
Is there a logical reason why the minimum requirements for CNG in .NET and in unmanaged code are so inconsistent? For example,

NCryptDeleteKey (unmanaged CNG) requires Windows Vista or Server 2008:

https://msdn.microsoft.com/en-us/library/windows/desktop/aa376251(v=vs.85).aspx

But CngKey.Delete (apparently managed CNG) requires only .NET 3.5, which is accessible from Windows 7:

https://msdn.microsoft.com/en-us/library/system.security.cryptography.cngkey.delete(v=vs.110).aspx

Some of the requirements are as steep as 4.6.2, depending on the call. Example:

The AesCng Constructor to access an existing AES CNG key:

https://msdn.microsoft.com/en-us/library/mt693435(v=vs.110).aspx

But you can still call that from a properly updated Windows 7 machine. So why is there such a difference?

Is it possible that a properly updated Windows 7 machine could reliably call NCryptDeleteKey?

Timothy John Laird
  • They are *not* inconsistent. They are *different* providers. The unmanaged ones are provided by the OS. If the OS doesn't have them, it can't provide them. On the other hand the earliest supported .NET version is 4.5.2. The earliest supported Windows version is 2012 for servers, if not later. You can assume all providers are available – Panagiotis Kanavos Mar 05 '18 at 14:19
  • BTW you shouldn't call the providers directly. All of them implement the same interfaces which means you can specify them by name when creating them or even through configuration. – Panagiotis Kanavos Mar 05 '18 at 14:20
  • My organization wishes to maximize legacy support. I have to have a good reason for not supporting a fully upgraded Windows 7, which is why I asked the question. So...if I understand correctly, the .NET framework adds functionality that is not available at the OS level? That is the difference? – Timothy John Laird Mar 05 '18 at 14:26
  • @TimothyJohnLaird exactly. – Daniel A. White Mar 05 '18 at 14:27
  • @TimothyJohnLaird yes and nonono. "Unmanaged" providers may be the smart card provider for your secure laptop. That's provided by the OS. Newer providers in the OS provide better support for SSE2 commands. The KMS services provided by clouds may appear as OS providers or managed providers, whatever the vendor provides. They are *different* providers. If you want to be compatible, *don't* refer to them directly. Specify them in config. – Panagiotis Kanavos Mar 05 '18 at 14:29

1 Answer


Managed means they are implemented in the .NET Framework. Unmanaged means they have to be provided by the operating system and Microsoft has been evolving what has shipped with Windows over time.

Daniel A. White
  • Excellent. So what do I gain from coding CNG in c++? If the majority of my code is written in c#, is there any good reason to use unmanaged C++ CNG? – Timothy John Laird Mar 05 '18 at 14:21
  • @TimothyJohnLaird unmanaged would likely have better performance. – Daniel A. White Mar 05 '18 at 14:21
  • @TimothyJohnLaird you'll gain nothing at all by coding in C++. You'll probably pay an extra overhead when you try to marshal the results to your app improperly. .NET already works with the unmanaged providers just fine. The cost comes from the cryptographic calculations, not how you pass a single buffer to them – Panagiotis Kanavos Mar 05 '18 at 14:31
  • @PanagiotisKanavos hey, could you shine some light in regards to classes like `SHA1Managed` and instances created via the factory method `SHA1.Create()`? What is the difference? Do both of them use the CNG API? And if not - the one that is unmanaged - is it implemented via COM, or P/Invoke? Just curious, thank you so much for reading. – SpiritBob Nov 30 '20 at 13:46
  • @SpiritBob if you want to ask something, post a question. – Panagiotis Kanavos Nov 30 '20 at 13:58
  • @PanagiotisKanavos I [have](https://stackoverflow.com/questions/65036928/why-are-classes-like-sha1managed-sha256managed-hidden-from-my-intellisense) done so, I'd love to hear your thoughts about it! – SpiritBob Nov 30 '20 at 14:02
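As an added example (not code from the question, the answer or any commenter), this is what the managed CNG key lifecycle discussed above looks like when the provider is chosen by name rather than by calling NCrypt directly: create a persisted key, use it through the managed wrapper, then remove it with `CngKey.Delete`. The key name is a constructed placeholder, and the example assumes a .NET Framework 4.x runtime on Windows where the Microsoft Software Key Storage Provider is present.

```csharp
using System;
using System.Security.Cryptography;

class CngKeyLifecycle
{
    // Constructed placeholder name for the persisted key; any unique name works.
    const string KeyName = "Example-Temp-Key";

    static void Main()
    {
        // Select the key storage provider by name (the managed API passes this
        // through to whatever the OS has installed under that name).
        CngProvider provider = CngProvider.MicrosoftSoftwareKeyStorageProvider;

        var creation = new CngKeyCreationParameters
        {
            Provider = provider,
            ExportPolicy = CngExportPolicies.None,     // keep the private key inside the KSP
            KeyCreationOptions = CngKeyCreationOptions.None,
        };

        // Idempotent setup: a leftover key from an earlier run is removed first.
        if (CngKey.Exists(KeyName, provider))
        {
            using (CngKey stale = CngKey.Open(KeyName, provider))
                stale.Delete();
        }

        using (CngKey key = CngKey.Create(CngAlgorithm.ECDsaP256, KeyName, creation))
        {
            Console.WriteLine("Created persisted key in: " + key.Provider.Provider);

            // Use the key through the managed algorithm class; the handle is
            // duplicated, so disposing ecdsa does not remove the persisted key.
            using (var ecdsa = new ECDsaCng(key))
            {
                byte[] signature = ecdsa.SignData(new byte[] { 1, 2, 3 });
                Console.WriteLine("Signature bytes: " + signature.Length);
            }

            // Managed deletion of the persisted key (the CngKey.Delete call the
            // question links to); the provider performs the actual removal.
            key.Delete();
        }

        Console.WriteLine("Key still exists: " + CngKey.Exists(KeyName, provider)); // False
    }
}
```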