International Cryptography Experiment;NSA;Cryptoki;">

Question 145. What are CAPIs?

A CAPI, or cryptographic application programming interface, is an interface to a library of functions that software developers can call upon for security and cryptography services. The goal of a CAPI is to make it easy for developers to integrate cryptography into applications. Separating the cryptographic routines from the software may also allow the export of software without any security services implemented. The software can later be linked by the user to the local security services. CAPIs can be targeted at different levels of abstraction, ranging from cryptographic module interfaces to authentication service interfaces. The International Cryptography Experiment (ICE) is an informally structured program for testing NSA's export restrictions (see Question 148 and Question 149) on CAPIs. More information can be obtained about this program by e-mail to <>. Some examples of CAPIs include RSA Laboratories' Cryptoki (PKCS #11) [RSA95], NSA's Fortezza (see Question 156), Internet GSS-API [Lin93], and the X/Open GCS-API [Xop95]. NSA has prepared a helpful report [NSA95]that surveys some of the current CAPIs.