Bond, M., Clulow, J.: Extending security protocol analysis: New challenges. Electronic Notes in Theoretical Computer Science 125(1), 13–24 (2005)

    Article  MATH  Google Scholar 

  16. Bond, M., Zielinski, P.: Decimalization table attacks for pin cracking. Technical Report UCAM-CL-TR-560, University of Cambridge, Computer Laboratory (2003), http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf

  17. Bortolozzo, M., Centenaro, M., Focardi, R., Steel, G.: Attacking and fixing PKCS#11 security tokens. In: Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS 2010), pp. 260–269. ACM Press, Chicago (2010)

    Chapter  Google Scholar 

  18. Cachin, C., Camenisch, J.: Encrypting keys securely. IEEE Security & Privacy 8(4), 66–69 (2010)

    Article  Google Scholar 

  19. Cachin, C., Chandran, N.: A secure cryptographic token interface. In: Computer Security Foundations (CSF-22), pp. 141–153. IEEE Computer Society Press, Long Island (2009)

    Google Scholar 

  20. Centenaro, M., Focardi, R., Luccio, F.L., Steel, G.: Type-based analysis of PIN processing APIs. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 53–68. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  21. Clayton, R., Bond, M.: Experience using a low-cost FPGA design to crack DES keys. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 579–592. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  22. Clulow, J.: The design and analysis of cryptographic APIs for security devices. Master’s thesis, University of Natal, Durban (2003)

    Google Scholar 

  23. Clulow, J.: On the security of PKCS#11. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 411–425. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  24. Cortier, V., Steel, G.: A generic security API for symmetric key management on cryptographic devices. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 605–620. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  25. Delaune, S., Kremer, S., Steel, G.: Formal analysis of PKCS#11. In: Proceedings of the 21st IEEE Computer Security Foundations Symposium (CSF 2008), pp. 331–344. IEEE Computer Society Press, Pittsburgh (2008)

    Chapter  Google Scholar 

  26. Delaune, S., Kremer, S., Steel, G.: Formal analysis of PKCS#11 and proprietary extensions. Journal of Computer Security 18(6), 1211–1245 (2010)

    Article  Google Scholar 

  27. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Transactions in Information Theory 2(29), 198–208 (1983)

    Article  MathSciNet  MATH  Google Scholar 

  28. Durante, A., Focardi, R., Gorrieri, R.: A compiler for analyzing cryptographic protocols using noninterference. ACM Transactions on Software Engineering and Methodology 9(4), 488–528 (2000)

    Article  Google Scholar 

  29. Durgin, N.A., Lincoln, P., Mitchell, J.C.: Multiset rewriting and the complexity of bounded security protocols. Journal of Computer Security 12(2), 247–311 (2004)

    Article  Google Scholar 

  30. Focardi, R., Luccio, F.L.: Secure upgrade of hardware security modules in bank networks. In: Armando, A., Lowe, G. (eds.) ARSPA-WITS 2010. LNCS, vol. 6186, pp. 95–110. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  31. Focardi, R., Luccio, F.L.: Guessing bank pins by winning a mastermind game. Theory of Computing Systems (to appear, 2011)

    Google Scholar 

  32. Focardi, R., Luccio, F.L., Steel, G.: Blunting differential attacks on PIN processing APIs. In: Jøsang, A., Maseng, T., Knapskog, S.J. (eds.) NordSec 2009. LNCS, vol. 5838, pp. 88–103. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  33. Fröschle, S., Steel, G.: Analysing PKCS#11 key management APIs with unbounded fresh data. In: Degano, P., Viganò, L. (eds.) ARSPA-WITS 2009. LNCS, vol. 5511, pp. 92–106. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  34. Goguen, J.A., Meseguer, J.: Security policies and security models. In: IEEE Symposium on Security and Privacy, pp. 11–20 (1982)

    Google Scholar 

  35. Herzog, J.: Applying protocol analysis to security device interfaces. IEEE Security & Privacy Magazine 4(4), 84–87 (2006)

