.NET Framework Cryptography Model

The .NET Framework provides implementations of many standard cryptographic algorithms. These algorithms are easy to use and ship with safe default properties. In addition, the .NET Framework cryptography model of object inheritance, stream design, and configuration is extremely extensible.

Object Inheritance

The .NET Framework security system implements an extensible pattern of derived class inheritance. The hierarchy is as follows:

Using this pattern of derived classes, it is easy to add a new algorithm or a new implementation of an existing algorithm. For example, to create a new public-key algorithm, you would inherit from the AsymmetricAlgorithm class. To create a new implementation of a specific algorithm, you would create a non-abstract class derived from that algorithm's abstract class (for example, from Aes), so that callers written against the abstract type keep working unchanged.

How Algorithms Are Implemented in the .NET Framework

As an example of the different implementations available for an algorithm, consider symmetric algorithms. The base for all symmetric algorithms is SymmetricAlgorithm, which is inherited by the following algorithms:

Aes is inherited by two classes: AesCryptoServiceProvider and AesManaged. The AesCryptoServiceProvider class is a wrapper around the Windows Cryptography API (CAPI) implementation of AES, whereas the AesManaged class is written entirely in managed code. In addition to the managed and CAPI implementations, there is a third type of implementation, Cryptography Next Generation (CNG). An example of a CNG algorithm is ECDiffieHellmanCng. CNG algorithms are available on Windows Vista and later.

You can choose which implementation is best for you. The managed implementations are available on all platforms that support the .NET Framework. The CAPI implementations are available on older operating systems and are no longer being developed. CNG is the latest implementation, and the one where new development takes place. However, the managed implementations are not certified under the Federal Information Processing Standards (FIPS), and they may be slower than the wrapper classes. This has a practical consequence: when the Windows security policy that enforces FIPS-compliant algorithms is enabled, constructing a managed class such as AesManaged throws an InvalidOperationException, so code that hard-codes the managed classes fails on hardened machines.
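The following example, added here and not taken from the original page, shows the three implementation families behind the abstract Aes class and the FIPS-policy check that decides whether the managed one can even be constructed. It assumes .NET Framework 4.6.2 or later, which is where AesCng (in System.Core.dll) became available; the method and class names are chosen for this example.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not from the original page): the three implementation families behind
// the abstract Aes class, and the FIPS-policy check that decides whether the managed one
// is usable. AesCng needs .NET Framework 4.6.2+ and Windows Vista or later (CNG).
static class AesImplementationDemo
{
    // Pick CNG where it exists, CAPI as the fallback. Both are Windows providers that sit
    // under the OS FIPS validation; the managed class is never chosen here.
    public static Aes CreatePlatformAes()
    {
        Version os = Environment.OSVersion.Version;
        bool cngAvailable = Environment.OSVersion.Platform == PlatformID.Win32NT && os.Major >= 6;
        return cngAvailable ? (Aes)new AesCng() : new AesCryptoServiceProvider();
    }

    // Report which concrete class each route yields, then show that all of them are
    // interchangeable behind the base-class API.
    public static void Demo()
    {
        Console.WriteLine("FIPS policy enforced: " + CryptoConfig.AllowOnlyFipsAlgorithms);

        // 1. Default factory: resolved through cryptographic configuration, not hard-coded.
        using (Aes viaFactory = Aes.Create())
            Console.WriteLine("Aes.Create()        -> " + viaFactory.GetType().Name);

        // 2. Explicit platform choice.
        using (Aes viaPlatform = CreatePlatformAes())
            Console.WriteLine("CreatePlatformAes() -> " + viaPlatform.GetType().Name);

        // 3. Managed implementation: portable and free of OS dependencies, but not
        //    FIPS-certified. Under the Windows FIPS policy its constructor throws.
        try
        {
            using (var managed = new AesManaged())
                Console.WriteLine("new AesManaged()    -> " + managed.GetType().Name);
        }
        catch (InvalidOperationException)
        {
            Console.WriteLine("new AesManaged()    -> refused by FIPS policy");
        }

        // Any of them works through SymmetricAlgorithm, so swapping implementations
        // is a change at the construction site, not a rewrite. Key and IV are generated
        // lazily on first use by the base class.
        using (SymmetricAlgorithm alg = CreatePlatformAes())
        {
            byte[] secret = { 1, 2, 3, 4, 5 };   // constructed sample input
            byte[] cipher = alg.CreateEncryptor().TransformFinalBlock(secret, 0, secret.Length);
            byte[] back = alg.CreateDecryptor().TransformFinalBlock(cipher, 0, cipher.Length);
            Console.WriteLine("round trip ok: " +
                (BitConverter.ToString(back) == BitConverter.ToString(secret)));
        }
    }
}
```

Run AesImplementationDemo.Demo() once with the FIPS policy off and once with it on to see the managed constructor fail while the CAPI and CNG routes keep working; that difference is why new code should be written against Aes or SymmetricAlgorithm and obtain the instance from a factory rather than a hard-coded managed class.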

Stream Design

The common language runtime uses a stream-oriented design for implementing symmetric algorithms and hash algorithms. The core of this design is the CryptoStream class, which derives from the Stream class. Each algorithm exposes its work as an ICryptoTransform object, and CryptoStream provides a single standard Stream interface for pushing data through any such transform. Because all the objects are built on a standard interface, you can chain together multiple objects (such as a hash object followed by an encryption object) and perform multiple operations on the data without any intermediate storage for it. The streaming model also lets you build objects from smaller objects: a combined encryption-and-hash algorithm can be viewed as a single stream object, although it might be built from a set of stream objects. The order of the chain is a security decision, not just plumbing: hashing the ciphertext (encrypt-then-MAC) lets a receiver reject tampered input before it ever reaches the decryptor, whereas hashing the plaintext does not.

Cryptographic Configuration

Cryptographic configuration lets you resolve an algorithm name to a specific implementation of that algorithm, allowing extensibility of the .NET Framework cryptography classes. You can add your own hardware or software implementation of an algorithm and map the implementation to the algorithm name of your choice. If an algorithm is not specified in the configuration file, the default settings are used. Because this mapping lives in the configuration file, it is part of your trusted computing base: whoever can edit that file decides which class runs when your code asks for an algorithm by name. For more information about cryptographic configuration, see Configuring Cryptography Classes.
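As an added example (not code from the original page), the block below performs the same name-to-implementation mapping at runtime with CryptoConfig.AddAlgorithm, which is what a machine.config entry does for every process, and then resolves the name the way the framework's own Create(string) factories do. The name "Example.AES-CNG" is invented for this example, and AesCng assumes .NET Framework 4.6.2 or later.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not from the original page): mapping an algorithm name to an implementation
// with CryptoConfig, then resolving it through the same lookup that Aes.Create(string) uses.
static class CryptoConfigDemo
{
    // Name chosen for this example; in production the mapping normally lives in machine.config.
    const string CustomName = "Example.AES-CNG";

    public static Type ResolveAndVerify()
    {
        // Default mapping shipped with the framework ("AES" is AesCryptoServiceProvider on
        // .NET Framework 4.x). CreateFromName returns null, not an exception, for unknown names.
        object defaultAes = CryptoConfig.CreateFromName("AES");
        Console.WriteLine("AES -> " + (defaultAes == null ? "(unmapped)" : defaultAes.GetType().FullName));

        // Register our own name for the current process. The type must be public.
        CryptoConfig.AddAlgorithm(typeof(AesCng), CustomName);

        // Aes.Create(string) goes through CryptoConfig, so callers written against the
        // abstract base class pick up the new implementation without code changes.
        using (Aes aes = Aes.Create(CustomName))
        {
            // Practitioner's check: a name is only as trustworthy as the config that maps it.
            // Assert the resolved type is one you intended before using it for anything.
            if (!(aes is AesCng))
                throw new CryptographicException("Unexpected implementation: " + aes.GetType().FullName);
            Console.WriteLine(CustomName + " -> " + aes.GetType().FullName);
            return aes.GetType();
        }
    }

    public static bool UnknownNameReturnsNull()
    {
        // Unmapped names come back as null; callers must handle that rather than dereference.
        return CryptoConfig.CreateFromName("Example.NoSuchAlgorithm") == null;
    }
}
```

The type check is the part worth keeping in real code: if an attacker with write access to machine.config redirects a name to a weaker or backdoored class, a program that only calls Create("name") and trusts the result runs that class silently.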

Choosing an Algorithm

You can select an algorithm for different reasons: for example, for data integrity, for data privacy, or to generate a key. Symmetric algorithms protect privacy (the data cannot be read without the key), and hash algorithms protect integrity (any change to the data is detected). A plain hash only detects accidental change; when the check must hold up against a deliberate attacker who can recompute the hash, use a keyed hash (an HMAC) or a digital signature.
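The example below, added here and not part of the original page, ties the stream design above to this choice of algorithms: a single pass over the plaintext both encrypts it (AES-CBC for privacy) and authenticates the result (HMAC-SHA256 for integrity) by chaining two CryptoStream objects, and the receiver verifies the tag before decrypting (encrypt-then-MAC). Keys are generated per run with RandomNumberGenerator purely for the demonstration; the packet layout (IV || ciphertext || tag) and all method names are chosen for this example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original page): chaining CryptoStream objects so that one
// pass both encrypts (AES-CBC, privacy) and authenticates (HMAC-SHA256 over IV || ciphertext,
// integrity) with no intermediate buffer. Packet layout: IV(16) || ciphertext || tag(32).
static class StreamChainingDemo
{
    public static byte[] Seal(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (Aes aes = Aes.Create())                 // CBC + PKCS7 by default
        using (var hmac = new HMACSHA256(macKey))
        {
            aes.Key = encKey;
            aes.GenerateIV();                          // fresh random IV for every message
            byte[] iv = aes.IV;

            using (var output = new MemoryStream())
            // Inner stage: bytes written here pass through the HMAC unchanged (a HashAlgorithm
            // is itself an ICryptoTransform) and on into 'output'.
            using (var macStream = new CryptoStream(output, hmac, CryptoStreamMode.Write))
            {
                macStream.Write(iv, 0, iv.Length);     // IV travels in clear but is authenticated
                // Outer stage: plaintext -> AES encryptor -> macStream. Disposing it pads and
                // flushes the last block, then disposes macStream, which finalizes the HMAC.
                using (var encStream = new CryptoStream(macStream, aes.CreateEncryptor(), CryptoStreamMode.Write))
                {
                    encStream.Write(plaintext, 0, plaintext.Length);
                }
                byte[] tag = hmac.Hash;                // valid once the final block was transformed
                byte[] body = output.ToArray();        // ToArray works on the closed MemoryStream
                byte[] packet = new byte[body.Length + tag.Length];
                Buffer.BlockCopy(body, 0, packet, 0, body.Length);
                Buffer.BlockCopy(tag, 0, packet, body.Length, tag.Length);
                return packet;
            }
        }
    }

    public static byte[] Open(byte[] packet, byte[] encKey, byte[] macKey)
    {
        const int IvLen = 16, TagLen = 32;
        if (packet.Length < IvLen + TagLen) throw new CryptographicException("packet too short");
        int bodyLen = packet.Length - TagLen;

        // 1. Verify the tag before touching the ciphertext. The XOR-accumulate loop is a
        //    constant-time comparison (.NET Framework has no CryptographicOperations.FixedTimeEquals).
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(packet, 0, bodyLen);
            int diff = 0;
            for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ packet[bodyLen + i];
            if (diff != 0) throw new CryptographicException("authentication tag mismatch");
        }

        // 2. Only now decrypt, reading the ciphertext back through a CryptoStream.
        using (Aes aes = Aes.Create())
        {
            aes.Key = encKey;
            byte[] iv = new byte[IvLen];
            Buffer.BlockCopy(packet, 0, iv, 0, IvLen);
            aes.IV = iv;
            using (var input = new MemoryStream(packet, IvLen, bodyLen - IvLen))
            using (var decStream = new CryptoStream(input, aes.CreateDecryptor(), CryptoStreamMode.Read))
            using (var plain = new MemoryStream())
            {
                decStream.CopyTo(plain);
                return plain.ToArray();
            }
        }
    }

    public static void Demo()
    {
        byte[] encKey = new byte[32], macKey = new byte[32];   // independent keys per purpose
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(encKey); rng.GetBytes(macKey); }

        byte[] packet = Seal(Encoding.UTF8.GetBytes("constructed sample message"), encKey, macKey);
        Console.WriteLine(Encoding.UTF8.GetString(Open(packet, encKey, macKey)));

        packet[packet.Length - 40] ^= 0x01;    // flip one ciphertext bit: the tag check must reject it
        try { Open(packet, encKey, macKey); }
        catch (CryptographicException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Two design points are deliberate: the IV is written through the HMAC stage so it is covered by the tag (an unauthenticated IV lets an attacker flip chosen bits of the first plaintext block), and the encryption and MAC keys are separate, because reusing one key across two algorithms is a classic source of cross-protocol weaknesses.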

Here is a list of recommended algorithms by application:

See also