Saturday, December 5, 2009

Conclusions

We are currently starting discussions with HSM manufacturers with regard to the practical implications of the attacks. It is very costly to modify the software which interacts with HSMs, and while updating the HSM software itself is cheaper, the system will still need testing, and the update may involve a costly re-initialisation phase. Straightforward validity checking of decimalisation tables should be easy to implement, but full protection that retains compatibility with existing mainframe software will be hard to achieve. It will depend upon the intrusion detection capabilities offered by each particular manufacturer. We hope to have a full understanding of the impact of these attacks and of the optimal preventative measures in the near future.
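The two countermeasures named above, validity checking of the decimalisation table and intrusion detection, as an added example that is not part of the paper and not any vendor's code. It assumes the standard IBM 3624-style table 0123456789012345, a hypothetical monitor that sees (account, table) pairs from PIN-verify requests, and constructed sample requests.

```python
"""Validity checks and anomaly detection for decimalisation tables seen in
PIN-verify requests to an HSM. Added example; not from the paper or a vendor."""
from __future__ import annotations
from collections import defaultdict

# The table a 3624-style PIN scheme normally uses: hex digit i -> decimal digit
STANDARD_TABLE = "0123456789012345"


def check_table(table: str) -> list[str]:
    """Return the problems found with a decimalisation table (empty == accepted).
    Malformed tables are rejected outright; any deviation from the standard
    table is flagged, since the attack works by submitting altered tables."""
    problems = []
    if len(table) != 16:
        problems.append(f"length {len(table)} != 16")
        return problems
    if not all(c in "0123456789" for c in table):
        problems.append("non-decimal entry")
    diff = [i for i, (a, b) in enumerate(zip(table, STANDARD_TABLE)) if a != b]
    if diff:
        problems.append(f"differs from standard table at positions {diff}")
    return problems


def flag_table_variation(requests, threshold: int = 2) -> dict[str, int]:
    """Intrusion-detection side: count distinct decimalisation tables used
    per account. The attack needs repeated verifications of one account with
    differing tables, so a count at or above the threshold is suspicious even
    when a site cannot reject non-standard tables for compatibility reasons."""
    tables = defaultdict(set)
    for acct, table in requests:
        tables[acct].add(table)
    return {acct: len(t) for acct, t in tables.items() if len(t) >= threshold}


# Constructed sample (account, table) pairs as the hypothetical monitor would
# see them. The first account is probed with tables in which one digit's
# mapping has been altered; the others use the standard table.
SAMPLE_REQUESTS = [
    ("4000000000000001", "0123456789012345"),
    ("4000000000000001", "1123456789112345"),  # every 0 mapped to 1
    ("4000000000000001", "0223456789022345"),  # every 1 mapped to 2
    ("4000000000000002", "0123456789012345"),
    ("4000000000000003", "0123456789012345"),
]
```

`check_table` is the cheap per-request check; `flag_table_variation` is the fallback for deployments that must keep accepting non-standard tables.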

Although HSMs have existed for two decades, formal study of their security APIs is still in its infancy. Previous work by one of the authors [5, 4] has uncovered a whole host of diverse flaws in APIs, some at the protocol level, some exploiting properties of the underlying crypto algorithms, and some exploiting poor design of procedural controls. The techniques behind the decimalisation table attacks do not just add another string to the bow of the attacker - they further confirm that designing security APIs is one of the toughest challenges facing the security community. It is hard to see how any one methodology for gaining assurance of correctness can provide worthwhile guarantees, given the diversity of attacks at the API level. More research is needed into methods for API analysis, but for the time being we may have to concede that writing correct API specifications is as hard as writing correct code, and enter the traditional arms race between attack and defence that so many software products have to fight.

Acknowledgements

We would like to thank Richard Clayton and Ross Anderson for their helpful contributions and advice. Mike Bond was able to conduct the research thanks to the funding received from the UK Engineering and Physical Research Council (EPSRC) and Marconi plc. Piotr Zieliński was supported by a Cambridge Overseas Trust Scholarship combined with an ORS Award, as well as by a Thaddeus Mann Studentship from Trinity Hall College.

References

[1] R. Anderson: Why Cryptosystems Fail. Communications of the ACM, 37(11), pp 32-40 (Nov 1994)

[2] R. Anderson: The Correctness of Crypto Transaction Sets. Proc. Cambridge Security Protocols Workshop 2000, LNCS 2133, Springer-Verlag, pp 125-127 (2000)

[3] A. Biryukov, A. Shamir, D. Wagner: Real Time Cryptanalysis of A5/1 on a PC. Proceedings of Fast Software Encryption 2000

[4] M. Bond, R. Anderson: API-Level Attacks on Embedded Systems. IEEE Computer Magazine, October 2001, pp 67-75

[5] M. Bond: Attacks on Cryptoprocessor Transaction Sets. Proc. Workshop Cryptographic Hardware and Embedded Systems (CHES 2001), LNCS 2162, Springer-Verlag, pp 220-234 (2001)

[6] IBM Inc.: IBM 4758 PCI Cryptographic Coprocessor CCA Basic Services Reference and Guide for the IBM 4758-001, Release 1.31. IBM, Armonk, N.Y. (1999)
