PKCS #11
In cryptography, PKCS #11[1] is one of the family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories, that defines a platform-independent API to cryptographic tokens, such as Hardware Security Modules (HSM) and smart cards. (The PKCS #11 standard names the API "Cryptoki" which is an amalgamation of "cryptographic token interface" and is pronounced as "crypto-key", but "PKCS #11" is often used to refer to the API as well as the standard that defines it.)
Because no single standard governs cryptographic tokens themselves, the API was designed as an abstraction layer over a generic cryptographic token. The PKCS #11 API defines the most commonly used cryptographic object types (RSA keys, X.509 certificates, DES/Triple DES keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects.
PKCS #11 is widely adopted for accessing smart cards and HSMs. Most commercial Certification Authority (CA) software uses PKCS #11 to access the CA signing key or to enroll user certificates. Cross-platform software that needs to use smart cards, such as Mozilla Firefox and OpenSSL (via an engine extension), uses PKCS #11. Software written for Microsoft Windows may use the platform-specific MS-CAPI API instead.
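The object types and functions mentioned above are driven by attribute templates: every key is a set of CKA_* attributes, and two of them, CKA_SENSITIVE and CKA_EXTRACTABLE, decide whether a private key can ever leave the token. The following added example (not part of this article or of any project it lists) builds an RSA key-pair template that pins the private half to the token and audits existing private keys for those two attributes; the attribute codes are the numeric values from the PKCS #11 specification, the token-side function uses the PyKCS11 wrapper listed further down, and the module path and PIN are placeholders.

```python
"""PKCS #11 key-policy helpers: non-extractable key templates and an attribute audit."""
# Attribute / class codes as defined in the PKCS #11 specification (same ints PyKCS11 exposes).
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL = 0x000, 0x001, 0x002, 0x003
CKA_KEY_TYPE, CKA_SENSITIVE, CKA_EXTRACTABLE = 0x100, 0x103, 0x162
CKA_MODULUS_BITS, CKA_PUBLIC_EXPONENT, CKA_SIGN, CKA_VERIFY = 0x121, 0x122, 0x108, 0x10A
CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKK_RSA = 0x2, 0x3, 0x0


def rsa_keypair_templates(label, bits=2048):
    """Templates for C_GenerateKeyPair. The private half is token-resident, sensitive and
    non-extractable, so C_GetAttributeValue and C_WrapKey can never export its material."""
    pub = [(CKA_CLASS, CKO_PUBLIC_KEY), (CKA_KEY_TYPE, CKK_RSA), (CKA_TOKEN, True),
           (CKA_LABEL, label), (CKA_MODULUS_BITS, bits),
           (CKA_PUBLIC_EXPONENT, (0x01, 0x00, 0x01)), (CKA_VERIFY, True)]
    priv = [(CKA_CLASS, CKO_PRIVATE_KEY), (CKA_KEY_TYPE, CKK_RSA), (CKA_TOKEN, True),
            (CKA_PRIVATE, True), (CKA_LABEL, label), (CKA_SIGN, True),
            (CKA_SENSITIVE, True), (CKA_EXTRACTABLE, False)]
    return pub, priv


def key_findings(label, attrs):
    """attrs maps CKA_* codes to the values read back for one private-key object.
    Returns the list of policy problems (empty when the key can never leave the token)."""
    problems = []
    if not attrs.get(CKA_SENSITIVE, False):
        problems.append(f"{label}: CKA_SENSITIVE is false (private values readable)")
    if attrs.get(CKA_EXTRACTABLE, True):
        problems.append(f"{label}: CKA_EXTRACTABLE is true (key can be wrapped off-token)")
    return problems


def audit_token(module_path, pin):
    """Walk every private key on the first token present and report policy findings.
    Needs a real PKCS #11 module (vendor .so/.dll) at module_path; comments name the C calls."""
    import PyKCS11  # imported here so the pure checks above run without a token installed
    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)                                        # C_Initialize
    slot = lib.getSlotList(tokenPresent=True)[0]                 # C_GetSlotList
    session = lib.openSession(slot, PyKCS11.CKF_SERIAL_SESSION)  # C_OpenSession
    session.login(pin)                                           # C_Login as CKU_USER
    findings = []
    for obj in session.findObjects([(CKA_CLASS, CKO_PRIVATE_KEY)]):   # C_FindObjects*
        label, sens, extr = session.getAttributeValue(
            obj, [CKA_LABEL, CKA_SENSITIVE, CKA_EXTRACTABLE])        # C_GetAttributeValue
        findings += key_findings(label, {CKA_SENSITIVE: sens, CKA_EXTRACTABLE: extr})
    session.logout()                                             # C_Logout
    session.closeSession()                                       # C_CloseSession
    return findings


if __name__ == "__main__":
    print(audit_token("/path/to/vendor-pkcs11-module.so", "PLACEHOLDER-PIN"))
```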
History
- 01/1994: project launched
- 04/1995: v1.0 published
- 12/1997: v2.01 published
- 12/1999: v2.10 published
- 06/2004: v2.20 published
- 12/2005: amendments 1 & 2 (one-time password tokens, CT-KIP [2])
- 01/2007: amendment 3 (additional mechanisms)
Applications using PKCS #11
- FreeOTFE - Disk encryption system (PKCS #11 can be used either to encrypt the critical data block or as keyfile storage)
- Mozilla Firefox, a web browser
- Mozilla Thunderbird, an email client
- OpenDNSSEC, a DNSSEC signer
- OpenSSL - TLS/SSL library (with engine_pkcs11)
- GnuTLS - TLS/SSL library
- OpenVPN - VPN system
- StrongSwan - VPN system
- TrueCrypt - Disk encryption system (PKCS #11 only used as trivial keyfile storage)
- TrouSerS - An open-source TCG Software Stack
- OpenSC - smartcard library
- OpenSSH - a Secure Shell implementation (since OpenSSH version 5.4)
- KiTTY - a fork of the popular PuTTY SSH client implementing PKCS #11
- XCA - An open source certificate authority management application (see http://xca.sourceforge.net/)
- CryptoTerm - a closed-source Windows SSH client that is free for personal use
- OpenDS - an open source directory server.
- GNOME Keyring - a password and cryptographic key manager.
PKCS #11 wrappers
Since PKCS #11 is a complex C API many wrappers exist that let the developer use the API from various languages.
- NCryptoki - .NET (C# and VB.NET) and Visual Basic 6 wrapper for PKCS #11 API
- PyKCS11 - A wrapper for Python
- Another wrapper for Python
- Java 5.0 includes a wrapper for PKCS #11 API
- pkcs11-helper - A simple open source C interface to handle PKCS #11 tokens.
- SDeanComponents - Delphi wrapper for PKCS #11 API
- jacknji11 - Java wrapper using Java Native Access (JNA)
- ruby-pkcs11 - Ruby binding for PKCS #11 API
- pkcs11.net - .NET wrapper for PKCS #11 API
- oracle.com/solaris - Oracle Solaris Cryptographic Framework
Other Implementations
- Java: included as part of the Java Cryptography Architecture (JCA) and the Java Cryptography Extension (JCE) since version 5 (JDK 1.5)
External Links
- Cryptsoft page on PKCS #11
- Using PKCS #11 with Java, Part 1
- Using PKCS #11 with Java, Part 2 (RSA generation)
Wikimedia Foundation. 2010.