* Cryptography In the .NET framework cryptography can be found under a number of namespaces in several assemblies. ** Assembly: corlib *** Namespace: System.Security.Cryptography Thanks to the work of many people this namespace is almost complete. **** Status
SymmetricAlgorithmTest
are generated by external
tools.
* MACTripleDES is compatible with the implementation shipped in
framework 1.0. Version 1.1 gives different results when the
MACed data is a multiple of BlockSize (8 bytes).
/dev/[u]random
device (which do not exists
under Windows). A Windows specific alternative is available
using the Mono.Security.Win32 assembly.
* Keypair persistance for RSA and DSA. This persistance must
somehow be linked with X509 certificate stores (in planning).
* PasswordDeriveBytes.CryptDeriveKey
is included
in MS BCL to provide compatibility with existing Windows
applications. The main problem is that the key derivation
algorithm can be different for every CSP (Crypto Service
Provider). However for compatibility we should provide an
implementation compatible with the MS CSP (most likely used).
*CryptoServiceProvider
, with the
exception of RNGCryptoServiceProvider
(which
implementation resides in the runtime).
* There is a bug in the PKCS1MaskGenerationMethod
class (in both framework 1.0 and 1.1). This means our
implementation isn't compatible with MS (but is compatible with
PKCS#1 v.2.1). However we get OAEP padding for every platform!
* Look at assembly Mono.Security.Win32 if you require more
compatiblity with the Microsoft implementation (like accessing
a particuliar keypair container inside a specific CSP).
CreateFromSignedFile
).
* The newer X509Certificate class included in Microsoft's Web
Service Enhancement (WSE) is a little better (as it includes
CryptoAPI's validation) when IsCurrent
is called.
See assembly Microsoft.Web.Services for more details.
* The class Mono.Security.X509.X509Certificate (in Mono.Security
assembly) is becoming a much better alternative - and will
continue to evolve to support the security tools.
* Microsoft implementation of X509Certificate
is
done by using CryptoAPI (unmanaged code). From the exceptions
thrown Authenticode(tm) support is done via COM.
machine.config
configuration file (and then only if this increased
compatibility is required by an application).
See the file /mcs/class/Mono.Security.Win32/README
for complete instructions.
*** Namespace: Mono.Security.Cryptography
**** Status
/dev/[u]random/
).
* Wrapper classes for unmanaged versions of hash algorithms:
MD2, MD4, MD5 and SHA1 are supported. note: some
algorithms shouldn't be used in new design (MD4 is broken,
MD2 and MD5 aren't considered safe for some usage). They are
included to preserve interoperability with older applications
(e.g. some old, but still valid, X.509 certificates use MD2).
Mono.Security.XXX
)
could be created for OpenSSL,
NSS,
crypto++,
cryptlib ... for
improved performance and/or HSM (Hardware Security Module) support
under Linux and/or Windows.
System.Security.Cryptography.Xml
) and X.509
certificates classes.
Note: WSE is distributed as an add-on because some specifications,
like WS-Security, aren't yet completed by
OASIS or
other committees.
[*] There are some licensing issues to consider before starting to
implement WS-Security. All contributors must sign an agreement with
Microsoft before commiting anything related to WS-Security into CVS.
*** Namespace: Microsoft.Web.Services.Security [*]
*** Namespace: Microsoft.Web.Services.Timestamp [*]
**** Status
secutil
is a tool to extract certificates and
strongnames from assemblies in a format that can be easily
re-used in source code (C# or VB.NET syntax).
* cert2spc
is a tool to transform multiple X.509
certificates and CRLs into a Software Publisher Certificate
(SPC) file - which is a long name for a simple PKCS#7 file.
* makecert
to create X.509 test certificates that
can be used (once transformed in SPC) to sign assemblies. It's
now possible to generate SSL certificates for web servers.
certview
is a certificate viewer for
System.Windows.Forms
(right now only working on
Windows), while gcertview
is the same viewer
implemented for GTK# (working on both Windows and Linux).
* sn
is a clone of the sn
to manage
strongnames. Current version is limited to creating new keypairs
and converting values.
* monosn
is a clone of the sn
to manage
strongnames. This tools is part of the runtime (not the class
library) and as such is written in C and won't run without Mono.
signcode
and chktrust
(in progress)
for signing and validating Authenticode(tm) signatures on
assemblies (or any PE file).
* Other tools like a, GUI-based, certificate manager...
monocov
does a great job at this! Now we just need to
complete the missing unit tests.
* Optimization can also be done on most algorithms as crypto
is never fast enough. Some have been done using the
Community Edition of BoundChecker (a free VisualStudio
addon) - recommanded! Just be sure to test every optimization
(using the unit tests) carefully - it's so fast to break an
algorithm ;-).
* Write some documentation on the cryptographic classes for
monodoc as I'm not a very good writer (at least in English).