Mike Bond
University of Cambridge - Computer Laboratory

Email : Mike.Bond@cl.cam.ac.uk


Phone : +44 (0)1223 7-63571
Mobile: +44 (0)7890 171913
Fax : +44 (0)1223 3-34678

"The only way to understand the wheel is to reinvent it."
-- Me (I think!)


Home   Research   Resources   Phantom


Research - Overview, Publications and Seminars

My research is all about "Understanding Security APIs". I am concerned with learning how to defeat, design, analyse and verify any sort of Security API. You can find a list of my publications, seminars, and a whole load of technical details and resources further down the page. Most of the APIs I am examining belong to cryptoprocessors. Cryptoprocessors are tamper-resistant processors first conceived by banks and the military to protect sensitive information from physical attack - the big brothers of tamper-resistant smartcards. Cryptoprocessors are rapidly becoming more widespread, as corporations start using them to protect their PKIs, and manufacturers are examining how they can be used to enforce accessory control and new marketing models. I am currently exploring how existing APIs can be defeated purely by using the constituent commands in unexpected ways or sequences.

Jolyon Clulow's Msc thesis - "The Design and Analysis of Cryptographic APIs for Security Devices"(1.6MB), available at http://home.icon.co.za/~clulow may be of interest to those looking at PIN processing API attacks. Jolyon is now a member of the Computer Security group, and his website is here.

If you are here following up IBM's CCA relase - Version 2.41, then head for a brief comment upon the fixes. Full information on the November '01 media coverage of my work with Richard Clayton on banking security and DES cracking hardware is at http://www.cl.cam.ac.uk/~rnc1/descrack. Check out my media page as well.



Publications Quick Find

On the Security of the EMV Secure Messaging APIApr 2007PDF File (375k)
Boom! Headshot!Oct 2006PDF File (176k)
A Pact with the DevilAugust 2006PDF File (118k)
Integrity of Intention
(A Theory of Types for Security APIs)
May 2006PDF File (168k)
A Note on EMV Secure Messaging in the IBM 4758 CCAMar 2006PDF File (188k)
The Man-in-the-Middle DefenceMar 2006PDF File (65k)
Phish and ChipsMar 2006PDF File (196k)
Laser-printed PIN Mailer Vulnerability ReportJul 2005PDF File (750k)
The Dining FreemasonsApril 2005PDF File (95k)
Cryptographic Processors -- A SurveyApril 2005PDF File (450k)
Encrypted? Randomised? Compromised?
(When Cryptographically Secured Data is Not Secure)
July 2004PDF File (137k)
Extending Security Protocols Analysis : New ChallengesJuly 2004PDF File (150k)
Understanding Security APIsJune 2004PDF File (1.8MB)
Unwrapping the ChrysalisJune 2004PDF File (150k)
Decimalisation Table Attacks for PIN CrackingFeb 2003PDF File (132k)
Protocol Analysis, Composability and ComputationJan 2003PDF File (50k)
Experience Using a Low-Cost FPGA Design to Crack DES KeysAugust 2002PDF File (166k)
API Level Attacks on Embedded SystemsMay 2001PDF File (126k)
Attacks on Cryptoprocessor Transactions SetsFeb 2001PDF File (140k)
A Chosen Key Difference Attack on Control VectorsNov 2000PDF File (17k)
IBM Comment on 'A Chosen Key Difference Attack on Control Vectors'Jan 2001PDF File (32k)


Full Publications List with Abstracts

  • Laser-printed PIN Mailer Vulnerability Report
    Jul 2005, jointly with Steven Murdoch and Jolyon Clulow

    Abstract
    Tamper-evident laser-printed PIN mailers are used by many institutions to issue PINs and other secrets to individuals in a secure manner. Such mailers are created by printing the PIN using a normal laser, but on to special stationery and using a special font. The background of the stationery disguises the PIN so that it cannot be read with the naked eye without tampering. We show that currently deployed PIN mailer technology (used by the major UK banks) is vulnerable to trivial attacks that reveal the PIN without tampering. We describe image processing attacks, where a colour difference between the toner and the stationary masking pattern is exploited. We also describe angled light attacks, where the reflective properties of the toner and stationery are exploited to allow the naked eye to separate the PIN from the backing pattern. All laser-printed mailers examined so far have been shown insecure.

    Download this paper as a PDF file (750k)


  • The Dining Freemasons
    21st April 2005, jointly with George Danezis,
    International Security Protocols Workshop, Cambridge UK


    Abstract
    We continue the popular theme of offline security by considering how computer security might be applied to the challenges presented in running a secret society. We discuss membership testing problems and solutions, set in the context of security authentication protocols, and present new building blocks which could be used to generate secret society protocols more robustly and generically, including the lie channel and the compulsory arbitrary decision model.

