Token objects are not stored in the nShield module. Instead, they are stored in an encrypted and integrity-protected form on the hard disk of the host computer. The key used for this encryption is created by combining information stored on the smart card with information stored in the nShield module and with the card passphrase.

Session keys are stored on the nShield module, while other session objects are stored in host memory. Token objects on the host are created in the kmdata directory. In order to access token objects, the user must have:

  • the smart card

  • the passphrase for the smart card

  • an nShield module containing the module key used to create the token

  • the host file containing the nShield key blob protecting the token object.

The nShield PKCS #11 library can be used to manipulate Data Objects, Certificate Objects, and Key Objects.

Certificate Objects and Data Objects

The nShield PKCS #11 library does not parse Certificate Objects or Data Objects.

The size of Data Objects is limited by what can be fitted into a single command (under most circumstances, this limit is 8192 bytes).

Key Objects

The following restrictions apply to keys:

Key types Restrictions


Modulus greater than or equal to 1024.

The nShield PKCS #11 library requires all of the attributes for an RSA key object to be supplied, as listed in Table 26: "RSA Private Key Object Attributes" of PKCS #11 Cryptographic Token Interface Standard version 2.40.


Modulus greater than or equal to 1024 in multiples of 8 bits.


Modulus greater than or equal to 1024.
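The requirement above that every RSA private key attribute be supplied can be checked before a key is handed to C_CreateObject. The following is an added example, not nShield code: the function names are hypothetical, the CKA_ names are those of the PKCS #11 standard, the 1024-bit minimum is assumed to be the RSA row of the table, and the sample primes are constructed test values.

```python
# Attribute names from PKCS #11 v2.40, "RSA Private Key Object Attributes".
REQUIRED = (
    "CKA_MODULUS", "CKA_PUBLIC_EXPONENT", "CKA_PRIVATE_EXPONENT",
    "CKA_PRIME_1", "CKA_PRIME_2", "CKA_EXPONENT_1", "CKA_EXPONENT_2",
    "CKA_COEFFICIENT",
)
MIN_MODULUS_BITS = 1024  # minimum stated on this page (assumed to be the RSA row)

def to_bytes(n):
    """Big-endian, minimal-length encoding used for PKCS #11 big integers."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def rsa_private_template(p, q, e):
    """Derive every CRT component from p, q and e and return a full template."""
    if p == q or min(p, q) < 3:
        raise ValueError("p and q must be distinct odd primes")
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # raises ValueError if e has no inverse mod phi
    values = {
        "CKA_MODULUS": n, "CKA_PUBLIC_EXPONENT": e, "CKA_PRIVATE_EXPONENT": d,
        "CKA_PRIME_1": p, "CKA_PRIME_2": q,
        "CKA_EXPONENT_1": d % (p - 1),     # d mod (p-1)
        "CKA_EXPONENT_2": d % (q - 1),     # d mod (q-1)
        "CKA_COEFFICIENT": pow(q, -1, p),  # q^-1 mod p
    }
    return {name: to_bytes(v) for name, v in values.items()}

def check_template(template):
    """Return a list of problems; an empty list means the template passes."""
    problems = [f"missing {a}" for a in REQUIRED if not template.get(a)]
    if problems:
        return problems
    v = {a: int.from_bytes(template[a], "big") for a in REQUIRED}
    n, p, q, d = (v[a] for a in ("CKA_MODULUS", "CKA_PRIME_1", "CKA_PRIME_2", "CKA_PRIVATE_EXPONENT"))
    if min(p, q) < 3:
        return ["CKA_PRIME_1 or CKA_PRIME_2 is out of range"]
    if n.bit_length() < MIN_MODULUS_BITS:
        problems.append(f"modulus is {n.bit_length()} bits, below {MIN_MODULUS_BITS}")
    if p * q != n:
        problems.append("CKA_PRIME_1 * CKA_PRIME_2 != CKA_MODULUS")
    if v["CKA_EXPONENT_1"] != d % (p - 1) or v["CKA_EXPONENT_2"] != d % (q - 1):
        problems.append("CRT exponents do not match CKA_PRIVATE_EXPONENT")
    if (v["CKA_COEFFICIENT"] * q) % p != 1:
        problems.append("CKA_COEFFICIENT is not q^-1 mod p")
    return problems

# Constructed sample input: two Mersenne primes, for illustration only, never for real keys.
SAMPLE_P, SAMPLE_Q, SAMPLE_E = 2**521 - 1, 2**607 - 1, 65537
```

A key exported as only modulus and exponents fails the first check, which is the case this page's requirement rules out.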

Card passphrases

All passphrases are hashed using the SHA-1 hash mechanism and then combined with a module key to produce the key used to encrypt data on the nShield physical or software token. The passphrase supplied can be of any length.

The ckinittoken program imposes a 512-byte limit on the passphrase.
C_GetTokenInfo reports ulMaxPinLen as 256 because some applications may have problems with a larger value.

When C_Login is called, the passphrase is used to load private objects protected by that card set on to all modules with cards from that set. Public objects belonging to that set are loaded on to all the modules. C_Login fails if any logical token fails to load. All cards in a card set must have the same passphrase.

The functions C_SetPIN, C_InitPIN, and C_InitToken are supported in load-sharing mode only when using softcards. To use these functions in load-sharing mode, you must have created a softcard with the command ppmk -n before selecting the corresponding slot.
The C_InitToken function is not supported for use in non-load-sharing FIPS 140 Level 3 Security Worlds.