Development of a High-Level PKI Services API

The PKI Group is currently working with the Federal Deposit Insurance Corporation (FDIC) to develop a high-level Application Programming Interface (API) for public-key based cryptographic services. Currently, PKI-enabled applications must use proprietary, vendor-provided APIs to interface with their PKI, which makes support across multiple PKI products difficult. To facilitate the development and wide deployment of PKI-enabled applications, NIST and FDIC are working to make this interface to a PKI consistent, regardless of the PKI product being used. If each PKI product and each application can meet at a common interface, more applications will become PKI-enabled for all PKIs.

The following picture shows the context for the high-level API.

The application requiring security services is any application that needs to sign and/or encrypt information. The security services/vendor products are the existing vendor products that provide the signing and encryption security services. The product API is the application programming interface provided by the product for calling the signing and encryption services. The high-level PKI services API is the common API being developed to provide a consistent interface to signing and encryption services irrespective of the product used for those services. The glue layer is the code necessary to translate the high-level PKI services API into the product API. It is anticipated that over time the high-level PKI services API will become part of the product API.

A common high-level API that consists of 10 functional calls is currently being considered. The functional calls are described in the table below.

| Call | Purpose |
|---|---|
| signBuffer() | Generates a digital signature over the information provided in a buffer using the algorithms specified within the originator's certificate |
| signFile() | Generates a digital signature over the information provided in a file using the algorithms specified within the originator's certificate |
| verifyBuffer() | Verifies a digital signature that was generated over the information provided in a buffer using the originator's certificate information |
| verifyFile() | Verifies a digital signature that was generated over the information provided in a file using the originator's certificate information |
| encryptBuffer() | Encrypts the information provided in a buffer using a symmetric key that is subsequently encrypted using the recipient's public encryption key |
| encryptFile() | Encrypts the information provided in a file using a symmetric key that is subsequently encrypted using the recipient's public encryption key |
| decryptBuffer() | Decrypts the symmetric encryption key provided in an encoded object using the recipient's private encryption key and then decrypts the information provided |
| decryptFile() | Decrypts the symmetric encryption key provided in an encoded object residing in a file using the recipient's private encryption key and then decrypts the information provided |
| CMSBufferParser() | A non-cryptographic function to facilitate parsing an encoded message in a buffer |
| CMSFileParser() | A non-cryptographic function to facilitate parsing an encoded message in a file |

The high-level API is designed to hide the complexity of the underlying security mechanisms while still making service requests available through simple service calls. Several federal agencies have expressed interest in this effort. In deploying PKI technology, FDIC plans to use this high-level API to develop PKI-aware applications. The document Utility Program Requirements specifies the requirements for a utility program to facilitate independent audit of such systems. A NIST Recommendation on the high-level cryptographic API is being considered for the future.


The Computer Security Resource Center is in the Computer Security Division of the Information Technology Laboratory at the National Institute of Standards and Technology .
NIST is an agency of the U.S. Commerce Department's Technology Administration.
Please send comments or suggestions to Shu-jen.Chang@nist.gov
Last Modified: January 27, 2003