Presentation is loading. Please wait.

Presentation is loading. Please wait.

PKCS11 Key Protection And the Insider Threat.

Published byLoraine Lane Modified over 9 years ago

Similar presentations

Presentation on theme: "PKCS11 Key Protection And the Insider Threat."— Presentation transcript:

1 PKCS11 Key Protection And the Insider Threat

2 Outline The Insider Threat Existing Protection Mechanism
Primary Key vs Secondary Key Primary Key Protection Secondary Key Protection Related Items

3 The Insider Threat General design goal – if desired, key material checks in but never checks out (PKCS11, the roach motel of key material) Insider threat is authorized, but illegitimate, user Stolen credentials (e.g. PIN) Hacked application using PKCS11 token for security Attacker is authorized token user, but token should prevent extraction attacks. PKCS11 has reasonable protection for primary keys, but little or no protection for secondary keys (see below)

4 Existing Protection Mechanisms (1)
CKA_PRIVATE Limits key use to CKU_USER if true Needs work or replacement if we add user logins (or additional roles) CKA_SENSITIVE Generally prevents use of C_GetAttributeValue with “sensitive” attributes if true CKA_EXTRACTABLE Allows the use of C_WrapKey if true But see also CKA_WRAP_WITH_TRUSTED and CKA_TRUSTED CKA_DERIVE, CKA_SIGN, etc Allows use of C_DeriveKey, C_Sign etc if true

5 Existing Protection Mechanism (2)
CKA_WRAP_WITH_TRUSTED If CKA_EXTRACTABLE is true, limits wrapping of *this* key to only by CKA_TRUSTED=true keys CKA_TRUSTED Can only be set to true by CKU_SO But CKU_SO can’t see CKA_PRIVATE keys to set them Limits usefulness of CKA_WRAP_WITH_TRUSTED to public keys. Or non-private symmetric keys CKA_ALLOWED_MECHANISMS Locks key to specific set of mechanisms Doesn’t appear to be a sticky attribute

6 Existing Protection Mechanisms (3)
CKA_WRAP_TEMPLATE Limits use of *this* key to only wrap keys that match template Simple to bypass by creating a new wrapping key without this restriction CKA_UNWRAP_TEMPLATE Forces unwrapped key to have certain attributes Currently *not* a sticky attribute Easy to bypass by copying key and clearing the template CKA_COPYABLE, CKA_DESTROYABLE, CKA_MODIFIABLE If true, allows C_CopyObject, C_DestroyObject, C_SetAttributeValue respectively Some issues with policy language should be clarified.

7 Primary Key vs Secondary Key
For the purposes of this presentation Primary Key Key created or loaded by legitimate user for which the source key material is not accessible to an attacker Generated on token, or securely loaded Sticky attributes set at creation Secondary key A key created through the use of C_DeriveKey from a Primary or Secondary Key Creation can be repeated at any time assuming public data and original key Or a key created through the use of C_UnwrapKey where the wrapped key material is accessible at some point to an attacker Unwrapping can be repeated at any time as long as unwrapping key is still on token

8 Primary Key Protection (1)
Creator can prevent extraction CKA_EXTRACTABLE=false (sticky) Creator can prevent key data extraction CKA_SENSITIVE=true (sticky) Creator can limit key to specific use CKA_DERIVE, CKA_SIGN, etc But not sticky, so attacker can change Creator can limit key to specific mechanisms CKA_ALLOWED_MECHANISMS Other stickyness problems for other protection attributes

9 Primary Key Protection (2)
Extractable Keys (CKA_EXTRACTABLE=true) Constrained by CKA_WRAP_WITH_TRUSTED and CKA_WRAP_TEMPLATE But attacker can add new key with less restrictive wrap template. Re-loaded wrapped keys Wrapped keys don’t contain original attributes Unwrapped keys can be set with any attributes But some protection through CKA_UNWRAP_TEMPLATE

10 Primary Key Protection (3)
Fixes? Add stickyness language to all protection attributes Ensure attributes can become more restrictive, but not less Allow key to specify its wrap key at creation CKA_WRAP_WITH_UUID CKA_UUID (read only, internally generated) Doesn’t require SO intervention to specify a “trusted” key. Specify at least one wrapping mechanism that preserves/restores key attributes CKM_SEAL_KEY

11 Secondary Key Protection (1)
General model of attack for C_Derive is that attacker Has use permission for primary key Has access to “public data” used for the derive operation E.g. other side public key, random data, label, etc Re-derives desired key But sets attributes of derived key so key data is extractable E.g. CKA_SENSITIVE=false or CKA_EXTRACTABLE=true Extracts key data and passes it on or uses it No mechanism to enforce setting of policy on derived secondary keys

12 Secondary Key Protection (2)
Second method of attack for C_DeriveKey is that attacker Has use of CKK_GENERIC_SECRET primary key Has access to public data used by derive operation Has use of the underlying PRF CMAC or HMAC function used by the derive mechanism Knows the derive function Uses the CMAC or HMAC function with the primary key and public data to directly produce a public version of the key stream Extracts the key data and passes it on or uses it CKA_ALLOWED_MECHANISMS is currrently only way to protect against this, but attribute is non-sticky.

