Thursday, July 10, 2008

Security.Cryptography.dll & Security.Cryptography.Debug.dll from the CLR Security Team (with full source)

CodePlex - CLR Security

"Introduction

Welcome to the CLR security team's Codeplex site. On this site you'll find a set of projects that extend the security APIs shipped with the .NET framework to provide additional functionality. We also have some tools to help in debugging security related problems in your code.

Project Description: Security.Cryptography.dll
Security.Cryptography.dll provides a new set of algorithm implementations to augment the built in .NET framework supported algorithms. It also provides some APIs to extend the existing framework cryptography APIs. Within this project you will find:

  • A CNG implementation of the AES, RSA, and TripleDES encryption algorithms
  • A CNG implementation of a random number generator
  • A class that allows dynamically creating algorithms both from this library as well as all of the algorithms that ship with .NET 3.5
  • An enumerator over all of the installed CNG providers on the current machine
  • Extension methods that allow access to all of the keys installed in a CNG provider, as well as all of the algorithms the provider supports

...

Project Description: Security.Cryptography.Debug.dll
Have you ever run into an indecipherable cryptographic exception complaining about "Padding is invalid and cannot be removed" when using the .NET Framework's symmetric algorithms? Since nearly all bugs relating to symmetric algorithms tend to result in this same exception, it can be incredibly difficult to track down exactly what went wrong to cause the exception. Security.Cryptography.Debug.dll is a tool that can be used in these circumstances in order to help you figure out the root cause of your cryptographic exception.

..." [Description leached almost in full]

I think more important than the release of these projects and the fact that they were released with source, is the trend behind it.

Microsoft seems to be really "walking the walk." The Microsoft and the DevDiv have been talking allot about being transparent and releasing source where they could. But so far it seems a little patchy. The Scott Gu Secret Ninja Army has been one group that seems, from the outside at least, to be leading the way. But what's important to me is that more groups now seem to be following. For example, the Sandcastle who recently released their source, CLR Security Team releasing these projects and the debug/PDB .Net source reference. Plus the many other teams who also seem to be releasing their source...

This is a very cool trend that I hope continues... Hats off to the teams who have released their source and to those who are working to do the same. You officially rock!  :)

 

(via .NET Security Blog - CLR Security Team CodePlex Site)

No comments: