REDMOND, Wash., Sept. 10, 1996 — Envisioning a new category of secure Internet applications, Microsoft Corp. today announced cross-platform technology that allows millions of developers to add strong security to existing and future software programs. CryptoAPI version 2.0, which Microsoft is making available in beta today (http://www.microsoft.com/intdev/security/), provides the underlying technology necessary to add security features to applications, such as the ability to digitally sign a document and send it over the Internet or verify an individual’s identity in an exchange of personal, financial or medical information. CryptoAPI 2.0 creates the foundation for a public key infrastructure (PKI), which will provide end users with a highly secure environment for communicating and conducting business over the Internet.
Until now, adding cryptographic capabilities to software was extremely difficult for most developers. Each vendor of a cryptographic solution required software developers to write specific code to take advantage of that vendor’s service. In addition, applications that needed to be used outside the United States required significant revision to comply with export regulations. The challenge developers face in providing different types of cryptography in software programs is analogous to the difficulty software developers had in supporting printers from different manufacturers before the Microsoft® Windows® operating system provided a common way to recognize printers.
CryptoAPI 2.0 provides cross-platform, operating-system-level support for cryptography in the same way that today’s operating systems provide device drivers for printers. As a result, developers can easily use a variety of cryptographic solutions – from exportable, 40-bit software encryption to extremely strong, 1,024-bit hardware encryption – without rewriting their applications. CryptoAPI 2.0 also frees developers from the need to develop their own cryptography, providing built-in, replaceable cryptographic modules.
CryptoAPI 2.0 is available to developers using a variety of programming languages, including the Visual Basic® programming system, the Visual C++® development system set, and Java. In addition to traditional programming interfaces, the cryptographic features are being delivered as a set of COM interfaces, providing developers with maximum flexibility in how they build cryptography-enabled applications.
CryptoAPI 2.0 provides the following key benefits:
It eliminates the need for application developers to create their own cryptography by providing an interface to third-party cryptographic service provider (CSP) modules that deliver cryptographic technology from specific vendors.
CryptoAPI’s modular design allows developers to work with a full range of CSPs that provide either software- or hardware-based cryptography, such as software algorithms or smart cards.
Replaceable cryptographic modules let developers create applications for worldwide use without having to worry about encryption export issues.
Replaceable cryptographic modules also enable developers to easily upgrade cryptographic technology as it becomes available without having to modify their applications.
CryptoAPI frees developers from the financial obligation of licensing cryptographic technologies directly from CSP vendors.
At Microsoft’s Security Design Review today, which is being attended by more than 150 independent software vendors, Microsoft will demonstrate beta versions of CSP modules from BBN Corp., Cylink and Spyrus, in addition to the Microsoft CSP module, which is based on technology from RSA Data Security.
“CryptoAPI makes it easy for developers to create applications with the world’s most widely used encryption technology from RSA,” said Jim Bidzos, president of RSA. “The availability of exportable and upgradeable cryptography provides developers with security functions that are effective throughout the world.”
CryptoAPI 2.0 Technical Details
CryptoAPI 2.0 adds high-level interfaces to the Windows family of operating systems for common cryptographic operations such as authentication, signing and encryption/decryption services. These cryptography operations make it easier for developers to do the following:
Encrypt and decrypt messages, files, programs, passwords, forms, credit-card numbers or any other data either residing locally on a PC or being transmitted over a network, including the Internet
Create and manage public and private keys for public key-based encryption
Create and manage digital certificates
Digitally sign a message or data to ensure that a recipient knows the identity of its creator and that the data hasn’t been tampered with or altered
“People need to know whom they’re doing business with on the Internet,” said Stratton Sclavos, president and CEO of VeriSign Inc. “CryptoAPI 2.0 lets developers easily create applications that can recognize industry-standard identification methods, such as VeriSign’s Digital IDs. We’re excited to be working with Microsoft and other companies to create a cross-platform public key infrastructure that allows the Internet to be a secure channel for conducting business.”
Microsoft expects CryptoAPI 2.0 to be available on several platforms. On Aug. 21, Microsoft announced it is licensing CryptoAPI to RSA Data Security, including the rights to incorporate CryptoAPI into RSA’s BSAFE and other security toolkit products, to port CryptoAPI to new platforms, and to build on Microsoft’s base set of cryptography services. CryptoAPI 1.0 is now shipping in Microsoft Internet Explorer 3.0 and the Windows NT® operating system version 4.0. Microsoft also expects that the functionality of CryptoAPI calling RSA’s cryptographic engine will be shipped for Macintosh and 16-bit versions of Windows operating systems in early 1997.
