.NET 4.0 Security


The first beta of the v4.0 .NET Framework is now available, and with it come a lot of changes to the CLR’s security system. We’ve updated both the policy and enforcement portions of the runtime in many ways that I’m pretty excited to finally see available. Since there are so many security changes, I’ll spend the next month or so taking a deeper look at each of them. At a high level, the major areas that are seeing updates with the v4 CLR are:



Like I did when we shipped the v2.0 CLR, I’ll come back and update this post with links to the details about each of the features we added as I write more detailed blog posts about each of them.


Tomorrow, I’ll start by looking at probably the most visible change of the group – the update to the CLR’s security policy system.

Comments (11)

  1. Alice & Bob says:

    Please write a book about .NET 4.0 Security 😉

  2. 🙂 Thanks.

    -Shawn

  3. You can take a look at the new v4.0 .NET Framework, and the changes that will be described in Shawn

  4. Jack says:

    Glad to hear the security improvement. Security is the most important one!

  5. Loren says:

    So what is with the links above in the comments section? They do not link to the blog. Is it me or is the site?

    Loren

  6. Daniel says:

    Does .NET 4.0 include an implementation of SHA-2?

    On this page:

    http://msdn.microsoft.com/en-us/library/92f9ye3s(VS.100).aspx#digital_signatures

    …there is a note about SHA-2 being the latest recommended hash algorithm:

    "MD5 design flaws were discovered in 1996, and SHA-1 was recommended instead. In 2004, additional flaws were discovered, and the MD5 algorithm is no longer considered secure. The SHA-1 algorithm has also been found to be insecure, and SHA-2 is now recommended instead."

    Perhaps I’m not looking in the right place?

    Thanks!

  7. Daniel says:

    http://blogs.sun.com/mullan/entry/using_stronger_xml_signature_algorithms

    Can we expect to see XML signature algorithm parity in .NET 4.0?

  8. We have not updated the XML digital signature classes in .NET 4. However, you can use RSA-SHA256 even in .NET 3.5 SP1 by registering a custom signature description class. This class, and a description of how to use it, can be found on http://clrsecurity.codeplex.com

    -Shawn

  9. Yes – SHA256, 384, and 512 have all been supported by .NET since version 1.0. Look at the SHA256Managed class (or in v3.5, SHA256CryptoServiceProvider and SHA256Cng).

    -Shawn
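As an added illustration of the approach Shawn describes in the two replies above (this is not code from the clrsecurity project): a custom SignatureDescription that maps the rsa-sha256 URI onto RSA PKCS#1 v1.5 with SHA256Managed as the digest, registered with CryptoConfig.AddAlgorithm (a .NET 4 API; on 3.5 SP1 the same URI-to-type mapping goes into machine.config instead) and then used by SignedXml to sign and verify a constructed document. The class name, the CSP provider-type choice and the sample XML are my assumptions.

```csharp
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Hypothetical name. Ties the RSA PKCS#1 v1.5 formatter to SHA-256 so SignedXml can
// resolve the rsa-sha256 SignatureMethod URI through CryptoConfig.
public sealed class RsaSha256SignatureDescription : SignatureDescription
{
    public const string Uri = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    public RsaSha256SignatureDescription()
    {
        KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
        DigestAlgorithm = typeof(SHA256Managed).FullName;   // in the framework since v1.0
        FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
        DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
    }
    public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
    {
        var f = new RSAPKCS1SignatureFormatter(key);
        f.SetHashAlgorithm("SHA256");   // DigestInfo must name SHA-256, not the default SHA-1
        return f;
    }
    public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
    {
        var d = new RSAPKCS1SignatureDeformatter(key);
        d.SetHashAlgorithm("SHA256");
        return d;
    }
    // Signs a constructed document with RSA-SHA256 and verifies it; returns true on success.
    public static bool SignAndVerify()
    {
        // .NET 4 API; on 3.5 SP1 put the same mapping in machine.config instead.
        CryptoConfig.AddAlgorithm(typeof(RsaSha256SignatureDescription), Uri);
        // SHA-256 signing needs a CSP that supports it: provider type 24 (Enhanced RSA and AES).
        using (var rsa = new RSACryptoServiceProvider(2048, new CspParameters(24)))
        {
            var doc = new XmlDocument { PreserveWhitespace = true };
            doc.LoadXml("<order id=\"42\"><amount>10</amount></order>");   // constructed sample
            var signer = new SignedXml(doc) { SigningKey = rsa };
            signer.SignedInfo.SignatureMethod = Uri;
            var reference = new Reference("") { DigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256" };
            reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
            signer.AddReference(reference);
            signer.ComputeSignature();
            doc.DocumentElement.AppendChild(doc.ImportNode(signer.GetXml(), true));
            var verifier = new SignedXml(doc);
            verifier.LoadXml((XmlElement)doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)[0]);
            return verifier.CheckSignature(rsa);   // editing <amount> after signing makes this false
        }
    }
}
```

Keys generated in the default PROV_RSA_FULL provider cannot sign SHA-256 hashes, which is why the example asks for provider type 24 explicitly.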

  10. Loren – it’s not you. Once I finish writing about each of those topics, I’ll update the links to point at them.

    -Shawn