PKCS #11: Cryptographic Token Interface Standard
This standard specifies an API, called Cryptoki, to devices which hold cryptographic information and perform cryptographic functions. Cryptoki, pronounced crypto-key and short for cryptographic token interface, follows a simple object-based approach, addressing the goals of technology independence (any kind of device) and resource sharing (multiple applications accessing multiple devices), presenting to applications a common, logical view of the device called a cryptographic token.
The draft Version 2.30 of the PKCS #11 specification is now available for 30-day public review. The public review will continue through Wednesday 28-Oct-2009. Please send all comments to email@example.com.
- PKCS #11 V2.30 specification front matter (Acrobat PDF)
- PKCS #11 V2.30 core specification (Acrobat PDF)
- PKCS #11 V2.30 mechanisms part 1 (Acrobat PDF)
- PKCS #11 V2.30 mechanisms part 2 (Acrobat PDF)
The presentation on PKCS #11 V2.30 given at RSA Conference 2009 is also available (Acrobat PDF).
- Conformance profile of PKCS #11 v2.11 for mobile devices; MS-Word, Acrobat pdf
- PKCS #11: Conformance Profile Specification; MS-Word, Acrobat pdf
- PKCS #11 v2.20 MS-Word (2.8mb), Acrobat pdf (1.2mb)
- Errata for PKCS #11 v2.20 (txt)
- Header files for PKCS #11 v2.20 (disclaimer):
- PKCS #11 v2.20 Amendment 1: PKCS #11 mechanisms for One-Time Password Tokens Acrobat PDF Acrobat pdf
- Header file for PKCS #11 v2.20 Amendment 1 (disclaimer)
- PKCS #11 v2.20 Amendment 2: PKCS #11 Mechanisms for the Cryptographic Token Key Initialization Protocol Acrobat pdf
- Header file for PKCS #11 v2.20 Amendment 2 (disclaimer)
- PKCS #11 v2.20 Amendment 3: Additional PKCS #11 mechanisms; Acrobat pdf
- Header file for PKCS #11 v2.20 Amendment 3 (disclaimer).
- PKCS #11 v2.11 MS-Word (1.9mb), Acrobat pdf (1mb)
- Amendment 1 to PKCS #11 v2.11 MS-Word (122K), Acrobat pdf (301K)
- Errata for PKCS #11 v2.11 (txt)
- Header files for PKCS #11 v2.11 (disclaimer): cryptoki.h, pkcs11.h, pkcs11f.h, pkcs11t.h
- Version 2.10; MS-Word (1.5mb), Acrobat pdf (1.2mb), PostScript (11.2mb)
- Header files for PKCS #11 v2.10 (disclaimer): pkcs11.h, pkcs11f.h, pkcs11t.h
- Version 2.01: MS-Word, Acrobat .pdf, zipped ms-word, and zipped Acrobat .pdf.
- Version 2.01 with changes shown from Version 2.0 initial draft: MS-Word and zipped MS-Word
- Version 2.01 Include Files (disclaimer): pkcs11.h (top level include file), pkcs11f.h and pkcs11t.h
- Version 2.01 errata: ascii
- Version 2.0 (unsupported) initial draft (14 April 1997) MS-Word, and Acrobat .pdf
- Version 2.0 (unsupported) second draft (2 July 1997) MS-Word, and Acrobat .pdf
- Version 2.0 Include Files (disclaimer): pkcs11.h (top level include file), pkcs11f.h and pkcs11t.h
- Version 1.0: MS-Word, .ps, and .ps.gz
- Version 1.0 Include File (disclaimer): ascii
- Version 1.0 errata: ascii and ms-word
- Version 2.01: Presentations from '98 workshop: Matt Wood of Intel (PowerPoint), Mike Hamann of IBM Laboratory (ms-word).
- Version 2.01: PowerPoint presentations from '97 workshop: Chris Thorpe of TIS, Matt Wood of Intel
- Version 1.0: workshop summary from July '96 PKCS 11 / Cryptoki workshop: ascii
Links to Implementations
- PKCS #11 v2.10 is based on drafts contributed by Matt Wood of Intel, provided with contribution letters: Draft 1, Draft 2, Draft 3, Final
Regarding the header / include files:
License to copy and use this software is granted provided that it is identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki)" in all material mentioning or referencing this software or this function.
License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki)" in all material mentioning or referencing the derived work.
This software is provided “AS IS” and RSA Security, Inc. disclaims all warranties including but not limited to the implied warranty of merchantability, fitness for a particular purpose, and noninfringement.
Regarding reference implementations:
RSA Laboratories is providing links to external reference implementations for the benefit of PKCS #11 developers. RSA Laboratories has not verified or reviewed these implementations and therefore can make no statement regarding their conformance to the current PKCS #11 specification. RSA Laboratories also makes no representations regarding intellectual property coverage or ownership of the reference implementations. The implementations may also be subject to regulations on the import, export and/or use of cryptography. Resolution of these issues is the responsibility of the user.
- 7.1 What is probabilistic encryption?
- Contribution Agreements: Draft 1
- Contribution Agreements: Draft 2
- 7.2 What are special signature schemes?
- 7.3 What is a blind signature scheme?
- Contribution Agreements: Draft 3
- Contribution Agreements: Final
- 7.4 What is a designated confirmer signature?
- 7.5 What is a fail-stop signature scheme?
- 7.6 What is a group signature?
- 7.7 What is a one-time signature scheme?
- 7.8 What is an undeniable signature scheme?
- 7.9 What are on-line/off-line signatures?
- 7.10 What is OAEP?
- 7.11 What is digital timestamping?
- 7.12 What is key recovery?
- 7.13 What are LEAFs?
- 7.14 What is PSS/PSS-R?
- 7.15 What are covert channels?
- 7.16 What are proactive security techniques?
- 7.17 What is quantum computing?
- 7.18 What is quantum cryptography?
- 7.19 What is DNA computing?
- 7.20 What are biometric techniques?
- 7.21 What is tamper-resistant hardware?
- 7.22 How are hardware devices made tamper-resistant?