Master Your Cryptography
Cryptosense is a powerful testing toolkit that enables developers and users of cryptographic applications and devices to discover and remediate vulnerabilities.

Key features of Cryptosense technology

Formal Methods technology: The combination of automated fuzzing, model inference and model-checking makes the power of formal analysis techniques available to everyone.

Out of the box functionality: Cryptosense Analyzer requires no configuration to produce insights into the security of a PKCS#11 deployment.

Available as a Product or Service: Cryptosense analysts can complete a full audit of a PKCS#11 installation for you using our toolsuite.

Ongoing monitoring: Once best practice has been established, Cryptosense Monitor can be installed to ensure configurations stay unchanged and keys remain secure.

The Difficulty of Detecting Crypto Vulnerabilities

Emerging trends involve deploying systems in potentially hostile environments such as mobile, cloud and the Internet of Things. Cryptography has become a core technology for controlling risk in these situations. However, secure use of cryptography remains a highly specialized skill, and mistakes in cryptographic implementations often undermine the strong security guarantees it offers. For example, in February 2013, according to an indictment from the US Department of Justice in Brooklyn, NY, attackers stole PIN codes from the ATM network to obtain $45M fraudulently from the Bank of Muscat. This was despite the use of cryptographic hardware (HSMs) to encrypt the codes at all times. Even HSMs are subject to bugs, configuration errors, and incorrect use by their applications.

Identifying such problems is challenging. Static analysis tools are notoriously bad at finding crypto flaws: in the most recent NIST evaluation (SATE 2013), even the best performing tool missed 98.3% of flaws in this category.
The Cryptosense Approach

Cryptosense tools use a mixture of fuzzing techniques and formal analysis to effectively detect security flaws in both hardware and software implementations of cryptography and in the applications that use them.

Vulnerabilities in the PKCS#11 API

PKCS#11 is an open standard for the interface between cryptographic hardware and applications, with great benefits for interoperability and avoidance of vendor lock-in. However, its complex, general-purpose character means it is hard to implement correctly and use securely. Cryptosense PKCS#11 edition detects bugs in implementations, configuration errors and vulnerabilities resulting from poor use of the API by applications. Both key-management and cryptanalytic flaws are covered.

About Cryptosense

Cryptosense's founders combine more than 40 years' experience in research and industry. Based in Paris, France, Cryptosense provides its security analysis solutions to an international clientele, in particular in the financial, industrial and government sectors.

© Cryptosense 2015

Cryptosense Methodology

Compliance: Test crypto providers (HSMs, smartcards, software libraries) with our Smart API Fuzzing algorithm. Compare results to compliance criteria to detect vulnerabilities arising from implementation bugs.

Configuration: Using model-checking, find sequences of API command calls that expose keys or otherwise violate policy. Determine the optimal configuration allowing applications to access crypto at minimum risk.

Application Review: Test application calls to crypto interfaces using Cryptosense Tracer. Compare results to a secure key-management and crypto usage rulebase.

Monitor: Install Cryptosense Monitor to continuously check configuration and key usage. Alerts are sent if out-of-standard HSM configurations are found. Reports are produced for auditors.

Who is Cryptosense for?
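The model-checking step of the Configuration phase, as an added illustration rather than Cryptosense's own code: a breadth-first search over an abstract PKCS#11 token model that reports the shortest sequence of API calls exposing the plaintext of a CKA_SENSITIVE key, so the offending attribute template can be corrected. Only C_WrapKey and C_Decrypt are modelled, and the key names and templates are constructed for the example.

```python
from collections import deque

# Real PKCS#11 attribute names; the token model itself is a constructed toy.
WRAP, DECRYPT, EXTRACTABLE, SENSITIVE = "CKA_WRAP", "CKA_DECRYPT", "CKA_EXTRACTABLE", "CKA_SENSITIVE"

def successors(keys, known):
    """Yield (command, new_fact) for every modelled API call enabled in this state.

    `keys` maps key name -> attribute set; `known` is the set of values the
    application has obtained so far: ("enc", w, t) a blob of t wrapped under w,
    ("plain", t) the plaintext value of key t."""
    for w, wattrs in keys.items():
        for t, tattrs in keys.items():
            # C_WrapKey exports t under w when both templates permit it.
            if WRAP in wattrs and EXTRACTABLE in tattrs:
                yield f"C_WrapKey({w}, {t})", ("enc", w, t)
    for fact in known:
        if fact[0] == "enc":
            w, t = fact[1], fact[2]
            # A wrapped blob is just ciphertext: C_Decrypt under the same key recovers it.
            if DECRYPT in keys[w]:
                yield f"C_Decrypt({w}, enc({w},{t}))", ("plain", t)

def violates(keys, known):
    """Policy: the plaintext of a CKA_SENSITIVE key must never leave the token."""
    return [t for kind, *rest in known if kind == "plain" for t in rest if SENSITIVE in keys[t]]

def find_exposure(keys):
    """BFS over reachable knowledge; return the shortest violating trace, or None."""
    start = frozenset()
    queue, seen = deque([(start, [])]), {start}
    while queue:
        known, trace = queue.popleft()
        if violates(keys, known):
            return trace
        for cmd, fact in successors(keys, known):
            nxt = known | {fact}
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [cmd]))
    return None

# Constructed templates: one key encryption key and one sensitive working key.
WEAK_TOKEN = {"kek": {WRAP, DECRYPT}, "pin_key": {SENSITIVE, EXTRACTABLE}}
HARDENED_TOKEN = {"kek": {WRAP}, "pin_key": {SENSITIVE, EXTRACTABLE}}  # wrapping key cannot decrypt

if __name__ == "__main__":
    print("weak:", find_exposure(WEAK_TOKEN))
    print("hardened:", find_exposure(HARDENED_TOKEN))
```

The weak template lets a single key both wrap keys and decrypt data, so the search returns a two-call trace; removing CKA_DECRYPT from the wrapping key (or CKA_EXTRACTABLE from the sensitive key) leaves no reachable violation.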
Buyers
• Test HSMs and applications during procurement.
• Optimise deployment to minimize risk.
• Get continuous visibility on security status.

Builders
• Find crypto bugs early in the development cycle.
• Avoid cost and reputational damage from crypto errors.
• Integrate in your Secure Development Lifecycle.

Technical Specifications
• Runs on Windows, Mac and Linux - 32 or 64 bit.
• Supports any PKCS#11 compatible device including HSMs and smartcards.
• No need to consult a cloud-based database of vulnerabilities, so can be used in sensitive internal network environments.
• Ask us about support for other cryptographic APIs.

Contact us

To find out how your organization can use Cryptosense to discover and mitigate unknown vulnerabilities in cryptography, contact us at [email protected] or go to http://cryptosense.com