Cryptographic Accelerator and .NET

Does .NET detect and use a hardware cryptographic accelerator for its cryptographic operations (the way a GPU is detected and used for graphics operations)?

If not, what managed library would you recommend?

+4
3 answers

.NET is pretty big.

On Microsoft.NET for Windows, you will find types named:

  • *Managed, for example SHA1Managed, which are fully managed implementations. There will not be any hardware acceleration on them;

  • *CryptoServiceProvider, for example SHA1CryptoServiceProvider, which will use the CryptoAPI (native) code. If the built-in CSP has hardware acceleration, you will get it;

  • in newer versions of the framework, *CNG (Cryptography Next Generation), which is the replacement for CryptoAPI - the same rules apply (if your own code can use hardware acceleration, you will get it).

In Mono, on all platforms, by default you completely control the implementation (regardless of the type name).

Now in both cases (MS and Mono) you can also use your own (or a third-party) implementation. It can even be completely transparent to your application when you use CryptoConfig.CreateFromName (directly or indirectly, for example via SHA1.Create) and your machine.config contains a reference to an alternative implementation. This allows you (or anyone else) to add (or replace) any implementation with another (including a hardware-accelerated) implementation.

Note: Framework version 4.0 makes this even easier with the new AddAlgorithm method.

+5
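The CryptoConfig redirection described in this answer, shown as an added C# example that is not the answer author's code. It assumes .NET Framework 4.x on Windows; AuditedSha1 is a hypothetical wrapper standing in for a vendor's accelerated class, and the digest comparison lets you confirm that the redirected implementation still produces the same result as the stock one.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical stand-in for a vendor's accelerated SHA-1: it delegates to the
// built-in CSP class and only reports that it was picked, so the effect of the
// CryptoConfig redirection is visible.
public sealed class AuditedSha1 : SHA1
{
    private readonly SHA1 inner = new SHA1CryptoServiceProvider();
    public AuditedSha1() { Console.WriteLine("AuditedSha1 selected by CryptoConfig"); }
    public override void Initialize() { inner.Initialize(); }
    // Feed each chunk to the inner CSP instance (the output buffer may be null).
    protected override void HashCore(byte[] a, int off, int n) { inner.TransformBlock(a, off, n, null, 0); }
    protected override byte[] HashFinal()
    {
        inner.TransformFinalBlock(new byte[0], 0, 0);
        return inner.Hash;
    }
    protected override void Dispose(bool disposing)
    {
        if (disposing) ((IDisposable)inner).Dispose();
        base.Dispose(disposing);
    }
}

public static class Program
{
    public static void Main()
    {
        // 1. Which class backs SHA1.Create() right now? On stock .NET Framework 4.x it is
        //    SHA1CryptoServiceProvider; anything else means machine.config or earlier code redirected it.
        using (SHA1 before = SHA1.Create())
            Console.WriteLine("Default SHA1: " + before.GetType().FullName);

        // 2. Register the wrapper under the names SHA1.Create() resolves through (.NET 4.0 AddAlgorithm API).
        CryptoConfig.AddAlgorithm(typeof(AuditedSha1), "SHA1", "System.Security.Cryptography.SHA1");

        // 3. Unchanged caller code now transparently gets the registered type.
        using (SHA1 after = SHA1.Create())
        {
            Console.WriteLine("After AddAlgorithm: " + after.GetType().FullName);
            byte[] digest = after.ComputeHash(Encoding.ASCII.GetBytes("abc"));
            Console.WriteLine(BitConverter.ToString(digest).Replace("-", ""));
        }

        // 4. Machine-wide FIPS policy: when true, the *Managed classes throw
        //    InvalidOperationException and only CSP/CNG-backed classes work.
        Console.WriteLine("FIPS-only policy: " + CryptoConfig.AllowOnlyFipsAlgorithms);
    }
}
```

Because the redirection is global to the process, auditing which type SHA1.Create() actually returns (step 1) is worth doing on any machine where machine.config is not under your control.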

It depends. Some HSMs (Hardware Security Modules) come with additional implementations for CAPI and/or CNG. All of them usually come with a PKCS #11 driver (C-based).

State-of-the-art equipment will replace your default CNG providers with its custom implementation, which practically amounts to the automatic detection you are asking for.

For HSMs that do not support this, you will either have to register the providers manually or, in the worst case, if no custom provider is offered, you will have to connect to PKCS #11 manually or use something like this.

+2

Some hardware vendors are able to replace SChannel and other providers with their own. If they do, then .NET will use the replacements instead of the stock providers. But there is no way to automatically detect and use cryptographic hardware.

Most accelerators can be used through the PKCS #11 interface. In general, you can use our SecureBlackbox, which will use such accelerators through PKCS #11, but you will have to manually specify the PKCS #11 DLLs to call (auto-detection is impossible, since such DLLs are not registered in the system).

+1

Source: https://habr.com/ru/post/1396164/