What is PKCS #11?

PKCS #11 is a popular cryptographic standard for supporting cryptographic hardware. It defines a platform-independent API called Cryptoki for accessing cryptographic devices such as hardware security modules (HSMs). With this API, applications address these cryptographic devices through so-called tokens and perform the cryptographic functions that those tokens implement. The standard, first developed by RSA Laboratories in cooperation with representatives from industry, academia, and governments, is now an open standard led by the OASIS PKCS 11 Technical Committee.

PKCS #11 supports so-called hardware tokens, which may be cryptographic accelerators or hardware security modules (HSMs). The PKCS #11 standard is independent of any specific cryptographic hardware, yet accommodates many hardware-specific implementations, and it supports the use of multiple different token types at once. Because PKCS #11 is so widespread, many software products that perform cryptographic operations provide plug-in mechanisms which, when configured, redirect cryptographic functions to a PKCS #11 library. For example, the IBM® WebSphere® Application Server and the IBM HTTP Server can be configured to use a PKCS #11 library.

The Cryptoki API provides access to a number of so-called slots. A slot is a logical connection point for a cryptographic device (for example, an IBM Crypto Express adapter). Typically, a slot contains a token while a cryptographic device is connected to it. An application can connect to multiple tokens in a subset of those slots.

In addition, other cryptographic libraries can call PKCS #11 functions, for example the Java Cryptography Architecture (JCA), the IBM Global Security Kit (GSKit), GnuTLS, or, in the case of OpenSSL, a PKCS #11 engine such as the one from the OpenSC project.

Cryptoki abstracts the cryptographic device, that is, it makes each device look logically like every other device regardless of the implementation technology. Whether it is a specific hardware device that requires a special device driver or a solution based entirely on software (for example, a client for a cryptographic service), the Cryptoki API looks exactly the same. Hence, applications (and application programmers) interact only with Cryptoki; the concrete Cryptoki implementation takes care of the interaction with the selected token.

Cryptoki is typically implemented as a library supporting the functions in the interface, and applications are linked to that library. It follows an object-based approach, addressing the goals of technology independence (any kind of hardware device) and resource sharing. It also presents to applications a common, logical view of the device, called a cryptographic token. PKCS #11 assigns a slot ID to each token. An application using the Cryptoki API identifies the token that it wants to access by specifying the appropriate slot ID.
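The slot-to-token relationship described above, as an added example that is not part of this page: it loads a PKCS #11 library with ctypes, walks every slot that holds a token, and reports the slot ID, the token label and the flag bits an administrator checks before trusting a token (initialised, login required, user PIN locked). It assumes a module path on disk (for example a SoftHSM or opencryptoki shared library), the Unix, natively aligned layout of CK_TOKEN_INFO from pkcs11.h, and that the module exports the C_* functions directly rather than only through C_GetFunctionList.

```python
import ctypes
CKR_OK = 0x00000000                  # constants from the standard's pkcs11t.h
CKF_LOGIN_REQUIRED = 0x00000004      # CK_TOKEN_INFO.flags bits
CKF_TOKEN_INITIALIZED = 0x00000400
CKF_USER_PIN_LOCKED = 0x00040000
CK_ULONG = ctypes.c_ulong            # CK_ULONG is the platform's unsigned long

class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

class CK_TOKEN_INFO(ctypes.Structure):      # field order per the standard; natural alignment assumed
    _fields_ = ([("label", ctypes.c_ubyte * 32), ("manufacturerID", ctypes.c_ubyte * 32),
                 ("model", ctypes.c_ubyte * 16), ("serialNumber", ctypes.c_ubyte * 16),
                 ("flags", CK_ULONG)]
                + [(n, CK_ULONG) for n in ("ulMaxSessionCount", "ulSessionCount",
                   "ulMaxRwSessionCount", "ulRwSessionCount", "ulMaxPinLen", "ulMinPinLen",
                   "ulTotalPublicMemory", "ulFreePublicMemory", "ulTotalPrivateMemory",
                   "ulFreePrivateMemory")]
                + [("hardwareVersion", CK_VERSION), ("firmwareVersion", CK_VERSION),
                   ("utcTime", ctypes.c_ubyte * 16)])

def pad_str(field):
    # PKCS #11 strings are blank-padded to a fixed width, not NUL-terminated.
    return bytes(field).decode("utf-8", "replace").rstrip(" ")

def token_state(flags):
    # Flag bits to check before trusting a token: initialised, login enforced, user PIN locked.
    return {"initialized": bool(flags & CKF_TOKEN_INITIALIZED),
            "login_required": bool(flags & CKF_LOGIN_REQUIRED),
            "user_pin_locked": bool(flags & CKF_USER_PIN_LOCKED)}

def list_tokens(module_path):
    """Load a Cryptoki module and return (slot_id, label, state) for each slot holding a token."""
    lib = ctypes.CDLL(module_path)                 # assumed: a PKCS #11 shared library path
    for fn in (lib.C_Initialize, lib.C_Finalize, lib.C_GetSlotList, lib.C_GetTokenInfo):
        fn.restype = CK_ULONG                      # every Cryptoki function returns a CK_RV
    if (rv := lib.C_Initialize(None)) != CKR_OK:   # NULL: no application-supplied locking
        raise RuntimeError(f"C_Initialize failed: CKR 0x{rv:08x}")
    try:                                           # two-call pattern: size query, then fill
        count = CK_ULONG(0)
        lib.C_GetSlotList(ctypes.c_ubyte(1), None, ctypes.byref(count))   # tokenPresent=TRUE
        slots = (CK_ULONG * count.value)()
        lib.C_GetSlotList(ctypes.c_ubyte(1), slots, ctypes.byref(count))
        found = []
        for slot_id in slots[:count.value]:        # the slot ID is how an application names a token
            info = CK_TOKEN_INFO()
            if lib.C_GetTokenInfo(CK_ULONG(slot_id), ctypes.byref(info)) == CKR_OK:
                found.append((slot_id, pad_str(info.label), token_state(info.flags)))
        return found
    finally:
        lib.C_Finalize(None)
```

Call `list_tokens("/path/to/pkcs11-module.so")` to list the tokens a module exposes; a token that reports `login_required` as False or `user_pin_locked` as True deserves a closer look before an application is pointed at it.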

For more information about PKCS #11, refer to this URL:

PKCS #11 Cryptographic Token Interface Standard