PKCS 11

{{Short description|Standard in public cryptography}}

{{Correct title|title=PKCS #11|reason=hash}}

In cryptography, PKCS #11 is a Public-Key Cryptography Standards that defines a C programming interface to create and manipulate cryptographic tokens that may contain secret cryptographic keys. It is often used to communicate with a Hardware Security Module or smart cards.

The PKCS #11 standard is managed by OASIS{{cite web

| url = https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/os/pkcs11-spec-v3.1-os.html

| title = PKCS #11 Specification Version 3.1

| editor1= Dieter Bong |editor2=Tony Cox

| date = 2023-07-23

| publisher = OASIS

| access-date = 2024-08-29

}}

with the current version being 3.1

{{cite web

| url = https://www.oasis-open.org/2023/08/10/two-pkcs-11-oasis-standards-published/

| title = Two PKCS #11 OASIS Standards published

|editor1= Paul Knight

| date = 2023-08-10

| publisher = OASIS

| access-date = 2025-01-05

}}

PKCS #11 is sometimes referred to as "Cryptoki" (from "cryptographic token interface" and pronounced as "crypto-key").

The API defines most commonly used cryptographic object types (RSA keys, X.509 certificates, DES/Triple DES keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects.

Usage

Most commercial certificate authority (CA) software uses PKCS #11 to access the CA signing key{{clarify|date=October 2020}} or to enroll user certificates. Cross-platform software that needs to use smart cards uses PKCS #11, such as Mozilla Firefox and OpenSSL (using an extension). It is also used to access smart cards and HSMs. Software written for Microsoft Windows may use the platform specific MS-CAPI API instead. Both Oracle Solaris and Red Hat Enterprise Linux contain implementations for use by applications, as well.

Relationship to KMIP

The Key Management Interoperability Protocol (KMIP) defines a wire protocol that has similar functionality to the PKCS #11 API.

The two standards were originally developed independently but are now both governed by an OASIS technical committee. It is the stated objective of both the PKCS #11 and KMIP committees to align the standards where practicable. KMIP also has special operations that provide a complete standards based wire protocol for PKCS #11.

There is considerable overlap between members of the two technical committees.

History

The PKCS #11 standard originated from RSA Security along with its other PKCS standards in 1994. In 2013, RSA contributed the latest draft revision of the standard (PKCS #11 2.30) to OASIS to continue the work on the standard within the newly created OASIS PKCS11 Technical Committee.{{Cite web|url=https://www.oasis-open.org/news/pr/oasis-enhances-popular-public-key-cryptography-standard-pkcs-11-for-mobile-and-cloud|title=OASIS Enhances Popular Public-Key Cryptography Standard, PKCS #11, for Mobile and Cloud|date=26 March 2013 |publisher=OASIS|access-date=2016-08-24}} The following list contains significant revision information:

  • 01/1994: project launched
  • 04/1995: v1.0 published
  • 12/1997: v2.01 published
  • 12/1999: v2.10 published
  • 01/2001: v2.11 published
  • 06/2004: v2.20 published
  • 12/2005: amendments 1 & 2 (one-time password tokens, CT-KIP {{cite web

| url = https://www.emc.com/emc-plus/rsa-labs/standards-initiatives/cryptographic-token-key-initialization-protocol.htm

| title = CT-KIP: Cryptographic Token Key Initialization Protocol

| publisher = RSA Security

| archive-url = https://web.archive.org/web/20170417085140/https://www.emc.com/emc-plus/rsa-labs/standards-initiatives/cryptographic-token-key-initialization-protocol.htm

| archive-date = 2017-04-17

| url-status = dead}})

  • 01/2007: amendment 3 (additional mechanisms)
  • 09/2009: v2.30 draft published for review, but final version never published
  • 12/2012: RSA announce that PKCS #11 management is being transitioned to OASIS{{cite web

| url=https://blogs.rsa.com/re-invigorating-the-pkcs-11-standard/

| title = Re-invigorating the PKCS #11 Standard

| first = Bob

| last = Griffin

| date = 2012-12-26

| archive-url = https://web.archive.org/web/20130525002555/http://blogs.rsa.com/re-invigorating-the-pkcs-11-standard/

| archive-date = 2013-05-25

| url-status = dead}}

  • 03/2013: OASIS PKCS #11 Technical Committee Inaugural meetings, works starts on v2.40 {{cite web

| url = https://www.oasis-open.org/committees/documents.php?wg_abbrev=pkcs11

| title = OASIS PKCS 11 TC Public Documents

| publisher = OASIS

| access-date = 2020-01-16}}

  • 04/2015: OASIS PKCS #11 v2.40 specifications become approved OASIS standards {{Cite web|url=https://www.oasis-open.org/news/announcements/pkcs-11-cryptographic-token-interface-base-specification-interface-profiles-curre|title=#PKCS #11 Cryptographic Token Interface Base Specification, Interface Profiles, Current Mechanisms Specification, and Historical Mechanisms Specification Versions 2.40 become OASIS Standards|date=15 April 2015 |publisher=OASIS|access-date=2016-08-24}}
  • 05/2016: OASIS PKCS #11 v2.40 Errata 01 specifications become approved OASIS errata {{Cite web|url=https://www.oasis-open.org/news/announcements/pkcs-11-v2-40-approved-erratas-published-by-pkcs-11-tc|title=#PKCS 11 V2.40 Approved Erratas published by PKCS 11 TC|date=28 June 2016 |publisher=OASIS|access-date=2016-08-24}}
  • 07/2020: OASIS PKCS #11 v3.0 specifications become approved OASIS standards {{Cite web|last=|first=|date=22 July 2020|title=#PKCS #11 Cryptographic Token Interface Base Specification, Interface Profiles, Current Mechanisms Specification, and Historical Mechanisms Specification Versions 3.0 become OASIS Standards|url=https://www.oasis-open.org/2020/07/22/four-pkcs-11-oasis-standards-published/|archive-url=|archive-date=|access-date=2020-07-23|website=|publisher=OASIS}}
  • 07/2023: OASIS PKCS #11 v3.1 specifications become approved OASIS standards

See also

References

{{reflist}}