3 In the .NET framework cryptography can be found under a number of
4 namespaces in several assemblies.
8 *** Namespace: <b>System.Security.Cryptography</b>
10 Thanks to the work of many people this namespace is almost complete.
14 * All classes are present. Most of them have (minimal)
15 documentation in <b>monodoc</b>.
17 * Most classes have their unit tests. Some tests like <code>
18 SymmetricAlgorithmTest</code> are generated by external
22 *** Namespace: <b>System.Security.Cryptography.X509Certificates</b>
26 * X.509 certificates are parsed using 100% managed code
27 (using the Mono.Security.ASN1 class).
29 * Software Publisher Certificates (SPC) used by Authenticode
30 (tm) to sign assemblies are supported and <b>minimally</b>
33 * Unit tests are generated from a set of existing certificates
34 (about a dozen) each having different properties. Another
35 set of certificates (more than 700) are used for a more
36 complete test (but isn't part of the standard test suite for
37 size and time consideration, i.e. a 7.5Mb C# source file).
42 * The class Mono.Security.X509.X509Certificate (in Mono.Security
43 assembly) is becoming a much better alternative - and will
44 continue to evolve to support the security tools.
48 ** Assembly: System.Security
50 *** Namespace: <b>System.Security.Cryptography.Xml</b>
52 This namespace implements the <a href="http://www.w3.org/TR/xmldsig-core/">
53 XML Digital Signature</a> specification from
54 <a href="http://www.w3.org/">W3C</a>.
58 * We pass the fifteen tests from Merlin's xmldsig suite with
59 success. Which is funny because Microsoft fails in one case
60 where both a X509Certificate and an X509CRL are present in
61 an X509Data. We also pass most Phaos tests.
63 * Most classes have their unit tests. Some standalone tests
64 are also in CVS to test C14N and both Merlin and Phaos test
69 ** Assembly: Mono.Security
72 This assembly provides the missing pieces to .NET security. On Windows
73 CryptoAPI is often used to provide much needed functionalities (like
74 some cryptographic algorithms, code signing, X.509 certificates). Mono,
75 for platform independance, implements these functionalities in 100%
78 *** Namespace: Mono.Security
80 * Structures (ASN1, PKCS7) and primitives (PKCS1).
82 *** Namespace: Mono.Security.Authenticode
84 * Code signing and verification.
85 * Support for SPC (Software Publisher Certificate) files and
86 PVK (Private Key) files.
88 *** Namespace: Mono.Security.Cryptography
90 * Additional algorithms: MD2, MD4, ARCFOUR (required for SSL)
93 *** Namespace: Mono.Security.Protocol.*
95 * Tls: An 100% managed SSLv3 and TLSv1 implementation from
96 Carlos Guzman Alvarez.
97 * Ntlm: NTLM authentication (used for HTTP and SQL Server).
99 *** Namespace: Mono.Security.X509.*
101 * X.509 structures (certificate, CRL...) building and decoding.
102 * PKCS#12 decoding and encoding.
103 * X.509 extensions (from public X.509 to private PKIX, Netsapce,
104 Microsoft, Entrust...).
109 * A big part of this assembly is also included inside Mono's
110 corlib. The classes are duplicated in this assembly so the
111 functionalities can be used without a dependency on Mono's
112 corlib (which depends on Mono's runtime).
114 * Unit test coverage isn't (yet) complete.
118 ** Assembly: Mono.Security.Win32
121 This assembly goal is to provide maximum compatibility with CryptoAPI
122 to application running with Mono's runtime on the Windows operating
125 <b>This assembly should NEVER be used directly by any application</b>
126 (e.g. referecing the assembly from a project).
127 The classes should only be used by modifying the <code>machine.config
128 </code> configuration file (and then only if this increased
129 compatibility is required by an application).
131 See the file <code><a href="http://cvs.hispalinux.es/cgi-bin/cvsweb/~checkout~/mcs/class/Mono.Security.Win32/README?rev=1.1&content-type=text/plain&cvsroot=mono">/mcs/class/Mono.Security.Win32/README</a></code>
132 for complete instructions.
134 *** Namespace: Mono.Security.Cryptography
138 * A RNGCryptoServiceProvider built on top of CryptoAPI. This
139 allows Windows users to get around the limitation of the
140 runtime RNG (which requires <code>/dev/[u]random/</code>).
142 * Wrapper classes for unmanaged versions of hash algorithms:
143 MD2, MD4, MD5 and SHA1 are supported. <b>note</b>: some
144 algorithms shouldn't be used in new design (MD4 is broken,
145 MD2 and MD5 aren't considered safe for some usage). They are
146 included to preserve interoperability with older applications
147 (e.g. some old, but still valid, X.509 certificates use MD2,
148 MD4 is required for NTLM authentication ...).
153 * Wrapper classes for unmanaged versions of symmetric
154 encryption algorithms (like DES, TripleDES, RC2 and others
155 present in default CSP).
157 * Wrapper classes for unmanaged versions of asymmetric
158 algorithms (like DSA and RSA) which persist their keypair
159 into the specified CSP.
