What is PKCS#11?

Nick Smith | 30 November 2018

PKCS#11 defines an API to communicate with cryptographic security tokens such as smart cards, USB keys and Hardware Security Modules (HSMs). Also known as "Cryptoki", PKCS#11 is part of the Public Key Cryptography Standards.

PKCS#11 is a platform-independent API that can be used to manage and utilize cryptographic security hardware. Such hardware devices are often referred to as cryptographic tokens, hence the name "Cryptoki" (from Cryptographic Token Interface).

Cryptographic security hardware can include:

  • USB dongles
  • Smart cards
  • Hardware Security Modules (HSMs).

The PKCS#11 API allows for the management (creation, modification, deletion) of cryptographic objects on board the token, including:

  • RSA keys
  • X.509 Certificates
  • Symmetric keys (e.g., AES, 3DES)
  • Elliptic Curve Cryptography (ECC) keys

Software applications can call the API to use these objects for:

  • Encryption/decryption
  • Digital Signature calculation and verification

PKCS#11 in Application Software

PKCS#11 abstracts the specific details of the underlying communication between the application and the cryptographic hardware. A typical software application stack using PKCS#11 is shown below.

Application stack using PKCS#11 library, middleware and cryptographic PKI token hardware

The application calls the PKCS#11 API which is provided either by a vendor-specific library or a common PKCS#11 library which includes the functionality to communicate with hardware from a variety of vendors (eg, OpenSC).

Commonly the PKCS#11 implementation will use PC/SC to the communicate with the crypto hardware. PC/SC is a specification for integrating smart cards into computing environments. PC/SC support is built in to Windows since XP and a free implementation is available for Linux and Mac.

PKCS#11 Software Development

PKCS#11 is primarily a C API with reference header files available from OASIS (the OASIS PKCS11 Technical Committee took over maintenance of the PKCS#11 standard from RSA Security in 2013).

Ports and wrappers exist for other languages, including:

  • C/C++
    • Reference header files available from OASIS. The Microcosm PKI SDK includes the header files, C sample code and Windows binaries.
  • Java
    • Sun PKCS#11 provider (in package sun.security.pkcs11.SunPKCS11) which is included in Java SE.
    • IAIK PKCS#11 wrapper.
    • Examples of using both are included in the Microcosm PKI SDK.
  • C# and VB.NET
    • Wrappers exist but Microcosm does not endorse a specific one. A quick Google search will present several options.
  • Javascript
    • pkcs11.js lets you call cryptographic tokens directly from a web page using Javascript. This is included as part of the Microcosm PKI SDK.

Learn more about Microcosm PKI