In cryptography, PKCS #11 is one of the family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories, that defines a platform-independent API to cryptographic tokens, such as Hardware Security Modules (HSM) and smart cards. (The PKCS #11 standard names the API "Cryptoki" which is an amalgamation of "cryptographic token interface" and is pronounced as "crypto-key", but "PKCS #11" is often used to refer to the API as well as the standard that defines it.)
Since there isn't a real standard for cryptographic tokens, this API has been developed to be an abstraction layer for the generic cryptographic token. The PKCS #11 API defines the most commonly used cryptographic object types (RSA keys, X.509 certificates, DES/Triple DES keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects.
PKCS #11 is widely adopted to access smart cards and HSMs. Most commercial Certification Authority software uses PKCS #11 to access the CA signing key or to enroll user certificates. Cross-platform software that needs to use smart cards, such as Mozilla Firefox and OpenSSL (using an extension), uses PKCS #11. Software written for Microsoft Windows may use the platform-specific MS-CAPI API instead.
History
- 01/1994: project launched
- 04/1995: v1.0 published
- 12/1997: v2.01 published
- 12/1999: v2.10 published
- 06/2004: v2.20 published
- 12/2005: amendments 1 & 2 (one-time password tokens, CT-KIP)
- 01/2007: amendment 3 (additional mechanisms)
Applications using PKCS #11
- FreeOTFE - Disk encryption system (PKCS #11 can either be used to encrypt critical data block, or as keyfile storage)
- Mozilla Firefox, a web browser
- Mozilla Thunderbird, an email client
- OpenDNSSEC, a DNSSEC signer
- OpenSSL - TLS/SSL library (with engine_pkcs11)
- GnuTLS - TLS/SSL library
- OpenVPN - VPN system
- strongSwan - VPN system
- TrueCrypt - Disk encryption system (PKCS #11 only used as trivial keyfile storage)
- TrouSerS - An open-source TCG Software Stack
- OpenSC - smartcard library
- OpenSSH - a Secure Shell implementation (since OpenSSH version 5.4)
- KiTTY - a fork of the popular PuTTY SSH Client implementing PKCS #11 http://www.9bis.net/kitty/
- XCA - An open source certificate authority management application (see http://xca.sourceforge.net/)
- CryptoTerm - a closed source but free for personal use Windows SSH client
- OpenDS - an open source directory server.
- GNOME Keyring - a password and cryptographic key manager.
PKCS #11 wrappers
Since PKCS #11 is a complex C API, many wrappers exist that let the developer use the API from various languages.
- NCryptoki - .NET (C# and VB.NET) and Visual Basic 6 wrapper for PKCS #11 API
- PyKCS11 - A wrapper for Python
- Another wrapper for Python
- Java 5.0 includes a wrapper for PKCS #11 API
- pkcs11-helper - A simple open source C interface to handle PKCS #11 tokens.
- SDeanComponents - Delphi wrapper for PKCS #11 API
- jacknji11 - Java wrapper using Java Native Access (JNA)
- ruby-pkcs11 - Ruby binding for PKCS #11 API
- pkcs11.net - .NET wrapper for PKCS #11 API
- oracle.com/solaris - Oracle Solaris Cryptographic Framework
Java
- JCE - Sun's Java has included a native (written in Java) implementation of PKCS #11 available as part of the Java Cryptography Architecture (JCA) and the Java Cryptography Extension (JCE) since version 5 (JDK 1.5)