164 * Similar assemblies (e.g. <code>Mono.Security.XXX</code>)
165 could be created for <a href="http://www.openssl.org">OpenSSL</a>,
166 <a href="http://www.mozilla.org/projects/security/pki/nss/">NSS</a>,
167 <a href="http://www.eskimo.com/~weidai/cryptlib.html">crypto++</a>,
168 <a href="http://www.cryptlib.orion.co.nz/">cryptlib</a> ... for
169 improved performance and/or HSM (Hardware Security Module) support
170 under Linux and/or Windows.
173 ** Assembly: Microsoft.Web.Services
175 Microsoft Web Service Enhancement (WSE), known as Web Service
176 Development Kit (WSDK) in it's beta days, is an add-on the .NET
177 framework that implements WS-Security (and other WS-* specifications).
178 It also includes improved support for XML Signature (replacing and/or
179 extending <code>System.Security.Cryptography.Xml</code>) and X.509
180 certificates classes.
182 Note: WSE is distributed as an add-on because some specifications,
183 like WS-Security, aren't yet completed by
184 <a href="http://www.oasis-open.org/committees/wss/">OASIS</a> or
187 *** Namespace: Microsoft.Web.Services.Security
191 * Most WSE 1.0 classes are implemented.
196 * Some classes from System.Security assembly need to be
197 duplicated (and somewhat fixed) in WSE for XMLDSIG.
199 * There are still missing classes and <b>many</b> missing
204 *** Namespace: Microsoft.Web.Services.Timestamp
208 * This seems complete for WSE 1.0 but some new classes were
209 introduced in WSE 2.0.
212 *** Namespace: Microsoft.Web.Services.Security.X509
216 * X509Certificate support is complete for both WSE 1.0 and 2.0.
221 * We need to define certificate stores (for both users and
222 machines). These sames stores must be linked with asymmetric
223 keypairs. This could also be used to store the SPC roots.
228 * Microsoft has released WSE 2.
234 There are many tools in the .NET framework that indirectly interacts
235 with some cryptographic classes. Unless noted the tools should work on
236 any CLR (tested with both Mono and Microsoft).
240 The following tools are complete (or mostly complete):
242 * <code>secutil</code> is a tool to extract certificates and
243 strongnames from assemblies in a format that can be easily
244 re-used in source code (C# or VB.NET syntax).
246 * <code>cert2spc</code> is a tool to transform multiple X.509
247 certificates and CRLs into a Software Publisher Certificate
248 (SPC) file - which is a long name for a simple PKCS#7 file.
250 * <code>makecert</code> to create X.509 test certificates that
251 can be used (once transformed in SPC) to sign assemblies. It's
252 now possible to generate SSL certificates for web servers.
254 * <code>sn</code> is a clone of the <code>sn</code> to manage
255 strongnames. Current version can create, convert, sign and
256 verify strongnames signatures. Some configuration options
257 are still missing, some will only works with Mono.
259 * <code>signcode</code> and <code>chktrust</code> for signing
260 and validating Authenticode(tm) signatures on assemblies (or
261 any PE file) are now working (signature and timestamps) but
262 some options aren't yet supported.
264 * <code>setreg</code> can change some cryptographic parameters
265 of the runtime. Currently it can add or remove two root test
266 certificates (the one used by Mono's <code>makecert</code>,
267 the other used by Microsoft's <code>makecert</code>).
269 * <code>certmgr</code> can add and remove certificates from
270 the stores. Most common use is to add new trusted certificates
274 Somewhat usable, somewhat incomplete:
276 * <code>certview</code> is a certificate viewer for
277 <code>System.Windows.Forms</code> (right now only working on
278 Windows), while <code>gcertview</code> is the same viewer
279 implemented for GTK# (working on both Windows and Linux).
284 The following tools are still missing or largely incomplete:
286 * Other tools like a, GUI-based, certificate manager...
289 Note that many of the tools requires the class library and/or the
290 runtime to be ready for them. E.g. StrongName and Authenticode signatures
291 tools are of limited use until supported by the runtime.
297 * RSA Laboratories' <a href="http://www.rsasecurity.com/rsalabs/faq/index.html">
298 Frequently Asked Questions</a> About Today's Cryptography, Version 4.1
300 * Public-Key Cryptography Standards (<a href="http://www.rsasecurity.com/rsalabs/pkcs/index.html">
303 * National Institute of Standards and Technology - Federal
304 Information Processing Standards <a href="http://csrc.nist.gov/publications/fips/index.html">
312 * Complete any of the TODO (and feel good about it ;-).
314 * Analyse the current coverage of the unit tests on the
315 cryptographic classes and complete the unit tests. <b><code>
316 monocov</code> does a great job at this! Now we just need to
317 complete the missing unit tests.</b>
319 * Optimization can also be done on most algorithms as crypto
320 is never fast enough. Some have been done using the
321 Community Edition of BoundChecker (a free VisualStudio
322 addon) - recommanded! Just be sure to test every optimization
323 (using the unit tests) carefully - it's so fast to break an
326 * Write some documentation on the cryptographic classes for
330 Last reviewed: June 15, 2004 (mono beta 3)