Whitepaper - PKCS #11

The Role of PKCS #11 in Module Integration

The process of incorporating cryptographic technology into an IT security ecosystem typically requires technical integration to add support for vendor Application Programming Interfaces. For many organizations, the flexibility offered by a custom interface is desirable. For others, PKCS #11 provides a standards-based cryptographic library that eliminates the need for extensive integration work. This whitepaper discusses what PKCS #11 is and why it increases the efficiency and ease of incorporating cryptographic hardware into systems of many types and sizes.

Defining PKCS #11

Many enterprise-level organizations develop in-house host applications for their core cryptographic infrastructures. To foster communication between hardware security modules and these host applications, the HSM typically provides a proprietary Application Programming Interface (API). APIs can be drastically different between vendors, sharing only the same concepts and cryptographic algorithms, which can lead to an increase in cost and time for integration work. Because of this, a need arose for a standards-based cryptographic library. That’s where PKCS #11 comes in.

PKCS #11 (Public-Key Cryptographic Standard #11) is a standard originally developed by RSA Laboratories and currently maintained by OASIS. PKCS #11 specifies a standardized API in the C programming language that allows easy automation of cryptographic operations such as encryption, decryption, signing, and verifying.

An HSM vendor that supports PKCS #11 provides a software library that bridges the PKCS #11 API defined in the standard with their own proprietary API to perform the cryptographic operations in hardware. Implementations of the PKCS #11 API exist that perform the cryptographic operations in software on the host, but these are less secure because the host application’s hardware can be compromised, leading to the exposure of the encryption keys.

PKCS #11 is a common choice for software vendors who utilize encryption in their applications. By allowing the use of a PKCS #11 module in their application, a software vendor can allow any supported HSM to be a drop-in replacement for software-based encryption.

Functionality

PKCS #11’s design is centered around tokens. In this context, tokens refer to individual devices that are able to perform cryptographic functions and store either certificates, keys, or data, which are considered objects. PKCS #11 references cryptographic objects by creating a logical map of their attributes, such as whether a key is private or public. [1]

The attributes assigned to a token object must be securely stored inside an HSM or encrypted key block to avoid tampering. Within the HSM, organizations can increase security further by dynamically restricting functionality and limiting certain operations or objects to require dual control for access.

PKCS #11 provides functionality such as key generation, derivation, importing, and cryptogram exporting. All of the most common cryptographic ciphers are supported by the library, including Triple DES, AES, and RSA.

[1] “PKCS #11 Base Functionality v2.30: Cryptoki - Draft 4.” RSA Laboratories, July 2009.

Integrating with Futurex HSMs

Futurex implements a form of the PKCS #11 standard to permit communication between Futurex products and a wide range of applications. With just a few exceptions which have been incorporated to enhance overall security, Futurex supports all functions supplied in PKCS #11, with the addition of some custom functions developed by Futurex in order to increase utility. Futurex HSMs have been tested for PKCS #11 compatibility and certified with numerous common applications.

The advantage of using PKCS #11 to foster communication between host applications and hardware security modules lies in how simple it is to perform integration work. If a host application uses software that already supports PKCS #11, it can use the Futurex PKCS #11 module without implementing vendor-specific code.

Enabling PKCS #11 on a Futurex Device

For organizations operating Futurex devices without PKCS #11 already enabled, the process of adding support is a simple and straightforward one. PKCS #11 is available through Futurex’s General Purpose license, which can be implemented through a quick and simple process.

1. Contact the Futurex Xceptional Support Team to request the General Purpose Cryptography license.
2. Access the Futurex device and download a feature update request.
3. Securely transfer the file to the Futurex Xceptional Support Team.
4. After receiving the updated feature update file from the Futurex Xceptional Support Team, upload the file into the hardware security module. The Xceptional Support Team will also provide configuration files to use in the host application that will interface with the Futurex hardware security module.
5. After completing the activation process, PKCS #11 functionality will be available for use.

Additional Security: Key Labels, Usages, and Security Flags

PKCS #11 allows keys to be defined with specific restrictions, such as login requirements and usage restrictions. Through PKCS #11’s logical mapping, defining keys with specific parameters aids in security by limiting the actions that can be performed with them, allowing organizations to strictly control how keys are used. Futurex HSMs have the ability to set these restrictions on key usage and configuration. The following illustrates how these restrictions affect keys that are stored on the HSM or encrypted under a major key:

| Flag | Key Storage Slot | Major Key Cryptogram |
|---|---|---|
| Private | Only admin users can use, overwrite, or change the key in the slot. | Only admin users can use or change the cryptogram. |
| Sensitive | The key in the slot cannot be extracted from the HSM. | Unavailable. |
| Immutable | The key usage, security usage, or label cannot be changed for the key in this slot. The slot cannot be overwritten. | The key usage and security usage cannot be changed for the cryptogram. |

| Flag | Normal User | Admin User |
|---|---|---|
| Private | No permissions. | Can change not private to sensitive. |
| Sensitive | Can change between not sensitive and sensitive. | Can change not sensitive to sensitive. |
| Immutable | Can change between not immutable and immutable. | Can change not immutable to immutable. |
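The attribute map described under Functionality and the restrictions in this section can be checked before a key is ever created. The following is an added example, not Futurex or OASIS code: it audits a PKCS #11 attribute template against a restrictive policy. The Cryptoki types are declared inline rather than taken from a vendor header, the finding names and sample templates are hypothetical, and treating the whitepaper's Sensitive and Immutable flags as CKA_SENSITIVE/CKA_EXTRACTABLE and CKA_MODIFIABLE is an assumption.

```c
#include <stdio.h>

/* Minimal Cryptoki types and attribute IDs, values as in the PKCS #11 headers. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKA_PRIVATE     0x002UL
#define CKA_SENSITIVE   0x103UL
#define CKA_ENCRYPT     0x104UL
#define CKA_WRAP        0x106UL
#define CKA_EXTRACTABLE 0x162UL
#define CKA_MODIFIABLE  0x170UL

/* Finding bits returned by audit_template() (hypothetical names). */
enum { F_NOT_PRIVATE = 1, F_NOT_SENSITIVE = 2, F_EXTRACTABLE = 4,
       F_MODIFIABLE = 8, F_ENCRYPT_AND_WRAP = 16 };

/* Read a boolean attribute; if it is absent or malformed, return dflt. */
static int attr_bool(const CK_ATTRIBUTE *t, size_t n, CK_ULONG type, int dflt) {
    for (size_t i = 0; i < n; i++)
        if (t[i].type == type && t[i].pValue && t[i].ulValueLen == sizeof(CK_BBOOL))
            return *(const CK_BBOOL *)t[i].pValue != 0;
    return dflt;
}

/* Audit a key template; a missing security flag counts as its unsafe value.
 * Assumption: "Immutable" in the whitepaper is modelled as CKA_MODIFIABLE=false. */
unsigned audit_template(const CK_ATTRIBUTE *t, size_t n) {
    unsigned f = 0;
    if (!attr_bool(t, n, CKA_PRIVATE, 0))    f |= F_NOT_PRIVATE;
    if (!attr_bool(t, n, CKA_SENSITIVE, 0))  f |= F_NOT_SENSITIVE;
    if (attr_bool(t, n, CKA_EXTRACTABLE, 1)) f |= F_EXTRACTABLE;
    if (attr_bool(t, n, CKA_MODIFIABLE, 1))  f |= F_MODIFIABLE;
    if (attr_bool(t, n, CKA_ENCRYPT, 0) && attr_bool(t, n, CKA_WRAP, 0))
        f |= F_ENCRYPT_AND_WRAP;             /* one key serving two roles */
    return f;
}

/* Constructed sample templates: a permissive one and a restricted one. */
#define ATTR(a, v) { (a), &(v), sizeof(v) }
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
static CK_BBOOL yes = 1, no = 0;
CK_ATTRIBUTE weak_tmpl[] = { ATTR(CKA_SENSITIVE, no), ATTR(CKA_EXTRACTABLE, yes),
                             ATTR(CKA_ENCRYPT, yes), ATTR(CKA_WRAP, yes) };
CK_ATTRIBUTE hard_tmpl[] = { ATTR(CKA_PRIVATE, yes), ATTR(CKA_SENSITIVE, yes),
    ATTR(CKA_EXTRACTABLE, no), ATTR(CKA_MODIFIABLE, no), ATTR(CKA_ENCRYPT, yes) };

int main(void) {
    printf("weak=0x%02x ", audit_template(weak_tmpl, COUNT(weak_tmpl)));
    printf("hardened=0x%02x\n", audit_template(hard_tmpl, COUNT(hard_tmpl)));
    return 0;
}
```

A nonzero result lists every flag that would leave the key less restricted than the policy; the same check can run in CI over the templates an application passes to the PKCS #11 module.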

Global Headquarters: 864 Old Boerne Road, Bulverde, Texas 78163 USA. TF 800.251.5112, P +1 830.980.9782, F +1 830.438.8782. WWW.FUTUREX.COM