Learn More
Attacks are presented on the IBM 4758 CCA (the first ever security module to have achieved all round FIPS140-1 Level 4 certification) and the Visa Security Module. Two new attack principles are demonstrated. Related key attacks use known or chosen differences between two cryptographic keys. Data protected with one key can then be abused by manipulation(More)
EMV is the dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation. Known to bank customers as “Chip and PIN”, it is used in Europe; it is being introduced in Canada; and there is pressure from banks to introduce it in the USA too. EMV secures credit and debit card transactions by authenticating(More)
— Tamper-resistant cryptographic processors are becoming the standard way to enforce data-usage policies. Their history began with military cipher machines, and hardware security modules used to encrypt the PINs that bank customers use to authenticate themselves to ATMs. In both cases, the designers wanted to prevent abuse of data and key material should a(More)
In this work, we present the first automated analysis of security application programming interfaces (security APIs). In particular, we analyze the API of the IBM 4758 CCA, a hardware security module for banking networks. Adapting techniques from formal analyses of security protocols, we model the API purely according its specification and assuming ideal(More)
EMV, also known as "Chip and PIN", is the leading system for card payments worldwide. It is used throughout Europe and much of Asia, and is starting to be introduced in North America too. Payment cards contain a chip so they can execute an authentication protocol. This protocol requires point-of-sale (POS) terminals or ATMs to generate a nonce, called the(More)
A whole new family of attacks has recently been discovered on the application programming interfaces (APIs) used by security processors. These extend and generalise a number of attacks already known on au-thentication protocols. The basic idea is that by presenting valid commands to the security processor, but in an unexpected sequence, it is possible to(More)
We argue that formal analysis tools for security protocols are not achieving their full potential, and give only limited aid to designers of more complex modern protocols, protocols in constrained environments, and security APIs. We believe that typical assumptions such as perfect encryption can and must be relaxed, while other threats, including the(More)