Authenticated Symmetric Encryption in .NET

Over the last week, we’ve made a couple of updates to our Codeplex projects to add authenticated symmetric encryption to the managed cryptography surface area for the first time.  Since we’ve never supported authenticated symmetric algorithms in managed code before, I thought I’d run though some basics about what they are and how to use…

5

MD5 on Silverlight

Reid Borsuk, an SDE/T on the CLR security team, has released a fully transparent implementation of the MD5 hash algorithm to the MSDN Code Gallery.  Since the code is entirely transparent, it can be used as part of a Silverlight application that needs to compute MD5 hashes in order to interop with existing code or…

1

CryptoConfig

The crypto config schema has been a bit of a hot topic around here lately, specifically around how to modify the CLR’s machine.config to get custom crypto types registered with CryptoConfig. Let’s take a quick look at what CryptoConfig is first, and then we’ll see how to customize its behavior.  CryptoConfig is a type in…

1

Using RSACryptoServiceProvider for RSA-SHA256 signatures

Earlier this month, we released .NET 3.5 SP 1.  One of the new features available in this update is that RSACryptoServiceProvider has gained the ability to create and verify RSA-SHA256 signatures. Since RSACryptoServiceProvider relies on the underlying CAPI APIs to do its work, this feature will only be enabled on versions of Windows which support…

12

CLR Security Team CodePlex Site

The CLR Security Team just launched our CodePlex site: http://www.codeplex.com/clrsecurity.  Currently, it contains two assemblies that provide additional functionality to the security APIs shipped in v3.5 of the .NET Framework. We’d love your feedback on the currently offered libraries, and also welcome ideas for other libraries you’d like to see on our CodePlex site.  From…

1

Disabling the FIPS Algorithm Check

.NET 2.0 introduced a check for FIPS certified algorithms if your local security policy was configured to require them.  This resulted in algorithms which are not FIPS compliant (or implementations which were not FIPS certified) throwing an InvalidOperationException from their constructors. In some cases this isn’t a desirable behavior.  For instance, some applications need to…

4

CLR Inside Out: Digging into IDisposable

My third MSDN magazine article, Digging into IDisposable, appeared in this month’s issue in the CLR Inside Out Column.  It’s a bit of a departure from my usual security fare; this time looking at how to best handle writing class libraries that must manage resources. Also in this month’s issue, Kenny Kerr provides a good introduction to…

0

Please do not use the .NET 2.0 HMACSHA512 and HMACSHA384 Classes

  We’ve recently discovered a bug in the HMACSHA512 and HMACSHA384 classes which shipped in the .NET Framework 2.0.  This bug will cause these algorithms to produce incorrect results which are not consistent with other implementations of HMAC-SHA-512 and HMAC-SHA-384.  Unfortunately, we did not discover this bug until recently, and the shipping .NET Framework 2.0 on all…

19

Elliptic Curve Diffie-Hellman

The second elliptic curve algorithm added to Orcas is elliptic curve Diffie-Hellman, as the ECDiffieHellmanCng class. This is the first time Diffie-Hellman is available as part of the .NET Framework, so lets take a quick look at what it is and what it does.  Diffie-Hellman is one of the oldest asymmetric algorithms, however unlike the…

8

Elliptic Curve DSA

Yesterday I gave a quick rundown of all the new cryptographic algorithms available in the Orcas January CTP.  Today, let’s dive in a little deeper to the first of the elliptic curve algorithms, ECDSA.  (ECDSA, along with the rest of the CNG classes in the .NET Framework, is only available on Windows Vista). ECDSA is…

3