Title: Understanding security APIs
Author: Bond, Michael Keith
Awarding Body: University of Cambridge
Current Institution: University of Cambridge
Date of Award: 2004
Availability of Full Text: Full text unavailable from EThOS. Restricted access.
This thesis introduces the newly-born field of Security API research, and lays the foundations for future analysis, study, and construction of APIs. Security APIs are application programmer interfaces which use cryptography to enforce a security policy on the users of the APIs, governing the way in which they manipulate sensitive data and key material. The thesis begins by examining the origins and history of Security APIs, and that of Hardware Security Modules – tamper-resistant cryptographic processors which implement the APIs, the study of which goes hand-in-hand with this research. The major manufacturers and their products are covered, and commentaries draw together a few of the more important themes that explain why Security APIs are the way they are today. The significant original contribution at the heart of the thesis is a catalogue of new attacks and attack techniques for Security APIs. These attacks have had substantial impact on the Security API design community since their original publication. For example, the related-key “meet-in-the-middle” attack compromised every HSM analysed, and differential protocol analysis compromised all financial Security APIs. Historic attacks and brief explanations of very new unpublished attacks are also included. The thesis goes on to provide a body of advice for Security API design, consisting of heuristics and discussions of key issues, including those most pertinent to modern HSMs such as authorisation and trusted paths. The advice is linked in with the cautionary tales of Security API failures from the previous chapters. As the thesis is opening a new field of academic research, its main objective is to build understanding about Security APIs, and the conclusions drawn are open-ended and speculative. The different driving forces shaping the development of Security APIs are considered, and Trusted Computing is identified as central to the shaping of Security APIs and to the future relevance of this thesis.
Supervisor: Not available
Sponsor: Not available
Qualification Name: Thesis (Ph.D.)
Qualification Level: Doctoral
EThOS ID:  DOI: Not available