October 20, 2015

PKCS#11 Functionality Reports

When choosing an HSM or Smartcard to act as crypto provider for a PKCS#11 application, it’s important that the provider actually supports the specific cryptographic algorithms (or “mechanisms” in PKCS#11 terminology) required for the commands that the application will use. What’s more, if the device offers insecure mechanisms, an attacker might make use of them to compromise data. There are 224 mechanisms and 54 commands in v2.20 of the standard. How can I find out which ones a specific device implements?

To help with this problem we’ve added a functionality summary to the PKCS#11 compliance reports produced by our software. The output is designed to look like the “Mechanisms vs Functions” table (table 34 in v2.20) of the standard which shows which mechanisms are considered valid for each command. In our table, a cross indicates that we were able to use the mechanism in that row successfully for the command in that column.

Updated March 2018

Functionality reports now feature in the stats output of Cryptosense Analyzer for all APIs, including PKCS#11. Try it out on your device.

Try Cryptosense Analyzer for Free

Get our PKCS#11 Security Whitepaper

February 4, 2015

Cryptosense PKCS#11 Compliance Testing: Opencryptoki

Update March 2018

Since we wrote this post our compliance criteria have been extended to over 100 covering PKCS#11 v2.40 and used to find a host of issues with live HSMs.

Original post:

Recently we’ve been trying out our PKCS#11 compliance tester on a number of open-source PKCS#11 implementations. We’ll be publishing the results here over the next few weeks, as well as sending the reports from our tools to the project developers. First up: Opencryptoki and its PKCS#11 software token.

Continue reading →