PKCS#11 Terminology

It is necessary to know about the cryptographic devices first before start learning the PKCS#11 standard.

Cryptographic devices normally perform two types of functions:

  • Storage the cryptographic objects (asymmetric keys, symmetric keys and X509 certificates etc)
  • Performing cryptographic operations (Asymmetric key pair generation, symmetric key generation, hashing, encryption/decryption and signing etc)

The cryptographic devices include hardware security modules (HSMs), USB based cryptographic tokens and smart cards etc. Different cryptographic devices have different capabilities in terms of the storage of cryptographic objects and also for performing different cryptographic operations.

HSM is always on the higher end in terms of cryptographic storage and for the cryptographic operations. HSM have the capability to store thousands or even more cryptographic keys and also have the implementation of large variety of cryptographic algorithms. HSM is normally considered as a server end product for storing the cryptographic keys centrally for corporate users and also for storing application specific keys and so on.

Smart card is a low end product in terms of cryptographic storage and also for the implementation of different cryptographic algorithms, which is fair as smart card belongs to a single user. Smart card may have the capability to store a single key for the user and also provide support for one or two cryptographic algorithms e.g. RSA for asymmetric key pair generation, signing and SHA256 algorithm for hashing.

In cryptographic devices, cryptographic objects store inside the device and all the cryptographic operations also perform inside the device. The application only has to feed the data to the device and point to the right cryptographic object and the operation. The device then perform the desired operation and return the output to the application.

As per above explanation, there are different types of cryptographic devices from different vendors and also have different capabilities. If each cryptographic device vendor provides its own proprietary way of accessing the device then the applications become tightly bound to the specific cryptographic device. If there is a need to change the cryptographic device then the application has to be updated with the proprietary interface of the new cryptographic device. PKCS#11 is a rescue in this scenario.

PKCS#11 defines a standard API model for accessing the cryptographic objects and performing different cryptographic operations. Majority of the cryptographic device vendors implement this API model in their products. Applications that need to access the cryptographic devices can use the PKCS#11 interface and these applications do not need to change the application code once the underlying cryptographic device changes. The API model is distributed as multiple C header files which are part of the standard PKCS#11 specification. Cryptographic device vendors implement these C header files and distributed as DLL (Windows) or SO (Linux) files. Applications can then load these DLL or SO files in their applications in order to access the cryptographic devices. A number of wrappers are also written on top of DLL or SO files in different languages e.g. Java and C# etc.

PKCS#11 API model defines a specific terminology which needs to be understood in order to use the PKCS#11 API model in your applications.


Cryptoki (Cryptographic Token Interface) is a library (DLL or SO file) that is provided by the cryptographic device vendors. It contains an implementation of the PKCS#11 C header files. Every cryptographic device vendor provides its own PKCS#11 complaint library. Applications has to load this library in order to access the cryptographic device.


Slots are the logical partitions in the cryptographic device. In case of HSMs, there could be hundreds or more slots are available while in the case of smart cards, there could be only one slot available.


Token is a device where application stores the cryptographic objects and also perform cryptographic operations. In the case of smart cards, you can think of slot as a smart card reader while the smart card inserted inside the reader is the token. In case of HSMs, you cannot visualize the slot and token relationship just like you did in case of reader and the smart card. when a slot is initialized in HSM then the token is present in the slot.


Once a token is present in the slot then the application opens a session (logical connection) with the token. Once the session is in place, the application can perform different cryptographic operations with the token e.g. application can use the session object to generate asymmetric key pair, produce signature with the private key present inside the token and so on. When the application is done with the cryptographic operations then it can close the session with the token.


In PKCS#11 terminology, cryptographic algorithms are called mechanisms e.g. RSA, AES and SHA256 cryptographic algorithms are called mechanisms.


Cryptographic devices contains private and public objects. In order to access the private objects, users must be authenticated from the device. One of the operation that requires authentication is the access of private key in order to produce a signature.