Freigeben über


New Crypto Algorithms in Orcas

The January CTP of Orcas is now available, and with it comes a total of 12 new cryptography algorithm implementation classes, which include 2.5 new algorithms.  (I'll count AES as 0.5 since we did already have Rijndael :-) ).  These classes also are the first set of managed wrappers around the new CNG APIs in Windows Vista, which will use the Cng suffix on the implementation classes.

Dividing the new algorithms up into their types (all in the System.Security.Cryptography namespace in System.Core.dll), this CTP has:

Hash Algorithms

Algorithm Class OS Required
MD5 MD5Cng Windows Vista
SHA-1 SHA1Cng Windows Vista
SHA-256 SHA256CryptoServiceProvider Windows 2003
SHA256Cng Windows Vista
SHA-384 SHA384CryptoServiceProvider Windows 2003
SHA384Cng Windows Vista
SHA-512 SHA512CryptoServiceProvider Windows 2003
SHA512Cng Windows Vista

The hash algorithms work just as you would expect, and should function as simple drop-in replacements for corresponding algorithms that have already shipped in v2.0 of the .NET Framework.  The big advantage here is that these hash algorithms are just wrappers around the Windows implementations of the algorithms, and therefore are FIPS compliant versions of the SHA-2 algorithms which had only managed versions in v2.0.  For applications targeting Vista which must use CNG, this set of algorithms also provides CNG wrappers for all of our hashing algorithms.

Symmetric Algorithms

Algorithm Class OS Required
AES AesCryptoServiceProvider Windows XP SP2
AesManaged All Supported Platforms

We've provided a new Aes base class for implementations of AES (rather than Rijndael which allows some parameters to be set differently than AES).  Two implementations of this base class are shipping with the Orcas January CTP, once which wraps the CAPI implementation of AES and a managed implementation of the algorithm which should run on any platform the CLR supports.

AesManaged is actually just a wrapper around RinjdaelManaged with some code added to make sure that you do not setup the algorithm to operate in a non-AES compatible way.  For instance, AesManaged does not allow you to change the block size.  (It will also disallow the use of CFB and OFB mode because of the way that RijndaelManaged works with those modes). 

Asymmetric Algorithms

Algorithm Class OS Required
Elliptic Curve DSA ECDSACng Windows Vista
Elliptic Curve Diffie-Hellman ECDiffieHellmanCng Windows Vista

These are the really interesting additions to the cryptography libraries in this CTP, the first appearance of elliptic curve cryptography in the .NET Framework.  Since these will take more than just a paragraph to cover, the next couple of blog posts will focus on these classes (as well as the other supporting classes to help work with CNG).  Up next, Elliptic Curve DSA.

Comments

  • Anonymous
    January 17, 2007
    Does the addition of the SHA2 algorithms to the CNG mean that we'll finally be able to use RSA-SHA256? :)

  • Anonymous
    January 18, 2007
    Hi Levi, Unfortunately, no :-( System.Core.dll is part of the Orcas Green Bits.  To support RSA-SHA256 we'd need to update mscorlib.dll, which is part of Orcas Red Bits.  Unfortunately, we're not allowed to have red bits dependencies on green bits, so we could not make this change.  However, we are now totally unblocked from allowing RSA-SHA256 in the next release of the framework. (You might want to check out Soma's blog on green vs red bits here: http://blogs.msdn.com/somasegar/archive/2006/05/18/601354.aspx) -Shawn

  • Anonymous
    February 22, 2007
    How about the Asp.net 2.0 vs FIPS problem you commented on in https://blogs.msdn.com/shawnfa/archive/2005/05/16/417975.aspx Is it currently possible to build an asp.net 2.0 with Require FIPS enabled on the server. I've tried the machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="TripleDES" decryption="3DES" fix listed in the KB and it doesn't work. This is a HUGE problem with government systems. Aaron

  • Anonymous
    February 23, 2007
    Hi Aaron, That's probably a better question to ask the ASP.NET guys.  I'm not sure what work, if any, they've done to support operation in FIPS mode. -Shawn

  • Anonymous
    March 14, 2007
    New Security stuff in Orcas framework

  • Anonymous
    February 12, 2010
    The comment has been removed