PKCS 11
Standard in public cryptography

In cryptography, PKCS #11 is one of the Public-Key Cryptography Standards. It defines a C programming interface to create and manipulate cryptographic tokens that may contain secret cryptographic keys. It is often used to communicate with a hardware security module (HSM) or smart cards.

The PKCS #11 standard is managed by OASIS, with the current version being 3.1. PKCS #11 is sometimes referred to as "Cryptoki" (from "cryptographic token interface" and pronounced as "crypto-key").

The API defines most commonly used cryptographic object types (RSA keys, X.509 certificates, DES/Triple DES keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects.
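How the API describes a key object, shown as an added example (not code from this article or from the standard): Cryptoki objects are created from attribute templates, and for keys the `CKA_SENSITIVE` and `CKA_EXTRACTABLE` attributes decide whether key material can be read or wrapped out of the token. The types are a locally declared subset of the real header; `audit_key_template`, the `F_*` flags and the sample templates are hypothetical.

```c
/* Added example. Minimal Cryptoki subset declared locally so this compiles
   without a vendor pkcs11.h; constant values as in the PKCS #11 headers. */
#include <stdio.h>

typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef CK_ULONG CK_ATTRIBUTE_TYPE, CK_OBJECT_CLASS;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

#define CKO_PRIVATE_KEY 0x00000003UL
#define CKA_CLASS       0x00000000UL
#define CKA_SENSITIVE   0x00000103UL
#define CKA_EXTRACTABLE 0x00000162UL

/* Hypothetical finding flags (not part of the standard). */
enum { F_NOT_SENSITIVE = 1, F_EXTRACTABLE = 2, F_UNSPECIFIED = 4 };

/* Read a CK_BBOOL attribute: 1 or 0, or -1 if absent or malformed. */
static int bool_attr(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ATTRIBUTE_TYPE type) {
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].type == type) {
            if (!t[i].pValue || t[i].ulValueLen != sizeof(CK_BBOOL)) return -1;
            return *(const CK_BBOOL *)t[i].pValue ? 1 : 0;
        }
    return -1;
}

/* Hypothetical helper: flag templates that would let key material leave the token. */
int audit_key_template(const CK_ATTRIBUTE *t, CK_ULONG n) {
    int s = bool_attr(t, n, CKA_SENSITIVE), e = bool_attr(t, n, CKA_EXTRACTABLE), f = 0;
    if (s == 0) f |= F_NOT_SENSITIVE;
    if (e == 1) f |= F_EXTRACTABLE;
    if (s < 0 || e < 0) f |= F_UNSPECIFIED; /* token's own default would apply */
    return f;
}

static CK_BBOOL yes = 1, no = 0;               /* CK_TRUE / CK_FALSE */
static CK_OBJECT_CLASS priv = CKO_PRIVATE_KEY;
int audit_sample_hardened(void) {              /* constructed sample template */
    CK_ATTRIBUTE t[] = { {CKA_CLASS, &priv, sizeof priv},
                         {CKA_SENSITIVE, &yes, 1}, {CKA_EXTRACTABLE, &no, 1} };
    return audit_key_template(t, sizeof t / sizeof t[0]);
}
int audit_sample_weak(void) {                  /* constructed sample template */
    CK_ATTRIBUTE t[] = { {CKA_CLASS, &priv, sizeof priv}, {CKA_SENSITIVE, &no, 1} };
    return audit_key_template(t, sizeof t / sizeof t[0]);
}
int main(void) {
    printf("hardened=%d weak=%d\n", audit_sample_hardened(), audit_sample_weak());
    return 0;
}
```

In a real application the same template array would be passed to a key-generation or object-creation call of the loaded PKCS #11 module, so a check like this fits in review or CI before the template reaches the token.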

Usage

Most commercial certificate authority (CA) software uses PKCS #11 to access the CA signing key or to enroll user certificates. Cross-platform software that needs to use smart cards uses PKCS #11, such as Mozilla Firefox and OpenSSL (using an extension). It is also used to access smart cards and HSMs. Software written for Microsoft Windows may use the platform-specific MS-CAPI API instead. Both Oracle Solaris and Red Hat Enterprise Linux contain implementations for use by applications as well.

Relationship to KMIP

The Key Management Interoperability Protocol (KMIP) defines a wire protocol that has similar functionality to the PKCS #11 API.

The two standards were originally developed independently but are now both governed by an OASIS technical committee. It is the stated objective of both the PKCS #11 and KMIP committees to align the standards where practicable. KMIP also has special operations that provide a complete standards-based wire protocol for PKCS #11.

There is considerable overlap between members of the two technical committees.

History

The PKCS #11 standard originated from RSA Security along with its other PKCS standards in 1994. In 2013, RSA contributed the latest draft revision of the standard (PKCS #11 2.30) to OASIS to continue the work on the standard within the newly created OASIS PKCS11 Technical Committee.[3] The following list contains significant revision information:

  • 01/1994: project launched
  • 04/1995: v1.0 published
  • 12/1997: v2.01 published
  • 12/1999: v2.10 published
  • 01/2001: v2.11 published
  • 06/2004: v2.20 published[4]
  • 12/2005: amendments 1 & 2 (one-time password tokens, CT-KIP[5])
  • 01/2007: amendment 3 (additional mechanisms)
  • 09/2009: v2.30 draft published for review, but final version never published
  • 12/2012: RSA announces that PKCS #11 management is being transitioned to OASIS[6]
  • 03/2013: OASIS PKCS #11 Technical Committee inaugural meetings, work starts on v2.40[7]
  • 04/2015: OASIS PKCS #11 v2.40 specifications become approved OASIS standards[8]
  • 05/2016: OASIS PKCS #11 v2.40 Errata 01 specifications become approved OASIS errata[9]
  • 07/2020: OASIS PKCS #11 v3.0 specifications become approved OASIS standards[10]
  • 07/2023: OASIS PKCS #11 v3.1 specifications become approved OASIS standards[11]

References

  1. Dieter Bong; Tony Cox, eds. (2023-07-23). "PKCS #11 Specification Version 3.1". OASIS. Retrieved 2024-08-29. https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/os/pkcs11-spec-v3.1-os.html

  2. Paul Knight, ed. (2023-08-10). "Two PKCS #11 OASIS Standards published". OASIS. Retrieved 2025-01-05. https://www.oasis-open.org/2023/08/10/two-pkcs-11-oasis-standards-published/

  3. "OASIS Enhances Popular Public-Key Cryptography Standard, PKCS #11, for Mobile and Cloud". OASIS. 26 March 2013. Retrieved 2016-08-24. https://www.oasis-open.org/news/pr/oasis-enhances-popular-public-key-cryptography-standard-pkcs-11-for-mobile-and-cloud

  4. Dieter Bong; Tony Cox, eds. (2023-07-23). "PKCS #11 Specification Version 3.1". OASIS. Retrieved 2024-08-29. https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/os/pkcs11-spec-v3.1-os.html

  5. "CT-KIP: Cryptographic Token Key Initialization Protocol". RSA Security. Archived from the original on 2017-04-17. https://web.archive.org/web/20170417085140/https://www.emc.com/emc-plus/rsa-labs/standards-initiatives/cryptographic-token-key-initialization-protocol.htm

  6. Griffin, Bob (2012-12-26). "Re-invigorating the PKCS #11 Standard". Archived from the original on 2013-05-25. https://web.archive.org/web/20130525002555/http://blogs.rsa.com/re-invigorating-the-pkcs-11-standard/

  7. "OASIS PKCS 11 TC Public Documents". OASIS. Retrieved 2020-01-16. https://www.oasis-open.org/committees/documents.php?wg_abbrev=pkcs11

  8. "#PKCS #11 Cryptographic Token Interface Base Specification, Interface Profiles, Current Mechanisms Specification, and Historical Mechanisms Specification Versions 2.40 become OASIS Standards". OASIS. 15 April 2015. Retrieved 2016-08-24. https://www.oasis-open.org/news/announcements/pkcs-11-cryptographic-token-interface-base-specification-interface-profiles-curre

  9. "#PKCS 11 V2.40 Approved Erratas published by PKCS 11 TC". OASIS. 28 June 2016. Retrieved 2016-08-24. https://www.oasis-open.org/news/announcements/pkcs-11-v2-40-approved-erratas-published-by-pkcs-11-tc

  10. "#PKCS #11 Cryptographic Token Interface Base Specification, Interface Profiles, Current Mechanisms Specification, and Historical Mechanisms Specification Versions 3.0 become OASIS Standards". OASIS. 22 July 2020. Retrieved 2020-07-23. https://www.oasis-open.org/2020/07/22/four-pkcs-11-oasis-standards-published/

  11. Paul Knight, ed. (2023-08-10). "Two PKCS #11 OASIS Standards published". OASIS. Retrieved 2025-01-05. https://www.oasis-open.org/2023/08/10/two-pkcs-11-oasis-standards-published/