Vendors that manufacture applications that require encryption/decryption incorporate cryptographic libraries in their applications. However, for export, cryptography is controlled by Government regulations. By default, cryptographic strength is constrained to weak crypto (e.g., 56 bit DES.). Special industries, for example, financial, can use “strong” crypto (e.g., 168 bit DES.). Vendors usually statically link cryptographic libraries into their applications. Vendors cannot easily change from one cryptographic library to another because the Application Programming Interfaces (APIs) vary between different vendors' libraries. The Common Data Security Architecture (CDSA) provides programmable interfaces for cryptographic and digital certificate services using a “plug and play” model. The CDSA Specification is attached as Appendix 1 and is available from the Intel Corporation, 5200 N.E. Elam Young Parkway, Hillsboro, Oreg. 97124-6497. The Specification is also available from cdsa@dbmg.com. With CDSA, security service providers may support varying strengths of cryptographic algorithms. Normally for a given implementation of CDSA, all applications will be allowed to use the union of all algorithms in cryptographic strengths provided by the registered service providers.
However, there is sometimes a need to allow the same implementation of CDSA to support the cryptographic needs of multiple applications, each of which needs to be constrained to a particular maximum cryptographic strength. For example, financial applications in non-U.S. jurisdictions may be allowed to use 168 bit strength cryptography, while non-financial applications may only be allowed to use 56 bit strength cryptography. What is needed is an improved system and a method to allow a single CDSA implementation to control the maximum cryptographic strength of various applications based on a configurable cryptographic control policy enforced by the CDSA framework.