New Crypto Algorithms in Orcas

The January CTP of Orcas is now available, and with it comes a total of 12 new cryptography algorithm implementation classes, which include 2.5 new algorithms. (I’ll count AES as 0.5 since we did already have Rijndael 🙂 ). These classes also include the first set of managed wrappers around the new CNG APIs in Windows Vista; the wrappers use the Cng suffix on their implementation class names.

Dividing the new algorithms up into their types (all in the System.Security.Cryptography namespace in System.Core.dll), this CTP has:

Hash Algorithms

| Algorithm | Class | OS Required |
|-----------|-------|-------------|
| MD5 | MD5Cng | Windows Vista |
| SHA-1 | SHA1Cng | Windows Vista |
| SHA-256 | SHA256CryptoServiceProvider | Windows 2003 |
| SHA-256 | SHA256Cng | Windows Vista |
| SHA-384 | SHA384CryptoServiceProvider | Windows 2003 |
| SHA-384 | SHA384Cng | Windows Vista |
| SHA-512 | SHA512CryptoServiceProvider | Windows 2003 |
| SHA-512 | SHA512Cng | Windows Vista |

The hash algorithms work just as you would expect, and should function as simple drop-in replacements for corresponding algorithms that have already shipped in v2.0 of the .NET Framework.  The big advantage here is that these hash algorithms are just wrappers around the Windows implementations of the algorithms, and therefore are FIPS compliant versions of the SHA-2 algorithms which had only managed versions in v2.0.  For applications targeting Vista which must use CNG, this set of algorithms also provides CNG wrappers for all of our hashing algorithms.

Symmetric Algorithms

| Algorithm | Class | OS Required |
|-----------|-------|-------------|
| AES | AesCryptoServiceProvider | Windows XP SP2 |
| AES | AesManaged | All Supported Platforms |

We’ve provided a new Aes base class for implementations of AES (rather than Rijndael, which allows some parameters to be set differently than AES). Two implementations of this base class are shipping with the Orcas January CTP: one which wraps the CAPI implementation of AES, and a managed implementation of the algorithm which should run on any platform the CLR supports.

AesManaged is actually just a wrapper around RijndaelManaged with some code added to make sure that you do not set up the algorithm to operate in a non-AES compatible way. For instance, AesManaged does not allow you to change the block size. (It will also disallow the use of CFB and OFB mode because of the way that RijndaelManaged works with those modes.)
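An added example (not code from the original post): it programs against the Aes base class so that AesManaged and AesCryptoServiceProvider are interchangeable, then reports whether AesManaged refuses the Rijndael-only settings described above. It assumes .NET Framework 3.5 or later on Windows with a reference to System.Core.dll; the names AesOrcasDemo, Transform and Rejects are made up for illustration.

```csharp
// Added illustration; assumes .NET Framework 3.5+ on Windows, System.Core.dll referenced.
using System;
using System.Security.Cryptography;
using System.Text;

static class AesOrcasDemo   // hypothetical name
{
    // Encrypt or decrypt through the abstract Aes type only, so the caller
    // chooses the implementation (AesManaged or AesCryptoServiceProvider).
    static byte[] Transform(Aes aes, byte[] key, byte[] iv, byte[] data, bool encrypt)
    {
        aes.Key = key;
        aes.IV = iv;
        using (ICryptoTransform t = encrypt ? aes.CreateEncryptor() : aes.CreateDecryptor())
            return t.TransformFinalBlock(data, 0, data.Length);
    }

    // Returns true when the setting is refused with a CryptographicException.
    static bool Rejects(Action change)
    {
        try { change(); return false; }
        catch (CryptographicException) { return true; }
    }

    static void Main()
    {
        byte[] key = new byte[32], iv = new byte[16];   // AES-256 key, 128-bit block
        RandomNumberGenerator rng = RandomNumberGenerator.Create();
        rng.GetBytes(key);
        rng.GetBytes(iv);
        string message = "constructed sample message";

        using (Aes managed = new AesManaged())
        using (Aes capi = new AesCryptoServiceProvider())
        {
            // Same algorithm and same defaults (CBC, PKCS7): ciphertext from
            // one implementation decrypts with the other.
            byte[] cipher = Transform(managed, key, iv, Encoding.UTF8.GetBytes(message), true);
            byte[] back = Transform(capi, key, iv, cipher, false);
            Console.WriteLine("Cross-implementation round trip: " +
                (Encoding.UTF8.GetString(back) == message));

            // Rijndael-only settings that AesManaged is described as refusing.
            Console.WriteLine("BlockSize = 256 rejected: " + Rejects(() => managed.BlockSize = 256));
            Console.WriteLine("Mode = CFB rejected: " + Rejects(() => managed.Mode = CipherMode.CFB));
            Console.WriteLine("Mode = OFB rejected: " + Rejects(() => managed.Mode = CipherMode.OFB));
        }
    }
}
```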

Asymmetric Algorithms

| Algorithm | Class | OS Required |
|-----------|-------|-------------|
| Elliptic Curve DSA | ECDSACng | Windows Vista |
| Elliptic Curve Diffie-Hellman | ECDiffieHellmanCng | Windows Vista |

These are the really interesting additions to the cryptography libraries in this CTP, the first appearance of elliptic curve cryptography in the .NET Framework.  Since these will take more than just a paragraph to cover, the next couple of blog posts will focus on these classes (as well as the other supporting classes to help work with CNG).  Up next, Elliptic Curve DSA.

Comments (6)

  1. Levi says:

    Does the addition of the SHA2 algorithms to the CNG mean that we’ll finally be able to use RSA-SHA256? 🙂

  2. Hi Levi,

    Unfortunately, no 🙁

    System.Core.dll is part of the Orcas Green Bits.  To support RSA-SHA256 we’d need to update mscorlib.dll, which is part of Orcas Red Bits.  Unfortunately, we’re not allowed to have red bits dependencies on green bits, so we could not make this change.  However, we are now totally unblocked from allowing RSA-SHA256 in the next release of the framework.

    (You might want to check out Soma’s blog on green vs red bits here:


  3. Aaron says:

    How about the 2.0 vs FIPS problem you commented on in

    Is it currently possible to build an 2.0 with Require FIPS enabled on the server. I’ve tried the

    machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="TripleDES" decryption="3DES"

    fix listed in the KB and it doesn’t work. This is a HUGE problem with government systems.


  4. Hi Aaron,

    That’s probably a better question to ask the ASP.NET guys.  I’m not sure what work, if any, they’ve done to support operation in FIPS mode.


  5. Daniel Moth says:

    New Security stuff in Orcas framework

  6. spandey says:

    I have to convert existing crypto component to use AES256 for symmetric encryption decryption. I started looking at it and found two classes:

    1. AESManaged under System.Security.Cryptography

    2. AES256 class under Microsoft.Web.Services.Security.Cryptography that comes under WSE2.0 framework.

    Please advise about why Microsoft has provided same set of classes under two different assemblies and which one to use in my .Net WCF Crypto Service.


