The PKCS#11 interface for cryptographic modules should be able to provide services without giving its users access to the raw values of the cryptographic keys. In practice, however, both the design and existing implementations have various problems and inconsistencies that allow extraction of the key data.
- Study the PKCS#11 interface standard, focusing on key protection facilities available in various versions
- Familiarize yourself with existing attacks and existing tools for automatic implementation verification (e.g. Tookan)
- Write an open-source tool that performs an automated analysis of a PKCS#11 implementation to find ways to extract the key data; use it to validate the NSS “software token” and perhaps other open-source implementations of PKCS#11
- If relevant, suggest and implement improvements to the tested PKCS#11 implementations to mitigate the discovered attacks
- If relevant, suggest and prototype improvements to the PKCS#11 standard to mitigate the discovered attacks