Skip to content
master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
src
 
 
 
 
 
 

P11D

A proof-of-concept log analysis tool for PKCS#11. The tool is able to identify several key-management attacks involving symmetric encryption operations.

This tool consists of three components:

  • a software layer that wraps the existing PKCS#11 library interface. The wrapper allows the instrumentation of selected API calls to record the operations executed by the underlying library. It also computes key fingerprints to solve the log analysis problem;
  • a logging facility to store the logs of each session in a central repository;
  • the analyzer that parses the logs generated by the first two components and performs the discovery of attacks aimed at leaking the value of secure keys.

Setup

Install OpenCryptoki

sudo apt install opencryptoki libopencryptoki-dev

start the pkcsslotd daemon and initialize the token with pkcsconf. Ensure to be in the pkcs11 group to run the command.

Enter directory src and type make to compile the tool. The wrapper will be compiled to p11d.so in that directory.

Optionally, install gnutls-bin for p11tool. It allows to perform handy operations on PKCS#11 tokens. For instance, the command to list all the objects stored in the OpenCryptoki software token is the following:

p11tool --provider /usr/lib/pkcs11/libopencryptoki.so --list-all

Usage

To start an application with the PKCS#11 wrapper enabled you are required to run the logger in one terminal

$ ./analyser/logger.py

and load the p11d.so shared object before any other library:

LD_PRELOAD=./p11d.so ./your_program

Log files are automatically saved to /tmp/apilogger/. Use the ./analyser/analyser.py to parse them and search fro attacks.

Experimental Tests

The tool ships with a suite of key-mangement attakcs that can be used to assess the detection capabilities of the approach.

The supported attacks are:

  • Wrap/Decrypt
  • Wrap/Unwrap
  • Re-Import
  • Distributed Wrap/Decrypt

In order to check the tool against a certain attack, start the test_attack binary and select the appropriate attack number.

About

No description, website, or topics provided.

Resources

License

Releases

No releases published

Packages

No packages published