    Download this paper as a PDF file (95k)


  • Cryptographic Processors -- A Survey
    April 2005, jointly with Ross Anderson, Jolyon Clulow, Sergei Skorobogatov
    IEEE Special Issue (to appear)


    Abstract
    Tamper-resistant cryptographic processors are becoming the standard way to enforce data-usage policies. Their history began with military cipher machines, and hardware security modules used to authenticate themselves to ATMs. In both cases, the designers wanted to prevent abuse of data and key material should a device fall into the wrong hands. From these specialist beginnings, cryptoprocessors spread into devices such as prepayment electricity meters, and the vending machines that sell credit for them. In the 90s, tamper-resistant smartcards became integral to GSM mobile phone indentification and to key management in pay-TV set-top boxes, while secure microcontrollers were used in remote key entry devices for cars. In the last five years, dedicated crypto chips have been embedded in devices from games consoles accessories to printer ink cartridges, to control product and accessory aftermarkets. The "Trusted Computing" initiative will soon embed cryptoprocessors in PCs so that they can identify each other remotely. This paper surveys the range of applications of tamper-resistant hardware, and the array of attack and defence mechanisms which have evolved in the tamper-resistance arms race.

    Download this paper as a PDF file (450k)


  • Encrypted? Randomised? Compromised? (When Cryptographically Secured Data is Not Secure)
    6th July 2004, jointly with Jolyon Clulow
    Cryptographic Algorithms and Their Uses, Eracom Workshop 2004, Queensland Australia


    Abstract
    Protecting data is not simply a case of encrypt and forget: even data with full cryptographic confidentiality and integrity protection can still be subject to information leakage. We consider the issue of information leakage through side channels in protocols. Previous work by Bond and Clulow identifed multiple vulnerabilities in APIs for financial PIN processing systems, and suggested remedies; however our work here shows that the fixes do not work, and that the problem of information leakage in these APIs has still not been adequately addressed. We argue that information flow and leakage analysis will play an important role in the security of encrypted databases in the future.

    Download this paper as a PDF file (137k)


  • Extending Security Protocols Analysis : New Challenges
    4th July 2004, jointly with Jolyon Clulow
    Automated Reasoning and Security Protocols Analysis 2004, Cork, Ireland


    Abstract
    We argue that formal analysis tools for security protocols are not achieving their full potential, and give only limited aid to designers of more complex modern protocols, protocols in constrained environments, and security APIs. We believe that typical assumptions such as perfect encryption can and must be relaxed, while other threats, including the partial leakage of information, must be considered if formal tools are to continue to be useful and gain widespread, real world utilisation. Using simple example protocols, we illustrate a number of attacks that are vital to avoid in security API design, but that have yet to be modelled using a formal analysis tool. We seek to extract the basic ideas behind these attacks and package them into a wish list of functionality for future research and tool development.

    Download this paper as a PDF file (150k)


  • Understanding Security APIs
    1st June 2004, Phd Thesis
    University of Cambridge Computer Laboratory


    Abstract
    This thesis introduces the newly-born field of Security API research, and lays the foundations for future analysis, study, and construction of APIs. Security APIs use cryptography to enforce a security policy on the users of the API, governing the way in which they manipulate sensitive data and key material. The thesis begins examining the origins and history of Security APIs, and that of HSMs -- tamper-resistant cryptographic processors which implement the APIs. The key contribution is a catalogue of new attacks and attack techniques for Security APIs, including both historic attacks and new unpublished work. The thesis goes on to provide a body of advice for Security API design, consisting of heuristics and discussions of key issues, including those most pertinent to modern HSMs such as authorisation and trusted paths. The advice is linked in with the cautionary tales of Security API failures from the previous chapters. As the thesis is opening a new field of academic research, its main objective is to build understanding about Security APIs.

    Download core chapter 3 "Origins of Security API Attacks", and 7 and 10 as PDF file (700k)

    Download the entire thesis as a PDF file (1.8MB)

    Disclaimer: This thesis was produced to satisfy an examination committee, rather than directly for peers, and as such, the material may not be optimally presented for purposes of future research and industrial interaction. In due course I hope to release a new slightly improved version. The fundamental content will remain the same of course!


  • Unwrapping the Chrysalis
    1st June 2004, jointly with Steven Murdoch and Daniel Cvrcek
    Computer Laboratory Technical Report TR-592


    Abstract
    We describe our experiences reverse engineering the Chrysalis- TS Luna CA3 - a PKCS#11 compliant cryptographic token. Emissions analysis and security API attacks are viewed by many to be simpler and more efficient than a direct attack on an HSM. But how difficult is it to actually "go in the front door"? We describe how we unpicked the CA3 internal architecture and abused its low-level API impersonate a CA3 token in its cloning protocol - and extract PKCS#11 private keys in the clear. We quantify the effort involved in developing and applying the skills necessary for such a reverse-engineering attack. In the process, we discover that the Luna CA3 has far more undocumented code and functionality than is revealed to the end-user, and discuss the impact of this on the security of the token.

