PKCS 11
In cryptography, PKCS #11 is one of the Public-Key Cryptography Standards,[1] and also refers to the programming interface to create and manipulate cryptographic tokens (a token where the secret is a cryptographic key).
Detail
The PKCS #11 standard defines a platform-independent API to cryptographic tokens, such as hardware security modules (HSM) and smart cards, and names the API itself "Cryptoki" (from "cryptographic token interface" and pronounced as "crypto-key", although "PKCS #11" is often used to refer to the API as well as the standard that defines it).
The API defines most commonly used cryptographic object types (RSA keys, X.509 certificates, DES/Triple DES keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects.
Usage
Most commercial certificate authority (CA) software uses PKCS #11 to access the CA signing key[clarification needed] or to enroll user certificates. Cross-platform software that needs to use smart cards uses PKCS #11, such as Mozilla Firefox and OpenSSL (using an extension). It is also used to access smart cards and HSMs. Software written for Microsoft Windows may use the platform specific MS-CAPI API instead. Both Oracle Solaris and Red Hat Enterprise Linux contain implementations for use by applications, as well.
Relationship to KMIP
The Key Management Interoperability Protocol (KMIP) defines a wire protocol that has similar functionality to the PKCS#11 API.
The two standards were originally developed independently but are now both governed by an OASIS technical committee. It is the stated objective of both the PKCS#11 and KMIP committees to align the standards where practicable. For example, the PKCS#11 Sensitive and Extractable attributes are being added to KMIP version 1.4. There is considerable overlap between members of the two technical committees.
History
The PKCS#11 standard originated from RSA Security along with its other PKCS standards in 1994. In 2013, RSA contributed the latest draft revision of the standard (PKCS#11 2.30) to OASIS to continue the work on the standard within the newly created OASIS PKCS11 Technical Committee.[2] The following list contains significant revision information:
- 01/1994: project launched
- 04/1995: v1.0 published
- 12/1997: v2.01 published
- 12/1999: v2.10 published
- 01/2001: v2.11 published
- 06/2004: v2.20 published[1]
- 12/2005: amendments 1 & 2 (one-time password tokens, CT-KIP [3])
- 01/2007: amendment 3 (additional mechanisms)
- 09/2009: v2.30 draft published for review, but final version never published
- 12/2012: RSA announce that PKCS #11 management is being transitioned to OASIS[4]
- 03/2013: OASIS PKCS #11 Technical Committee Inaugural meetings, works starts on v2.40 [5]
- 04/2015: OASIS PKCS #11 v2.40 specifications become approved OASIS standards [6]
- 05/2016: OASIS PKCS #11 v2.40 Errata 01 specifications become approved OASIS errata [7]
- 07/2020: OASIS PKCS #11 v3.0 specifications become approved OASIS standards [8]
See also
References
- ↑ 1.0 1.1 Susan Gleeson; Chris Zimman, eds (2015-04-14). "PKCS #11 Cryptographic Token Interface Base Specification Version 2.40". OASIS. https://www.oasis-open.org/standards#pkcs11-base-v2.40.
- ↑ "OASIS Enhances Popular Public-Key Cryptography Standard, PKCS #11, for Mobile and Cloud". OASIS. 26 March 2013. https://www.oasis-open.org/news/pr/oasis-enhances-popular-public-key-cryptography-standard-pkcs-11-for-mobile-and-cloud.
- ↑ "CT-KIP: Cryptographic Token Key Initialization Protocol". RSA Security. https://www.emc.com/emc-plus/rsa-labs/standards-initiatives/cryptographic-token-key-initialization-protocol.htm.
- ↑ Griffin, Bob (2012-12-26). "Re-invigorating the PKCS #11 Standard". https://blogs.rsa.com/re-invigorating-the-pkcs-11-standard/.
- ↑ "OASIS PKCS 11 TC Public Documents". OASIS. https://www.oasis-open.org/committees/documents.php?wg_abbrev=pkcs11.
- ↑ "#PKCS #11 Cryptographic Token Interface Base Specification, Interface Profiles, Current Mechanisms Specification, and Historical Mechanisms Specification Versions 2.40 become OASIS Standards". OASIS. 15 April 2015. https://www.oasis-open.org/news/announcements/pkcs-11-cryptographic-token-interface-base-specification-interface-profiles-curre.
- ↑ "#PKCS 11 V2.40 Approved Erratas published by PKCS 11 TC". OASIS. 28 June 2016. https://www.oasis-open.org/news/announcements/pkcs-11-v2-40-approved-erratas-published-by-pkcs-11-tc.
- ↑ "#PKCS #11 Cryptographic Token Interface Base Specification, Interface Profiles, Current Mechanisms Specification, and Historical Mechanisms Specification Versions 3.0 become OASIS Standards". OASIS. 22 July 2020. https://www.oasis-open.org/2020/07/22/four-pkcs-11-oasis-standards-published/.
External links
- RFC 7512 - The PKCS #11 URI Scheme
- PKCS#11: Cryptographic Token Interface Standard
- OASIS PKCS #11 Technical Committee home page
Original source: https://en.wikipedia.org/wiki/PKCS 11.
Read more |