National Academies Press: OpenBook

Cryptography's Role in Securing the Information Society (1996)

Chapter: K - Cryptographic Applications Programming Interfaces

« Previous: J - Examples of Risks Posed by Unprotected Information
Suggested Citation:"K - Cryptographic Applications Programming Interfaces." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×

Page 474

K Cryptographic Applications Programming Interfaces

Modern software systems are built using various techniques that provide flexibility and reliability. One of the most important techniques centers on the use of an applications programming interface.

An applications programming interface (API) is a well-defined boundary between two system components that isolates a specific process or set of services. For example, it is quite common now for an application to interact with an electronic mail (e-mail) server through an e-mail API, such as MAPI (Microsoft), VIM (Lotus), or AOCE (Apple), to name a few. In such cases, the API defines a set of services that allow an application to retrieve or submit mail messages from or to the mail server. APIs can be implemented by using hardware, software, or some combination. Furthermore, software APIs can be implemented by using dynamically linked libraries, statically linked libraries, remote procedure calls, or any combination.

APIs have evolved as the result of both technical and business pressures. Technically, software developers have moved increasingly to "open," client-server systems. An open system is one in which interoperable products from different vendors are used to provide the functionality required by the users. Such systems depend heavily on commercial standards and APIs are often used to support those standards. For example, e-mail exchange using the X.400 standard is now supported by the CMC API. An API allows multiple vendors to develop interoperable products, even though individual product versions are continually changing.

Although APIs are used to support open standards, a large number of

Suggested Citation:"K - Cryptographic Applications Programming Interfaces." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×

Page 475

proprietary APIs are also used by vendors to safeguard their technical investments. Even within these closed environments, APIs provide a major technical and business benefit for those vendors licensed to develop products using that API. For example, Novell was one of the first network operating system vendors to make extensive use of an API to support a wide range of add-on products.  Under its approach, a "netware" loadable module (NLM) can be developed by a third-party developer and incorporated into an operational system by the user. The use of a proprietary API allows vendors to maintain the quality of third party products, to provide a basis for the development of niche products, and to maintain a competitive advantage. In Novell's case, the development of NLMs for major database products has boosted its sales in that competitive server market.

Perhaps the most common API today is Microsoft's object linking and embedding (OLE) software technology, which provides general-purpose sockets for modules that can undertake many different functions. For example, an OLE socket can provide the user with the capability to insert a module for file encryption or for file compression. Thus, although it might be possible to use government regulations to prevent the widespread use of sockets for encryption, it would be difficult to dampen the spread of a general-purpose socket that has many uses. OLE interfaces could plausibly support some level of encryption capability; however, since OLE interfaces are not specifically designed for security, they may have weaknesses that render them unsuitable for security-specific applications.

A cryptographic applications programming interface (CAPI) is an API specifically designed to support the introduction of cryptographic functions into products. It is not necessary to actually provide the cryptographic functions when the system is initially sold. Users would then be able to incorporate the cryptographic add-ons of their choice. Technically, a CAPI would provide an interface to a set of cryptographic services; it would usually include authentication, digital signature generation, random number generation, and stream or block mode encryption. Although there are some technical problems specific to CAPIs, most notably those associated with ensuring the integrity of the security processing, they exhibit, for the most part, the same advantages as any other API. That is, there are strong technical and business reasons for incorporating a CAPI into open systems.

CAPIs would enable applications developers to take for granted the existence of cryptographic functionality and not have to provide for such functionality themselves. Moreover, by separating the cryptography from the baseline product, major system vendors will be able to make changes

Suggested Citation:"K - Cryptographic Applications Programming Interfaces." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×

Page 476

to the baseline product driven by market considerations without waiting for an export license review that would be necessary for a product with built-in cryptographic functionality.

