WCF allows you to specify a custom crypto algorithm to use when encrypting data or computing digital signatures. This is done by the following steps:
Derive a class from SecurityAlgorithmSuite
Register the algorithm
Configure the binding with the SecurityAlgorithmSuite-derived class.
Derive a class from SecurityAlgorithmSuite
The SecurityAlgorithmSuite class is an abstract base class that lets you specify the algorithm used for various security-related operations, such as computing a hash for a digital signature or encrypting a message. The following code shows how to derive a class from SecurityAlgorithmSuite:
```csharp
using System.IdentityModel.Tokens;   // SecurityAlgorithms URI constants
using System.ServiceModel.Security;  // SecurityAlgorithmSuite base class

public class MyCustomAlgorithmSuite : SecurityAlgorithmSuite
{
    // URI of the custom digest algorithm. It must match the URI that is
    // registered with CryptoConfig (see "Register the Custom Algorithm").
    public const string MyCustomHashAlgorithm =
        "http://contoso.com/CustomAlgorithms/CustomHashAlgorithm";

    // Algorithm used to wrap (encrypt) a symmetric key with an asymmetric key.
    public override string DefaultAsymmetricKeyWrapAlgorithm
    {
        get { return SecurityAlgorithms.RsaOaepKeyWrap; }
    }

    // Algorithm used for asymmetric (public key) signatures.
    public override string DefaultAsymmetricSignatureAlgorithm
    {
        get { return SecurityAlgorithms.RsaSha1Signature; }
    }

    // XML canonicalization applied before signing.
    public override string DefaultCanonicalizationAlgorithm
    {
        get { return SecurityAlgorithms.ExclusiveC14n; }
    }

    // Digest algorithm, resolved through CryptoConfig by its URI.
    public override string DefaultDigestAlgorithm
    {
        get { return MyCustomHashAlgorithm; }
    }

    // Symmetric algorithm used to encrypt message content.
    public override string DefaultEncryptionAlgorithm
    {
        get { return SecurityAlgorithms.Aes128Encryption; }
    }

    // Key derivation lengths (in bits) for encryption and signing keys.
    public override int DefaultEncryptionKeyDerivationLength
    {
        get { return 128; }
    }

    public override int DefaultSignatureKeyDerivationLength
    {
        get { return 128; }
    }

    public override int DefaultSymmetricKeyLength
    {
        get { return 128; }
    }

    // Algorithm used to wrap a symmetric key with another symmetric key.
    public override string DefaultSymmetricKeyWrapAlgorithm
    {
        get { return SecurityAlgorithms.Aes128Encryption; }
    }

    // Algorithm used for symmetric (keyed MAC) signatures.
    public override string DefaultSymmetricSignatureAlgorithm
    {
        get { return SecurityAlgorithms.HmacSha1Signature; }
    }

    // Key length bounds (in bits) that this suite accepts.
    public override bool IsAsymmetricKeyLengthSupported(int length)
    {
        return length >= 1024 && length <= 4096;
    }

    public override bool IsSymmetricKeyLengthSupported(int length)
    {
        return length >= 128 && length <= 256;
    }
}
```
Register the Custom Algorithm
Registration can be done in a configuration file or in imperative code. Registering a custom algorithm means creating a mapping between a class that implements a crypto service provider and an alias; the alias is then mapped to a URI, which is the value used when specifying the algorithm in the WCF service's binding. The following configuration snippet illustrates how to register a custom algorithm in config:
```xml
<configuration>
  <mscorlib>
    <cryptographySettings>
      <cryptoNameMapping>
        <cryptoClasses>
          <cryptoClass SHA256CSP="System.Security.Cryptography.SHA256CryptoServiceProvider, System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        </cryptoClasses>
        <nameEntry name="http://contoso.com/CustomAlgorithms/CustomHashAlgorithm"
                   class="SHA256CSP" />
      </cryptoNameMapping>
    </cryptographySettings>
  </mscorlib>
</configuration>
```
The section under the <cryptoClasses> element creates the mapping between SHA256CryptoServiceProvider and the alias "SHA256CSP". The <nameEntry> element creates the mapping between the "SHA256CSP" alias and the specified URI, http://contoso.com/CustomAlgorithms/CustomHashAlgorithm.
To register the custom algorithm in code, use the AddAlgorithm(Type, String[]) method. This method creates both mappings at once. The following example shows how to call this method:
```csharp
using System.Security.Cryptography;

// Register the custom URI string defined for the hash algorithm in the
// MyCustomAlgorithmSuite class so that it creates a SHA256CryptoServiceProvider
// hash algorithm object.
CryptoConfig.AddAlgorithm(typeof(SHA256CryptoServiceProvider), "http://contoso.com/CustomAlgorithms/CustomHashAlgorithm");
```
Configure the Binding
You configure the binding by specifying the custom SecurityAlgorithmSuite-derived class in the binding settings as shown in the following code snippet:
```csharp
using System.ServiceModel;

WSHttpBinding binding = new WSHttpBinding();
binding.Security.Message.AlgorithmSuite = new MyCustomAlgorithmSuite();
```
For a complete code example, see the Cryptographic Agility in WCF Security sample.
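The three steps above carried through end to end, as an added example that is not code from the original page or from the WCF sample. It assumes the MyCustomAlgorithmSuite class shown earlier on this page and the registration URI from the configuration section. The ResolveCustomHash check (CryptoConfig.CreateFromName) is an assumption about how a practitioner would verify the mapping before a binding depends on it; the page itself does not prescribe it.

```csharp
using System;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Text;

// Added example; assumes the MyCustomAlgorithmSuite class from this page.
public static class CustomSuiteSetup
{
    // Same URI as in the <nameEntry> element and the AddAlgorithm call above.
    const string CustomHashUri = "http://contoso.com/CustomAlgorithms/CustomHashAlgorithm";

    // Step 2: register the URI -> SHA256CryptoServiceProvider mapping in code.
    public static void RegisterCustomHash()
    {
        CryptoConfig.AddAlgorithm(typeof(SHA256CryptoServiceProvider), CustomHashUri);
    }

    // Sanity check (assumption, not from the page): confirm that the URI resolves
    // to the intended algorithm type. An unregistered or mistyped URI makes
    // CryptoConfig.CreateFromName return null, which would otherwise only surface
    // as a runtime failure inside WCF message security when the first message
    // is signed or verified.
    public static HashAlgorithm ResolveCustomHash()
    {
        var hash = CryptoConfig.CreateFromName(CustomHashUri) as HashAlgorithm;
        if (hash == null)
            throw new InvalidOperationException("Custom hash URI is not registered: " + CustomHashUri);
        if (!(hash is SHA256))
            throw new InvalidOperationException("Custom hash URI resolved to unexpected type: " + hash.GetType().FullName);
        return hash;
    }

    // Step 3: build a message-security binding that uses the custom suite.
    public static WSHttpBinding CreateBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.AlgorithmSuite = new MyCustomAlgorithmSuite();
        return binding;
    }

    public static void Main()
    {
        RegisterCustomHash();

        // Exercise the registered algorithm on a constructed sample payload.
        using (HashAlgorithm sha256 = ResolveCustomHash())
        {
            byte[] digest = sha256.ComputeHash(Encoding.UTF8.GetBytes("constructed sample payload"));
            Console.WriteLine("Digest via custom URI: {0} ({1} bits)",
                              BitConverter.ToString(digest), digest.Length * 8);
        }

        // Show which algorithms the binding will actually advertise and use.
        WSHttpBinding binding = CreateBinding();
        SecurityAlgorithmSuite suite = binding.Security.Message.AlgorithmSuite;
        Console.WriteLine("Digest algorithm:     " + suite.DefaultDigestAlgorithm);
        Console.WriteLine("Encryption algorithm: " + suite.DefaultEncryptionAlgorithm);
        Console.WriteLine("Signature algorithm:  " + suite.DefaultAsymmetricSignatureAlgorithm);
        Console.WriteLine("Symmetric key length: " + suite.DefaultSymmetricKeyLength + " bits");
    }
}
```

This targets the .NET Framework, where WSHttpBinding, SecurityAlgorithmSuite and SHA256CryptoServiceProvider are all available. Note that the suite on this page changes only the digest algorithm: the asymmetric and symmetric signature properties still return RsaSha1Signature and HmacSha1Signature, so a deployment that wants SHA-256 throughout would override those too (SecurityAlgorithms.RsaSha256Signature and SecurityAlgorithms.HmacSha256Signature exist from .NET Framework 4.5 onward). Client and service must use the same suite, or message security negotiation fails.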