    Download this paper as a PDF file (345k). (Sample code also available here).


  • Decimalisation Table Attacks for PIN Cracking
    February 2003, jointly with Piotr Zielinski
    a Computer Laboratory Technical Report


    Abstract
    We present an attack on hardware security modules used by retail banks for the secure storage and verification of customer PINs in ATM (cash machine) infrastructures. By using adaptive decimalisation tables and guesses, the maximum amount of information is learnt about the true PIN upon each guess. It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended. In a single 30 minute lunch-break, an attacker can thus discover approximately 7000 PINs rather than 24 with the brute force method. With a 300 withdrawal limit per card, the potential bounty is raised from 7200 to 2.1 million and a single motivated attacker could withdraw 30-50 thousand of this each day. This attack thus presents a serious threat to bank security.

    Download this paper as a PDF file (132k)


  • Protocol Analysis, Composability and Computation
    January 2003, jointly with Ross Anderson
    A short paper for "Computer Systems : Papers for Roger Needham"


    Download the paper as an HTML page (~50k)


  • Experience Using a Low-Cost FPGA Design to Crack DES Keys
    1st August 2002, jointly with Richard Clayton
    Presented at CHES 2002 Workshop in San Francisco


    Abstract
    This paper describes the authors' experiences attacking the IBM 4758 CCA, used in retail banking to protect the ATM infrastructure. One of the authors had previously proposed a theoretical attack to extract DES keys from the system, but it failed to take account of real-world banking security practice. We developed a practical scheme that collected the necessary data in a single 10-minute session. Risk of discovery by intrusion detection systems made it necessary to complete the key "cracking" part of the attack within a few days, so a hardware DES cracker was implemented on a US$995 off-the-shelf FPGA development board. This gave a 20-fold increase in key testing speed over the use of a standard 800 MHz PC. The attack was not only successful in its aims, but also shed new light on the protocol vulnerabilities being exploited. In addition, the FPGA development led to a fresh way of demonstrating the non-randomness of some of the DES S-boxes and indicated when pipelining can be a more effective technique than replication of processing blocks. The wide range of insights we obtained demonstrates that there can be significant value in implementing attacks "for real".

    Download this paper as a PDF file (166k)


  • API Level Attacks on Embedded Systems
    2nd May 2001, jointly with Ross Anderson
    IEEE Computer Magazine Oct 2001 p67-75


    Abstract
    A whole new family of attacks has recently been discovered on the application programming interfaces (APIs) used by security processors. These extend and generalise a number of attacks already known on authentication protocols. The basic idea is that by presenting valid com- mands to the security processor, but in an unexpected sequence, it is possible to obtain results that break the security policy envisioned by its designer. Such attacks are economically important, as security processors are used to support a wide range of services, from automatic teller machines through pay-TV to prepayment utility metering. Designing APIs that resist such attacks is difficult, as a typical security processor needs a substantial command set with several dozen commands that allow it to service a number of external and internal protocols. The attacks are also scientifically interesting; preventing them may become an important new application area for formal methods and design verification tools generally.

    Download an earlier version of this paper as a PDF file (126k)


  • Attacks on Cryptoprocessor Transactions Sets
    31st January 2001 , Presented at the CHES 2001 Workshop in Paris
    http://www.chesworkshop.org

    Abstract
    Attacks are presented on the IBM 4758 CCA (the first ever security module to have achieved all round FIPS140-1 Level 4 certification) and the Visa Security Module. Two new attack principles are demonstrated. Related key attacks use known or chosen differences between two cryptographic keys. Data protected with one key can then be abused by manipulation using the other key. Meet in the middle attacks work by generating a large number of unknown keys of the same type, thus reducing the key space that must be searched to discover the value of one of the keys in the type. Design heuristics are presented to avoid these attacks and other common errors.

    Download this paper as a PDF file (140k)


  • A Chosen Key Difference Attack on Control Vectors
    1st November 2000 , Unpublished

  • Abstract
    An attack on the implementation of control vectors in the IBM Common Cryptographic Architecture is presented. The final key part holder in a multiple part import introduces two key encrypting keys (KEKs), one the intended key and one with a chosen difference from the former, by including this difference in his own key part. When this difference is set to the difference between two control vectors, keys originally encrypted with the former KEK can be cast to a new type by importing them under the latter KEK. Thus unauthorised type casts can be made from an arbitrary source type to any destination type the attacker has permission to use.

