International Association
for Cryptologic Research

PKCS\\#11 is a very popular cryptographic API: it is the standard used by many Hardware Security Modules, smartcards and software cryptographic tokens. Several attacks have been uncovered against

PKCS\\#11 at different levels: intrinsic logical flaws, cryptographic

vulnerabilities or severe compliance issues. Since affected hardware remains widespread in computer infrastructures, we propose a user-centric and pragmatic approach for secure usage of vulnerable devices.

We introduce \\textit{Caml Crush}, a PKCS\\#11 filtering proxy. Our solution allows to dynamically protect PKCS\\#11 cryptographic tokens from state of the art attacks. This is the first approach that is immediately applicable to commercially available products. We provide a fully functional open source implementation with an extensible filter engine effectively shielding critical resources. This yields additional advantages to using \\textit{Caml Crush} that go beyond classical PKCS\\#11 weakness mitigations.