Understanding Security APIs - CrySyS Lab
Contents

1 Introduction 12
  1.1 How to Read this Thesis 13
  1.2 Schedule of Work 14

2 Origins of Security APIs 17
  2.1 Beginnings 17
  2.2 The 'Killer App' 18
  2.3 The Present 19
  2.4 Key Dates 20

3 Origins of Security API Attacks 21
  3.1 Early Security API Failures 21
  3.2 A Second Look at the Visa Security Module 22
    3.2.1 XOR to Null Key Attack 23
    3.2.2 Type System Attack 24
  3.3 Development of the Attack Toolkit 26
    3.3.1 Meet-in-the-Middle Attack 26
    3.3.2 3DES Key Binding Attack 27
    3.3.3 Decimalisation Table Attack 28
  3.4 Attacks on Modern APIs 29

4 Applications of Security APIs 30
  4.1 Automated Teller Machine Security 30
    4.1.1 Targets of Attack 31
    4.1.2 Threat Model 32
  4.2 Electronic Payment Schemes 33