Secure your PKCS#11 Deployments

Cryptosense Analyzer software ensures the ongoing security of your PKCS#11 deployments with comprehensive testing and monitoring tools.

Hardware-based cryptography is a core technology for controlling risk in potentially hostile environments such as mobile, cloud and Internet of things. However, choosing, configuring, deploying and securely using a cryptographic device like a Hardware Security Module (HSM) is far from simple. A small mistake in the details can lead to a complete loss of security.

Smart Fuzzing

Our adaptive mutation-based fuzzing engine explores the corner cases of the PKCS#11 standard as implemented in the device under test. The results are passed through more than 140 compliance and vulnerability filters to detect anomalies and weaknesses, including a number of issues that can compromise private keys like CVE-2015-5464 and CVE-2015-6924. This facilitates security testing of vendor equipment before procurement, automated audits, and evaluation of firmware updates and configuration changes.

Our PKCS#11 fuzzer can either be run in full auto mode, or configured at the command line to go deeper on certain configurations of commands. If a crash in the HSM driver is discovered, the fuzzer returns the call required to reproduce the issue. Fuzzing can also be resumed from existing traces to save analysis time.


Vulnerability Types found by Cryptosense Analyzer in PKCS#11 deployments

In HSM Firmware

Despite their FIPS and CC certifications, HSMs contain programming errors just like any other complex system. In 2015, two independent vulnerabilities were found that compromised private keys of certified HSMs (CVE-2015-5464 and CVE-2015-6924). Cryptosense’s smart fuzzing tools detect instances of known vulnerabilities including these and others from the academic literature, as well as performing a PKCS#11 compliance test that can indicate the presence of previously unknown weaknesses.

In PKCS#11 Configuration

It is well known that the PKCS#11 API, if implemented “as is”, does not adequately protect sensitive keys. Typically, real-world deployments involve restricting the operations available in the API to mitigate key-extraction attacks. Cryptosense Analyzer can test a given configuration and determine whether any combination of commands may leak a key, making secure configuration straightforward.

In PKCS#11 Applications

Even if the HSM is bug-free and correctly set up, applications that use the device still have to use cryptography securely. Mistakes like poor algorithm choice, IV mismanagement, absence of key role separation etc. can create vulnerabilities. Cryptosense App Tracer detects these flaws.
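
The configuration and key role separation points above can be illustrated with a small attribute audit. This is an added example, not Cryptosense code or output: the key inventory and rule names are constructed for illustration, the attribute names come from the PKCS#11 standard, and a missing attribute is assumed to be unset.

```python
# Added example: flag secret/private keys whose PKCS#11 attributes break
# role separation or leave the key value readable. Not vendor code.

# Constructed inventory, as it might be collected with C_GetAttributeValue.
SAMPLE_KEYS = [
    {"label": "kek-01", "CKA_CLASS": "CKO_SECRET_KEY", "CKA_SENSITIVE": True,
     "CKA_WRAP": True, "CKA_UNWRAP": True},
    {"label": "data-01", "CKA_CLASS": "CKO_SECRET_KEY", "CKA_SENSITIVE": True,
     "CKA_ENCRYPT": True, "CKA_DECRYPT": True},
    {"label": "legacy-01", "CKA_CLASS": "CKO_SECRET_KEY", "CKA_SENSITIVE": True,
     "CKA_WRAP": True, "CKA_UNWRAP": True,
     "CKA_ENCRYPT": True, "CKA_DECRYPT": True},
    {"label": "import-tmp", "CKA_CLASS": "CKO_SECRET_KEY", "CKA_SENSITIVE": False,
     "CKA_ENCRYPT": True, "CKA_DECRYPT": True},
    {"label": "pub-01", "CKA_CLASS": "CKO_PUBLIC_KEY", "CKA_SENSITIVE": False,
     "CKA_ENCRYPT": True},
]

# Only these object classes hold material that must stay inside the device.
SECRET_CLASSES = {"CKO_SECRET_KEY", "CKO_PRIVATE_KEY"}


def flag(key, name):
    """Return the boolean attribute, treating a missing one as unset (assumption)."""
    return bool(key.get(name, False))


# Rule names are hypothetical labels chosen for this example.
RULES = {
    # Value can be read in the clear through the API.
    "not-sensitive": lambda k: not flag(k, "CKA_SENSITIVE"),
    # One key acts both as a key-encryption key and as a data key.
    "wrap-and-decrypt": lambda k: flag(k, "CKA_WRAP") and flag(k, "CKA_DECRYPT"),
    "encrypt-and-unwrap": lambda k: flag(k, "CKA_ENCRYPT") and flag(k, "CKA_UNWRAP"),
}


def audit(keys):
    """Map each offending key label to the list of rules it violates."""
    findings = {}
    for key in keys:
        if key.get("CKA_CLASS") not in SECRET_CLASSES:
            continue  # public keys and other objects are out of scope here
        hits = [rule for rule, check in RULES.items() if check(key)]
        if hits:
            findings[key["label"]] = hits
    return findings


if __name__ == "__main__":
    for label, hits in audit(SAMPLE_KEYS).items():
        print(f"{label}: {', '.join(hits)}")
```

A per-key check like this covers only static attribute conflicts; it does not reason about sequences of API calls across several keys.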

During Deployment

Good preparatory work can be undone if, in practice, HSMs are incorrectly configured after firmware updates, or if key-management operations leave keys incorrectly set up. Cryptosense Analyzer provides ongoing visibility on HSM security and alerts in the case of out-of-standard configuration. Fuzzing and analysis can be automatically scheduled to give alerts in case of out-of-standard results.


Try a Free 14-day Trial

Cryptosense Analyzer audits your applications and infrastructure to find vulnerabilities and understand your crypto landscape. Use it to optimise bug-fix resources and demonstrate compliance.