Channel: CLR Security
Viewing all 70 articles

New Post: FIPS Validation ?

Depending on what you mean, either yes or no :).

This library won't be submitted for FIPS validation; but this library doesn't provide any cryptographic implementations. It just defers into the Windows CNG libraries, which are FIPS validated. The same story is true of the cryptography types in the .NET Framework.

Some pieces of this library have started making their way into the .NET Framework; so (depending on what, in particular, you're after) you can either use this library, or the .NET Framework usage of this tech, and be using the same underlying validated library.

New Post: NuGet Package

The current focus for the tech in this library is to migrate it into the .NET Framework. As such, it does not feel like having this library available on nuget.org is the correct thing at this time.

Some pieces have already moved into .NET Core (https://github.com/dotnet/corefx/), which is distributed via NuGet. It has influenced System.Security.Cryptography.Algorithms; System.Security.Cryptography.Cng; and System.Security.Cryptography.X509Certificates.

Things that you are using this library for that we don't have available in .NET Core would be good to know; please feel encouraged to open an issue on the github project to let us know what you want (for best results, keep issues focused; multi-feature wish-lists are hard to call "done").

New Post: CLR Security on Linux with .NET opensourced?

As you surmised, this project won't work on Linux. However, tech and lessons learned from this project are the basis for feature work in the .NET Framework 4.6; and the main implementations of cryptography in .NET Core for Windows (https://github.com/dotnet/corefx/).

New Post: Public CngKey from an X509Certificate2 in the CertStore

In the .NET Framework 4.6.1 we have GetECDsaPublicKey() and GetECDsaPrivateKey(). If what you're after is ECDH, though; it's a little trickier. You can do something like the following:
ECDsa ecdsa = cert.GetECDsaPublicKey();
ECDsaCng ecdsaCng = ecdsa as ECDsaCng;
ECDiffieHellmanPublicKey ecdhPublicKey = null;

if (ecdsaCng != null)
{
    byte[] blob = ecdsaCng.Key.Export(CngKeyBlobFormat.EccPublicBlob);

    // Blob should start with 0x45, 0x43, 0x53 (ECDSA).
    // We want to change it to 0x45, 0x43, 0x4B (ECDH).
    // If it happens to already say 0x4B, that's just fine!
    Debug.Assert(blob[2] == 0x53 || blob[2] == 0x4B);
    blob[2] = 0x4B;

    ecdhPublicKey = ECDiffieHellmanCngPublicKey.FromByteArray(blob, CngKeyBlobFormat.EccPublicBlob);
}

if (ecdhPublicKey == null)
{
    throw new InvalidOperationException($"Cannot convert an ECDsa of type {ecdsa.GetType().FullName}");
}
Though I'm not sure how long-term stable that is... which is partly why it hasn't made it into the .NET Framework yet :).
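
A stricter version of the byte flip in the post above, as an added example that is not part of the original post or of CLR Security: Debug.Assert is compiled out of release builds, so this helper validates the whole BCRYPT_ECCKEY_BLOB header with real checks before changing the magic. The names EccBlob and ToEcdhPublic are hypothetical, and only the named NIST curve public blobs (P-256, P-384, P-521) are accepted.

```csharp
using System;

// Added example; EccBlob.ToEcdhPublic is a hypothetical helper name.
static class EccBlob
{
    const int HeaderSize = 8; // BCRYPT_ECCKEY_BLOB: 4-byte magic + 4-byte cbKey

    public static byte[] ToEcdhPublic(byte[] blob)
    {
        if (blob == null) throw new ArgumentNullException(nameof(blob));
        // Magic bytes are 'E','C', then 'S' (ECDSA) or 'K' (ECDH), then a curve digit.
        if (blob.Length < HeaderSize || blob[0] != 0x45 || blob[1] != 0x43 ||
            (blob[2] != 0x53 && blob[2] != 0x4B))
            throw new ArgumentException("Not a CNG ECDSA/ECDH key blob.", nameof(blob));

        int expected;
        switch (blob[3])
        {
            case 0x31: expected = 32; break; // '1': P-256 public
            case 0x33: expected = 48; break; // '3': P-384 public
            case 0x35: expected = 66; break; // '5': P-521 public
            default: // '2', '4', '6' are private blobs; anything else is unknown here
                throw new ArgumentException("Not a named-curve public blob.", nameof(blob));
        }

        // cbKey is little-endian; X and Y (cbKey bytes each) follow the header.
        int cbKey = blob[4] | blob[5] << 8 | blob[6] << 16 | blob[7] << 24;
        if (cbKey != expected || blob.Length != HeaderSize + 2 * cbKey)
            throw new ArgumentException("Key size does not match the curve.", nameof(blob));

        byte[] ecdh = (byte[])blob.Clone(); // leave the caller's copy untouched
        ecdh[2] = 0x4B;                     // 'S' -> 'K'
        return ecdh;
    }

    static void Main()
    {
        // Constructed sample: ECS1 header, cbKey = 32, zero-filled X and Y.
        // Only the blob structure is checked, not that the point is on the curve.
        byte[] sample = new byte[HeaderSize + 64];
        sample[0] = 0x45; sample[1] = 0x43; sample[2] = 0x53; sample[3] = 0x31;
        sample[4] = 32;
        Console.WriteLine(BitConverter.ToString(ToEcdhPublic(sample), 0, 4));
    }
}
```

The returned array can be passed to ECDiffieHellmanCngPublicKey.FromByteArray with CngKeyBlobFormat.EccPublicBlob, as in the post.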

New Post: CLR Security on Linux with .NET opensourced?

Thanks Barton. It's still a bit confusing since we have the following
  1. a) .NET Framework vs
    b) .NET Core
  2. a) Windows vs
    b) Linux
  3. a) Security.Cryptography (CLR Security) vs
    b) System.Security.Cryptography (.NET Framework)
So it's not very clear what the platform will look for different permutations of the above. For example:
  • What are the cryptography library options on 2b ?
  • What will be the difference in cryptography support in 1a vs 1b ?
  • If 3a gets folded into 3b with .NET Framework 4.6+ what's the destination namespace for 3a APIs? Will it all be ported over?
IMHO, you should have a blog post addressing this in an informal manner vs a formal announcement of any sorts. If you've already covered the .NET cryptography roadmap somewhere, could you share the link?

Thanks for the phenomenal work!

New Post: CLR Security on Linux with .NET opensourced?

Good questions.

On Linux the only offering is .NET Core. As far as cryptography is concerned, Linux and Windows are almost equivalent provided that you are talking about "algorithms", vs "implementations". (For example: Use RSA instead of RSACng; now possible because we put the Sign/Verify/Encrypt/Decrypt methods on the RSA class in .NET Framework 4.6). Places where they don't work the same, at the algorithm abstraction level, are bugs.

There are things that exist in .NET Framework that don't in .NET Core. The easiest way to explain it is to share what is in Core, which is described by https://github.com/dotnet/corefx/blob/master/src/System.Security.Cryptography.Algorithms/ref/System.Security.Cryptography.Algorithms.cs (the metadata/API declaration file). It's supposed to be the case that if a method on .NET Framework and .NET Core have the same name, they work the same way. If it doesn't, it's a bug (or .NET Core has a behavior that we intentionally changed and are trying to get back into .NET Framework). (There are libraries other than Algorithms. Primitives - enums and structures like RSAParameters; Csp - the *CryptoServiceProvider types; Cng - the *Cng types; OpenSsl - the Unix/OpenSsl interop types; X509Certificates - X.509 Certificates. But the question felt like Algorithms had the answers you were looking for)

Cryptography in .NET Framework is System.Security.Cryptography. The CLRSecurity project code isn't just copied over as-is; it gets merged in. Security.Cryptography.RSACng and System.Security.Cryptography.RSACng are both RSA using CNG; but they have slightly different API surface because of new information learned between their implementations.

So there's a wee-bit of adjustment pain on the part of users of this library to switch to their .NET Framework / .NET Core equivalents as they come online; but the fact that they're using this library makes them a bit of an advanced user already :)


A writeup does sound like a good idea, though... I guess I get to add that to my todo list :)

Updated Wiki: Home

Introduction

Welcome to the CLR security team's Codeplex site. On this site you'll find a set of projects that extend the security APIs shipped with the .NET framework to provide additional functionality. We also have some tools to help in debugging security related problems in your code.

The latest rollup package of all of the assemblies on this site can be found here: CLR Security June 2010 Release. Note that this release will be the final release of the CLR Security CodePlex project which supports Visual Studio 2008 and the .NET Framework v3.5.

Did you know?

Elements from this project have started making their way into the .NET Framework, and .NET Core. Most notably, RSACng was added in .NET 4.6 and brought with it changes to the RSA base class so that the two implementations can be used polymorphically.

Further improvements are in progress. If there's functionality that you depend on in Security.Cryptography.dll which has not yet been added to .NET Framework and/or .NET Core, find (or create) an issue at https://github.com/dotnet/corefx/issues and let the .NET team know!

Project Description: Security.dll
Security.dll provides a set of extension methods to ease working with the Code Access Security system in the .NET Framework. Within this project you will find:
  • Methods to create partially trusted instances of objects
  • Methods to determine the grant set of an assembly or AppDomain
  • Methods to help in creating and examining simple sandbox domains
  • Methods to make working with classes like Evidence and SecurityElement easier
Download Security 1.2

Project Description: Security.Cryptography.dll
Security.Cryptography.dll provides a new set of algorithm implementations to augment the built in .NET framework supported algorithms. It also provides some APIs to extend the existing framework cryptography APIs. Within this project you will find:
  • A CNG implementation of the AES, RSA, HMACSHA2, and TripleDES encryption algorithms
  • A CNG implementation of a random number generator
  • A CNG implementation of the PBKDF2 key derivation algorithm
  • A CNG implementation of authenticated symmetric encryption.
  • A class that allows dynamically creating algorithms both from this library as well as all of the algorithms that ship with .NET 3.5
  • An enumerator over all of the installed CNG providers on the current machine
  • Extension methods that allow access to all of the keys installed in a CNG provider, as well as all of the algorithms the provider supports
  • Extension methods to access X509Certificates that store their key with CNG, as well as create self signed X509Certificates.
  • Other utility types and methods
Note: Since functionality from Security.Cryptography.dll is migrating into the .NET Framework it may, in the interest of clarity, cease being available from this library in whatever future releases there may be.

Download Security.Cryptography 1.7.2

Project Description: Security.Cryptography.Debug.dll
Have you ever run into an indecipherable cryptographic exception complaining about "Padding is invalid and cannot be removed" when using the .NET Framework's symmetric algorithms? Since nearly all bugs relating to symmetric algorithms tend to result in this same exception, it can be incredibly difficult to track down exactly what went wrong to cause the exception. Security.Cryptography.Debug.dll is a tool that can be used in these circumstances in order to help you figure out the root cause of your cryptographic exception.

Download Security.Cryptography.Debug 1.1

Project Description: PTRunner.exe
PTRunner is a host application which runs programs in a sandbox. It allows you to choose from a set of standard CLR sandboxes (such as Execution, Internet and LocalIntranet), or provide your own custom permission sets. Additionally, PTRunner allows you to expose a set of fully trusted assemblies to the code in the sandboxed AppDomain.

PTRunner is a .NET 4.0 application, and requires the .NET Framework v4.0 beta 1 in order to run.

Download PTRunner 1.0

Created Unassigned: Add support for signing XML files [11073]

It'd be nice if some support was added to sign XML files. We were using Mage.exe with our old certificates to sign ClickOnce and VSTO files. With the new certificates, Mage.exe doesn't work and I haven't been able to find another option.

Mage.exe uses the SecurityUtilities.SignFile method from Microsoft.Build.Tasks.v4.0.dll in order to sign these files but it fails because it uses the X509Certificate2.PrivateKey property.

Commented Unassigned: Add support for signing XML files [11073]

Comments: ** Comment from web user: bartonjs **

Right now the effort behind this library is not to add more, but to move the features into .NET proper.

http://connect.microsoft.com/VisualStudio (Report a bug, make sure to pick ".NET Framework" (which right now identifies itself as version 4.6)).

We've been increasing CNG support throughout the 4.6 series of .NET (and just announced 4.6.2 Preview: https://blogs.msdn.microsoft.com/dotnet/2016/03/30/announcing-the-net-framework-4-6-2-preview/). If your scenario still fails with CNG keys in 4.6.2 preview, we'd definitely want to hear about it.

Reviewed: Security.Cryptography 1.6 (Jul 14, 2016)

Rated 4 Stars (out of 5) - I would like to have a cryptic blockchain so it can put out the limit of bitcoins so that I can make a fortune accepting and donating bitcoins for all of mankind.