PKCS 11
{{Short description|Standard in public cryptography}}
{{Correct title|title=PKCS #11|reason=hash}}
In cryptography, PKCS #11 is one of the Public-Key Cryptography Standards; it defines a C programming interface (API) to create and manipulate cryptographic tokens that may contain secret cryptographic keys. It is often used to communicate with a Hardware Security Module (HSM) or smart cards.
The PKCS #11 standard is managed by OASIS{{cite web
| url = https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/os/pkcs11-spec-v3.1-os.html
| title = PKCS #11 Specification Version 3.1
| editor1= Dieter Bong |editor2=Tony Cox
| date = 2023-07-23
| publisher = OASIS
| access-date = 2024-08-29
}}
with the current version being 3.1.{{cite web
| url = https://www.oasis-open.org/2023/08/10/two-pkcs-11-oasis-standards-published/
| title = Two PKCS #11 OASIS Standards published
| editor1 = Paul Knight
| date = 2023-08-10
| publisher = OASIS
| access-date = 2025-01-05
}}
PKCS #11 is sometimes referred to as "Cryptoki" (from "cryptographic token interface" and pronounced as "crypto-key").
The API defines the most commonly used cryptographic object types (RSA keys, X.509 certificates, DES/Triple DES keys, etc.) and all the functions needed to use, create or generate, modify and delete those objects.
Usage
Most commercial certificate authority (CA) software uses PKCS #11 to access the CA signing key{{clarify|date=October 2020}} or to enroll user certificates. Cross-platform software that needs to use smart cards, such as Mozilla Firefox and OpenSSL (through an extension), uses PKCS #11. It is also used to access smart cards and HSMs. Software written for Microsoft Windows may use the platform-specific MS-CAPI API instead. Oracle Solaris and Red Hat Enterprise Linux also ship implementations for use by applications.
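Applications that reach a key through PKCS #11 commonly name the token and object with a PKCS #11 URI (RFC 7512, listed under External links). The parser below is an added example, not part of this article or of any PKCS #11 implementation; it separates the path attributes that identify the token and object from the query attributes that tell the application which module to load and how to obtain the PIN, rejects attributes that appear in the wrong component, and flags a PIN embedded in the URI itself. The module path in the sample URI is a placeholder.

```python
"""Minimal RFC 7512 PKCS #11 URI parser (added example, not from the article)."""
from dataclasses import dataclass, field
from urllib.parse import unquote, unquote_to_bytes

# RFC 7512 path attributes identify the module, slot, token and object.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
# Query attributes tell the application how to load the module and get the PIN.
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


@dataclass
class Pkcs11Uri:
    path: dict = field(default_factory=dict)    # token/object selectors
    query: dict = field(default_factory=dict)   # module and PIN hints
    warnings: list = field(default_factory=list)


def _parse_part(part, separator, allowed, out):
    """Split `a=b<sep>c=d` into `out`, percent-decoding values (`id` is raw bytes)."""
    if not part:
        return
    for item in part.split(separator):
        name, sep, raw = item.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed attribute: {item!r}")
        vendor = name.startswith("x-")            # vendor attributes may repeat
        if name not in allowed and not vendor:
            raise ValueError(f"attribute {name!r} not allowed in this component")
        if name in out and not vendor:
            raise ValueError(f"attribute {name!r} repeated")
        out[name] = unquote_to_bytes(raw) if name == "id" else unquote(raw)


def parse_pkcs11_uri(uri):
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = rest.partition("?")
    result = Pkcs11Uri()
    _parse_part(path_part, ";", PATH_ATTRS, result.path)   # path uses ';'
    _parse_part(query_part, "&", QUERY_ATTRS, result.query)  # query uses '&'
    obj_type = result.path.get("type")
    if obj_type is not None and obj_type not in OBJECT_TYPES:
        raise ValueError(f"unknown object type {obj_type!r}")
    if "pin-value" in result.query:
        result.warnings.append("PIN is embedded in the URI; prefer pin-source")
    return result
```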
Relationship to KMIP
The Key Management Interoperability Protocol (KMIP) defines a wire protocol that has similar functionality to the PKCS #11 API.
The two standards were originally developed independently but are now both governed by an OASIS technical committee. It is the stated objective of both the PKCS #11 and KMIP committees to align the standards where practicable. KMIP also has special operations that provide a complete standards-based wire protocol for PKCS #11.
There is considerable overlap between members of the two technical committees.
History
The PKCS #11 standard originated from RSA Security along with its other PKCS standards in 1994. In 2013, RSA contributed the latest draft revision of the standard (PKCS #11 2.30) to OASIS to continue the work on the standard within the newly created OASIS PKCS11 Technical Committee.{{Cite web|url=https://www.oasis-open.org/news/pr/oasis-enhances-popular-public-key-cryptography-standard-pkcs-11-for-mobile-and-cloud|title=OASIS Enhances Popular Public-Key Cryptography Standard, PKCS #11, for Mobile and Cloud|date=26 March 2013 |publisher=OASIS|access-date=2016-08-24}} The following list contains significant revision information:
- 01/1994: project launched
- 04/1995: v1.0 published
- 12/1997: v2.01 published
- 12/1999: v2.10 published
- 01/2001: v2.11 published
- 06/2004: v2.20 published
- 12/2005: amendments 1 & 2 (one-time password tokens, CT-KIP {{cite web
| url = https://www.emc.com/emc-plus/rsa-labs/standards-initiatives/cryptographic-token-key-initialization-protocol.htm
| title = CT-KIP: Cryptographic Token Key Initialization Protocol
| publisher = RSA Security
| archive-url = https://web.archive.org/web/20170417085140/https://www.emc.com/emc-plus/rsa-labs/standards-initiatives/cryptographic-token-key-initialization-protocol.htm
| archive-date = 2017-04-17
| url-status = dead}})
- 01/2007: amendment 3 (additional mechanisms)
- 09/2009: v2.30 draft published for review, but final version never published
- 12/2012: RSA announces that PKCS #11 management is being transitioned to OASIS{{cite web
| url=https://blogs.rsa.com/re-invigorating-the-pkcs-11-standard/
| title = Re-invigorating the PKCS #11 Standard
| first = Bob
| last = Griffin
| date = 2012-12-26
| archive-url = https://web.archive.org/web/20130525002555/http://blogs.rsa.com/re-invigorating-the-pkcs-11-standard/
| archive-date = 2013-05-25
| url-status = dead}}
- 03/2013: OASIS PKCS #11 Technical Committee inaugural meetings; work starts on v2.40 {{cite web
| url = https://www.oasis-open.org/committees/documents.php?wg_abbrev=pkcs11
| title = OASIS PKCS 11 TC Public Documents
| publisher = OASIS
| access-date = 2020-01-16}}
- 04/2015: OASIS PKCS #11 v2.40 specifications become approved OASIS standards {{Cite web|url=https://www.oasis-open.org/news/announcements/pkcs-11-cryptographic-token-interface-base-specification-interface-profiles-curre|title=#PKCS #11 Cryptographic Token Interface Base Specification, Interface Profiles, Current Mechanisms Specification, and Historical Mechanisms Specification Versions 2.40 become OASIS Standards|date=15 April 2015 |publisher=OASIS|access-date=2016-08-24}}
- 05/2016: OASIS PKCS #11 v2.40 Errata 01 specifications become approved OASIS errata {{Cite web|url=https://www.oasis-open.org/news/announcements/pkcs-11-v2-40-approved-erratas-published-by-pkcs-11-tc|title=#PKCS 11 V2.40 Approved Erratas published by PKCS 11 TC|date=28 June 2016 |publisher=OASIS|access-date=2016-08-24}}
- 07/2020: OASIS PKCS #11 v3.0 specifications become approved OASIS standards {{Cite web|last=|first=|date=22 July 2020|title=#PKCS #11 Cryptographic Token Interface Base Specification, Interface Profiles, Current Mechanisms Specification, and Historical Mechanisms Specification Versions 3.0 become OASIS Standards|url=https://www.oasis-open.org/2020/07/22/four-pkcs-11-oasis-standards-published/|archive-url=|archive-date=|access-date=2020-07-23|website=|publisher=OASIS}}
- 07/2023: OASIS PKCS #11 v3.1 specifications become approved OASIS standards
See also
References
{{reflist}}
External links
- {{IETF RFC|7512}} - The PKCS #11 URI Scheme
- [https://www.cryptsoft.com/pkcs11doc/ PKCS#11: Cryptographic Token Interface Standard]
- [https://www.oasis-open.org/committees/pkcs11 OASIS PKCS #11 Technical Committee home page]
{{PKCS navbox}}
{{Cryptography navbox}}