Back to resources

August 19, 2020

Tech updateEJBCA EnterpriseSignServer Enterprise

Version three of the OASIS Standard PKCS #11 Cryptographic Token Interface was published in June 2020

Android signing schemes, compliance and crypto agility

The PKCS#11 standard has been around since 1995 and is a platform-independent API to access and use cryptographic functions in hardware security modules (HSMs), smart cards, USB tokens, TPMs and the like. PKCS#11 is standardized in the Oasis standardization organization.

In PKI and digital signature solutions, the use of cryptographic modules is widespread. On the server side, where our products mostly operate, it is mandatory in many audit schemes to use cryptographic modules that are certified. The two most prominent certifications being FIPS 140-2 (FIPS 140-3 is upcoming) and EN 419 221-5 (eIDAS Cryptographic Module for Trust Services). For PrimeKey products, such as EJBCA and SignServer, PrimeKey strives to support as wide range of cryptographic tokens as possible and therefore uses the standard PKCS#11 API to access these modules. Our products developed in Java can make use of two different client implementations of PKCS#11, the Java PKCS#11 provider which is built into the Java JDK on a high level, or JackNJI11 which gives more low level control to the PKCS#11 interface.

The PKCS#11 standard has had (among other things) a hard time keeping up with the fast cryptographic development in recent years. This has led to a number of vendor defined mechanisms being used in different vendor's HSMs and tokens. This is bad in general as a single API can no longer be used with different vendor's tokens, in effect creating lock-in effects and higher costs. As cryptography is used for a number of different use cases, all vendors don't need or want to implement the full specification. For example, if the use case is pure digital signatures, implementing key wrapping or AES encryption is not needed and would only delay the product and make it more expensive. In general, it has worked surprisingly well over the years, but there have been subtle nuances requiring consideration when attempting to use a new token claiming to be PKCS#11 compliant causing interoperability issues between clients and servers.

PKCS#11 v3.0 adds new cryptographic mechanisms, and adds profiles to the API, something that may be used to enhance interoperability between implementations. With PKCS#11 v3.0, there are now standardized mechanisms for signatures using the SHA3 hash algorithm, i.e. SHA3-256withRSA, SHA3-512 with ECDSA, etc. The PrimeKey products have supported SHA3 for quite some time, but only using software crypto token, waiting for generic standardized HSM support. In the same way as with SHA3, EdDSA signatures are now a standard part of PKCS#11. Having supported the Ed25519 and Ed448 signature algorithms for a while in the PrimeKey products, also in software crypto token, it is now possible to support it in a standard way across HSMs that implement PKCS#11 v3.0 and later.

It is on PrimeKey’s roadmap to update, the Java PKCS#11 provider and our implementation in JackNJI11, for the PrimeKey products, and information about this will be shared in the product release notes.

Contact us Learn about our cryptography solution

Related blog and news

Tech-Update-Prepare-PKI-for-Quantum-Computing
2022-04-28
Tech update
Cryptography Solution

How to prepare your PKI for quantum computing

Tech-Update-Bouncy-Castle-Kotlin-API
2022-04-12
Tech update
Cryptography Solution

Keeping it simple – private key encryption with the Bouncy Castle Kotlin API

This website uses cookies

Cookies consist of small text files. They contain data that is stored on your device. To enable us to place certain types of cookies we need to obtain your consent. At PrimeKey AB, corp. ID no. 556628-3064, we use the following kinds of cookies. To read more about which cookies we use and storage times, click here to access our cookies policy.

Manage your cookie-settings

Necessary cookies

Necessary cookies are cookies that must be placed for basic functions to work on the website. Basic functions are, for example, cookies which are needed so that you can use menus on the website and navigate on the site.

Functional cookies

Functional cookies need to be placed on the website in order for it to perform as you would expect. For example, so that it recognizes which language you prefer, whether or not you are logged in, to keep the website secure, remember login details or to be able to sort products on the website according to your preferences.

Cookies for statistics

For us to measure your interactions with the website, we place cookies in order to keep statistics. These cookies anonymize personal data.

Cookies for ad-tracking

To enable us to offer better service and experience, we place cookies so that we can provide relevant advertising. Another aim of this processing is to enable us to promote products or services, provide customized offers or provide recommendations based on what you have purchased in the past.
Confirm choices Accept all