
NIST to propose cryptographic APIs




extracted from:
 
Network World
volume 11, number 23
June 6, 1994
 
page 3
 
 
NIST to propose cryptographic APIs
by Ellen Messmer
 
  Washington, D.C. -- The National Institute of Standards and Technology
(NIST) will soon issue a set of application program interfaces (APIs)
that would enable vendors to integrate their products with the
cryptography systems used by the federal government.
  Federal security managers are supporting the idea because it will
simplify purchasing and bring some interoperability to cryptography
products. But the move will mean more work for vendors.
  Once the APIs are approved as a federal mandatory purchasing
standard, software and hardware vendors that want to sell to the
government would have to modify any products they sell with
cryptographic functions to support the government-required APIs.
  Several vendors, including Apple Computer, Inc., Lotus Development
Corp., Novell, Inc. and WordPerfect Corp., have already integrated
functions for digital signatures, encryption and decryption into the
latest versions of their products.
  They have licensed cryptography technology from RSA Data Security,
Inc., and the APIs used in their products are based on an open
specification called the Public Key Cryptography Standard. In spite of
the work on these industry-standard APIs, vendors may have to revamp
their products to suit the government.
  NIST said it will detail how the government wants vendors to change
their products to support a high-level API in all products sold to
federal agencies.
  "There would be an advantage to having a common set of services
calls," said Miles Smid, manager of the security technology group at
NIST. "You wouldn't be locked into a single vendor. In the future, if
you added more equipment or changed it, the software would still be
compatible."
  Smid said the API service calls will include commands to sign or
verify a message electronically, and encrypt or decrypt it. The calls
would invoke the functions from a PCMCIA card, a smart card, software
or other means. With the APIs, the user's application could make use
of any cryptographic algorithm, regardless of whether it's Digital
Encryption Standard, Skipjack or RSA, Smid said.
  "It's a great idea," said Jim Robinette, security manager at the
Internal Revenue Service, which makes considerable use of both
private- and public-key technology. "It's a necessity for us. From
the user's perspective, it would make life very simple."
  A high-level API would still allow vendors free rein in how they
implement their systems at a lower level, Robinette said. But he added
that it may not necessarily be easy for vendors to implement the APIs.
  RSA President James Bidzos criticized the cryptography API plan as
another swipe at his firm, which has been battling the government on
patent rights issues for years. "They're not trying to work with
industry on this," he said.
  NIST plans to unveil the APIs in about a month.