Updated March 2018
We originally published our compliance criteria for PKCS#11v2.20 back in 2014. We recently completed an update for v2.40, which contains new criteria for the extra attributes added in the new version, as well as revised references that take you directly to the right section of the HTML document of PKCS#11v2.40.
Since we started applying these criteria to commercially available PKCS#11 devices using our Analyzer, we have found multiple vulnerabilities and non-compliances in several major manufacturers’ products, all of which had FIPS/CC certifications. As a result, some of our customers have changed suppliers, and some have changed the strategy on major projects. To try Analyzer on your HSM installation, just get in touch.
We’ve mentioned before that the PKCS#11 crypto token API standard doesn’t come with a set of compliance criteria. However, the 407-page standard is full of vital implementation notes that affect not just interoperability and compatibility, but robustness and security, which is why we built a compliance testing tool.
Now we’ve decided to release the list of PKCS#11 compliance criteria that our tester uses.
We have 118 compliance criteria in our initial list for PKCS#11v2.20, all of which come with a direct reference to the section and page in the standard where the compliance requirement comes from.