Security Protocols and Standards 2009, 10: PKCS#11 and more

Outline
- Overview
- API usage: Session
- Functions: Summary
- Functions: Detail / Example
- Mechanisms: Algorithm, Protocol
- Comparison
- Implementation: GSS-API, GCS-API, CDSA, MS-CAPI, DEP

Overview
In cryptography, PKCS#11 is one of the family of standards called Public-Key Cryptography Standards, published by RSA Laboratories. It defines a platform-independent API to cryptographic tokens, such as Hardware Security Modules (HSMs) and smart cards. Since there is no real standard for cryptographic tokens, this API was developed as an abstraction layer over the generic cryptographic token. The PKCS#11 API defines the most commonly used cryptographic object types and all the functions needed to use, create/generate, modify and delete those objects.
- PKCS#11 is widely adopted for access to smart cards and HSMs. Most commercial Certification Authority software uses PKCS#11 to access the CA signing key or to enroll user certificates. Cross-platform software that needs to use smart cards, such as Mozilla Firefox (via NSS) and OpenSSL, uses PKCS#11.
(Reference: pkcs-11v2-20.doc, the PKCS#11 v2.20 specification.)

Background
Portable computing devices such as smart cards, PCMCIA cards, and smart diskettes are ideal tools for implementing public-key cryptography, as they provide a way to store the private-key component of a public-key/private-key pair securely, under the control of a single user. With such a device, a cryptographic application, rather than performing cryptographic operations itself, uses the device to perform the operations, so that sensitive information such as private keys is never revealed. As more applications are developed for public-key cryptography, a standard programming interface for these devices becomes increasingly valuable. This standard addresses that need.
- Memory card
- Smart card
- PCMCIA / CardBus
- USB flash drive
- USB key
- ExpressCard
- PCI Express

Beyond passwords
- Password login
- Fingerprint login
- Smart card login
- Limit on the number of login attempts
- PIN and lock function
- SSO (single sign-on)
- Other biometric authentication technologies

Abstraction: Token
The primary goal of Cryptoki was a lower-level programming interface that abstracts the details of the devices and presents to the application a common model of the cryptographic device, called a cryptographic token. A token is a device that stores objects and can perform cryptographic functions. Cryptoki is the interface to the token.

General Cryptoki Model
(figure)

Object Hierarchy
Cryptoki defines three classes of object. (figure)

Users
This version of Cryptoki recognizes two token user types. One type is the Security Officer (SO). The other type is the normal user. The role of the SO is to initialize a token and to set the normal user's PIN, and possibly to manipulate some public objects. Only the normal user is allowed access to private objects on the token, and that access is granted only after the normal user has been authenticated.

Session
Cryptoki requires that an application open one or more sessions with a token to gain access to the token's objects and functions. A session provides a logical connection between the application and the token. Cryptoki supports multiple sessions on multiple tokens. A session can be a read/write session or a read-only session.

Session events
Session events cause the session state to change. The following table describes the events:

Event            Occurs when...
Log In SO        the SO is authenticated to the token.
Log In User      the normal user is authenticated to the token.
Log Out          the application logs out the current user (SO or normal user).
Close Session    the application closes the session or closes all sessions.
Device Removed   the device underlying the token has been removed from its slot.
Read-Only Session States
(figure: state diagram)

Read/Write Session States
(figure: state diagram)

Access to Different Types of Objects by Different Types of Sessions
("-" = no access)

Type of object           R/O Public   R/W Public   R/O User   R/W User   R/W SO
Public session object    R/W          R/W          R/W        R/W        R/W
Private session object   -            -            R/W        R/W        -
Public token object      R/O          R/W          R/O        R/W        R/W
Private token object     -            -            R/O        R/W        -

With fork
Consider a UNIX process P which becomes a Cryptoki application by calling C_Initialize, and then uses the fork system call to create a child process C.
- If C needs to use Cryptoki, it needs to perform its own C_Initialize call.
- If it has no need to use Cryptoki, it should immediately call C_Initialize and then call C_Finalize.

With multi-threading
Cryptoki enables applications to provide information to libraries so that they can give appropriate support for multi-threading. In particular, when an application initializes a Cryptoki library with a call to C_Initialize, it can specify one of four possible multi-threading behaviors for the library:

Summary of Cryptoki Functions

Category                              Function             Description
General-purpose functions             C_Initialize         initializes Cryptoki
                                      C_Finalize           cleans up miscellaneous Cryptoki-associated resources
                                      C_GetInfo            obtains general information about Cryptoki
                                      C_GetFunctionList    obtains entry points of Cryptoki library functions
Slot and token management functions   C_GetSlotList        obtains a list of slots in the system
                                      C_GetSlotInfo        obtains information about a particular slot
                                      C_GetTokenInfo       obtains information about a particular token
                                      C_WaitForSlotEvent   waits for a slot event
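The session-events table and the object-access table above together define a small state machine, and the reason the SO/user split matters is visible only when the two are combined: the SO can initialize the token and write public token objects, but in no state does an SO session see a private object. The C program below is an added example, written for this page rather than taken from the lecture slides or from the PKCS#11 specification; it models one session in isolation, which is a simplification (in real Cryptoki, login state is shared by all of an application's sessions with a token). The state and event names are the model's own, the MRV_* result codes are hypothetical stand-ins for the spec's CKR_* values, and the rule that the SO cannot log in through a read-only session is taken from the PKCS#11 specification (C_Login fails with CKR_SESSION_READ_ONLY_EXISTS) rather than from this page.

```c
#include <stdio.h>
#include <stddef.h>

/* Session states, named after the PKCS#11 session state diagrams. */
typedef enum {
    SESS_RO_PUBLIC,   /* R/O Public Session */
    SESS_RW_PUBLIC,   /* R/W Public Session */
    SESS_RO_USER,     /* R/O User Functions  */
    SESS_RW_USER,     /* R/W User Functions  */
    SESS_RW_SO,       /* R/W SO Functions    */
    SESS_CLOSED       /* no session: closed, or the device was removed */
} session_state;

/* The five events of the "Session events" table. */
typedef enum {
    EV_LOGIN_SO, EV_LOGIN_USER, EV_LOGOUT, EV_CLOSE_SESSION, EV_DEVICE_REMOVED
} session_event;

/* The four object types of the access table. */
typedef enum {
    OBJ_PUBLIC_SESSION, OBJ_PRIVATE_SESSION, OBJ_PUBLIC_TOKEN, OBJ_PRIVATE_TOKEN
} object_type;

typedef enum { ACCESS_NONE, ACCESS_RO, ACCESS_RW } access_level;

/* Outcome of applying an event. Hypothetical codes for this model only,
 * loosely mirroring the spec's CKR_* return values. */
typedef enum {
    MRV_OK = 0,
    MRV_SESSION_READ_ONLY,      /* SO login refused: session is read-only */
    MRV_USER_ALREADY_LOGGED_IN,
    MRV_USER_NOT_LOGGED_IN,
    MRV_SESSION_CLOSED
} model_rv;

/* Apply one session event, updating the session state in place. */
model_rv apply_event(session_state *s, session_event ev)
{
    if (*s == SESS_CLOSED)
        return MRV_SESSION_CLOSED;

    switch (ev) {
    case EV_LOGIN_SO:
        /* Only an R/W public session can become the SO session (spec rule). */
        if (*s == SESS_RW_PUBLIC) { *s = SESS_RW_SO; return MRV_OK; }
        if (*s == SESS_RO_PUBLIC) return MRV_SESSION_READ_ONLY;
        return MRV_USER_ALREADY_LOGGED_IN;

    case EV_LOGIN_USER:
        if (*s == SESS_RO_PUBLIC) { *s = SESS_RO_USER; return MRV_OK; }
        if (*s == SESS_RW_PUBLIC) { *s = SESS_RW_USER; return MRV_OK; }
        return MRV_USER_ALREADY_LOGGED_IN;

    case EV_LOGOUT:
        /* Logout keeps the session open but drops it back to the public
         * state of the same read/write kind. */
        if (*s == SESS_RO_USER) { *s = SESS_RO_PUBLIC; return MRV_OK; }
        if (*s == SESS_RW_USER || *s == SESS_RW_SO) { *s = SESS_RW_PUBLIC; return MRV_OK; }
        return MRV_USER_NOT_LOGGED_IN;

    case EV_CLOSE_SESSION:
    case EV_DEVICE_REMOVED:
        /* Both end the session; any login state goes with it. */
        *s = SESS_CLOSED;
        return MRV_OK;
    }
    return MRV_SESSION_CLOSED; /* not reached: every event is handled above */
}

/* The access table: what a session in state s may do with an object of type t. */
access_level object_access(session_state s, object_type t)
{
    int rw_session, user_session;

    if (s == SESS_CLOSED)
        return ACCESS_NONE;
    rw_session   = (s == SESS_RW_PUBLIC || s == SESS_RW_USER || s == SESS_RW_SO);
    user_session = (s == SESS_RO_USER || s == SESS_RW_USER);

    switch (t) {
    case OBJ_PUBLIC_SESSION:  return ACCESS_RW;                       /* R/W from every session   */
    case OBJ_PRIVATE_SESSION: return user_session ? ACCESS_RW : ACCESS_NONE;
    case OBJ_PUBLIC_TOKEN:    return rw_session ? ACCESS_RW : ACCESS_RO;
    case OBJ_PRIVATE_TOKEN:
        if (!user_session) return ACCESS_NONE;                        /* the SO never sees them  */
        return rw_session ? ACCESS_RW : ACCESS_RO;
    }
    return ACCESS_NONE;
}

static const char *state_name(session_state s)
{
    static const char *names[] = { "R/O Public", "R/W Public", "R/O User", "R/W User", "R/W SO", "closed" };
    return names[s];
}

static const char *access_name(access_level a)
{
    return a == ACCESS_RW ? "R/W" : a == ACCESS_RO ? "R/O" : "-";
}

int main(void)
{
    /* Walk one R/W session through SO login, logout, user login, logout and
     * device removal, showing its access to a private token object each time. */
    session_state s = SESS_RW_PUBLIC;
    session_event script[] = { EV_LOGIN_SO, EV_LOGOUT, EV_LOGIN_USER, EV_LOGOUT, EV_DEVICE_REMOVED };
    size_t i;

    printf("start        state=%-11s private token object: %s\n",
           state_name(s), access_name(object_access(s, OBJ_PRIVATE_TOKEN)));
    for (i = 0; i < sizeof script / sizeof script[0]; i++) {
        model_rv rv = apply_event(&s, script[i]);
        printf("event %d rv=%d state=%-11s private token object: %s\n",
               (int)script[i], (int)rv, state_name(s), access_name(object_access(s, OBJ_PRIVATE_TOKEN)));
    }
    return 0;
}
```

Running the walk-through shows the property the tables encode: the private token object is reachable only in the two User states, and a Device Removed event drops every later request into the closed-session error regardless of who was logged in, which is why an application must treat that event as a full loss of its authenticated context rather than a transient failure.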