PKCS#11: Cryptographic Token Interface Standard
This document specifies the data types and functions available to an application written in ANSI C that requires cryptographic services. These data types and functions will be provided as a C header file by the supplier of a Cryptoki library. A separate document provides a generic, programming-language-independent Cryptoki interface. Additional documents will provide bindings between Cryptoki and other programming languages.
Cryptoki isolates an application from the details of the cryptographic device. The application does not have to change in order to work with a different type of device or to run in a different environment; the application is therefore portable. How Cryptoki provides this isolation is beyond the scope of this document, though some conventions for the support of multiple types of device will be addressed in a separate document.
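As an added illustration of the two points above (the interface is delivered as C data types and functions, and the application is isolated from the particular device), the following program, which is not part of the specification, loads any Cryptoki library by file path at run time, fetches its function list, and reports what C_GetInfo returns. Switching to a different token means passing a different library path; the application code is unchanged. The type declarations are a hand-written subset assumed to match the layout of the standard pkcs11.h header on Unix-like platforms (a real application includes the vendor-supplied header instead), and the helpers `cryptoki_load` and `ck_field_to_cstr`, with their return codes, are this example's own and not part of the Cryptoki API. The trimming of blank padding relies on the standard's convention that character-string fields in structures such as CK_INFO are padded with blanks rather than NUL-terminated.

```c
/* Added example, not part of the PKCS #11 specification: load a Cryptoki
 * library by path, obtain its function list and print C_GetInfo() output.
 * Type declarations below are an assumed ABI-compatible subset of pkcs11.h. */
#define _POSIX_C_SOURCE 200809L
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char CK_BYTE;
typedef unsigned char CK_UTF8CHAR;
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef CK_ULONG CK_FLAGS;
typedef void *CK_VOID_PTR;
#define CKR_OK 0UL

typedef struct CK_VERSION { CK_BYTE major; CK_BYTE minor; } CK_VERSION;

/* CK_INFO as filled in by C_GetInfo; the string fields are blank-padded. */
typedef struct CK_INFO {
    CK_VERSION  cryptokiVersion;
    CK_UTF8CHAR manufacturerID[32];
    CK_FLAGS    flags;
    CK_UTF8CHAR libraryDescription[32];
    CK_VERSION  libraryVersion;
} CK_INFO;

/* Only the leading entries of CK_FUNCTION_LIST are declared here. The prefix
 * layout is the same as in the full structure, so the later pointers that
 * this program never touches can be left out of the declaration. */
typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
typedef CK_RV (*CK_C_Initialize)(CK_VOID_PTR pInitArgs);
typedef CK_RV (*CK_C_Finalize)(CK_VOID_PTR pReserved);
typedef CK_RV (*CK_C_GetInfo)(CK_INFO *pInfo);
typedef CK_RV (*CK_C_GetFunctionList)(CK_FUNCTION_LIST **ppFunctionList);
struct CK_FUNCTION_LIST {
    CK_VERSION           version;
    CK_C_Initialize      C_Initialize;
    CK_C_Finalize        C_Finalize;
    CK_C_GetInfo         C_GetInfo;
    CK_C_GetFunctionList C_GetFunctionList;
    /* further entry points follow in the real header */
};

/* Copy a blank-padded PKCS #11 string field of n bytes into out (at least n+1
 * bytes), dropping trailing blanks and NUL-terminating. Returns the length. */
size_t ck_field_to_cstr(const CK_UTF8CHAR *field, size_t n, char *out) {
    size_t len = n;
    while (len > 0 && field[len - 1] == ' ') len--;
    memcpy(out, field, len);
    out[len] = '\0';
    return len;
}

/* Example helper (not a Cryptoki function): open a library and resolve its
 * function list. Returns 0 on success, -1 if the file cannot be loaded,
 * -2 if it does not export C_GetFunctionList, -3 if that call fails. */
int cryptoki_load(const char *path, void **handle_out, CK_FUNCTION_LIST **fl_out) {
    void *handle = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (handle == NULL) return -1;
    CK_C_GetFunctionList get_list =
        (CK_C_GetFunctionList)dlsym(handle, "C_GetFunctionList");
    if (get_list == NULL) { dlclose(handle); return -2; }
    CK_FUNCTION_LIST *fl = NULL;
    if (get_list(&fl) != CKR_OK || fl == NULL) { dlclose(handle); return -3; }
    *handle_out = handle;
    *fl_out = fl;
    return 0;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s /path/to/cryptoki-library.so\n", argv[0]);
        return 2;
    }
    void *handle = NULL;
    CK_FUNCTION_LIST *fl = NULL;
    int rc = cryptoki_load(argv[1], &handle, &fl);
    if (rc != 0) {
        fprintf(stderr, "load failed (%d): %s\n", rc,
                rc == -1 ? dlerror() : "not a usable Cryptoki library");
        return 1;
    }
    /* NULL init args: no locking callbacks, single-threaded use of the library. */
    CK_RV rv = fl->C_Initialize(NULL);
    if (rv != CKR_OK) {
        fprintf(stderr, "C_Initialize failed: 0x%lx\n", rv);
        dlclose(handle);
        return 1;
    }
    CK_INFO info;
    memset(&info, 0, sizeof info);
    rv = fl->C_GetInfo(&info);
    if (rv == CKR_OK) {
        char manuf[33], desc[33];
        ck_field_to_cstr(info.manufacturerID, 32, manuf);
        ck_field_to_cstr(info.libraryDescription, 32, desc);
        printf("Cryptoki %u.%u  %s: %s (library %u.%u)\n",
               (unsigned)info.cryptokiVersion.major, (unsigned)info.cryptokiVersion.minor,
               manuf, desc,
               (unsigned)info.libraryVersion.major, (unsigned)info.libraryVersion.minor);
    } else {
        fprintf(stderr, "C_GetInfo failed: 0x%lx\n", rv);
    }
    fl->C_Finalize(NULL);
    dlclose(handle);
    return rv == CKR_OK ? 0 : 1;
}
```

Run it with the path of any Cryptoki library, for instance a software token such as SoftHSM's libsofthsm2.so, then with a hardware vendor's library: the program itself does not change, which is the isolation the paragraph above describes. Loading by explicit path rather than by bare name also avoids picking up an unintended library from the loader's search path, a point worth keeping in mind for anything that handles keys.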
The set of cryptographic mechanisms (algorithms) supported in this version is somewhat limited, but new mechanisms can easily be added without changing the general interface. It is expected that additional mechanisms will be published from time to time in separate documents. It is also possible for token vendors to define their own mechanisms (although, for interoperability, registration through the PKCS process is preferable).
Cryptoki is intended for cryptographic devices associated with a single user, so some features that would be included in a general-purpose interface are omitted. For example, Cryptoki does not have a means of distinguishing multiple "users." The focus is on a single user's keys and perhaps a small number of public-key certificates related to them. Moreover, the emphasis is on cryptography. While the device may perform useful non-cryptographic functions, such functions are left to other interfaces.