The document is a specification for the PKCS#11 Cryptographic Token Interface Standard published by RSA Laboratories in 2004. It describes the general Cryptoki model, object and attribute hierarchies, sessions, functions, and provides an example of session usage. The specification defines the API for cryptographic functions like encryption, signatures, key management, and object and session management that can be performed on a cryptographic token. It also includes a link to the Korean Internet Security Agency (KISA) technical specification for using accredited certificates with hardware security modules.
2. Contents
Introduction
General Cryptoki Model
Object Hierarchy
Object Attribute Hierarchy
Session
Read-only session states
Read/write session states
Session Events
Example of use of sessions
Function List
Accredited Certificate Usage Specification for Hardware
Security Module - KISA
6. Read-only session states
State Description
R/O Public Session The application has opened a read-only session. The application has read-only
access to public token objects and read/write access to public session objects.
R/O User Functions The normal user has been authenticated to the token. The application has
read-only access to all token objects (public or private) and read/write access
to all session objects (public or private).
Read-Only Session States
8. Read/Write Session States
State Description
R/W Public Session The application has opened a read/write session. The application has read/write
access to all public objects.
R/W SO Functions The Security Officer has been authenticated to the token. The application has
read/write access only to public objects on the token, not to private objects.
The SO can set the normal user’s PIN.
R/W User Functions The normal user has been authenticated to the token. The application has
read/write access to all objects.
Read/Write Session States
9. Access to Different Types Objects by
Different Types of Sessions
Type of session
Type of object
R/O
Public
R/W
Public
R/O
User
R/W
User
R/W
SO
Public session object R/W R/W R/W R/W R/W
Private session object R/W R/W
Public token object R/O R/W R/O R/W R/W
Private token object R/O R/W
Access to Different Types Objects by Different Types of Sessions
10. Session Events
Session Events
Event Occurs when...
Log In SO the SO is authenticated to the token.
Log In User the normal user is authenticated to the token.
Log Out the application logs out the current user (SO or normal user).
Close Session the application closes the session or closes all sessions.
Device Removed the device underlying the token has been removed from its slot.
15. Cryptoki
R/W User
Function
Handle 7
R/O User
Function
Handle 4
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread
6. Open R/W
Session
R/W User
Function
Handle 9
7. Close session
Example of use of sessions
16. Cryptoki
R/W User
Function
Handle 7
R/O User
Function
Handle 4
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread
8. Log out session 4
Fail
CKR_SESSION_HANDLE_INVALID
Example of use of sessions
17. Cryptoki
R/W User
Function
Handle 7
R/O User
Function
Handle 4
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread
9. Close session 4
Fail
CKR_SESSION_HANDLE_INVALID
Example of use of sessions
18. Cryptoki
R/W User
Function
Handle 7
R/O User
Function
Handle 4
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread
10. Open R/W session
R/W Public
Session
Handle 7
Example of use of sessions
19. Cryptoki
R/W User
Function
Handle 7
R/O User
Function
Handle 4
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread
11. Login SO
R/W Public
Session
Handle 7
R/W SO
Function
Handle 7
Example of use of sessions
20. Cryptoki
R/W SO
Function
Handle 7
R/W User
Function
Handle 7
R/O User
Function
Handle 4
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread12. Open R/O session
Fail (CKR_SESSION_READ_WRITE_SO_EXISTS)
Example of use of sessions
21. Cryptoki
R/W SO
Function
Handle 7
R/W User
Function
Handle 7
R/O User
Function
Handle 4
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread
Session O1
Handle 7
13. Create session object
Example of use of sessions
22. Cryptoki
R/W SO
Function
Handle 7
R/W User
Function
Handle 7
R/O User
Function
Handle 4
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread
