PKCS#11: Cryptographic Token Interface Standard
This document specifies the data types and functions available to an application requiring cryptographic services using the ANSI C programming language. These data types and functions will be provided as a C header file by the supplier of a Cryptoki library. A separate document provides a generic, language-independent Cryptoki interface. Additional documents will provide bindings between Cryptoki and other programming languages.
Cryptoki isolates an application from the details of the cryptographic device. The application does not have to change to interface to a different type of device or to run in a different environment; thus, the application is portable. How Cryptoki provides this isolation is beyond the scope of this document, although some conventions for the support of multiple types of device will be addressed here and in a separate document.
A number of cryptographic mechanisms (algorithms) are supported in this version; in addition, new mechanisms can easily be added later without changing the general interface. It is possible that additional mechanisms will be published from time to time in separate documents. It is also possible for token vendors to define their own mechanisms (although, for the sake of interoperability, registration through the PKCS process is preferable).
Cryptoki v2.0 is intended for cryptographic devices associated with a single user, so some features that would be included in a general-purpose interface are omitted. For example, Cryptoki v2.0 does not have a means of distinguishing multiple "users". The focus is on a single user's keys and perhaps a small number of public-key certificates related to them. Moreover, the emphasis is on cryptography. While the device may perform useful non-cryptographic functions, such functions are left to other interfaces.