PKCS 11
In cryptography, PKCS #11 is a Public-Key Cryptography Standard that defines a C programming interface to create and manipulate cryptographic tokens that may contain secret cryptographic keys. It is often used to communicate with a Hardware Security Module or smart cards.
The PKCS #11 standard is managed by OASIS, with the current version being 3.1.
PKCS #11 is sometimes referred to as "Cryptoki".
The API defines most commonly used cryptographic object types and all the functions needed to use, create/generate, modify and delete those objects.
Usage
Most commercial certificate authority software uses PKCS #11 to access the CA signing key or to enroll user certificates. Cross-platform software that needs to use smart cards uses PKCS #11, such as Mozilla Firefox and OpenSSL. It is also used to access smart cards and HSMs. Software written for Microsoft Windows may use the platform-specific MS-CAPI API instead. Both Oracle Solaris and Red Hat Enterprise Linux contain implementations for use by applications, as well.
Relationship to KMIP
The Key Management Interoperability Protocol defines a wire protocol that has similar functionality to the PKCS #11 API. The two standards were originally developed independently but are now both governed by an OASIS technical committee. It is the stated objective of both the PKCS #11 and KMIP committees to align the standards where practicable. KMIP also has special operations that provide a complete standards-based wire protocol for PKCS #11.
There is considerable overlap between members of the two technical committees.
History
The PKCS #11 standard originated from RSA Security along with its other PKCS standards in 1994. In 2013, RSA contributed the latest draft revision of the standard to OASIS to continue the work on the standard within the newly created OASIS PKCS11 Technical Committee. The following list contains significant revision information:
- 01/1994: project launched
- 04/1995: v1.0 published
- 12/1997: v2.01 published
- 12/1999: v2.10 published
- 01/2001: v2.11 published
- 06/2004: v2.20 published
- 12/2005: amendments 1 & 2
- 01/2007: amendment 3
- 09/2009: v2.30 draft published for review, but final version never published
- 12/2012: RSA announces that PKCS #11 management is being transitioned to OASIS
- 03/2013: OASIS PKCS #11 Technical Committee inaugural meetings, work starts on v2.40
- 04/2015: OASIS PKCS #11 v2.40 specifications become approved OASIS standards
- 05/2016: OASIS PKCS #11 v2.40 Errata 01 specifications become approved OASIS errata
- 07/2020: OASIS PKCS #11 v3.0 specifications become approved OASIS standards
- 07/2023: OASIS PKCS #11 v3.1 specifications become approved OASIS standards