    Article  Google Scholar 

  36. IEEE 1619.3 Technical Committee. IEEE storage standard 1619.3 (key management) (draft), https://siswg.net/

  37. International Organization for Standardization. ISO 9564-1: Banking personal identification number (PIN) management and security, 30 pages

    Google Scholar 

  38. Keighren, G.: Model checking security APIs. Master’s thesis, University of Edinburgh (2007)

    Google Scholar 

  39. Knuth, D.: The Computer as a Master Mind. Journal of Recreational Mathematics 9, 1–6 (1976)

    MathSciNet  MATH  Google Scholar 

  40. Kremer, S., Steel, G., Warinschi, B.: Security for key management interfaces. In: Proceedings of the 24th IEEE Computer Security Foundations Symposium (CSF 2011), Cernay-la-Ville, France, pp. 266–280. IEEE Computer Society Press, Los Alamitos (2011)

    Chapter  Google Scholar 

  41. Longley, D., Rigby, S.: An automatic search for security flaws in key management schemes. Computers and Security 11(1), 75–89 (1992)

    Article  Google Scholar 

  42. Lowe, G.: Breaking and fixing the Needham Schroeder public-key protocol using FDR. In: Margaria, T., Steffen, B. (eds.) TACAS 1996. LNCS, vol. 1055, pp. 147–166. Springer, Heidelberg (1996)

    Chapter  Google Scholar 

  43. Myers, A.C., Sabelfeld, A., Zdancewic, S.: Enforcing robust declassification and qualified robustness. Journal of Computer Security 14(2), 157–196 (2006)

    Article  Google Scholar 

  44. OASIS Key Management Interoperability Protocol (KMIP) Technical Committee. KMIP – key management interoperability protocol (February 2009), http://xml.coverpages.org/KMIP/

  45. openCryptoki, http://sourceforge.net/projects/opencryptoki/

  46. Pickover, C.A.: The Math Book: From Pythagoras to the 57th Dimension, 250 Milestones in the History of Mathematics. Sterling (2009)

    Google Scholar 

  47. RSA Security Inc., v2.20. PKCS #11: Cryptographic Token Interface Standard (June 2004)

    Google Scholar 

  48. Schneier, B.: Applied Cryptography, 2nd edn. John Wiley and Sons, Chichester (1996)

    MATH  Google Scholar 

  49. Steel, G.: Formal Analysis of PIN Block Attacks. Theoretical Computer Science 367(1-2), 257–270 (2006)

    Article  MathSciNet  MATH  Google Scholar 

  50. Stuckman, J., Zhang, G.: Mastermind is NP-Complete. INFOCOMP Journal of Computer Science 5, 25–28 (2006)

    Google Scholar 

  51. Tsalapati, E.: Analysis of PKCS#11 using AVISPA tools. Master’s thesis, University of Edinburgh (2007)

    Google Scholar 

  52. Youn, P., Adida, B., Bond, M., Clulow, J., Herzog, J., Lin, A., Rivest, R., Anderson, R.: Robbing the bank with a theorem prover. Technical Report UCAM-CL-TR-644, University of Cambridge (August 2005)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. DAIS, Università Ca’Foscari Venezia, Italy

    Riccardo Focardi & Flaminia L. Luccio

  2. LSV, ENS Cachan & CNRS & INRIA, France

    Graham Steel

Authors
  1. Riccardo Focardi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Flaminia L. Luccio
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Graham Steel
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Dipartimento di Scienze di Base e Fondamenti, Università degli Studi di Urbino “Carlo Bo”, Piazza della Repubblica 13, 61029, Urbino, Italy

    Alessandro Aldini

  2. Dipartimento di Scienze dell’Informazione, Università degli Studi di Bologna, Mura Anteo Zamboni 7, 40127, Bologna, Italy

    Roberto Gorrieri

Rights and permissions

Reprints and permissions

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Focardi, R., Luccio, F.L., Steel, G. (2011). An Introduction to Security API Analysis. In: Aldini, A., Gorrieri, R. (eds) Foundations of Security Analysis and Design VI. FOSAD 2011. Lecture Notes in Computer Science, vol 6858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23082-0_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-23082-0_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-23081-3

  • Online ISBN: 978-3-642-23082-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation