Key handling with control vectors
IBM Systems Journal - Special issue on cryptology
A key-management scheme based on control vectors
IBM Systems Journal - Special issue on cryptology
Communications of the ACM
On the Reliability of Electronic Payment Systems
IEEE Transactions on Software Engineering
Security Engineering: A Guide to Building Dependable Distributed Systems
Security Engineering: A Guide to Building Dependable Distributed Systems
Robustness Principles for Public Key Protocols
CRYPTO '95 Proceedings of the 15th Annual International Cryptology Conference on Advances in Cryptology
Using Independent Auditors as Intrusion Detection Systems
ICICS '02 Proceedings of the 4th International Conference on Information and Communications Security
Outbound Authentication for Programmable Secure Coprocessors
ESORICS '02 Proceedings of the 7th European Symposium on Research in Computer Security
Fairy Dust, Secrets, and the Real World
IEEE Security and Privacy
Protecting cryptographic keys and computations via virtual secure coprocessing
ACM SIGARCH Computer Architecture News - Special issue: Workshop on architectural support for security and anti-virus (WASSA)
Protecting Client Privacy with Trusted Computing at the Server
IEEE Security and Privacy
Formal analysis of PIN block attacks
Theoretical Computer Science - Automated reasoning for security protocol analysis
Secure FPGA circuits using controlled placement and routing
CODES+ISSS '07 Proceedings of the 5th IEEE/ACM international conference on Hardware/software codesign and system synthesis
A Secure Content Delivery System Based on a Partially Reconfigurable FPGA
IEICE - Transactions on Information and Systems
Proceedings of the 2008 workshop on New security paradigms
Extending Security Protocol Analysis: New Challenges
Electronic Notes in Theoretical Computer Science (ENTCS)
Integrity of intention (a theory of types for security APIs)
Information Security Tech. Report
Prototyping an armored data vault rights management on Big Brother's computer
PET'02 Proceedings of the 2nd international conference on Privacy enhancing technologies
The initial costs and maintenance costs of protocols
Proceedings of the 13th international conference on Security protocols
Formal security analysis of PKCS#11 and proprietary extensions
Journal of Computer Security - 7th International Workshop on Issues in the Theory of Security (WITS'07)
Formal analysis of key integrity in PKCS#11
ARSPA-WITS'10 Proceedings of the 2010 joint conference on Automated reasoning for security protocol analysis and issues in the theory of security
Software security aspects of Java-based mobile phones
Proceedings of the 2011 ACM Symposium on Applied Computing
Security protocol deployment risk
Security'08 Proceedings of the 16th International conference on Security protocols
An introduction to security API analysis
Foundations of security analysis and design VI
One user, many hats; and, sometimes, no hat: towards a secure yet usable PDA
SP'04 Proceedings of the 12th international conference on Security Protocols
The dancing bear: a new way of composing ciphers
SP'04 Proceedings of the 12th international conference on Security Protocols
Deduction with XOR constraints in security API modelling
CADE' 20 Proceedings of the 20th international conference on Automated Deduction
A linux kernel cryptographic framework: decoupling cryptographic keys from applications
Proceedings of the 27th Annual ACM Symposium on Applied Computing
Type-Based analysis of PKCS#11 key management
POST'12 Proceedings of the First international conference on Principles of Security and Trust
Type-based analysis of key management in PKCS#11 cryptographic devices
Journal of Computer Security - Security and Trust Principles
Hi-index | 4.10 |
A growing number of embedded systems use security processors to distribute control, billing, and metering among devices with intermittent or restricted online connectivity. The more obvious examples include smart cards, microcontrollers used as value counters in postal meters and vending machines, and cryptographic processors used in networks of automatic teller machines and point-of-sale equipment to encipher customers' personal identification numbers.Recently, a whole new family of attacks has been discovered on the application programming interfaces these security processors use. These API attacks extend and generalize the known types of attack that target authentication protocols. Such attacks present valid commands to the security processor but in an unexpected sequence, thereby obtaining results that break the security policy its designer envisioned.Designing security APIs is a new research field with significant industrial and scientific importance. The poor design of present interfaces prevents many tamper-resistant processors from achieving their potential and leaves a disappointing dependency on procedural controls驴the design of which involves subtleties likely to exceed the grasp of most implementers.It is unclear that a "generalized" API will work. The natural accretion of functionality presents security with one of its greatest enemies. Yet, getting the API right is relevant for more than just cryptoprocessors. The API is where cryptography, protocols, operating-system access controls, and operating procedures all come together驴or fail to. It truly is a microcosm of the security engineering problem.