MoCrySIL - carry your cryptographic keys in your pocket

Today´s applications need to share data and workload in heterogeneous device environments. Many of these handle sensitive data and need to make use of cryptography, which induces keys that have to be provisioned, stored and shared securely. Our Cryptographic Service Interoperability Layer (CrySIL) architecture addressed these challenges by storing the key material off-device in a central hardened service that provides cryptographic functions to arbitrary devices via standardised APIs. While CrySIL is typically deployed by a trusted entity utilising hardware-security-modules (HSMs), the setup of this central trusted instance might be too complex or not desired in SME/personal deployment scenarios. Therefore, we present MoCrySIL, an extension to CrySIL that omits the need for a thrusted third party by making use of hardware-backed key-storage facilities available in today´s smart phones. We describe the MoCrySIL architectures and present a prototype that performs S/MIME based email encryption/signatures via a PKCS#11 library. We conduct a thorough security/risk analysis, and reflect on functional achievements and shortcomings.