Application programming interfaces (APIs) generally execute in the same processing space as the corresponding application. The application has unprotected access to the API and its functions. The API, for example, provides calling conventions for the application program to access the operating system and other services. The architecture between the application and API, however, has given rise to security concerns.
The development of cryptographic APIs allows programmers and software developers to use strong cryptography without having to understand the implementation of cryptographic algorithms. As a result, security has increased for many applications. Security issues, however, still exist for some applications utilizing cryptographic APIs.
Development paradigms that use cryptographic APIs depend on an application developer to have sufficient security knowledge with respect to selecting cryptographic algorithms, key sizes, key types, and other cryptographic parameters. If the application developer does not have sufficient knowledge about such cryptographic parameters, then security issues can arise. For example, companies may be unable to verify or insure whether an application (when using cryptographic APIs) is performing operations that are using policy controlled APIs is violating company security policies. Further, most security conscious organizations desire to have control over such parameters.
Security issues in cryptographic APIs can arise in other instances. As another example, the cryptographic APIs (such as the cryptographic API implementation libraries) run in the same process space as the application. Thus, the API and application are vulnerable to attack, compromise, misuse, or other security breaches since the application has unprotected access to the API. A hostile process, for instance, could subvert the cryptographic API and obtain services the application is not entitled to receive.