    Download this paper as a PDF file (17k)


  • IBM Comment on 'A Chosen Key Difference Attack on Control Vectors'
    16th January 2001 , IBM's Response to my first (unpublished) paper

    Download this paper as a PDF file (32k)


Seminars

  • Attacks on Cryptoprocessor Transactions Sets
    13th February 2001 , Security Group Seminar
    Computer Laboratory, University of Cambridge

    25th April 2001 at COSIC , Katholieke Universitat Leuven

    13th May 2001 at CHES Workshop, Paris

    Download the slides as a PDF file (448k)


  • A Low-cost Hardware Birthday Attack on DES
    5th June 2001 , Security Group Seminar
    Computer Laboratory, University of Cambridge
    (jointly with Richard Clayton)

    Download the slides as a PDF file (150k)


  • First Steps in Cryptoprocessor API Analysis
    24th September 2001 , Dagstuhl Seminar
    "Specification and Verification of Secure Cryptographic Protocols"
    workshop, Schloss Dagstuhl, Germany

    Slides to follow shortly


  • A Practical Covert-Channel Attack on a
    Windows Content Protection Product
    19th October 2001 , Security Group Meeting
    Computer Laboratory, University of Cambridge

    Slides to follow shortly


  • The Benefits and Pitfalls of Cryptographic Hardware
    28th January 2002 , Information Security Forum 2002
    A conference presentation given to the Information Security Forum 2002,
    Four Seasons Hotel, Canary Wharf, London

    Download the slides as a PDF file (241k)


  • The Hazards of Security API Design
    10th January 2002 , BCS Advanced Programming Seminar
    British Computer Society Advanced Programming Specialist Group, London

    Download the slides as a PDF file (900k)


  • Using Low-cost Cryptographic Hardware to "Rob a Bank"
    7th February 2002 , MCS School, Oxford
    Magdalene College School, Oxford

    Download the slides as a PDF file (839k)


  • Careers in Computer Science
    24th April 2002 , King's School, Bruton
    King's School, Bruton, Somerset

    Slides to follow...


  • Experience Using a Low-Cost FPGA to Crack DES Keys
    15th August 2002 , CHES Workshop, 2002
    CHES Workshop, 2002, Redwood City, San Francisco

    Slides to follow...


  • The Hazards of Security API Design : Special Edition
    19th August 2002 , TJ Watson Research Labs, IBM
    Given to the Security PIC at IBM TJ Watson Research Labs, Hawthorne NY

    Slides to follow...


  • Hardware Security Modules : Benefits and Pitfalls
    4th October 2002 , EEMA ISSE 2002, Eurodisney
    EEMA Information Security Solutions Europe conference, Eurodisney, 2002

    Slides to follow...


  • Model Checking Cryptoprocessors : "Why I like the British Museum"
    12th November 2002 , Security Group Seminar
    Computer Laboratory, University of Cambridge

    Download the slides as a PDF file (1.4MB). Download a real audio file of the talk (warning: not the best sound quality!) here (6.3MB).


  • "How to Rob a Bank"
    10th December 2002 , Emmanuel College MCR Seminar
    Emmanuel College, University of Cambridge

    Slides might follow...


  • "How to avoid a proper job, and still keep busy"
    24th February 2003 , LCE Seminar
    Laboratory for Communications Engineering, University of Cambridge

    Slides might follow...


  • "Differential Protocol Analysis and API-Level Attacks"
    30th April 2003 , Security and Protection of Information
    Brno Exhibition Centre, Brno, Czech Republic

    Slides might follow...


  • "Security APIs - Digital Battlefields"
    4th November 2003 , Information Security Group, University of Bristol
    Merchant Venturer Building, University of Bristol

    Download the slides as a PDF file (1.7MB)


  • "A Monster Emerges from the Chrysalis"
    10th February 2004 , Security Group Seminar
    Computer Laboratory, University of Cambridge

    Download the slides as a PDF file (2.3M)
    Also read a draft version of a tech report here, and view associated source here.

  • "From Cryptography to Robbery in Three Easy Steps"
    March 2004 , TOC Group Student Seminar
    MIT Laboratory for Computer Science

    Slides available sometime soon.


  • "Security APIs : The last word in ATM security? The first word in TC?"
    11th May 2004 , Royal Holloway ISG Seminar
    Royal Holloway, University of London

    Download the slides as a PDF file (1.6M)



  • "HSMs and Security APIs : Enabling Trusted Computing"
    30th September 2004 , EEMA ISSE 2004, Berlin
    EEMA Information Security Solutions Europe conference, Berlin, 2004

    Download the slides as a PDF file (590k)



  • "Tutorial: Penetrating Secure Hardware"
    3rd May 2005, SPI 2005, Brno, Czech Republic Security and Protection of Information 2005

    Download the slides shortly...



Page created : 22nd November '00
Last update : 16th Oct '06

Mike.Bond@cl.cam.ac.uk