13 Secondary Key Protection (3)
General method of attack for C_UnwrapKey is that attacker Has use of unwrapping key Has access to wrapped key data Unwraps the wrapped key But sets attributes of unwrapped key so key data is extractable Extracts key data and passes it on or uses it CKA_UNWRAP_TEMPLATE enforces attributes of unwrapped keys But CKA_UNWRAP_TEMPLATE is not currently sticky, so trivial for attacker to remove it in C_CopyObject or by C_SetAttributeValue Some vendors did fix this though. Possible for legitimate user to screw up unwrap configuration

14 Secondary Key Protection (4)
Fixes? Specify a mechanism to enforce policy on derived keys I.e., CKA_DERIVE_TEMPLATE Since derives can be multilevel, mechanism must be able to propagate through each level of derive Revisit default and permitted sensitivities for all derive mechanisms (e.g. default is at least as sensitive as key being derived from, but if template is provided at original key creation, permitted values can be weaker If done this way, template can only be applied at key creation and is read-only or prohibited after (otherwise violates the “changes must be in direction of more secure” policy

15 Secondary Key Protection (5)
Example: TLS wants to protect pre-master and master secret from extraction, but wants to export mac and encryption secrets for use by general purpose processor. Default for TLS would be if pre-master and master were “sensitive” and “non-extractable” then so would derived keys Template would allow for easing restriction at creation of master secret

16 Related Items CKK_GENERIC_SECRET
Can be used with derivation, CMAC and HMAC mechanisms Problematic for policy controls especially as C_Derive mechanisms use underlying CMAC or HMAC PRFs Perhaps instead: CKK_MASTER_SECRET – can be used with C_Derive mechanisms only CKK_AES_CMAC, CKK_DES_CMAC etc (or only CKK_CMAC?) CKK_SHA1_HMAC, CKK_SHA2_HMAC (or CKK_HMAC? Or CKK_SHA(224|256|384)_HMAC?)

Download ppt "PKCS11 Key Protection And the Insider Threat."

Similar presentations

PKCS-11 Protocol for Enterprise Key Management

PKCS-11 Protocol for Enterprise Key Management
Operating System Security

Operating System Security
CT-KIP Magnus Nyström, RSA Security 23 May 2005. Overview A client-server protocol for initialization (and configuration) of cryptographic tokens —Intended.

CT-KIP Magnus Nyström, RSA Security 23 May Overview A client-server protocol for initialization (and configuration) of cryptographic tokens —Intended.
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.

Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.
A responsibility based model EDG CA Managers Meeting June 13, 2003.

A responsibility based model EDG CA Managers Meeting June 13, 2003.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
FlareCo Ltd ALTER DATABASE AdventureWorks SET PARTNER FORCE_SERVICE_ALLOW_DATA_LOSS Slide 1.

FlareCo Ltd ALTER DATABASE AdventureWorks SET PARTNER FORCE_SERVICE_ALLOW_DATA_LOSS Slide 1.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.

LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
An Authorization Service using.NET Passport ™ as underlying Authentication Scheme Bar-Hen Ron Hochberger Daniel Winter 2002 Technion – Israel Institute.

An Authorization Service using.NET Passport ™ as underlying Authentication Scheme Bar-Hen Ron Hochberger Daniel Winter 2002 Technion – Israel Institute.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.

Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.
ERP Risks, Security Checklist, and Priorities for Change Joy R. Hughes VPIT and CIO George Mason University Co-chair STF.

ERP Risks, Security Checklist, and Priorities for Change Joy R. Hughes VPIT and CIO George Mason University Co-chair STF.
Key Management Lifecycle. Cryptographic key management encompasses the entire lifecycle of cryptographic keys and other keying material. Basic key management.

Key Management Lifecycle. Cryptographic key management encompasses the entire lifecycle of cryptographic keys and other keying material. Basic key management.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.

Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Security Policy What is a security policy? –Defines what it means for a system to be secure Formally: Partition system into –Secure (authorized) states.

Security Policy What is a security policy? –Defines what it means for a system to be secure Formally: Partition system into –Secure (authorized) states.

Similar presentations

Ads by Google