Information Trust Institute block of abstract images
Information Trust Institute block of abstract images

Introduction to Security APIs


Graham Steel
Research Fellow
INRIA, France

Watch This Session

(Video runs from 1:47:20 to 2:46:40)

View the Slides

A security API is an Application Program Interface that allows untrusted code to access sensitive resources in a secure way. It is the interface between processes running with different levels of trust. Examples of security APIs include the interface between the tamper-resistant chip on a smartcard (trusted) and the code running on the client application (untrusted), the interface between a cryptographic Hardware Security Module (or HSM, trusted) and the host machine (untrusted), and web service APIs (an interface between a server, trusted by the service provider, and the rest of the Internet).

In this lecture, we will introduce security APIs with plenty of examples of attacks from real world applications ranging from authentication tokens to electricity meters. We will introduce analysis techniques for such APIs that facilitate detection of flaws and ultimately the design of a secure API.

Suggested Reading:

"An Introduction to Security API Analysis"


Graham Steel Graham Steel holds a masters in mathematics from the University of Cambridge and a Ph.D. in informatics from the University of Edinburgh. He is currently a researcher at INRIA, the French national agency for computer science research, where he is part of the Prosecco project team based in central Paris.

Steel's main research interests are in formal analysis of information security and applied cryptography. His current work on cryptographic API verification involves using formal techniques to construct and analyse abstract models of cryptographic device interfaces. In addition to international conference and journal publications, his recent results have featured in Wired magazine and the New York Times.