PKCS11

The correct title of this article is PKCS #11. The substitution or omission of the # sign is because of technical restrictions.

In cryptography, PKCS #11^[1] is one of the family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories, that defines a platform-independent API to cryptographic tokens, such as Hardware Security Modules (HSM) and smart cards. (The PKCS #11 standard names the API "Cryptoki" which is an amalgamation of "cryptographic token interface" and is pronounced as "crypto-key", but "PKCS #11" is often used to refer to the API as well as the standard that defines it.)

Since there isn't a real standard for cryptographic tokens, this API has been developed to be an abstraction layer for the generic cryptographic token. The PKCS #11 API defines most commonly used cryptographic object types (RSA keys, X.509 Certificates, DES/Triple DES keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects.

PKCS #11 is largely adopted to access smart cards and HSMs. Most commercial Certification Authority software uses PKCS #11 to access the CA signing key or to enroll user certificates. Cross-platform software that needs to use smart cards uses PKCS #11, such as Mozilla Firefox and OpenSSL (using an extension). Software written for Microsoft Windows may use the platform specific MS-CAPI API instead.

History

• 01/1994: project launched
• 04/1995: v1.0 published
• 12/1997: v2.01 published
• 12/1999: v2.10 published
• 06/2004: v2.20 published
• 12/2005: amendments 1 & 2 (one-time password tokens, CT-KIP ^[2])
• 01/2007: amendment 3 (additional mechanisms)

Applications using PKCS #11

• FreeOTFE - Disk encryption system (PKCS #11 can either be used to encrypt critical data block, or as keyfile storage)
• Mozilla Firefox, a web browser
• Mozilla Thunderbird, an email client
• OpenDNSSEC, a DNSSEC signer
• OpenSSL - TLS/SSL library (with engine_pkcs11)
• GnuTLS - TLS/SSL library
• OpenVPN - VPN system
• StrongSwan - VPN system
• Truecrypt - Disk encryption system (PKCS #11 only used as trivial keyfile storage)
• TrouSerS - An open-source TCG Software Stack
• OpenSC - smartcard library
• OpenSSH - a Secure Shell implementation (since OpenSSH version 5.4)
• KiTTY - a fork of the popular PuTTY SSH Client implementing PKCS #11 [1]
• XCA - An open source certificate authority management application (see http://xca.sourceforge.net/)
• CryptoTerm - a closed source but free for personal use Windows SSH client
• OpenDS - an open source directory server.
• GNOME Keyring - a password and cryptographic key manager.

PKCS #11 wrappers

Since PKCS #11 is a complex C API many wrappers exist that let the developer use the API from various languages.

• NCryptoki - .NET (C# and VB.NET) and Visual Basic 6 wrapper for PKCS #11 API
• PyKCS11 - A wrapper for Python
• Another wrapper for Python
• Java 5.0 includes a wrapper for PKCS #11 API
• pkcs11-helper - A simple open source C interface to handle PKCS #11 tokens.
• SDeanComponents - Delphi wrapper for PKCS #11 API
• jacknji11 - Java wrapper using Java Native Access (JNA)
• ruby-pkcs11 - Ruby binding for PKCS #11 API
• pkcs11.net - .NET wrapper for PKCS #11 API
• oracle.com/solaris - Oracle Solaris Cryptographic Framework

Other Implementations

Java

• JCE - Sun's Java has included a native (written in Java) implementation of PKCS #11 available

as part of the Java Cryptography Architecture (JCA) and the Java Cryptography Extension (JCE) since version 5 (JDK 1.5)

External Links

• Cryptsoft page on PKCS #11
• Using PKCS #11 with java Part 1
• Using PKCS #11 with java Part 2 (RSA Generation)

References

1. "PKCS #11: Cryptographic Token Interface Standard". http://www.rsa.com/rsalabs/node.asp?id=2133. 
2. "CT-KIP: Cryptographic Token Key Initialization Protocol". http://www.rsa.com/rsalabs/node.asp?id=2817.