Development of a High-Level PKI Services API
The PKI Group is currently working with the Federal Deposit Insurance
Corporation (FDIC) to develop a high-level Application Programming
Interface (API) for public-key based cryptographic services. Currently,
PKI-enabled applications must use proprietary, vendor-provided APIs
to interface with their PKI, thus making support across multiple
PKI products difficult. To facilitate the development and wide deployment
of PKI-enabled applications, NIST and FDIC are working to make this
interface to a PKI consistent, regardless of the PKI product being
used. If each PKI product and each application can meet at a common
interface, more applications will become PKI enabled for all PKIs.
The following figure (not reproduced here) shows the context for the high-level API.
The application requiring security services is any application
that needs to sign and/or encrypt information. The security services/vendor
products are the existing vendor products that provide the signing
and encryption security services. The product API is the
application programming interface that a product provides for calling
its signing and encryption services. The high-level
PKI services API is the common API being developed to provide
a consistent interface to signing and encryption services irrespective
of the product used for those services. The glue layer is the code
necessary to translate the high-level
PKI services API into the product API. It is anticipated
that over time the high-level PKI services API will become
part of the product API.
A common high-level API consisting of 10 functional calls is
currently being considered. The calls are described in
the table below; each file variant takes the same inputs from a file instead of a buffer.

| Call | Purpose |
| --- | --- |
| signBuffer() | Generates a digital signature over the information provided in a buffer, using the algorithms specified in the originator's certificate |
| signFile() | Generates a digital signature over the information provided in a file, using the algorithms specified in the originator's certificate |
| verifyBuffer() | Verifies a digital signature that was generated over the information provided in a buffer, using the originator's certificate information |
| verifyFile() | Verifies a digital signature that was generated over the information provided in a file, using the originator's certificate information |
| encryptBuffer() | Encrypts the information provided in a buffer using a symmetric key that is in turn encrypted using the recipient's public encryption key |
| encryptFile() | Encrypts the information provided in a file using a symmetric key that is in turn encrypted using the recipient's public encryption key |
| decryptBuffer() | Decrypts the symmetric encryption key carried in an encoded object using the recipient's private encryption key, then decrypts the information provided |
| decryptFile() | Decrypts the symmetric encryption key carried in an encoded object residing in a file using the recipient's private encryption key, then decrypts the information provided |
| CMSBufferParser() | A non-cryptographic function to facilitate parsing a CMS-encoded message held in a buffer |
| CMSFileParser() | A non-cryptographic function to facilitate parsing a CMS-encoded message held in a file |
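The context above (one common interface, one glue layer per product) and the four buffer calls in the table, as an added example that is not part of the NIST/FDIC work or of any vendor product: a Go sketch in which the application sees only a PKIService interface, and a single glue layer, stdlibGlue, implements it on Go's standard library. The page fixes neither algorithms nor encodings, so the choices here are assumptions: RSA-PSS with SHA-256 for signatures, a per-message AES-256-GCM content-encryption key wrapped with RSA-OAEP for encryption, and a plain struct in place of the CMS encoding a real product would emit. Every name (PKIService, stdlibGlue, Identity, EncryptedObject, NewIdentity) is hypothetical, the test identities are constructed in memory rather than issued by a PKI, and the file variants and the CMS parsers are left out.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

type Identity struct { // what a product's key store holds for one user: certificate plus private key
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

type EncryptedObject struct { // stands in for the table's "encoded object"; a real product would emit CMS EnvelopedData
	WrappedKey, Nonce, Ciphertext []byte // CEK wrapped under the recipient's public key; AES-GCM nonce and output
}

type PKIService interface { // the high-level API: the table's four buffer calls, with no product type leaking through
	SignBuffer(data []byte, signer *Identity) ([]byte, error)
	VerifyBuffer(data, sig []byte, signerCert *x509.Certificate) error
	EncryptBuffer(data []byte, recipientCert *x509.Certificate) (*EncryptedObject, error)
	DecryptBuffer(obj *EncryptedObject, recipient *Identity) ([]byte, error)
}

type stdlibGlue struct{} // glue layer for one "product", Go's standard library; a vendor toolkit would get its own
func (stdlibGlue) SignBuffer(data []byte, signer *Identity) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPSS(rand.Reader, signer.Key, crypto.SHA256, digest[:], nil)
}

// VerifyBuffer takes the key, and with it the suite (RSA-PSS with SHA-256 here), from the signer's certificate.
func (stdlibGlue) VerifyBuffer(data, sig []byte, signerCert *x509.Certificate) error {
	pub, ok := signerCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("signer certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(data)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil)
}

// EncryptBuffer: fresh AES-256-GCM content-encryption key per message, wrapped with RSA-OAEP to the recipient.
func (stdlibGlue) EncryptBuffer(data []byte, recipientCert *x509.Certificate) (*EncryptedObject, error) {
	pub, ok := recipientCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("recipient certificate does not carry an RSA key")
	}
	raw := make([]byte, 32+12) // 256-bit key followed by 96-bit nonce
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	cek, nonce := raw[:32], raw[32:]
	block, _ := aes.NewCipher(cek) // cannot fail: the key length is fixed just above
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has the 128-bit block size GCM requires
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, nil)}, nil
}

func (stdlibGlue) DecryptBuffer(obj *EncryptedObject, recipient *Identity) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, recipient.Key, obj.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap content-encryption key: wrong recipient or corrupt object")
	}
	block, err := aes.NewCipher(cek) // the unwrapped key came from the sender, so its length is checked here
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, nil) // the GCM tag check rejects any tampering
}

// NewIdentity builds an in-memory test identity; the certificate is constructed here, not issued by a PKI.
func NewIdentity(cn string) *Identity {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // test scaffolding only
	}
	return &Identity{Key: key, Cert: &x509.Certificate{Subject: pkix.Name{CommonName: cn}, PublicKey: &key.PublicKey}}
}

func main() {
	var api PKIService = stdlibGlue{} // the application sees only this interface
	alice, bob := NewIdentity("alice"), NewIdentity("bob")
	msg := []byte("wire transfer 1234: approved")
	sig, _ := api.SignBuffer(msg, alice)
	fmt.Println("verify with alice's cert:", api.VerifyBuffer(msg, sig, alice.Cert), "/ with bob's cert:", api.VerifyBuffer(msg, sig, bob.Cert))
	obj, _ := api.EncryptBuffer(msg, bob.Cert)
	pt, _ := api.DecryptBuffer(obj, bob)
	_, err := api.DecryptBuffer(obj, alice)
	fmt.Printf("bob decrypts %q; alice gets: %v\n", pt, err)
}
```

Running it shows the signature verifying under the signer's certificate and failing under another, and the encrypted object opening only for the named recipient; swapping stdlibGlue for a glue layer over a vendor toolkit leaves main untouched, which is the point of the common interface. One caveat the table leaves open: these calls take the certificate as given, and whether the glue layer also validates it (path, validity period, revocation status) before using its key is not specified on this page and has to be settled with the product underneath.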
The high-level API is designed to hide the complexity of the underlying
security mechanisms while making service requests available through simple
service calls. Several federal agencies have expressed interest
in this effort. In deploying PKI technology, FDIC plans to use this
high-level API to develop PKI-aware applications. The document Utility
Program Requirements specifies the requirements for a utility
program to facilitate independent audit of such systems. A NIST
Recommendation on the high-level cryptographic API is being considered
for the future.
Please send comments or suggestions to Shu-jen.Chang@nist.gov
Last Modified: January 27, 2003