Specifying a Custom Crypto Algorithm
WCF allows you to specify a custom crypto algorithm to use when encrypting data or computing digital signatures. This is done in the following steps:
1. Derive a class from SecurityAlgorithmSuite.
2. Register the algorithm.
3. Configure the binding with the SecurityAlgorithmSuite-derived class.
Derive a class from SecurityAlgorithmSuite
SecurityAlgorithmSuite is an abstract base class that lets you specify the algorithm to use for each security-related operation, for example computing the digest for a digital signature or encrypting a message. The following code shows how to derive a class from SecurityAlgorithmSuite:
    using System.IdentityModel.Tokens;   // SecurityAlgorithms URI constants
    using System.ServiceModel.Security;  // SecurityAlgorithmSuite

    public class MyCustomAlgorithmSuite : SecurityAlgorithmSuite
    {
        // URI that identifies the custom digest algorithm. It must be identical to the
        // URI registered with CryptoConfig (see "Register the Custom Algorithm").
        public const string CustomHashAlgorithm =
            "http://contoso.com/CustomAlgorithms/CustomHashAlgorithm";

        public override string DefaultAsymmetricKeyWrapAlgorithm
        {
            get { return SecurityAlgorithms.RsaOaepKeyWrap; }
        }
        public override string DefaultAsymmetricSignatureAlgorithm
        {
            get { return SecurityAlgorithms.RsaSha1Signature; }
        }
        public override string DefaultCanonicalizationAlgorithm
        {
            get { return SecurityAlgorithms.ExclusiveC14n; }
        }
        public override string DefaultDigestAlgorithm
        {
            // The custom URI, resolved through CryptoConfig at run time.
            get { return CustomHashAlgorithm; }
        }
        public override string DefaultEncryptionAlgorithm
        {
            get { return SecurityAlgorithms.Aes128Encryption; }
        }
        public override int DefaultEncryptionKeyDerivationLength
        {
            get { return 128; }
        }
        public override int DefaultSignatureKeyDerivationLength
        {
            get { return 128; }
        }
        public override int DefaultSymmetricKeyLength
        {
            get { return 128; }
        }
        public override string DefaultSymmetricKeyWrapAlgorithm
        {
            get { return SecurityAlgorithms.Aes128Encryption; }
        }
        public override string DefaultSymmetricSignatureAlgorithm
        {
            get { return SecurityAlgorithms.HmacSha1Signature; }
        }
        // Key lengths in bits that this suite accepts for asymmetric keys.
        public override bool IsAsymmetricKeyLengthSupported(int length)
        {
            return length >= 1024 && length <= 4096;
        }
        // Key lengths in bits that this suite accepts for symmetric keys.
        public override bool IsSymmetricKeyLengthSupported(int length)
        {
            return length >= 128 && length <= 256;
        }
    }
Register the Custom Algorithm
Registration can be done in a configuration file or in imperative code. Registering a custom algorithm is done by creating a mapping between a class that implements a crypto service provider and an alias. The alias is then mapped to a URI which is used when specifying the algorithm in the WCF service's binding. The following configuration snippet illustrates how to register a custom algorithm in config:
    <configuration>
      <mscorlib>
        <cryptographySettings>
          <cryptoNameMapping>
            <cryptoClasses>
              <cryptoClass SHA256CSP="System.Security.Cryptography.SHA256CryptoServiceProvider, System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            </cryptoClasses>
            <nameEntry name="http://contoso.com/CustomAlgorithms/CustomHashAlgorithm"
                       class="SHA256CSP" />
          </cryptoNameMapping>
        </cryptographySettings>
      </mscorlib>
    </configuration>
The <cryptoClasses> element creates the mapping between the SHA256CryptoServiceProvider class and the alias "SHA256CSP". The <nameEntry> element creates the mapping between the "SHA256CSP" alias and the URI http://contoso.com/CustomAlgorithms/CustomHashAlgorithm.
To register the custom algorithm in code, use the CryptoConfig.AddAlgorithm(Type, String[]) method. This method creates both mappings in one call. The following example shows how to call it:
    using System.Security.Cryptography;

    // Map the custom URI returned by MyCustomAlgorithmSuite.DefaultDigestAlgorithm to the
    // SHA256CryptoServiceProvider class, so that WCF can create the hash algorithm object
    // when it encounters that URI.
    CryptoConfig.AddAlgorithm(typeof(SHA256CryptoServiceProvider),
                              "http://contoso.com/CustomAlgorithms/CustomHashAlgorithm");
Configure the Binding
You configure the binding by specifying the custom SecurityAlgorithmSuite-derived class in the binding settings as shown in the following code snippet:
    // WSHttpBinding uses message security by default; the custom suite replaces the
    // default algorithm suite for that message security.
    WSHttpBinding binding = new WSHttpBinding();
    binding.Security.Message.AlgorithmSuite = new MyCustomAlgorithmSuite();
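As an added example (not code from this page or from the Cryptographic Agility sample), the following C# ties the three steps together and fails fast when the digest URI returned by the suite does not resolve through CryptoConfig, which is the mistake that otherwise surfaces only when the first signed message is processed. It assumes the MyCustomAlgorithmSuite class shown above; CustomSuiteSetup, CheckDigestRegistration and BuildBinding are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Text;

// Hypothetical helper (not part of the page or the WCF sample).
static class CustomSuiteSetup
{
    // Must match MyCustomAlgorithmSuite.DefaultDigestAlgorithm and the <nameEntry> URI exactly.
    const string CustomHashUri =
        "http://contoso.com/CustomAlgorithms/CustomHashAlgorithm";

    // Resolves the suite's digest URI through the CryptoConfig lookup WCF relies on
    // for custom URIs and returns a failure reason, or null when the registration is correct.
    public static string CheckDigestRegistration(SecurityAlgorithmSuite suite)
    {
        string uri = suite.DefaultDigestAlgorithm;
        // CreateFromName returns null for an unmapped name rather than throwing,
        // so a missing or misspelled URI is silent until a message is signed.
        var hash = CryptoConfig.CreateFromName(uri) as HashAlgorithm;
        if (hash == null)
            return "No HashAlgorithm is mapped to '" + uri + "'.";

        // Constructed sample input: the mapped class must agree with the
        // framework's reference SHA-256 implementation.
        byte[] input = Encoding.UTF8.GetBytes("constructed sample input");
        string actual = Convert.ToBase64String(hash.ComputeHash(input));
        string expected = Convert.ToBase64String(SHA256.Create().ComputeHash(input));
        if (actual != expected)
            return "'" + uri + "' resolves to " + hash.GetType().Name + ", not SHA-256.";
        return null;
    }

    public static WSHttpBinding BuildBinding()
    {
        // Imperative registration, as on this page (a config <nameEntry> works too).
        CryptoConfig.AddAlgorithm(typeof(SHA256CryptoServiceProvider), CustomHashUri);
        var suite = new MyCustomAlgorithmSuite();
        string problem = CheckDigestRegistration(suite);
        if (problem != null)
            throw new InvalidOperationException(problem);

        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.AlgorithmSuite = suite;
        return binding;
    }
}
```

CryptoConfig.AddAlgorithm registers the mapping for the current application domain only, so BuildBinding must run in each process before the first message is signed or verified. Note that the suite on this page still returns RsaSha1Signature and HmacSha1Signature, so replacing the digest alone leaves the signature algorithms on SHA-1.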
For a complete code example, see the Cryptographic Agility in WCF Security sample.