New Crypto Algorithms in Orcas
The January CTP of Orcas is now available, and with it comes a total of 12 new cryptography algorithm implementation classes, which include 2.5 new algorithms. (I'll count AES as 0.5 since we did already have Rijndael :-) ). These classes also are the first set of managed wrappers around the new CNG APIs in Windows Vista, which will use the Cng suffix on the implementation classes.
Dividing the new algorithms up into their types (all in the System.Security.Cryptography namespace in System.Core.dll), this CTP has:
Hash Algorithms
| Algorithm | Class | OS Required |
| MD5 | MD5Cng | Windows Vista |
| SHA-1 | SHA1Cng | Windows Vista |
| SHA-256 | SHA256CryptoServiceProvider | Windows 2003 |
| SHA256Cng | Windows Vista | |
| SHA-384 | SHA384CryptoServiceProvider | Windows 2003 |
| SHA384Cng | Windows Vista | |
| SHA-512 | SHA512CryptoServiceProvider | Windows 2003 |
| SHA512Cng | Windows Vista |
The hash algorithms work just as you would expect, and should function as simple drop-in replacements for corresponding algorithms that have already shipped in v2.0 of the .NET Framework. The big advantage here is that these hash algorithms are just wrappers around the Windows implementations of the algorithms, and therefore are FIPS compliant versions of the SHA-2 algorithms which had only managed versions in v2.0. For applications targeting Vista which must use CNG, this set of algorithms also provides CNG wrappers for all of our hashing algorithms.
Symmetric Algorithms
| Algorithm | Class | OS Required |
| AES | AesCryptoServiceProvider | Windows XP SP2 |
| AesManaged | All Supported Platforms |
We've provided a new Aes base class for implementations of AES (rather than Rijndael which allows some parameters to be set differently than AES). Two implementations of this base class are shipping with the Orcas January CTP, once which wraps the CAPI implementation of AES and a managed implementation of the algorithm which should run on any platform the CLR supports.
AesManaged is actually just a wrapper around RinjdaelManaged with some code added to make sure that you do not setup the algorithm to operate in a non-AES compatible way. For instance, AesManaged does not allow you to change the block size. (It will also disallow the use of CFB and OFB mode because of the way that RijndaelManaged works with those modes).
Asymmetric Algorithms
| Algorithm | Class | OS Required |
| Elliptic Curve DSA | ECDSACng | Windows Vista |
| Elliptic Curve Diffie-Hellman | ECDiffieHellmanCng | Windows Vista |
These are the really interesting additions to the cryptography libraries in this CTP, the first appearance of elliptic curve cryptography in the .NET Framework. Since these will take more than just a paragraph to cover, the next couple of blog posts will focus on these classes (as well as the other supporting classes to help work with CNG). Up next, Elliptic Curve DSA.
Comments
Anonymous
January 17, 2007
Does the addition of the SHA2 algorithms to the CNG mean that we'll finally be able to use RSA-SHA256? :)Anonymous
January 18, 2007
Hi Levi, Unfortunately, no :-( System.Core.dll is part of the Orcas Green Bits. To support RSA-SHA256 we'd need to update mscorlib.dll, which is part of Orcas Red Bits. Unfortunately, we're not allowed to have red bits dependencies on green bits, so we could not make this change. However, we are now totally unblocked from allowing RSA-SHA256 in the next release of the framework. (You might want to check out Soma's blog on green vs red bits here: http://blogs.msdn.com/somasegar/archive/2006/05/18/601354.aspx) -ShawnAnonymous
February 22, 2007
How about the Asp.net 2.0 vs FIPS problem you commented on in https://blogs.msdn.com/shawnfa/archive/2005/05/16/417975.aspx Is it currently possible to build an asp.net 2.0 with Require FIPS enabled on the server. I've tried the machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="TripleDES" decryption="3DES" fix listed in the KB and it doesn't work. This is a HUGE problem with government systems. AaronAnonymous
February 23, 2007
Hi Aaron, That's probably a better question to ask the ASP.NET guys. I'm not sure what work, if any, they've done to support operation in FIPS mode. -ShawnAnonymous
March 14, 2007
New Security stuff in Orcas frameworkAnonymous
February 12, 2010
The comment has been removed