Graham Steel from Cryptosense (http://cryptosense.com) concluded Day 1 of Real World Crypto yesterday with a short talk of the state of APIs as of the end of 2014. It is well known that standardisation is a lengthy (and sometimes painful) process and the story is no different for APIs. An infamous example, which served as the main content of Graham's talk, is PKCS#11 which describes 'Cryptoki', a key management API that is widely used in practice and typically interacts with a Hardware Security Module or some kind of security token. Like the other PKCS (Public Key Cryptography Standards) documents, PKCS#11 was originally written by RSA Labs. Until very recently, the latest edition dated back to 2004! Sadly, this is not because it was a flawless standard that had stood the test of time. Instead, the key management aspects of Cryptoki have been attacked in various ingenious ways (in particular, using key wrapping to export and reimport a key with new attributes that contradict what it was supposed to be used for), including in work by Graham himself, and no one seems to be sure about how such attacks can be prevented without sacrificing a great deal of useful functionality.
The slight silver lining on this black cloud is that OASIS (Organisation for the Advancement of Structured Information Standards, https://www.oasis-open.org) has taken up the mantle of improving PKCS#11 and version 2.4 of the standard was approved in December 2014. Their writing process is highly open with the whole development of the new standard described on their website, which is great to hear. Graham himself worked on the new document and reassured the audience yesterday that lots of old, bad cryptographic algorithms have been removed and new useful algorithms like CMAC and GMAC are now supported. Unfortunately though, key management is still a problem. This is both exciting and worrying for me in particular as finding a way to do secure key management is a pretty good description of my PhD project. It's exciting that there's plenty of new work to do but worrying that lots of very smart people have tried to do it for many years and found little success.
So to summarise: standardisation of APIs has had a bit of a boost in the last year which is good news, but there are still big open problems in key management to inspire/terrify PhD students like me.
Post a Comment