CNG Provider

CORE supports Cryptography Next Generation (CNG) for .NET Framework 4.6 and later with a CNG Provider for signing and encrypting operations using RSA and EC keys. For instructions on using the CNG API, refer to Cryptographic Services.

Configuring the CORE CNG Provider

The Unbound CNG Provider is installed and registered as part of the standard CORE Client installation.

Using the Unbound CNG Provider

The name of Unbound’s CNG Provider is "Dyadic Security Key Storage Provider". The following code snippet uses the CNG API to create an RSA key in the provider and then uses it for encryption and decryption.

// required namespaces
using System;
using System.Security.Cryptography;
using System.Text;

// test data to round-trip through the key
string testString = "CNG provider test data";
byte[] testBytes = Encoding.ASCII.GetBytes(testString);

// open provider
CngProvider provider = new CngProvider("Dyadic Security Key Storage Provider");
 
// generate new test key pair (persisted in the provider under the given name)
CngKeyCreationParameters creation = new CngKeyCreationParameters();
creation.Provider = provider;
CngKey privateKey = CngKey.Create(new CngAlgorithm("RSA"), "RSA Test Key Name", creation);
 
// export public key (only the public half leaves the provider)
byte[] publicKeyBlob = privateKey.Export(CngKeyBlobFormat.GenericPublicBlob);
CngKey publicKey = CngKey.Import(publicKeyBlob, CngKeyBlobFormat.GenericPublicBlob);

// encrypt test data with the public key
RSACng publicRsaKey = new RSACng(publicKey);
byte[] encrypted = publicRsaKey.Encrypt(testBytes, RSAEncryptionPadding.OaepSHA256);
 
// decrypt with the private key held by the provider
RSACng privateRsaKey = new RSACng(privateKey);
byte[] decrypted = privateRsaKey.Decrypt(encrypted, RSAEncryptionPadding.OaepSHA256);
 
// compare
String decryptedString = Encoding.ASCII.GetString(decrypted);
bool result = (decryptedString == testString);
Console.WriteLine("Encryption is " + (result ? "good" : "bad"));
 
// delete test key pair (removes the persisted key from the partition)
privateKey.Delete();
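The provider is also described above as supporting signing with EC keys, which the RSA snippet does not show. The following is an added example, not code from the Unbound documentation or product: it creates a P-256 ECDSA key in the provider, signs a message, verifies the signature with only the exported public key, and confirms that a modified message is rejected. The provider name is the one given above; the key name, the message and the assumption that the provider accepts the standard CngAlgorithm.ECDsaP256 identifier are this example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the Unbound documentation or product code):
// create an ECDSA P-256 key in the Unbound provider, sign a message with the
// private key, and verify the signature using only the exported public key.
public static class EcSigningSample
{
    // Provider name as given in the documentation.
    private const string ProviderName = "Dyadic Security Key Storage Provider";

    // Constructed key name for this example only.
    private const string KeyName = "EC Test Key Name";

    public static bool Run()
    {
        CngProvider provider = new CngProvider(ProviderName);

        // Restrict the key to signing; the provider refuses other operations on it.
        CngKeyCreationParameters creation = new CngKeyCreationParameters
        {
            Provider = provider,
            KeyUsage = CngKeyUsages.Signing,
        };

        // Assumption: the Unbound provider accepts the standard CNG ECDSA P-256 algorithm id.
        CngKey privateKey = CngKey.Create(CngAlgorithm.ECDsaP256, KeyName, creation);
        try
        {
            byte[] message = Encoding.UTF8.GetBytes("message to sign"); // constructed test input

            byte[] signature;
            using (ECDsaCng signer = new ECDsaCng(privateKey))
            {
                signer.HashAlgorithm = CngAlgorithm.Sha256; // SHA-256 over the message
                signature = signer.SignData(message);
            }

            // Export only the public half; the private key never leaves the provider.
            byte[] publicBlob = privateKey.Export(CngKeyBlobFormat.EccPublicBlob);

            bool valid;
            bool tamperedRejected;
            using (CngKey publicKey = CngKey.Import(publicBlob, CngKeyBlobFormat.EccPublicBlob))
            using (ECDsaCng verifier = new ECDsaCng(publicKey))
            {
                verifier.HashAlgorithm = CngAlgorithm.Sha256;
                valid = verifier.VerifyData(message, signature);

                // Flipping one bit of the message must make verification fail.
                byte[] tampered = (byte[])message.Clone();
                tampered[0] ^= 0x01;
                tamperedRejected = !verifier.VerifyData(tampered, signature);
            }

            Console.WriteLine("Signature valid: " + valid + ", tampered message rejected: " + tamperedRejected);
            return valid && tamperedRejected;
        }
        finally
        {
            // Remove the persisted test key from the partition.
            privateKey.Delete();
        }
    }
}
```

Run() returns true only when the genuine signature verifies and the tampered one does not. The public key is imported into the default software KSP for verification, so the check does not depend on the Unbound provider once the public blob has been exported.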

Using Custom Partition and User Credentials

By default, the Unbound CNG provider uses the partition in slot 0. To specify the partition by name, use one of the following options:

To restrict the use of your application to authenticated users only, set NCRYPT_PIN_PROPERTY to a password string. The password value follows the rules specified for CKU_USER and CKU_SO.

Key Lookup in the CNG API

Use UCL (Unbound Command Language) or the CORE Management Console to retrieve the key name to use when creating or looking up a key in the CNG API. The CNG API sample code above contains an example of a key lookup: under // generate new test key pair, the CngKey privateKey line shows the use of the name RSA Test Key Name.

You can also retrieve the key by its UID. Use the full UID, including the leading “0x00” prefix. For example, if ucl displays the following key details:

Private RSA key  : UID=89d0d1abcb19cc4c

use the string 0x0089d0d1abcb19cc4c as the key alias.
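The following added example (not code from the Unbound documentation or product) ties together the key lookup described here and the NCRYPT_PIN_PROPERTY setting from the previous section: it opens an existing key by either its name or its 0x00-prefixed UID alias, presents the user password through NCRYPT_PIN_PROPERTY, and uses the key for an RSA-PSS signature. It assumes an RSA key named RSA Test Key Name and the UID shown above actually exist in the partition, that the password value is a placeholder, and that the provider reads NCRYPT_PIN_PROPERTY (the CNG property string "SmartCardPin") from the key handle as a NUL-terminated UTF-16 string; that last point is an assumption about the provider, not something the documentation states.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the Unbound documentation or product code):
// locate an existing key in the Unbound provider by name or by UID alias,
// present the user password via NCRYPT_PIN_PROPERTY, and sign with RSA-PSS.
public static class KeyLookupSample
{
    private const string ProviderName = "Dyadic Security Key Storage Provider";

    // NCRYPT_PIN_PROPERTY is defined by CNG as the property string "SmartCardPin".
    private const string PinPropertyName = "SmartCardPin";

    // Opens a persisted key. 'alias' is either the key name shown by ucl or the
    // management console, or the full UID string with its leading 0x00 prefix.
    public static CngKey OpenKey(string alias, string password)
    {
        CngProvider provider = new CngProvider(ProviderName);

        if (!CngKey.Exists(alias, provider))
        {
            throw new CryptographicException(
                "No key with alias '" + alias + "' in provider " + ProviderName);
        }

        CngKey key = CngKey.Open(alias, provider);

        if (!string.IsNullOrEmpty(password))
        {
            // Assumption: the provider reads NCRYPT_PIN_PROPERTY from the key handle as a
            // NUL-terminated UTF-16 string, the usual CNG convention for this property.
            byte[] pin = Encoding.Unicode.GetBytes(password + "\0");
            key.SetProperty(new CngProperty(PinPropertyName, pin, CngPropertyOptions.None));
        }
        return key;
    }

    // Signs 'data' with the looked-up RSA key and verifies the result with the same key.
    public static bool SignAndVerify(string alias, string password, byte[] data)
    {
        using (CngKey key = OpenKey(alias, password))
        {
            if (key.AlgorithmGroup != CngAlgorithmGroup.Rsa)
            {
                throw new InvalidOperationException("Key '" + alias + "' is not an RSA key");
            }

            using (RSACng rsa = new RSACng(key))
            {
                byte[] signature = rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
                return rsa.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
            }
        }
    }

    public static void Main()
    {
        byte[] data = Encoding.UTF8.GetBytes("data to sign"); // constructed test input
        string password = "user-password";                     // placeholder, not a real credential

        // By name, as used in the RSA sample above (assumes that key was not deleted).
        Console.WriteLine("By name: " + SignAndVerify("RSA Test Key Name", password, data));

        // By UID alias, using the UID from the ucl output above with the 0x00 prefix.
        Console.WriteLine("By UID:  " + SignAndVerify("0x0089d0d1abcb19cc4c", password, data));
    }
}
```

CngKey.Exists is checked first so that a missing or mistyped alias produces a clear error rather than a generic provider failure, and the AlgorithmGroup check guards against passing an EC key to RSACng, whose constructor requires an RSA key.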