Microsoft cranks up encryption in .Net Framework

.Net Framework 4.6.2 improves the Base Class Library, SQL client, Windows Communication Foundation, and CLR

Microsoft cranks up encryption in .Net Framework
Perspecsys Photos via Flickr

Microsoft has released .Net Framework 4.6.2, tightening security in multiple areas, including the BCL (Base Class Library). The new version also makes improvements to the SQL client, Windows Communication Foundation, the CLR (Common Language Runtime), and the ASP.Net web framework.

The security focus in the BCL impacts PKI capabilities, and X.509 certificates now support the FIPS 186-3 digital signature algorithm. "This support enables X.509 certificates with keys that exceed 1024-bit," Microsoft's Stacey Haffner said. "It also enables computing signatures with the SHA-2 family of hash algorithms (SHA256, SHA384, and SHA512)."

The library also supports persisted-key symmetric encryption. "The Windows Cryptography Library (CNG) supports storing persisted symmetric keys on software and hardware devices. The .Net Framework now exposes this CNG capability," said Haffner.

In the SQL client, the .Net Framework Data Provider for SQL Server -- System.Data.SqlClient -- introduces enhancements for the Always Encrypted feature for protecting sensitive data, such as credit card numbers. To improve performance, encryption metadata for query parameters is now cached, and for security, column encryption key entries in the key cache are evicted after a configurable time interval.

The Windows Communication Foundation framework, for service-oriented applications, no longer has SSL 3 as a default protocol for negotiating secure connections when using NetTCP and a credential type of certificate because SSL 3 was no longer considered secure. "In most cases there should be no impact to existing applications, since TLS 1.0 has always been included in the default protocol list for NetTcp," Haffner said. All existing clients should be able to negotiate a connection using at least TLS 1.0.

ClickOnce, for application deployment, now supports TLS 1.1 and 1.2. "SSL and TLS 1.0 are no longer recommended or supported by some organizations," Haffner noted. ClickOnce will keep supporting TLS 1.0 for applications that cannot or do not upgrade, and ClickOnce applications can be hosted in virtual directories with SSL enabled and client certificates required.

Version 4.6.2 also features improved async capabilities in ASP.Net. Async scenarios have been enabled through improvements in SessionStateModule and Output-CacheModule. "The team is working on releasing async versions of both modules via NuGet, which will need to be imported into an existing project. Both NuGet packages are anticipated to release within the coming weeks," said Haffner. Output caching can improve performance of ASP.Net applications, while session state enables storage and retrieval of user data.

In the CLR, Microsoft is working on improvements pertaining to NullReferenceException, an exception that occurs when there's an attempt to de-reference a null object reference. "We are partway through partnering with the Visual Studio team to provide a better debugging experience for null references in a future Visual Studio release," Haffner said. Debugging in Visual Studio relies on CLR debugging APIs for low-level interaction with code.

Also in the BCL, version 4.6.2 fixes the 260-character file name length limitation in System.IO APIs. The limitation has been more common in developer machines building deeply nested source trees or using specialized Unix tools.

Microsoft's Windows Presentation Foundation UI framework, meanwhile, features group sorting capabilities in the upgrade. An application requesting a CollectionView class to group data can now be explicit in declaring how to sort the groups. This solves issues with unintuitive ordering and speeds up the group creation process. Also, WPF applications are enabled for per-monitor DPI awareness.

Copyright © 2016 IDG Communications, Inc.

How to choose a low-code development platform