Cryptographic Token Interface Standard

PKCS#11


Principles of Operation

Figure 4: PKCS #11 and CT-KIP integration

Figure 3 shows an integration of PKCS #11 into an application that generates cryptographic keys through the use of CT-KIP. The application invokes C_DeriveKey to derive a key of a particular type on the token. The key may subsequently be used as a basis for, e.g., generating one-time password values. The application communicates with a CT-KIP server that participates in the key derivation and stores a copy of the key in its database. The key is transferred to the server in wrapped form, after a call to C_WrapKey. The server authenticates itself to the client, and the client verifies the authentication by calls to C_Verify.
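The call sequence described above can be modelled in a few lines of Python; this is an added illustration, not code from the PKCS #11 specification or from any token or server implementation. Assumptions: HMAC-SHA256 stands in for the CT-KIP PRF, an XOR keystream under a pre-shared transport key stands in for the wrapping mechanism, and all class, method and label names are hypothetical.

```python
import hashlib, hmac, secrets

def prf(key: bytes, label: bytes, n: int = 32) -> bytes:
    """Stand-in PRF (HMAC-SHA256 in counter mode); NOT the real CT-KIP-PRF."""
    out, ctr = b"", 1
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big") + label, hashlib.sha256).digest()
        ctr += 1
    return out[:n]

class Token:
    """Hypothetical token model: the key only leaves in wrapped form."""
    def __init__(self, transport_key: bytes):
        self._transport = transport_key  # assumed pre-shared with the server
        self._key = None

    def derive_key(self, server_nonce: bytes) -> None:        # models C_DeriveKey
        client_nonce = secrets.token_bytes(16)                # token's own randomness
        self._key = prf(client_nonce, b"key generation" + server_nonce)

    def wrap_key(self) -> bytes:                              # models C_WrapKey
        iv = secrets.token_bytes(16)
        stream = prf(self._transport, b"wrap" + iv, len(self._key))
        return iv + bytes(a ^ b for a, b in zip(self._key, stream))

    def verify(self, transcript: bytes, mac: bytes) -> bool:  # models C_Verify
        return hmac.compare_digest(prf(self._key, b"server mac" + transcript), mac)

class Server:
    """Hypothetical CT-KIP server model: contributes a nonce, stores the key."""
    def __init__(self, transport_key: bytes):
        self._transport = transport_key
        self.nonce = secrets.token_bytes(16)  # server's part in the derivation
        self.db = {}

    def store_and_authenticate(self, token_id: str, wrapped: bytes) -> bytes:
        iv, body = wrapped[:16], wrapped[16:]
        stream = prf(self._transport, b"wrap" + iv, len(body))
        key = bytes(a ^ b for a, b in zip(body, stream))      # unwrap
        self.db[token_id] = key                               # copy kept in database
        return prf(key, b"server mac" + self.nonce + wrapped) # proof of key possession

def run_exchange(token_transport: bytes, server_transport: bytes) -> bool:
    """Run derive -> wrap -> server MAC -> verify; True if the server is accepted."""
    token, server = Token(token_transport), Server(server_transport)
    token.derive_key(server.nonce)
    wrapped = token.wrap_key()
    mac = server.store_and_authenticate("token-1", wrapped)
    return token.verify(server.nonce + wrapped, mac)
```

A server that does not hold the matching transport key unwraps to a different key, so its MAC fails the verification step and the client should discard the derived key rather than use it.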


RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v230mechanism1