What is PKCS#11?
PKCS#11 defines an API to communicate with cryptographic security tokens such as smart cards, USB keys and Hardware Security Modules (HSMs). Also known as "Cryptoki", PKCS#11 is part of the Public Key Cryptography Standards.
PKCS#11 is a platform-independant API that can be used to manage and consume cryptographic security tokens.
The API allows for the management (creation, modification, deletion) of cryptographic objects on-board the token, including:
- RSA keys
- X.509 Certificates
- Symmetric keys (e.g., AES, 3DES)
- Elliptic Curve Cryptography (ECC) keys
Software applications can call the API to use these objects for:
- Digital Signature calculation and verification
PKCS#11 abstracts the specifics of the underlying communication between the application and the token. A typical application software stack using PKCS#11 is shown below.