CryptoAPI Accessible to Developers for Visual Basic and Java
Microsoft also announced today that CryptoAPI 2.0 is available to millions of developers using Visual Basic and Java, making it easier to add cryptography and certificate functionality to their applications. A set of COM interfaces encapsulating CryptoAPI’s certificate and cryptographic functionality is now available on Microsoft’s Web site.
“Providing CryptoAPI as COM interfaces enables the millions of developers using tools such as Visual Basic to incorporate cryptography and certificate features easily into our applications,” said David Mendlen, an architect for Ameritech Cellular who uses Visual Basic. “Building exportable applications with flexible and renewable security lets us provide added value to all of our customers without having to rewrite applications for foreign markets.”
“Microsoft is demonstrating its commitment to helping all developers, including those using Visual Basic and Java to create secure applications for a global market,” said Brad Silverberg, senior vice president of the Internet platform and tools division at Microsoft. “By providing companies and developers with easy access to cryptography, CryptoAPI 2.0 will accelerate the development of a cost-effective public key infrastructure, giving end users a richer and safer computing experience.”
Support From Major Cryptographic Service Providers
In addition to the bundled CSP based on RSA technology that Microsoft provides for CryptoAPI 1.0 and the CryptoAPI 2.0 beta version, six additional corporations announced they will provide CSP modules for CryptoAPI. Atalla (a Tandem company), Northern Telecom Inc. (Nortel Secure Networks) and Trusted Information Systems have committed to provide CSP modules in the future, and at the Security Design Review, Microsoft is demonstrating beta versions of CSP modules from BBN Corp., Cylink and Spyrus.
The BBN CSP module supports hardware-based cryptographic key generation and storage using BBN’s SafeKeyper certificate signing unit. BBN is a leading provider of Internet and internetworking services to businesses and organizations.
Cylink’s CSP provides developers with a wide variety of public key cryptography services including Diffie-Hellman key management, DES encryption, DSS digital signatures and standards-based document hashing. Cylink is a leading provider of network security and management systems.
The Spyrus CSP supports their EES LYNKS Privacy Card, a tamper-resistant PCMCIA card that implements multiple U.S. government and commercial algorithms for key transport, key wrap, hash and digital signature. In addition, for government organizations, Spyrus will ship a CSP that works with Fortezza-compliant PCMCIA cards. Spyrus is a leading provider of information security technology, addressing a wide range of security requirements in commercial and government organizations.
About Microsoft Internet Security Framework
The Microsoft Internet Security Framework (MISF) is a comprehensive set of cross-platform, interoperable security technologies for electronic commerce and online communications that support Internet security standards. MISF technologies implemented to date include Authenticode technology, CryptoAPI 1.0 and CryptoAPI 2.0 (beta version), support for client authentication, support for secure socket layer (SSL) and private communications technology (PCT) secure channel protocols, and a beta implementation of the Secure Electronic Transactions (SET) protocol for credit-card transactions. Upcoming MISF technologies include a certificate server (demonstrated at the design review), PFX 1.0 (alpha version demonstrated at design review), and a
In addition, MISF technologies allow corporations to make use of their existing investments in network security by integrating with the robust Windows NT security model. Windows NT provides mechanisms to control access to all system and network resources, the auditing of all security-related events, sophisticated password protection, and the ability to lock out intruders. Windows NT also provides a single logon for users and central management of user accounts for administrators. For more information on the Microsoft Internet Security Framework, visit http://msdn.microsoft.com/library/backgrnd/html/msdn_misf.htm.
Founded in 1975, Microsoft (NASDAQ) is the worldwide leader in software for personal computers. The company offers a wide range of products and services for business and personal use, each designed with the mission of making it easier and more enjoyable for people to take advantage of the full power of personal computing every day.
Microsoft, Windows, Visual Basic, Visual C++ and Windows NT are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.
Java is a trademark of Sun Microsystems Inc.
Note to editors: If you are interested in viewing additional information on Microsoft, please visit the Microsoft Web page at http://www.microsoft.com/presspass/ on Microsoft’s corporate information pages.