The Hazards of Security API Design

Advanced Programming Specialist Group event

Thursday 10 January 2002, 6.00pm

Sun Microsystems, Regis House, 45 King William Street, London EC4. The nearest underground stations are Bank and Cannon Street.

Mike Bond, Cambridge University.

Designing an API is hard to get right first time. The designer needs an understanding of what services are to be provided to the user, for what purpose these services will be used, and how this interaction will change and grow in the future.

Designing a Security API is even harder: the intended user can be the enemy. He may try to undermine or subvert the architecture to extract sensitive information which should only be accessible via the API, or to manipulate sensitive information in ways which the designer did not intend.

This talk explores the security APIs presented by tamper-resistant microprocessors which perform cryptographic operations - "cryptoprocessors". These are used in applications such as ATM cash machines, pre-payment electricity meters, and Pay-TV.

When the attacker is considered so capable that physical attacks on the processor are guarded against, equal attention should be paid to the design of the API. However, in practice, designers do not pay enough attention to the API.

The speaker will demonstrate attacks on the APIs of banking cryptoprocessors including the 'IBM 4758 CCA', and the 'Visa Security Module', and also an attack which compromises all secret information stored in a pre-payment metering module made by PRISM.

The speaker argues that the experiences gained from understanding how to design security APIs resistant to these harsh situations are applicable to all security APIs, from the home to the battlefield.

I intend to make the talk as accessible as possible and no specialist knowledge is needed in order to understand the material. However, if you wish to get a preview of this area then see "API-Level Attacks on Embedded Systems", Mike Bond & Ross Anderson, IEEE Computer Magazine, October 2001.

Admission is free, BUT PRE-REGISTRATION IS ESSENTIAL. E-mail your name to Dr Frank A. Martin.

CPD Value: Half unit

The Slides of this presentation can be viewed at -