Understanding Security APIs - CrySyS Lab
an input that could be specified by the user. If a normal PIN verification command
failed, it discounted a single possibility – the incorrect guess at the PIN. However,
if the decimalisation table was modified, much more information could be learnt.
For example, if the user entered a trial PIN of 0000, and a decimalisation table
of all zeroes, with a single 1 in the 7 position – 0000000100000000 – then if the
verification succeeded the user could deduce that the PIN did not contain the digit
7. Zielinski optimised the author’s original algorithm, revealing that PINs could be
determined with an average of 15 guesses [10].
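
The following model is an added example, not code from the thesis or from any HSM vendor. It reproduces the single query quoted above and counts how many 4-digit PINs remain possible afterwards, compared with an ordinary failed guess. The names, the constructed intermediate SECRET_HEX, the default table value and the table-pinning check in verify_pin_pinned are assumptions made for illustration; a real device derives the intermediate by encrypting the account number internally.

```python
from itertools import product

DEFAULT_TABLE = "0123456789012345"  # assumed provisioned table: hex digit -> decimal
PROBE_TABLE_7 = "0000000100000000"  # the modified table quoted in the text
SECRET_HEX = "3A4F"                 # constructed intermediate, for illustration only


def decimalise(hex_digits, table):
    """Map each hex digit through a 16-entry decimalisation table."""
    if len(table) != 16 or not set(table) <= set("0123456789"):
        raise ValueError("table must be 16 decimal digits")
    return "".join(table[int(h, 16)] for h in hex_digits)


def verify_pin(hex_intermediate, trial_pin, table):
    """Weak design: the caller supplies the table for each verification."""
    return decimalise(hex_intermediate, table) == trial_pin


def verify_pin_pinned(hex_intermediate, trial_pin, table):
    """Hardened variant (assumed mitigation): accept only the provisioned table."""
    if table != DEFAULT_TABLE:
        raise PermissionError("decimalisation table rejected")
    return verify_pin(hex_intermediate, trial_pin, table)


def pins_consistent(trial_pin, table, observed):
    """Count 4-digit PINs that would produce the observed result for this query.

    Under DEFAULT_TABLE only hex digit 7 yields PIN digit 7, so a PIN can stand
    in for its own hex intermediate when evaluating PROBE_TABLE_7.
    """
    return sum(
        verify_pin("".join(p), trial_pin, table) == observed
        for p in product("0123456789", repeat=4)
    )


if __name__ == "__main__":
    print("true PIN:", decimalise(SECRET_HEX, DEFAULT_TABLE))
    print("left after honest wrong guess:",
          pins_consistent("0000", DEFAULT_TABLE, False))
    result = verify_pin(SECRET_HEX, "0000", PROBE_TABLE_7)
    print("modified-table query succeeded:", result)
    print("left after modified-table query:",
          pins_consistent("0000", PROBE_TABLE_7, result))
```

An ordinary failed guess leaves 9999 candidates, while the one modified-table query leaves 6561 or 3439 depending on its outcome; the pinned variant refuses the query outright.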

3.4 Attacks on Modern APIs

Many of today’s Security APIs have been discovered to be vulnerable to the same
or similar techniques as those described in this chapter. However, there are some
more modern API designs which bear less resemblance to those used in financial
security applications. In particular, the main issues relating to the security of PKI
hardware security modules are authorisation and trusted path. These issues have
only very recently been explored, and there have been no concrete attacks published.
Chapter 8 includes a discussion of the issues of authorisation and trusted path, and
describes several hypothetical attacks.

Finally, if the reader is already thoroughly familiar with the attacks described in
this chapter, attention should be drawn to several brand new Security API attacks
which have been outlined in section 7.3.12, which were developed by the author as
a result of analysis of nCipher’s payShield API.