Security and interoperability of APIs for cryptographic devices

Starting from previous vulnerability analysis of the standard PKCS#11, we describe Microsoft CryptoAPI interface identifying all the possible attacks that can be performed to discover secret keys values, in hardware devices which support key management by both the standards. First, we formalize a model for CAPI, then a super model for both the standards, to describe in a unique way all the operations that can be performed. We consider interoperability between PKCS#11 and CryptoAPI, evidencing APIs differences in structures and usages. We try to use functions of both the APIs to test extensively other attacks on sensitive keys stored in the tokens. In addition to vulnerabilities, we propose some solutions to set up the most possible secure configuration for hardware devices. Future work considers the Microsoft CNG APIs, and possible new integration with PKCS#11.