Title :
Type-Based Analysis of Generic Key Management APIs
Author :
Adao, P. ; Focardi, R. ; Luccio, F.L.
Author_Institution :
SQIG-Inst. de Telecomun. IST, TULisbon, Lisbon, Portugal
Abstract :
In the past few years, cryptographic key management APIs have been shown to be subject to tricky attacks based on the improper use of cryptographic keys. In fact, real APIs provide mechanisms to declare the intended use of keys but they are not strong enough to provide key security. In this paper, we propose a simple imperative programming language for specifying strongly-typed APIs for the management of symmetric, asymmetric and signing keys. The language requires that type information is stored together with the key but it is independent of the actual low-level implementation. We develop a type-based analysis to prove the preservation of integrity and confidentiality of sensitive keys and we show that our abstraction is expressive enough to code realistic key management APIs.
Keywords :
application program interfaces; cryptography; programming languages; asymmetric keys management; cryptographic key management; generic key management API; imperative programming language; key security; realistic key management API; sensitive keys confidentiality; sensitive keys integrity; signing keys management; tricky attacks; type-based analysis; Computational modeling; Concrete; Encryption; Semantics; Wrapping; Key-Management APIs; PKCS#11; Secure Hardware; Type-based Analysis;
Conference_Titel :
Computer Security Foundations Symposium (CSF), 2013 IEEE 26th
Conference_Location :
New Orleans, LA
DOI :
10.1109/CSF.2013.14
