Questions tagged [pkcs11]

PKCS #11 (Public-Key Cryptography Standard 11) defines a platform-independent API, called Cryptoki, to cryptographic tokens such as hardware security modules (HSMs) and smart cards.

Public-Key Cryptography Standard number 11 is one of the family of standards called Public-Key Cryptography Standards (PKCS). It defines a platform-independent API to cryptographic tokens, such as hardware security modules (HSM) and smart cards.

The PKCS #11 standard names the API "Cryptoki" which is an amalgamation of "cryptographic token interface" and is pronounced as "crypto-key", but "PKCS #11" is often used to refer to the API as well as the standard that defines it.

40 questions
11
votes
1 answer

CKM_RSA_PKCS vs CKM_RSA_X_509 mechanisms in PKCS#11

What is the exact difference between the CKM_RSA_PKCS and CKM_RSA_X_509 mechanisms in the PKCS#11 v2.20 specification (Please explain with an example)?
Ehsan Khodarahmi
9
votes
5 answers

Source for PKCS#11 Header Files

Is there a known authoritative source for the ANSI C header files for PKCS#11 Cryptoki? Specifically, I am having trouble locating pkcs11.h, pkcs11t.h, and pkcs11f.h for v2.30 and v2.40. Are there known MD5 or SHA hashes for these files?
user25339
5
votes
2 answers

Smart Card - Entropy during on-board public key generation

I know that some (advanced) smart cards or tokens allow generating a key pair directly on the device, but I wonder how the card can gather entropy during the process. Any idea?
crypto-learner
5
votes
1 answer

What are options to compute DES retail MAC (aka ISO 9797-1 mode 3) under PKCS#11?

The DES retail MAC, also known as ISO 9797-1 mode 3 with DES, computes the MAC of a block of data using a 16-byte (112 bit) key. It can be seen as CBC-MAC using simple DES with the first half of the key for all the blocks, except the last where 3DES…
fgrieu
4
votes
1 answer

PKCS11: CKA_VALUE_LEN attribute and Unwrap key

In PKCS11 specification v2.40, we see some confusion with CKA_VALUE_LEN attribute and UnwrapKey behavior. From PKCS11 spec 2.40 section 2.8.2, 2 -> MUST not be specified when object is created with C_CreateObject. 3 -> MUST be specified when object…
4
votes
0 answers

Can CKM_RSA_PKCS signature be made secure by lowering its maximum input size?

The CKM_RSA_PKCS Mechanism in PKCS#11 is a signature scheme commonly used to implement RSASSA-PKCS1-v1_5 of PKCS#1 for data hashed externally to a PKCS#11 token (such as an HSM). Basically it is the (still extremely common) RSASSA-PKCS1-v1_5, except…
fgrieu
3
votes
3 answers

What is the purpose of implementing cryptographic algorithms in a token?

In particular, in PKCS #11. Not a lot of information on the web; I found this explanation. Ignoring the empty marketing talk like “heightened security” and “centralized and secure management”, I managed to extract the following benefits: secrets…
beroal
3
votes
0 answers

What is the proper return code for C_Login when a CKU_SO attempts to log into a non-initialized token?

Looking at the PKCS#11 2.4 spec, C_Login returns CKR_USER_PIN_NOT_INITIALIZED when a "normal user's PIN has not yet been initialized with C_InitPIN". However, I can not find anything that would be analogous to a situation when a user calls C_Login…
Mike
3
votes
1 answer

RSA hybrid decryption via PKCS#11 - unwrap or decrypt?

I have an application that does RSA hybrid encryption/decryption – i.e., messages are encrypted with a fresh AES key, which is then itself encrypted with RSA-OAEP and sent with the message. Decryption then does the reverse. I want to now provide…
Neil Madden
3
votes
1 answer

How can CKA_TRUSTED be set to true?

I'm confused by the wording of the PKCS#11 v2.40 specification in terms of when CKA_TRUSTED can be set to true on a public key certificate object: The CKA_TRUSTED attribute cannot be set to CK_TRUE by an application. It MUST be set by a token …
Mike
3
votes
0 answers

Limit the number of private key uses for RSASSA-PKCS1-v1_5 with SHA-256 signature?

Assuming all messages and their signatures are available to the attacker, is it secure to use the same RSA private key to sign many messages (roughly $10^{6}$) via PKCS#11 CKM_SHA256_RSA_PKCS using a reasonably long (i.e. 2048 bit) key? For…
vlp
3
votes
1 answer

How do SignRecover and VerifyRecover work?

In PKCS#11, there are the SignRecover and VerifyRecover methods, where the data can be recovered from the signature. How do these methods work? Can I implement signrecover and verifyrecover with openssl?
3
votes
1 answer

Why is C_digest defined in PKCS#11?

Digesting doesn't require any key and can be performed on the client side. Why does the PKCS#11 token interface standard have a C_digest method? For example, why should I send my data to a PKCS11 HSM whereas I can do this in my client?
2
votes
1 answer

Why is data signed with SHA256-RSA-PKCS and digest signed with RSA-PKCS different?

I need to sign some data using RSA. I have the digest that I can sign but the signature turns out different from the signing source data. There is data in data.bin and its sha256 digest in digest.bin $ xxd -p -c32…
Margus Pala
2
votes
1 answer

OID for Ed25519

I am working on a code generating Edwards curve (Ed25519) keys in a HSM using PKCS#11 API. In the public key template the CKA_EC_PARAMS uses an OID to specify the curve. The encoding for Ed25519 is 06 09 2B 06 01 04 01 DA 47 0F 01. I understand the…
Peter