Cryptoki provides an interface to one or more cryptographic devices active in the system through a number of slots. Each slot, which corresponds to a physical reader or some other device interface, may contain a token. A token is present in the slot when a cryptographic device is present in the reader. Of course, because Cryptoki provides a logical view of slots and tokens, there may be other physical interpretations: for example, multiple slots may share the same physical reader. The point is that a system has some number of slots, and applications can connect to tokens in any or all of those slots.
A cryptographic device performs cryptographic operations according to a particular command set; these commands usually pass through standard device drivers, such as PCMCIA card services or socket services. Cryptoki makes every cryptographic device look logically like every other device, regardless of the underlying technology. Applications therefore do not have to interface directly with device drivers (or even know which devices are involved); Cryptoki hides these details. Indeed, the underlying device may be implemented entirely in software (for example, as a process running on a server), with no special hardware at all.
Cryptoki can be implemented as a library that supports the functions of the interface, and applications are linked to that library. An application may be linked to Cryptoki directly; alternatively, Cryptoki can be a so-called "shared" library (or dynamic link library), in which case the application links to the library dynamically. Such dynamic libraries are relatively easy to produce on Microsoft's Windows and OS/2 operating systems, and shared libraries are also relatively easy to produce under UNIX and DOS.
The dynamic approach has several advantages, since new or updated libraries can be used; from a security standpoint, however, it also has drawbacks. In particular, if the library can be easily replaced, an attacker may substitute a maliciously crafted fake library that intercepts the user's PIN. Although code-signing techniques can prevent many of the security risks of dynamic linking, direct (static) linking is generally preferable from a security point of view. In any case, the programming interface between the application and the Cryptoki library is the same.
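As an added illustration of the library-substitution risk described above (this is example code, not part of the PKCS #11 standard or any vendor's module), the following Python loader refuses to dlopen a Cryptoki module unless it is a regular, non-world-writable file in a non-writable directory, owned by a trusted user, whose SHA-256 matches the value recorded for the approved build. The module path, the pinned hash and the load_cryptoki helper are assumptions chosen for the example.

```python
import ctypes
import hashlib
import os
import stat


def sha256_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_module(path, expected_sha256, allowed_uids=(0,)):
    """Return the reasons not to load the module; an empty list means it passed.

    Checks: no symlink indirection, regular file, trusted owner, neither the
    file nor its directory is group/world-writable, and the contents match the
    hash recorded for the approved build of the module.
    """
    problems = []
    if stat.S_ISLNK(os.lstat(path).st_mode):
        problems.append("path is a symlink")
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
        return problems
    if st.st_uid not in allowed_uids:
        problems.append("file owner uid %d is not trusted" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("file is group- or world-writable")
    dst = os.stat(os.path.dirname(os.path.abspath(path)))
    if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("directory is group- or world-writable")
    actual = sha256_file(path)
    if actual != expected_sha256:
        problems.append("sha256 mismatch: got %s" % actual)
    return problems


def load_cryptoki(path, expected_sha256, allowed_uids=(0,)):
    """dlopen the Cryptoki module only after check_module() finds no problems."""
    problems = check_module(path, expected_sha256, allowed_uids)
    if problems:
        raise RuntimeError("refusing to load %s: %s" % (path, "; ".join(problems)))
    lib = ctypes.CDLL(path)
    # Every Cryptoki module exports C_GetFunctionList; resolving it is a sanity check.
    lib.C_GetFunctionList
    return lib
```

The pinned hash should be recorded when the module is installed from a trusted source, and the same checks apply to any secondary libraries the module itself loads.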
The types of devices and the capabilities supported will depend on the particular Cryptoki library. This standard defines only the interface to the library, not the features of the library. In particular, not all libraries will support all of the mechanisms (algorithms) defined in this interface (since not all tokens support all mechanisms), and a library may support only a subset of the cryptographic devices that are available. (Of course, it is expected that libraries will be developed to support multiple tokens, not only the tokens provided by a single vendor. As applications are developed against the Cryptoki interface, standard library and token "profiles" will emerge.)