PKCS 11

In cryptography, PKCS #11 is one of the Public-Key Cryptography Standards,[1] and also refers to the programming interface to create and manipulate cryptographic tokens.

Detail

The PKCS #11 standard defines a platform-independent API to cryptographic tokens, such as hardware security modules (HSM) and smart cards, and names the API itself "Cryptoki" (from "cryptographic token interface", pronounced "crypto-key"). In practice, "PKCS #11" is often used to refer to the API as well as the standard that defines it.

The API defines most commonly used cryptographic object types (RSA keys, X.509 Certificates, DES/Triple DES keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects.

Usage

Most commercial certificate authority software uses PKCS #11 to access the CA signing key or to enroll user certificates. Cross-platform software that needs to use smart cards uses PKCS #11, such as Mozilla Firefox and OpenSSL (using an extension). It is also used to access smart cards and HSMs. Software written for Microsoft Windows may use the platform-specific MS-CAPI API instead. Both Oracle Solaris and Red Hat Enterprise Linux also contain implementations for use by applications.

Relationship to KMIP

The Key Management Interoperability Protocol (KMIP) defines a wire protocol that has similar functionality to the PKCS#11 API.
The two standards were originally developed independently but are now both governed by an OASIS technical committee. It is the stated objective of both the PKCS#11 and KMIP committees to align the standards where practicable. For example, the PKCS#11 Sensitive and Extractable attributes are being added to KMIP version 1.4. There is considerable overlap between members of the two technical committees.
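
The Sensitive and Extractable attributes mentioned above decide whether a key's value can leave the token. The following added example (not part of the original article or of any PKCS #11 implementation) audits attribute maps, such as an inventory tool might collect, against those attributes; the codes are the standard Cryptoki values, while the function names and the sample objects are assumptions constructed for illustration.

```python
# Added example: audit key objects for the Sensitive/Extractable policy.
# Attribute and object-class codes are the standard Cryptoki values.
CKA_CLASS, CKA_LABEL = 0x000, 0x003
CKA_SENSITIVE, CKA_EXTRACTABLE = 0x103, 0x162
CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE = 0x164, 0x165
CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKO_SECRET_KEY = 0x2, 0x3, 0x4

def audit_object(attrs):
    """Return findings for one object; a missing attribute counts as unsafe."""
    if attrs.get(CKA_CLASS) not in (CKO_PRIVATE_KEY, CKO_SECRET_KEY):
        return []  # public keys, certificates and data hold no secret value
    findings = []
    if not attrs.get(CKA_SENSITIVE, False):
        findings.append("value readable in plaintext (CKA_SENSITIVE false)")
    if attrs.get(CKA_EXTRACTABLE, True):
        findings.append("key can be wrapped off the token (CKA_EXTRACTABLE true)")
    if not attrs.get(CKA_ALWAYS_SENSITIVE, False):
        findings.append("key has not always been sensitive")
    if not attrs.get(CKA_NEVER_EXTRACTABLE, False):
        findings.append("key has been extractable at some point")
    return findings

def change_allowed(attr, old, new):
    """One-way rules: SENSITIVE may only go false->true,
    EXTRACTABLE may only go true->false."""
    if attr == CKA_SENSITIVE:
        return not (old and not new)
    if attr == CKA_EXTRACTABLE:
        return not (not old and new)
    return True

def audit_token(objects):
    """Map object label -> findings, listing only objects with findings."""
    report = {}
    for obj in objects:
        findings = audit_object(obj)
        if findings:
            report[obj.get(CKA_LABEL, "?")] = findings
    return report

# Constructed sample inventory (not output from a real token).
SAMPLE = [
    {CKA_CLASS: CKO_PRIVATE_KEY, CKA_LABEL: "ca-signing", CKA_SENSITIVE: True,
     CKA_EXTRACTABLE: False, CKA_ALWAYS_SENSITIVE: True, CKA_NEVER_EXTRACTABLE: True},
    {CKA_CLASS: CKO_SECRET_KEY, CKA_LABEL: "backup-kek", CKA_SENSITIVE: True,
     CKA_EXTRACTABLE: True, CKA_ALWAYS_SENSITIVE: True, CKA_NEVER_EXTRACTABLE: False},
    {CKA_CLASS: CKO_PUBLIC_KEY, CKA_LABEL: "ca-signing-pub"},
]
```

Calling `audit_token(SAMPLE)` reports only the "backup-kek" object, because it is extractable now and has therefore not been non-extractable for its whole lifetime.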

History

The PKCS#11 standard originated from RSA Security along with its other PKCS standards in 1994. In 2013, RSA contributed the latest draft revision of the standard (PKCS#11 2.30) to OASIS to continue the work on the standard within the newly created OASIS PKCS11 Technical Committee.[2] The following list contains significant revision information:

  • 01/1994: project launched

  • 04/1995: v1.0 published

  • 12/1997: v2.01 published

  • 12/1999: v2.10 published

  • 01/2001: v2.11 published

  • 06/2004: v2.20 published[1]

  • 12/2005: amendments 1 & 2 (one-time password tokens, CT-KIP [3])

  • 01/2007: amendment 3 (additional mechanisms)

  • 09/2009: v2.30 draft published for review, but final version never published

  • 12/2012: RSA announces that PKCS #11 management is being transitioned to OASIS [4]

  • 03/2013: OASIS PKCS #11 Technical Committee inaugural meetings, work starts on v2.40 [5]

  • 04/2015: OASIS PKCS #11 v2.40 specifications become approved OASIS standards [6]

  • 05/2016: OASIS PKCS #11 v2.40 Errata 01 specifications become approved OASIS errata [7]

References

[1] www.oasis-open.org. "PKCS #11: Cryptographic Token Interface Standard".
[2] www.oasis-open.org. "OASIS Enhances Popular Public-Key Cryptography Standard, PKCS #11, for Mobile and Cloud | OASIS". Retrieved 2016-08-24.
[3] //www.emc.com/emc-plus/rsa-labs/standards-initiatives/cryptographic-token-key-initialization-protocol.htm. "CT-KIP: Cryptographic Token Key Initialization Protocol".
[4] blogs.rsa.com. "Archived copy". Archived from the original on 2013-05-25. Retrieved 2013-07-18.
[5] www.oasis-open.org. https://www.oasis-open.org/committees/documents.php?wg_abbrev=pkcs11
[6] www.oasis-open.org. "#PKCS #11 Cryptographic Token Interface Base Specification, Interface Profiles, Current Mechanisms Specification, and Historical Mechanisms Specification Versions 2.40 become OASIS Standards | OASIS". Retrieved 2016-08-24.
[7] www.oasis-open.org. "#PKCS 11 V2.40 Approved Erratas published by PKCS 11 TC | OASIS". Retrieved 2016-08-24.
[8] www.oasis-open.org. OASIS PKCS #11 TC page.
[9] www.cryptsoft.com. Cryptsoft page on PKCS #11.
[10] www.p6r.com. P6R PKCS #11 Client (includes a KMIP token).
[11] www.oracle.com. Oracle Solaris Cryptographic Framework Whitepaper.
[12] www.oasis-open.org. "PKCS #11: Cryptographic Token Interface Standard".
[13] www.oasis-open.org. "OASIS Enhances Popular Public-Key Cryptography Standard, PKCS #11, for Mobile and Cloud | OASIS".
[14] www.emc.com. "CT-KIP: Cryptographic Token Key Initialization Protocol".
[15] web.archive.org. "Archived copy".
[16] blogs.rsa.com. The original.
[17] www.oasis-open.org. https://www.oasis-open.org/committees/documents.php?wg_abbrev=pkcs11
[18] www.oasis-open.org. "#PKCS #11 Cryptographic Token Interface Base Specification, Interface Profiles, Current Mechanisms Specification, and Historical Mechanisms Specification Versions 2.40 become OASIS Standards | OASIS".
[19] www.oasis-open.org. "#PKCS 11 V2.40 Approved Erratas published by PKCS 11 TC | OASIS".
[20] www.oasis-open.org. OASIS PKCS #11 TC page.