From the latest MSDN magazine’s Security Briefs column (link):
Recommended Cryptographic algorithms for use in encryption/decryption and hashing of data:
| | Do not use | OK | Best practice |
|---|---|---|---|
| Hash | SHA-0 (SHA), SHA-1, MD2, MD4, MD5 | SHA-2 | SHA-2 (includes SHA-256, SHA-384, SHA-512) |
| Symmetric block | DES, DESX, RC2, SKIPJACK | 3DES (2 or 3 key) | AES (>= 128 bit) |
| Symmetric stream | SEAL, CYLINK_MEK, RC4 (< 128 bit) | RC4 (>= 128 bit) | A symmetric block cipher is preferred |
| Asymmetric | RSA (< 2048 bit), Diffie-Hellman (< 2048 bit) | RSA (>= 2048 bit), Diffie-Hellman (>= 2048 bit) | RSA (>= 2048 bit), Diffie-Hellman (>= 2048 bit), ECC (>= 256 bit) |
| HMAC key length | < 112 bit | >= 112 bit | >= 128 bit |
Some other things to remember:
The Cng classes are typically faster (e.g. SHA512Cng rather than SHA512CryptoServiceProvider or SHA512Managed).
The Cng classes are only available on Vista, Windows Server 2008 and Windows 7.
The Managed classes are not Federal Information Processing Standards (FIPS) certified, so they may be unavailable on machines where a machine policy bans their use (see "FIPS validated cryptographic algorithms in .NET").
(The above information is true as of this writing and can change at any time, because weaknesses in cryptographic algorithms are found all the time.)
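The following is an added example, not code from the MSDN column or from this post. It expresses the "best practice" column of the table and the Cng/FIPS notes above as concrete .NET Framework API choices (System.Security.Cryptography on .NET 3.5/4.x, Windows Vista or later, which SHA256Cng requires). The class and method names, the sample message and the choice of CBC with PKCS7 padding are the example's own assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the MSDN column or the blog post): the table's
// "best practice" picks as .NET Framework code, plus the FIPS-policy check.
static class CryptoChoices
{
    // Hash: SHA-2 family. SHA256Cng is the faster CNG class (Vista / Server 2008 /
    // Windows 7); SHA256Managed is avoided because it is not FIPS-validated and
    // throws on construction when the machine's FIPS policy is enforced.
    public static byte[] Sha256(byte[] data)
    {
        using (SHA256 sha = new SHA256Cng())
            return sha.ComputeHash(data);
    }

    // Random key material from the OS CSPRNG (used for both HMAC and AES keys).
    public static byte[] NewKey(int lengthInBytes)
    {
        byte[] key = new byte[lengthInBytes];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(key);
        return key;
    }

    // HMAC: key length >= 128 bits is best practice; a 256-bit key is used here.
    public static byte[] HmacSha256(byte[] key, byte[] data)
    {
        if (key.Length * 8 < 128)
            throw new ArgumentException("HMAC key must be at least 128 bits");
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(data);
    }

    // Symmetric block cipher: AES with a 256-bit key, CBC mode, fresh random IV
    // per message. AesCryptoServiceProvider is the CAPI (FIPS-validated) class;
    // AesManaged is the non-FIPS managed one. Output is IV || ciphertext.
    // CBC alone does not authenticate: apply HmacSha256 over the output and
    // verify it before decrypting if integrity matters (encrypt-then-MAC).
    public static byte[] AesEncrypt(byte[] key, byte[] plaintext)
    {
        using (var aes = new AesCryptoServiceProvider())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = key;          // 32 bytes => KeySize 256
            aes.GenerateIV();
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                byte[] ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
                byte[] output = new byte[aes.IV.Length + ct.Length];
                Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);
                Buffer.BlockCopy(ct, 0, output, aes.IV.Length, ct.Length);
                return output;
            }
        }
    }

    public static byte[] AesDecrypt(byte[] key, byte[] ivAndCiphertext)
    {
        using (var aes = new AesCryptoServiceProvider())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = key;
            byte[] iv = new byte[aes.BlockSize / 8];
            Buffer.BlockCopy(ivAndCiphertext, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(ivAndCiphertext, iv.Length,
                                               ivAndCiphertext.Length - iv.Length);
        }
    }

    // Asymmetric: RSA with a 2048-bit key. Provider type 24 (PROV_RSA_AES) is
    // requested explicitly because SHA-256 signatures need that CAPI provider;
    // PersistKeyInCsp = false keeps the key out of an on-disk key container.
    static RSACryptoServiceProvider NewRsa(int keySize)
    {
        var rsa = new RSACryptoServiceProvider(keySize, new CspParameters(24));
        rsa.PersistKeyInCsp = false;
        return rsa;
    }

    public static byte[] RsaSign(byte[] data, out RSAParameters publicKey)
    {
        using (RSACryptoServiceProvider rsa = NewRsa(2048))
        {
            publicKey = rsa.ExportParameters(false);   // public half only
            return rsa.SignData(data, "SHA256");
        }
    }

    public static bool RsaVerify(byte[] data, byte[] signature, RSAParameters publicKey)
    {
        using (RSACryptoServiceProvider rsa = NewRsa(2048))
        {
            rsa.ImportParameters(publicKey);
            return rsa.VerifyData(data, "SHA256", signature);
        }
    }

    // FIPS policy: true when Windows enforces "Use FIPS compliant algorithms";
    // the *Managed classes then throw InvalidOperationException on construction.
    public static bool FipsPolicyEnforced()
    {
        return CryptoConfig.AllowOnlyFipsAlgorithms;
    }

    static void Main()
    {
        byte[] msg = Encoding.UTF8.GetBytes("constructed sample message");
        Console.WriteLine("FIPS policy enforced: " + FipsPolicyEnforced());
        Console.WriteLine("SHA-256:     " + BitConverter.ToString(Sha256(msg)));
        Console.WriteLine("HMAC-SHA256: " + BitConverter.ToString(HmacSha256(NewKey(32), msg)));

        byte[] aesKey = NewKey(32);
        byte[] roundTrip = AesDecrypt(aesKey, AesEncrypt(aesKey, msg));
        Console.WriteLine("AES-256-CBC round trip ok: " + (Encoding.UTF8.GetString(roundTrip) == "constructed sample message"));

        RSAParameters pub;
        byte[] sig = RsaSign(msg, out pub);
        Console.WriteLine("RSA-2048 / SHA-256 signature verifies: " + RsaVerify(msg, sig, pub));
    }
}
```

Compile against .NET Framework 3.5 or later (System.Core.dll supplies the Cng and AesCryptoServiceProvider classes). On a machine with the FIPS policy enforced, swapping SHA256Cng for SHA256Managed in Sha256 is enough to see the InvalidOperationException the third note above refers to.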