Master Your Cryptography

Transcription

Master Your Cryptography
Master Your Cryptography
Cryptosense is a powerful testing toolkit that enables developers and
users of cryptographic applications and devices to discover and remediate
vulnerabilities.
Key features
of Cryptosense
technology
Formal Methods technology
The combination of automated
fuzzing, model inference
and model-checking makes
the power of formal analysis
techniques available to
everyone.
Out of the box functionality
Cryptosense Analyzer requires
no configuration to produce
insights into the security of a
PKCS#11 deployment.
Available as a Product or
Service
Cryptosense analysts can
complete a full audit of a
PKCS#11 installation for you
using our toolsuite.
Ongoing monitoring
Once best practice has been
established, Cryptosense
Monitor can be installed to
ensure configurations stay
unchanged and keys remain
secure.
The Difficulty of Detecting Crypto Vulnerabilities
Emerging trends involve deploying systems in potentially hostile
environments such as mobile, cloud and internet of things. Cryptography has
become a core technology for controlling risk in these situations. However,
secure use of cryptography remains a highly specialized skill. Mistakes
in cryptographic implementations often undermine the strong security
guarantees offered.
For example in February 2013, according to an indictment from the US
department of justice in Brooklyn, NY, attackers stole PIN codes from the
ATM network to obtain $45M fraudulently from the Bank of Muscat. This was
despite the use of cryptographic hardware (HSMs) to encrypt the codes at all
times. Even HSMs are subject to bugs, configuration errors, and incorrect use
by their applications.
Identifying such problems is challenging. Static analysis tools are notoriously
bad at finding crypto flaws: in the most recent NIST evaluation (SATE 2013),
even the best performing tool missed 98.3% of flaws in this category.
The Cryptosense Approach
Cryptosense tools use a mixture of fuzzing techniques and formal analysis
to effectively detect security flaws in both hardware and software
implementations of cryptography and the applications that use them.
Vulnerabilities in the PKCS#11 API
PKCS#11 is an open standard for the interface between cryptographic
hardware and applications, with great benefits for interoperability and
avoidance of vendor lock-in. However, its complex, general-purpose
character means it is hard to implement correctly and use securely.
Cryptosense PKCS#11 edition detects bugs in implementations, configuration
errors and vulnerabilities resulting from poor use of the API by applications.
Both key-management and cryptanalytic flaws are covered.
About Cryptosense
Cryptosense’s founders combine more than 40 years experience in research
and industry. Based in Paris, France, Cryptosense provides its security
analysis solutions to an international clientele in particular in the financial,
industrial and government sectors.
© Cryptosense 2015
Cryptosense Methodology
.................................
.................................
.................................
Compliance
Configuration
Test crypto providers (HSMs,
Smartcards, software
libraries) with our Smart API
Fuzzing algorithm. Compare
results to compliance criteria
to detect vulnerabilities
arising from implementation
bugs.
Using model-checking, find
sequences of API command
calls that expose keys or
otherwise violate policy.
Determine the optimal
configuration allowing
applications to access crypto
at minimum risk.
Application Review
Test application calls to
crypto interfaces using
Cryptosense Tracer.
Compare results to secure
key-management and crypto
usage rulebase.
Monitor
Install Cryptosense
Monitor to continuously
check configuration and
key usage. Alerts are sent
if out-of standard HSM
configurations are found.
Reports are produced for
auditors.
Who is Cryptosense for?
Buyers
Builders
• Test HSMs and applications during procurement.
• Optimise deployment to minimize risk.
• Get continuous visibility on security status.
• Find crypto bugs early in the development cycle.
• Avoid cost and reputational damage from crypto errors.
• Integrate in your Secure Development Lifecycle.
Technical Specifications
• Runs on Windows, Mac and Linux - 32 or 64 bit.
• Supports any PKCS#11 compatible device including HSMs and smartcards.
• No need to consult a cloud-based database of vulnerabilities, so can be used in
sensitive internal network environments.
• Ask us about support for other cryptographic APIs.
Contact us
To find out how your organization can use Cryptosense to discover and mitigate unknown vulnerabilities
in cryptography, contact us at [email protected] or go to http://cryptosense.com
© Cryptosense 2015