14 Create token object
Session O1
Handle 7
Token O2
Handle 7
! SO cannot create private
CKR_USER_NOT_LOGGED_IN or CKR_TEMPLATE_INCONSISTENT
Example of use of sessions
23. Cryptoki
R/W SO
Function
Handle 7
R/W User
Function
Handle 7
R/O User
Function
Handle 4
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread
15. Modifies O2
Session O1
Handle 7
Token O2
Handle 7
Example of use of sessions
24. Cryptoki
R/W SO
Function
Handle 7
R/W User
Function
Handle 7
R/O User
Function
Handle 4
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread
Session O1
Handle 7
Token O2
Handle 7
16. Object search
Handle 1
Example of use of sessions
25. Cryptoki
R/W SO
Function
Handle 7
R/W User
Function
Handle 7
R/O User
Function
Handle 4
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread
Session O1
Handle 7
Token O2
Handle 7
17. Modify O2
Fail
CKR_SESSION_READ_ONLY
Example of use of sessions
26. Cryptoki
R/W SO
Function
Handle 7
R/W User
Function
Handle 7
R/O User
Function
Handle 4
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread
Session O1
Handle 7
Token O2
Handle 7
18. Modify O2
Example of use of sessions
27. Cryptoki
R/W SO
Function
Handle 7
R/W User
Function
Handle 7
R/O User
Function
Handle 4
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread
Session O1
Handle 7
Token O2
Handle 7
19. Search O1
Not Succeed
Example of use of sessions
28. Cryptoki
R/W SO
Function
Handle 7
R/W User
Function
Handle 7
R/O User
Function
Handle 4
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread
Session O1
Handle 7
Token O2
Handle 7
20. Modify O1
Example of use of sessions
29. Cryptoki
R/W SO
Function
Handle 7
R/W User
Function
Handle 7
R/O User
Function
Handle 4
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread
Session O1
Handle 7
Token O2
Handle 7
21. Destory O2
Example of use of sessions
30. Cryptoki
R/W SO
Function
Handle 7
R/W User
Function
Handle 7
R/O User
Function
Handle 4
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread
Session O1
Handle 7
22. Attempt - Object handle7
Fail (CKR_OBJECT_HANDLE_INVALID)
Example of use of sessions
31. Cryptoki
R/W SO
Function
Handle 7
R/W User
Function
Handle 7
R/O User
Function
Handle 4
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread
Session O1
Handle 7
23. Log Out
R/W Public
session
Handle 7
R/O Public
session
Handle 4
Example of use of sessions
32. Cryptoki
R/O Public
session
Handle 4
R/W Public
session
Handle 7
R/W SO
Function
Handle 7
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread
Session O1
Handle 7
24. Close session
Example of use of sessions
33. Cryptoki
R/O Public
session
Handle 4
R/W SO
Function
Handle 7
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread
25. Attempt objet handle7 O1
FailCKR_OBJECT_HANDLE_INVALID
Example of use of sessions
36. Cryptoki
Example of use of sessions
T
O
K
E
N
A1
A2
B1
B2
A
B
Thread
Thread
C_Fin
alize
C_Fin
alize
28.call
28. call
37. Function List
API 함수 정의 내용
기본목적(General Purpose)
C_Initialize Cryptoki를 초기화
C_Finalize Cryptoki와 연관된다양한자원을해제
C_GetInfo Cryptoki에 대한 일반적인정보를획득
C_GetFunctionList 지원하는Cryptoki 함수 집합을획득
슬롯 & 토큰 관리(Slot and Token Management)
C_GetSlotList 시스템에있는 슬롯 집합을획득
C_GetSlotInfo 특정 슬롯에관한 정보를획득
C_GetTokenInfo 특정 토큰에관한 정보를획득
C_GetMechanismList 토큰이지원하는메커니즘집합을획득
C_GetMechanismInfo 특정 메커니즘에관한 정보를획득
세션 관리(Session Management)
C_OpenSession 응용시스템과토큰간의연결을생성
C_CloseSession 세션을종료
C_CloseAllSessions 특정 토큰과연관된모든 세션을종료
C_GetSessionInfo 세션에대한 정보 획득
C_Login 토큰에로그인
C_Logout 토큰으로부터로그아웃
암호화(Encryption), 메시지 압축(Message Digesting), 전자서명및 MAC 검증, Dual-purpose cryptographic,
Random Number Generation, Parallel function management - OPTION
API 함수 정의 내용
객체 관리(Object management)
C_CreateObject 객체 생성
C_DestroyObject 객체 파기
C_GetAttributeValue 객체 속성 획득
C_SetAttributeValue 객체 속성 수정
C_FindObjectInit 객체 검색 초기화
C_FindObjects 객체 검색
C_FindObjectsFinal 객체 검색 종료
복호화(Encryption)
C_DecryptInit 복호화기능 초기화
C_Decrypt 단일 암호화부분에대한 복호화수행
전자서명및 MAC (Signing & MACing)
C_SignInit 서명 기능을초기화
C_Sign 단일 부분 서명을수행
키 관리(Key Management)
C_UnWrapKey 키 복호화
38. Accredited Certificate Usage Specification for
Hardware Security Module - KISA
http://rootca.kisa.or.kr/kcac/down/TechSpec/6.3-Accredited%20Certificate%20
Usage%20Specification%20for%20Hardware%20Security%20Module.pdf
KISA - 보안토큰 기반의 공인인증서 이용기술 규격