Jaa

Which Cryptographic Operations are Available?

  • Artikkeli

One of the more common problems to creep up when people start using the various cryptographic algorithms in the System.Security.Cryptography namespace is that their app, which works fine on their WinXP dev box suddenly starts throwing CryptographicExceptions when run on down level platforms.  The reasoning behind this is that the various algorithms which have class names ending in CryptoServiceProvider actually are thin wrappers around the native Windows Crypto API.  CAPI gets its algorithms from a Cryptographic Service Provider.

On default Windows 2000 installs, there is only the Microsoft Base Cryptographic Service Provider, which only provides RC2, RC4 and DES encryption.  To get more algorithms such as TripleDES, or RSA that uses larger than 512 bit keys, you need the Microsoft Enhanced Cryptographic Service Provider.  The enhanced CSP installs with upgrades to IE, so usually upgrading to the latest IE (or latest Windows Service Pack) will solve the problem.

To help figure out which algorithms are installed on your computer, Mitch Gallant has written a small utility that lists your CSPs and the algorithms they support.  You can find it here: https://www.jensign.com/JavaScience/ListAlgs/

Comments

  • Anonymous
    March 08, 2004
    This is a good description of the problem (but it's missing the OAEP padding which is only available to XP/2003). However you didn't supply a solution to the problem. Mitch's utility is great but it's hardly a solution that would help someone to deploy an application to multiple computers (inside or outside an organization). Upgrading (either IE, a service pack or a newer OS) isn't always a choice available to enterprise customers either.

    So let me give my own suggestion*: using a 100% managed implementation of the algorithms you require. This way you'll always be sure that the algorithms are available as you can ship the assembly containing the complete implementation. No I'm not avocating that everyone should do it's own crypto (I'll get nightmares just because of the idea) because that would be extremely bad, but I would suggest* people to look at what's already available on the Internet because this solution exists today.

    Anyway this may also be the only way to go multiple platform (e.g. the Compact Framework has no cryptographic support - unless you P/Invoke into it's own CryptoAPI and make your own CryptoStream and support classes, which sadly would be kind-of writing your own crypto).

    [* disclaimer: I'm a (potentialy biased) Mono developer - http://www.go-mono.com/]
  • Anonymous
    March 09, 2004
    Thanks for pointing out OAEP, I'd forgotten to mention that in my post. I pointed out Mitch's utility only to help debugging these problems, and to increase awareness of different CSPs on different versions of Windows.

    However, as you point out, the only way to guarantee that there's not going to be a problem is to either insist on minimum platform requirements, or use pure managed algorithms. However, writing crypto algorithms is hard and most people really should use a library. As you point out Mono provides some pure-managed implementations (though I don't know exactly which algorithms are avaliable, maybe you could provide a list here?) Also, how easy would it be to get the Mono algorithms to compile using the Microsoft toolset and distribute them with an application? Would I need just a .cs file or two, or are there a slew of dependencies to worry about?

    Another option would be to use AES encryption, provided with Microsoft's implementation in the RijndaelManaged class. This will provide for excellent symmetric encryption, however it does not provide a solution for asymmetric encryption. For hashing, SHA1Managed or SHA512Managed both provide built in managed solutions.
  • Anonymous
    March 09, 2004
    The comment has been removed
  • Anonymous
    March 09, 2004
    Good information. I think I'll post this back onto the main thread so that more people can see it. In terms of the DSA constructor, we're aware of that problem, and it should be fixed for Whidbey (which is now v2.0, not v1.2)
  • Anonymous
    May 24, 2004
    Your Articles and comments helped me finish my Paper Today , Many thanks !