PKCS#11 Developer libraries

The nShield PKCS #11 libraries, libcknfast.so and libcknfast.a (nShield tools only) on Linux, and cknfast.lib and cknfast.dll on Windows are provided so that you can integrate your PKCS #11 applications with the nShield hardware security modules.

The nShield PKCS #11 libraries:

  • Provide the PKCS #11 mechanisms listed in Mechanisms

  • Help you to identify potential security weaknesses, enabling you to create secure PKCS #11 applications more easily.

PKCS #11 security assurance mechanism

It is possible for an application to use the PKCS #11 API in ways that can introduce potential security weaknesses. For example, it is a requirement of the PKCS #11 standard that the nShield PKCS #11 libraries are able to generate keys that are explicitly exportable in plain text. An application could use this ability in error when a secure key would be more appropriate.

The nShield PKCS #11 libraries are provided with a configurable security assurance mechanism (SAM). SAM helps prevent PKCS #11 applications from performing operations through the PKCS #11 API that may compromise the security of cryptographic keys. Operations that reveal questionable behavior by the application fail by default with an explanation of the cause of failure.

If you decide that some operations that carry a higher security risk are acceptable to you, then you can reconfigure the nShield PKCS #11 library to permit these operations by means of the environment variable CKNFAST_OVERRIDE_SECURITY_ASSURANCES. You must think carefully, however, before permitting operations that could compromise the security of cryptographic keys. For more information about the environment variable and its parameters, see the User Guide for your HSM.

It is your responsibility as a security developer to familiarize yourself with the PKCS #11 standard and to ensure that all cryptographic operations used by your application are implemented in a secure manner.

If no parameters are supplied to the environment variable, the nShield PKCS #11 library fails and issues a warning, with an explanation, when the following operations are detected:

  • Short term session keys created as long term objects

  • Keys that can be exported as plain text are created

  • Keys are imported from external sources

  • Wrapping keys are created or imported

  • Unwrapping keys are created or imported

  • Keys with weak algorithms (for example, DES) are created

  • Keys with short key length are created.