Everything you ever wanted to know about the popular standard for HSMs
PKCS#11 is the most widely-used interface standard for general-purpose cryptographic hardware such as Hardware Security Modules (HSMs). Originally proposed by RSA in 1994 as part of their Public Key Cryptography Standards series, it was transferred to OASIS in 2013, and is now in version 3.0.
The standard has great benefits for interoperability, but contains a number of traps for the unwary. Here you can find all our resources for understanding the risks and making sure you use PKCS#11 securely.
What's the difference between being compliant with the PKCS#11 standard, and being vulnerable?
In this video Graham explains why you need to know about PKCS11 compliance and how it can make a difference to the security of smartcards, HSMs and other secure hardware.
See our whole Youtube playlist on PKCS#11.
Modern applications that use cryptography usually access that functionality via an application program interface (API) to a software or hardware cryptographic provider. Security-critical applications often make use of Hardware Security Modules (HSMs): special purpose computers that provide high-speed cryptographic services whilst keeping key material inside a tamper-sensitive enclosure. Together with smart cards or similar chip-based tokens, they form the backbone of many modern cryptographic applications in diverse sectors from banking to automotive.
In this white paper, we discuss attacks on systems using the PKCS#11 API. We consider what it means for an interface to be secure, and we discuss how to audit applications’ use of the API. There will be plenty of concrete examples of attacks on real devices, and we will explain how to detect these issues using Cryptosense Analyzer Platform.