An Experimental Study of Private Key and Secret Key Disclosure Vulnerability in Cryptographic Service Provider(CSP) Module

Cryptographic Service Provider(CSP) 모듈의 개인키/비밀키 노출 취약점에 대한 실험적 연구

  • 박진호 (한양대학교 전자컴퓨터통신공학과) ;
  • 박진호 (한양대학교 전자컴퓨터통신공학과) ;
  • 임을규 (한양대학교 전자컴퓨터통신공학과)
  • Published : 2007.09.20


In Windows operating system, CSPs(Cryptographic Service Providers) are provided for offering a easy and convenient way of using an various cryptographic algorithms to applications. The applications selectively communicate with various CSPs through a set of functions known as the Crypto API(Cryptographic Application Program Interface). During this process, a secure method, accessing data using a handle, is used in order to prevent analysis of the passing parameters to function between CryptoAPI and CSPs. In this paper, our experiment which is using a novel memory traceback method proves that still there is a vulnerability of private key and secret key disclosure in spite of the secure method above-mentioned.