Abstract: Designing an cryptographic key management interface for a tamper resistant device is a difficult problem. The interface should be designed so that no matter what sequence of commands is called, the key management policy continues to hold: sensitive keys remain secret, keys can only be used for their designated purposes, keys are be exported and imported from the device securely, etc. Most commercial key management APIs are based around the RSA standard PKCS#11. In this talk, we will show how implementing this standard without a great deal of care can lead to multiple security vulnerabilities. We will look at a number of examples of attacks and see why they are difficult to fix. We will discuss a formal framework for the analysis of such APIs. Finally, we will discuss new standards being developed by OASIS and IEEE to try to improve the situation.