Cryptographic accelerator and .NET

Does .NET detect and use Hardware Cryptographic Accelerator for its cryptography operations (the way that it detects GPU and uses it for graphic operations)?

If not, what managed library do you suggest?

el_shayan asked Feb 22 '23 12:02


2 Answers

.NET is pretty large.

In Microsoft .NET, under Windows, you'll find types named:

  • *Managed, e.g. SHA1Managed that are fully managed implementations. There won't be any hardware acceleration on them;

  • *CryptoServiceProvider, e.g. SHA1CryptoServiceProvider, that will use CryptoAPI (native) code. If the native CSP has hardware acceleration then you'll get it.

  • on newer framework versions, *CNG (Cryptography Next Generation). That's the replacement for CryptoAPI - the same rules apply (if the native code can use hardware acceleration you'll get it).

In Mono, all platforms, you'll have fully managed implementations (whatever the name of the type) by default.

Now, in both cases (MS and Mono), you can also use your own (or a third party) implementation. That can even be totally transparent to your application when you use CryptoConfig.CreateFrom (directly or indirectly, e.g. SHA1.Create) and your machine.config file includes a reference to the alternative implementation. This allows you (or anyone else) to add (or replace) any implementation with another (including a hardware accelerated) implementation.

Note: version 4.0 of the framework makes this even easier with the new AddAlgorithm method.

poupou answered Mar 23 '23 23:03
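As an added example (not part of poupou's answer and not any real vendor's library), this is what the transparent replacement described above looks like on .NET Framework 4.x: AcceleratedSha1 is a hypothetical stand-in for a hardware-backed provider, and CryptoConfig.AddAlgorithm registers it so that SHA1.Create() hands it out without the calling code changing; the machine.config fragment in the comment is the declarative route the answer mentions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical stand-in for a vendor's hardware-backed SHA-1 provider; it only
// wraps the platform CSP implementation so the sample runs on any Windows box.
public sealed class AcceleratedSha1 : SHA1
{
    private readonly SHA1 _inner = new SHA1CryptoServiceProvider();

    public override void Initialize() { _inner.Initialize(); }

    protected override void HashCore(byte[] array, int ibStart, int cbSize)
    {
        _inner.TransformBlock(array, ibStart, cbSize, null, 0);
    }

    protected override byte[] HashFinal()
    {
        _inner.TransformFinalBlock(new byte[0], 0, 0);
        return _inner.Hash;
    }

    protected override void Dispose(bool disposing) { if (disposing) _inner.Dispose(); base.Dispose(disposing); }
}

public static class Program
{
    public static void Main()
    {
        using (var before = SHA1.Create())
            Console.WriteLine("default:  " + before.GetType().Name);

        // Programmatic equivalent of this machine.config mapping
        // (the assembly name is a placeholder):
        //   <mscorlib><cryptographySettings><cryptoNameMapping>
        //     <cryptoClasses><cryptoClass HwSha1="AcceleratedSha1, VendorAssembly" /></cryptoClasses>
        //     <nameEntry name="System.Security.Cryptography.SHA1" class="HwSha1" />
        //   </cryptoNameMapping></cryptographySettings></mscorlib>
        CryptoConfig.AddAlgorithm(typeof(AcceleratedSha1),
            "SHA1", "System.Security.Cryptography.SHA1");

        // SHA1.Create() goes through CryptoConfig.CreateFromName, so code that
        // never mentions AcceleratedSha1 now gets it transparently.
        using (var after = SHA1.Create())
        {
            byte[] digest = after.ComputeHash(Encoding.ASCII.GetBytes("abc"));
            Console.WriteLine("replaced: " + after.GetType().Name);
            Console.WriteLine(BitConverter.ToString(digest).Replace("-", ""));
        }
    }
}
```

Note that the mapping is process-wide: anything in the AppDomain that resolves "SHA1" by name, including framework code, now receives the registered type, so a faulty or malicious replacement affects every caller.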


It depends. Some HSMs (Hardware Security Module) come with extra provider implementations for CAPI and/or CNG. All of them usually come with a PKCS#11 driver (C-based).

Modern hardware will replace your default CNG providers with their custom implementation, practically resulting in the kind of auto-detection you asked for.

For HSMs that do not support this, you will either have to register the providers manually, or in the worst case, if no custom provider is offered, you will have to interface to PKCS#11 manually or use something like this.

emboss answered Mar 23 '23 23:03