May 7, 2020

ANSSI TLS recommendations v1.2 in Cryptosense Discovery

Our cryptography service discovery site discovery.cryptosense.com detects servers under a given domain name and runs SSH and TLS scanners against each of them. The results are checked against best practices carefully defined by Cryptosense. You can also choose to check your results against other widely known standards: ECRYPT and NIST.

March 30, 2015

PKCS#11 Compliance Testing: Caml Crush

For the next instalment in our compliance testing series, we interviewed the creators of Caml Crush, an open source PKCS#11 project. Caml Crush is a filtering proxy that sits between a PKCS#11 device and the calling application. In addition to its client/server architecture, which can be local or remote, Caml Crush can apply filters that address some of the major security issues affecting PKCS#11 interfaces. We take a look at how it works and how it affects the Compliance Checker results on a device.

The developers of Caml Crush (Ryad Benadjila, Thomas Calderon, and Marion Daubignard at the ANSSI) agree that “The PKCS#11 standard is not easy to use”, so how does Caml Crush help?

The filter

The filter that Caml Crush provides means that you can add restrictions and regulations to the commands or mechanisms that the device uses. For example, the filter can be configured to prevent the use of single-DES encryption and other insecure mechanisms. Other possibilities include segregating certain mechanisms or commands between the Security Officer and the User. To test the security of their filter configurations, the ANSSI team used Cryptosense Analyzer. A full description of their results appeared in a recent paper at the CARDIS conference. Upcoming packaged versions of Caml Crush for Fedora and Debian will ship with a “secure by default” configuration.
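As an added illustration (not Caml Crush code, which is written in OCaml and driven by its own configuration), the following C model shows the idea of a mechanism filter in front of a token. The `proxy_*` and `token_*` names and the stand-in token are hypothetical; the `CKM_`/`CKR_` values are those of the PKCS#11 headers.

```c
#include <stddef.h>
#include <stdio.h>
typedef unsigned long CK_RV;
typedef unsigned long CK_MECHANISM_TYPE;

/* Values as defined in the PKCS#11 header pkcs11t.h. */
#define CKR_OK                0x00000000UL
#define CKR_MECHANISM_INVALID 0x00000070UL
#define CKM_RSA_PKCS_OAEP     0x00000009UL
#define CKM_DES_ECB           0x00000121UL
#define CKM_DES_CBC           0x00000122UL
#define CKM_AES_CBC           0x00001082UL

/* Constructed stand-in for the token behind the proxy: it accepts everything. */
static const CK_MECHANISM_TYPE token_mechs[] = {
    CKM_RSA_PKCS_OAEP, CKM_DES_ECB, CKM_DES_CBC, CKM_AES_CBC };
static CK_RV token_encrypt_init(CK_MECHANISM_TYPE m) { (void)m; return CKR_OK; }

/* Hypothetical filter policy: single-DES mechanisms are forbidden. */
static const CK_MECHANISM_TYPE forbidden[] = { CKM_DES_ECB, CKM_DES_CBC };

static int is_forbidden(CK_MECHANISM_TYPE m) {
    for (size_t i = 0; i < sizeof forbidden / sizeof forbidden[0]; i++)
        if (forbidden[i] == m) return 1;
    return 0;
}

/* Proxy view of C_GetMechanismList: forbidden entries are hidden.
   Returns the number of mechanisms written to out (at most cap). */
size_t proxy_mechanism_list(CK_MECHANISM_TYPE *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < sizeof token_mechs / sizeof token_mechs[0]; i++)
        if (!is_forbidden(token_mechs[i]) && n < cap)
            out[n++] = token_mechs[i];
    return n;
}

/* Proxy view of C_EncryptInit: the check is repeated here because a caller
   can request a mechanism that it never saw in the filtered list. */
CK_RV proxy_encrypt_init(CK_MECHANISM_TYPE m) {
    if (is_forbidden(m)) return CKR_MECHANISM_INVALID;
    return token_encrypt_init(m);
}

int main(void) {
    CK_MECHANISM_TYPE list[8];
    printf("%zu visible, DES_CBC -> 0x%lx\n",
           proxy_mechanism_list(list, 8), proxy_encrypt_init(CKM_DES_CBC));
    return 0;
}
```

Filtering only the advertised list would not be enough: the second check is what stops a caller that names a forbidden mechanism directly.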

If the underlying PKCS#11 implementation has compliance errors, the filter won’t necessarily patch them. Our tests using our compliance checker with the filter and Opencryptoki bear this out. However, Caml Crush has an embedded plugin system which could be leveraged to address this.

Implementation advice

The producers of Caml Crush advise anyone implementing a PKCS#11 interface to “pay attention to all the footnotes – especially table 15”, as this can make the difference between a secure and a non-secure implementation. There are more than 200 footnotes in the standard.

Other ANSSI PKCS#11 Projects

Recently released on GitHub, the opkcs11-tool provides handy low-level tools for working with PKCS#11 devices. It offers some functionality unavailable in other similar open source tools, such as elliptic curve key generation, fine-grained management of object attributes, and the PSS and OAEP schemes.

Summary

The Caml Crush filter does a great job of adding an extra level of security to a device. To configure it to suit your application and key-management, the Cryptosense toolsuite is ideal.

If you would like your PKCS#11 project included in our series, get in touch.