Cryptographic APIs are likely to have a profound effect on the rapidity with which cryptography will diffuse into various information technology applications. If implemented properly (not a trivial task), they can enhance the security of stored data and communications. When effective CAPI technologies are embedded into the operating systems upon which IT applications build, the result will likely be encrypted files and communications galore. Operating systems will be shipped with default cryptographic modules that are active "out of the box," and users will have the option of replacing default modules with more capable modules procured from other vendors.

The notion of a CAPI is not new. However, in general, export licenses for products incorporating CAPIs have been denied, even though such products, with no cryptographic capabilities built into them, have no cryptographic functionality and are therefore not specifically included in Category XIII of the International Traffic in Arms Regulations (see Appendix N). The reason for such denial has been that strong cryptographic capabilities could be deployed on a vast scale if U.S. vendors exported applications supporting a common CAPI and a foreign vendor marketed (or some party made available over the Internet) an add-on module with strong cryptography, which foreign users could then plug into the baseline U.S. product.

Suggested Citation:"K - Cryptographic Applications Programming Interfaces." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×
Page 474
Suggested Citation:"K - Cryptographic Applications Programming Interfaces." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×
Page 475
Suggested Citation:"K - Cryptographic Applications Programming Interfaces." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×
Page 476
Next: L - Other Looming Issues Related to Cryptography Policy »
Cryptography's Role in Securing the Information Society Get This Book
×
Buy Hardback | $80.00 Buy Ebook | $64.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

For every opportunity presented by the information age, there is an opening to invade the privacy and threaten the security of the nation, U.S. businesses, and citizens in their private lives. The more information that is transmitted in computer-readable form, the more vulnerable we become to automated spying. It's been estimated that some 10 billion words of computer-readable data can be searched for as little as $1. Rival companies can glean proprietary secrets . . . anti-U.S. terrorists can research targets . . . network hackers can do anything from charging purchases on someone else's credit card to accessing military installations. With patience and persistence, numerous pieces of data can be assembled into a revealing mosaic.

Cryptography's Role in Securing the Information Society addresses the urgent need for a strong national policy on cryptography that promotes and encourages the widespread use of this powerful tool for protecting of the information interests of individuals, businesses, and the nation as a whole, while respecting legitimate national needs of law enforcement and intelligence for national security and foreign policy purposes. This book presents a comprehensive examination of cryptography—the representation of messages in code—and its transformation from a national security tool to a key component of the global information superhighway. The committee enlarges the scope of policy options and offers specific conclusions and recommendations for decision makers.

Cryptography's Role in Securing the Information Society explores how all of us are affected by information security issues: private companies and businesses; law enforcement and other agencies; people in their private lives. This volume takes a realistic look at what cryptography can and cannot do and how its development has been shaped by the forces of supply and demand. How can a business ensure that employees use encryption to protect proprietary data but not to conceal illegal actions? Is encryption of voice traffic a serious threat to legitimate law enforcement wiretaps? What is the systemic threat to the nation's information infrastructure? These and other thought-provoking questions are explored.

Cryptography's Role in Securing the Information Society provides a detailed review of the Escrowed Encryption Standard (known informally as the Clipper chip proposal), a federal cryptography standard for telephony promulgated in 1994 that raised nationwide controversy over its "Big Brother" implications. The committee examines the strategy of export control over cryptography: although this tool has been used for years in support of national security, it is increasingly criticized by the vendors who are subject to federal export regulation.

The book also examines other less well known but nevertheless critical issues in national cryptography policy such as digital telephony and the interplay between international and national issues. The themes of Cryptography's Role in Securing the Information Society are illustrated throughout with many examples—some alarming and all instructive—from the worlds of government and business as well as the international network of hackers. This book will be of critical importance to everyone concerned about electronic security: policymakers, regulators, attorneys, security officials, law enforcement agents, business leaders, information managers, program developers, privacy advocates, and Internet users.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    Switch between the Original Pages, where you can read the report as it appeared in print, and Text Pages for the web version, where you can highlight and search the text.

    « Back Next »
  6. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  7. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  8. ×

    View our suggested citation for this chapter.

    « Back Next »
  9. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!