PKCS11
Encyclopedia
In cryptography
Cryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...

, PKCS #11 is one of the family of standards called Public-Key Cryptography Standards (PKCS)
PKCS
In cryptography, PKCS refers to a group of public-key cryptography standards devised and published by RSA Security.RSA Data Security Inc was assigned the licensing rights for the patent on the RSA asymmetric key algorithm and acquired the licensing rights to several other key patents as well...

, published by RSA Laboratories, that defines a platform-independent API
Application programming interface
An application programming interface is a source code based specification intended to be used as an interface by software components to communicate with each other...

 to cryptographic tokens, such as Hardware Security Module
Hardware Security Module
A hardware security module is a type of secure cryptoprocessor targeted at managing digital keys, accelerating cryptoprocesses in terms of digital signings/second and for providing strong authentication to access critical keys for server applications...

s (HSM) and smart cards. (The PKCS #11 standard names the API "Cryptoki" which is an amalgamation of "cryptographic token interface" and is pronounced as "crypto-key", but "PKCS #11" is often used to refer to the API as well as the standard that defines it.)

Since there isn't a real standard for cryptographic tokens, this API has been developed to be an abstraction layer for the generic cryptographic token. The PKCS #11 API defines most commonly used cryptographic object types (RSA keys, X.509
X.509
In cryptography, X.509 is an ITU-T standard for a public key infrastructure and Privilege Management Infrastructure . X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation...

 Certificates, DES
Data Encryption Standard
The Data Encryption Standard is a block cipher that uses shared secret encryption. It was selected by the National Bureau of Standards as an official Federal Information Processing Standard for the United States in 1976 and which has subsequently enjoyed widespread use internationally. It is...

/Triple DES
Triple DES
In cryptography, Triple DES is the common name for the Triple Data Encryption Algorithm block cipher, which applies the Data Encryption Standard cipher algorithm three times to each data block....

 keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects.

PKCS #11 is largely adopted to access smart cards and HSMs
Hardware Security Module
A hardware security module is a type of secure cryptoprocessor targeted at managing digital keys, accelerating cryptoprocesses in terms of digital signings/second and for providing strong authentication to access critical keys for server applications...

. Most commercial Certification Authority
Certificate authority
In cryptography, a certificate authority, or certification authority, is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate...

 software uses PKCS #11 to access the CA signing key or to enroll user certificates. Cross-platform software that needs to use smart cards uses PKCS #11, such as Mozilla Firefox
Mozilla Firefox
Mozilla Firefox is a free and open source web browser descended from the Mozilla Application Suite and managed by Mozilla Corporation. , Firefox is the second most widely used browser, with approximately 25% of worldwide usage share of web browsers...

 and OpenSSL
OpenSSL
OpenSSL is an open source implementation of the SSL and TLS protocols. The core library implements the basic cryptographic functions and provides various utility functions...

 (using an extension). Software written for Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...

 may use the platform specific MS-CAPI
Cryptographic Application Programming Interface
The Cryptographic Application Programming Interface is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Windows-based applications using cryptography...

 API instead.

History

  • 01/1994: project launched
  • 04/1995: v1.0 published
  • 12/1997: v2.01 published
  • 12/1999: v2.10 published
  • 06/2004: v2.20 published
  • 12/2005: amendments 1 & 2 (one-time password
    One-time password
    A one-time password is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional passwords. The most important shortcoming that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable...

     tokens, CT-KIP )
  • 01/2007: amendment 3 (additional mechanisms)

Applications using PKCS #11

  • FreeOTFE
    FreeOTFE
    FreeOTFE is an open source on-the-fly disk encryption computer program for PCs running Microsoft Windows, and personal digital assistants running Windows Mobile . It creates virtual drives, or disks, to which anything written is automatically encrypted before being stored on a computer's hard or...

     - Disk encryption system (PKCS #11 can either be used to encrypt critical data block, or as keyfile storage)
  • Mozilla Firefox
    Mozilla Firefox
    Mozilla Firefox is a free and open source web browser descended from the Mozilla Application Suite and managed by Mozilla Corporation. , Firefox is the second most widely used browser, with approximately 25% of worldwide usage share of web browsers...

    , a web browser
  • Mozilla Thunderbird
    Mozilla Thunderbird
    Mozilla Thunderbird is a free, open source, cross-platform e-mail and news client developed by the Mozilla Foundation. The project strategy is modeled after Mozilla Firefox, a project aimed at creating a web browser...

    , an email client
  • OpenDNSSEC
    OpenDNSSEC
    The OpenDNSSEC is software that manages the security of domain names on the Internet. The project intends to drive adoption of Domain Name System Security Extensions to further enhance Internet security....

    , a DNSSEC
    DNSSEC
    The Domain Name System Security Extensions is a suite of Internet Engineering Task Force specifications for securing certain kinds of information provided by the Domain Name System as used on Internet Protocol networks...

     signer
  • OpenSSL
    OpenSSL
    OpenSSL is an open source implementation of the SSL and TLS protocols. The core library implements the basic cryptographic functions and provides various utility functions...

