extracted from: Network World volume 11, number 23 June 6, 1994 page 3 NIST to propose cryptographic APIs by Ellen Messmer Washington, D.C. -- The National Institute of Standards and Technology (NIST) will soon issue a set of application program interfaces (API) that would enable vendors to integrate their products with the cryptography systems used by the federal government. Federal security managers are supporting the idea because it will simplify purchasing and bring some interoperability to cryptography products. But the move will mean more work for vendors. Once the APIs are approved as a federal mandatory purchasing standard, software and hardware vendors that want to sell to the government would have to modify any products they sell with cryptographic functions to support the government-required APIs. Several vendors, including Apple Computer, Inc., Lotus Development Corp., Novell, Inc. and WordPerfect Corp., have already integrated functions for digital signatures, encryption and decryption into the latest versions of their products. They have licensed cryptography technology from RSA Data Security, Inc., and the APIs used in their products are based on an open specification called the Public Key Cryptography Standard. In spite of the work on these industry-standard APIs, vendors may have to revamp their products to suit the government. NIST said it will detail how the government wants vendors to change their products to support a high-level API in all products sold to federal agencies. "There would be an advantage to having a common set of services calls," said Miles Smid, manager of the security technology group at NIST. "You wouldn't be locked into a single vendor. In the future, if you added more equipment or changed it, the software would still be compatible." Smid said the API service calls will include commands to sign or verify a message electronically, and encrypt or decrypt it. The calls would invoke the functions from a PCMCIA card, a smart card, software or other means. With the APIs, the user's application could make use of any cryptographic algorithm, regardless or whether it's Digital Encryption Standard, Skipjack or RSA, Smid said. "It's a great idea," said Jim Robinette, security manager at the Internal Revenue Service, which makes considerable use of both private- and public-key technology. "It's a necessity for us. From the user's perspective, it would make life very simple." A high-level API would still allow vendors free rein in how they implement their systems at a lower level, Robinette said. But he added that it may not necessarily be easy for vendors to implement the APIs. RSA President James Bidzos criticized the cryptography API plan as another swipe at his firm, which has been battling the government on patent rights issues for years. "They're not trying to work with industry on this," he said. NIST plans to unveil the APIs in about a month.