Attacking and Fixing PKCS#11 Security Tokens

Tookan is an automated tool for security analysis of PKCS#11-compliant authentication tokens. In a paper presented today at CCS’10, we show how we used Tookan to reveal secret keys in devices made by Aladdin, Bull, Gemalto, RSA, and Siemens, amongst others. Tookan can also be used to validate patches to the standard, as we demonstrate in our CryptokiX project. Slides from the conference presentation are available, or you can go to the Tookan project website for full details.

This is the result of joint work between Graham Steel (LSV & INRIA) and the Security Group of the Universita’ Ca’ Foscari.