     - TLS/SSL
    Transport Layer Security
    Transport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...

     library (with engine_pkcs11)
  • GnuTLS
    GnuTLS
    GnuTLS , the GNU Transport Layer Security Library, is a free software implementation of the SSL and TLS protocols. Its purpose is to offer an application programming interface for applications to enable secure communication protocols over their network transport layer.-Features:GnuTLS consists of...

     - TLS/SSL
    Transport Layer Security
    Transport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...

     library
  • OpenVPN
    OpenVPN
    OpenVPN is a free and open source software application that implements virtual private network techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for...

     - VPN system
  • StrongSwan
    StrongSwan
    strongSwan is a complete IPsec implementation for Linux 2.6 and 3.x kernels.As a descendant of the FreeS/WAN project, it continues to be released under the GPL license. The project is actively maintained by Andreas Steffen who is a professor for Security in Communications at the University of...

     - VPN system
  • Truecrypt
    TrueCrypt
    TrueCrypt is a software application used for on-the-fly encryption . It is free and open source. It can create a virtual encrypted disk within a file or encrypt a partition or the entire storage device .- Operating systems :TrueCrypt supports Microsoft Windows, Mac OS X, and...

     - Disk encryption system (PKCS #11 only used as trivial keyfile storage)
  • TrouSerS - An open-source TCG Software Stack
  • OpenSC
    OpenSC
    OpenSC is a set of software tools and libraries to work with smart cards, with the focus on smart cards with cryptographic capabilities- Cryptographic support :...

     - smartcard library
  • OpenSSH
    OpenSSH
    OpenSSH is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol...

     - a Secure Shell
    Secure Shell
    Secure Shell is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client...

     implementation (since OpenSSH version 5.4)
  • KiTTY
    Kitty
    Kitty may refer to:* Cat, small carnivorous mammal of the subspecies Felis silvestris catus* Kitten, a young cat* Kitty , people and fictional characters with the given name Kitty...

     - a fork of the popular PuTTY SSH Client implementing PKCS #11 http://www.9bis.net/kitty/
  • XCA - An open source certificate authority management application (see http://xca.sourceforge.net/)
  • CryptoTerm - a closed source but free for personal use Windows SSH client
  • OpenDS
    OpenDS
    OpenDS Software is a free, open source directory service, written in Java, and developed as part of the OpenDS project. OpenDS Software implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory...

     - an open source directory server.
  • GNOME Keyring
    GNOME Keyring
    GNOME Keyring is a daemon application designed to take care of the user's security credentials, such as user names and passwords. The sensitive data is encrypted and stored in a keyring file in the user's home folder...

     - a password and cryptographic key manager.

PKCS #11 wrappers

Since PKCS #11 is a complex C
C (programming language)
C is a general-purpose computer programming language developed between 1969 and 1973 by Dennis Ritchie at the Bell Telephone Laboratories for use with the Unix operating system....

 API many wrappers exist that let the developer use the API from various languages.
  • NCryptoki - .NET (C# and VB.NET) and Visual Basic 6 wrapper for PKCS #11 API
  • PyKCS11 - A wrapper for Python
    Python (programming language)
    Python is a general-purpose, high-level programming language whose design philosophy emphasizes code readability. Python claims to "[combine] remarkable power with very clear syntax", and its standard library is large and comprehensive...

  • Another wrapper for Python
  • Java
    Java (programming language)
    Java is a programming language originally developed by James Gosling at Sun Microsystems and released in 1995 as a core component of Sun Microsystems' Java platform. The language derives much of its syntax from C and C++ but has a simpler object model and fewer low-level facilities...

     5.0 includes a wrapper for PKCS #11 API
  • pkcs11-helper - A simple open source
    Open source
    The term open source describes practices in production and development that promote access to the end product's source materials. Some consider open source a philosophy, others consider it a pragmatic methodology...

     C interface to handle PKCS #11 tokens.
  • SDeanComponents - Delphi wrapper for PKCS #11 API
  • jacknji11 - Java wrapper using Java Native Access (JNA)
  • ruby-pkcs11 - Ruby binding for PKCS #11 API
  • pkcs11.net - .NET wrapper for PKCS #11 API
  • oracle.com/solaris - Oracle Solaris Cryptographic Framework

Java

  • JCE - Sun's Java
    Java Development Kit
    The Java Development Kit is an Oracle Corporation product aimed at Java developers. Since the introduction of Java, it has been by far the most widely used Java SDK. On 17 November 2006, Sun announced that it would be released under the GNU General Public License , thus making it free software...

    has included a native (written in Java) implementation of PKCS #11 available

as part of the Java Cryptography Architecture (JCA) and the Java Cryptography Extension (JCE) since version 5 (JDK 1.5)

External Links

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK