A proof-of-concept log analysis tool for PKCS#11. The tool is able to identify several key-management attacks involving symmetric encryption operations.
This tool consists of three components:
- a software layer that wraps the existing PKCS#11 library interface. The wrapper allows the instrumentation of selected API calls to record the operations executed by the underlying library. It also computes key fingerprints to solve the log analysis problem;
- a logging facility to store the logs of each session in a central repository;
- the analyzer that parses the logs generated by the first two components and performs the discovery of attacks aimed at leaking the value of secure keys.
Installation and build:
- Install OpenCryptoki: sudo apt install opencryptoki libopencryptoki-dev
- Start the pkcsslotd daemon and initialize the token with the token-initialization command. You need to be in the pkcs11 group to run the command.
- Go to src and type make to compile the tool. The wrapper will be built as p11d.so in that directory.
p11tool allows you to perform handy operations on PKCS#11 tokens. For instance, the command to list all the objects stored in the OpenCryptoki software token is the following:
p11tool --provider /usr/lib/pkcs11/libopencryptoki.so --list-all
To start an application with the PKCS#11 wrapper enabled, run the logger in one terminal and load the p11d.so shared object before any other library:
Log files are automatically saved to /tmp/apilogger/. Use ./analyser/analyser.py to parse them and search for attacks.
The tool ships with a suite of key-management attacks that can be used to assess the detection capabilities of the approach.
The supported attacks are:
- Distributed Wrap/Decrypt
In order to check the tool against a certain attack, start the
test_attack binary and select the appropriate attack number.
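As an added illustration of what the analyser has to correlate for the Distributed Wrap/Decrypt case (this is example code, not the project's analyser, and the log format, field names and fingerprint values are constructed assumptions): a wrapped-key blob produced by C_WrapKey in one session is recognised when it is handed to C_Decrypt under the same wrapping key in another session, which is exactly the cross-session matching that key fingerprints make possible.

```python
import re

# Constructed sample log in a hypothetical format (the page does not give the
# real p11d.so/analyser format): one line per instrumented call, with the
# session id, the API call, key fingerprints and a fingerprint of the
# ciphertext produced (out=) or consumed (in=).
SAMPLE_LOG = """\
sess=1 op=C_WrapKey wrapping=fp_k2 wrapped=fp_k1 out=ct_a
sess=1 op=C_Encrypt key=fp_k2 out=ct_b
sess=2 op=C_Decrypt key=fp_k2 in=ct_b
sess=3 op=C_Decrypt key=fp_k2 in=ct_a
"""

LINE = re.compile(r"sess=(\d+) op=(\w+)(.*)")

def parse(log):
    """Yield (session, op, attrs) for every well-formed log line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        sess, op, rest = m.groups()
        attrs = dict(kv.split("=", 1) for kv in rest.split())
        yield int(sess), op, attrs

def find_wrap_decrypt(log):
    """Return (wrapped key, wrapping key, wrap session, decrypt session)
    for every C_WrapKey blob later fed to C_Decrypt under the same
    wrapping key, whatever session either call happened in."""
    records = list(parse(log))
    # Pass 1: index every wrap by the fingerprint of the blob it produced.
    # Indexing first makes the check independent of the order in which
    # the per-session logs were concatenated in the central repository.
    wraps = {a["out"]: (a["wrapping"], a["wrapped"], sess)
             for sess, op, a in records if op == "C_WrapKey"}
    findings = []
    # Pass 2: decrypting a wrapped blob with its own wrapping key hands
    # the plaintext of the wrapped key to the calling application.
    for sess, op, a in records:
        if op != "C_Decrypt" or a.get("in") not in wraps:
            continue
        wrapping, wrapped, wsess = wraps[a["in"]]
        if a.get("key") == wrapping:
            findings.append((wrapped, wrapping, wsess, sess))
    return findings

if __name__ == "__main__":
    for wrapped, wrapping, ws, ds in find_wrap_decrypt(SAMPLE_LOG):
        print(f"key {wrapped} leaked: wrapped under {wrapping} in session "
              f"{ws}, blob decrypted under {wrapping} in session {ds}")
```

The ordinary C_Encrypt/C_Decrypt pair on ct_b is benign and is not reported; only the wrapped-key blob ct_a crossing from session 1 to session 3 is flagged.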