Specifying a Custom Crypto Algorithm

WCF allows you to specify a custom crypto algorithm to use when encrypting data or computing digital signatures. This is done by the following steps:

  1. Derive a class from SecurityAlgorithmSuite

  2. Register the algorithm

  3. Configure the binding with the SecurityAlgorithmSuite-derived class.

Derive a class from SecurityAlgorithmSuite

The SecurityAlgorithmSuite is an abstract base class that allows you to specify the algorithm to use when performing various security related operations. For example, computing a hash for a digital signature or encrypting a message. The following code shows how to derive a class from SecurityAlgorithmSuite:

public class MyCustomAlgorithmSuite : SecurityAlgorithmSuite  
    {  
        public override string DefaultAsymmetricKeyWrapAlgorithm  
        {  
            get { return SecurityAlgorithms.RsaOaepKeyWrap; }  
        }  

        public override string DefaultAsymmetricSignatureAlgorithm  
        {  
            get { return SecurityAlgorithms.RsaSha1Signature; }  
        }  

        public override string DefaultCanonicalizationAlgorithm  
        {  
            get { return SecurityAlgorithms.ExclusiveC14n; ; }  
        }  

        public override string DefaultDigestAlgorithm  
        {  
            get { return SecurityAlgorithms.MyCustomHashAlgorithm; }  
        }  

        public override string DefaultEncryptionAlgorithm  
        {  
            get { return SecurityAlgorithms.Aes128Encryption; }  
        }  

        public override int DefaultEncryptionKeyDerivationLength  
        {  
            get { return 128; }  
        }  

        public override int DefaultSignatureKeyDerivationLength  
        {  
            get { return 128; }  
        }  

        public override int DefaultSymmetricKeyLength  
        {  
            get { return 128; }  
        }  

        public override string DefaultSymmetricKeyWrapAlgorithm  
        {  
            get { return SecurityAlgorithms.Aes128Encryption; }  
        }  

        public override string DefaultSymmetricSignatureAlgorithm  
        {  
            get { return SecurityAlgorithms.HmacSha1Signature; }  
        }  

        public override bool IsAsymmetricKeyLengthSupported(int length)  
        {  
            return length >= 1024 && length <= 4096;  
        }  

        public override bool IsSymmetricKeyLengthSupported(int length)  
        {  
            return length >= 128 && length <= 256;  
        }  
    }  

Register the Custom Algorithm

Registration can be done in a configuration file or in imperative code. Registering a custom algorithm is done by creating a mapping between a class that implements a crypto service provider and an alias. The alias is then mapped to a URI which is used when specifying the algorithm in the WCF service’s binding. The following configuration snippet illustrates how to register a custom algorithm in config:

<configuration>  
   <mscorlib>  
      <cryptographySettings>  
         <cryptoNameMapping>  
           <cryptoClasses>  
              <cryptoClass SHA256CSP="System.Security.Cryptography.SHA256CryptoServiceProvider, System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />  
           </cryptoClasses>  
           <nameEntry name="http://constoso.com/CustomAlgorithms/CustomHashAlgorithm"  
              class="SHA256CSP" />  
           </cryptoNameMapping>  
        </cryptographySettings>  
    </mscorlib>  
</configuration>  

The section under the <cryptoClasses> element creates the mapping between the SHA256CryptoServiceProvider and the alias "SHA256CSP". The <nameEntry> element creates the mapping between the "SHA256CSP" alias and the specified URL (http://constoso.com/CustomAlgorithms/CustomHashAlgorithm ).

To register the custom algorithm in code use the AddAlgorithm System.String[])?qualifyHint=False&autoUpgrade=True method. This method creates both mappings. The following example shows how to call this method:

// Register the custom URI string defined for the hashAlgorithm in MyCustomAlgorithmSuite class to create the   
// SHA256CryptoServiceProvider hash algorithm object.  
CryptoConfig.AddAlgorithm(typeof(SHA256CryptoServiceProvider), "http://constoso.com/CustomAlgorithms/CustomHashAlgorithm");  

Configure the Binding

You configure the binding by specifying the custom SecurityAlgorithmSuite-derived class in the binding settings as shown in the following code snippet:

WSHttpBinding binding = new WSHttpBinding();  
            binding.Security.Message.AlgorithmSuite = new MyCustomAlgorithmSuite();  

For a complete code example, see the Cryptographic Agility in WCF Security sample.

See Also

Securing Services and Clients
Securing Services
Security Overview
Security Concepts