.NET 4.0 Security

The first beta of the v4.0 .NET Framework is now available, and with it come a lot of changes to the CLR’s security system. We’ve updated both the policy and enforcement portions of the runtime in a number of ways that I’m pretty excited to finally see available. Since there are a lot of security changes, I’ll spend the next month or so taking a deeper look at each of them. At a high level, the major areas that are seeing updates with the v4 CLR are:

Like I did when we shipped the v2.0 CLR, I’ll come back and update this post with links to the details about each of the features we added as I write more detailed blog posts about each of them.

Tomorrow, I’ll start by looking at probably the most visible change of the group – the update to the CLR’s security policy system.

Comments (11)

  1. Alice & Bob says:

    Please write a book about .NET 4.0 Security 😉

  2. shawnfa says:

    🙂  Thanks.


  3. You can take a look at the new v4.0 .NET Framework, and the changes that will be described in Shawn

  4. Jack says:

    Glad to hear the security improvement. Security is the most important one!

  5. Loren says:

    So what is with the links above in the comments section? They do not link to the blog. Is it me, or is it the site?


  6. Daniel says:

    Does .NET 4.0 include an implementation of SHA-2?

    On this page:


    …there is a note about SHA-2 being the latest recommended hash algorithm:

    "MD5 design flaws were discovered in 1996, and SHA-1 was recommended instead. In 2004, additional flaws were discovered, and the MD5 algorithm is no longer considered secure. The SHA-1 algorithm has also been found to be insecure, and SHA-2 is now recommended instead."

    Perhaps I’m not looking in the right place?


  7. Daniel says:


    Can we expect to see XML signature algorithm parity in .NET 4.0?

  8. shawnfa says:

    We have not updated the XML digital signature classes in .NET 4. However, you can use RSA-SHA256 even in .NET 3.5 SP1 by registering a custom signature description class. This class, and a description of how to use it, can be found on http://clrsecurity.codeplex.com


  9. shawnfa says:

    Yes – SHA256, 384, and 512 have all been supported by .NET since version 1.0.  Look at the SHA256Managed class (or in v3.5, SHA256CryptoServiceProvider and SHA256Cng).


  10. shawnfa says:

    Loren – it’s not you.  Once I finish writing about each of those topics, I’ll update the links to point at them.