.NET 4.6.2 Security Enhancements

Latest release of .NET brings stronger encryption and FIPS support

.NET 4.6.2, released earlier this month, is loaded with great enhancements and updates. In particular, it seems that Microsoft was very focused on security. Being a "dot" release, it is compatible with 4.6 and with 4.0 on your IIS servers. Because of the great new security enhancements, I would highly encourage any .NET shop to upgrade and start taking advantage of the new security features.

With that, I'll dive into some of the latest security features in this release. There are of course many other non-security-related enhancements as well, which can be found in the Microsoft .NET blog announcement.

X509 Certificates Now Support FIPS 186-3 Digital Signature Algorithm

FIPS 186-3 support means that X509 certificates can now use keys that exceed 1024 bits. It also enables computing signatures with the SHA-2 family of hash algorithms (SHA256, SHA384, and SHA512).

Improved Usability of Elliptic Curve Diffie-Hellman Key Derivation Routines

The usability of the ECDiffieHellmanCng class has been improved. The .NET Framework Elliptic Curve Diffie-Hellman (ECDH) Key Agreement implementation includes three different Key Derivation Function (KDF) routines. These KDF routines are now represented and supported by three different methods.
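The three KDF methods in use, as an added example that is not from the original post: both parties call each method and must arrive at the same key material. The method names (DeriveKeyFromHash, DeriveKeyFromHmac, DeriveKeyTls) are the .NET Framework 4.6.2 API rather than text from this page, and the HMAC key, label and seed values are constructed for the demo.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class EcdhKdfDemo
{
    static void Main()
    {
        // Two parties, each with an ephemeral P-256 key pair (demo only).
        using (var alice = new ECDiffieHellmanCng(256))
        using (var bob = new ECDiffieHellmanCng(256))
        {
            // Constructed context values; both sides of a real protocol must agree on them.
            byte[] hmacKey = Encoding.UTF8.GetBytes("demo-hmac-key");
            byte[] label = Encoding.ASCII.GetBytes("demo label");
            byte[] seed = new byte[64]; // the TLS PRF requires a 64-byte seed
            using (var rng = RandomNumberGenerator.Create())
                rng.GetBytes(seed);

            // 1. Hash KDF: key = SHA-256(shared secret)
            Check("Hash",
                alice.DeriveKeyFromHash(bob.PublicKey, HashAlgorithmName.SHA256),
                bob.DeriveKeyFromHash(alice.PublicKey, HashAlgorithmName.SHA256));

            // 2. HMAC KDF: key = HMAC-SHA-256(hmacKey, shared secret)
            Check("HMAC",
                alice.DeriveKeyFromHmac(bob.PublicKey, HashAlgorithmName.SHA256, hmacKey),
                bob.DeriveKeyFromHmac(alice.PublicKey, HashAlgorithmName.SHA256, hmacKey));

            // 3. TLS PRF KDF: key = PRF(shared secret, label, seed)
            Check("TLS",
                alice.DeriveKeyTls(bob.PublicKey, label, seed),
                bob.DeriveKeyTls(alice.PublicKey, label, seed));
        }
    }

    // Fails loudly if the two sides disagree; otherwise reports the key length.
    static void Check(string kdf, byte[] a, byte[] b)
    {
        if (!a.SequenceEqual(b))
            throw new CryptographicException(kdf + " KDF: derived keys differ");
        Console.WriteLine("{0} KDF: both sides derived the same {1}-byte key", kdf, a.Length);
    }
}
```

Before 4.6.2 the same result required setting the KeyDerivationFunction property and its related properties on the ECDiffieHellmanCng instance, then calling DeriveKeyMaterial.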

Support for Persisted-Key Symmetric Encryption

The Windows Cryptography Library (CNG) supports storing persisted symmetric keys on software and hardware devices. Persisted-key symmetric encryption has been added for the AES and 3DES algorithms.

SignedXml Support for SHA-2 Hashing

The .NET Framework SignedXml implementation now supports the following SHA-2 Hashing algorithms:

ClickOnce Transport Layer Security (TLS) 1.1 and 1.2 Support

As part of this release, support for the TLS 1.1 and 1.2 protocols has been added to ClickOnce for .NET Framework versions 4.6.2, 4.6.1, 4.6 and 4.5.2. See the KB articles for links to download the hotfix for .NET Framework versions 4.6, 4.6.1 and 4.5.2.

ClickOnce Client Certificate Support

ClickOnce applications can now be hosted in virtual directories with SSL enabled and with client certificates required. In that configuration, end users will be prompted to select their certificate when accessing an application. ClickOnce will not prompt for a certificate if the Client Certificates setting is set to “Ignore”.

SQL Always Encrypted Enhancements

Always Encrypted is a feature designed to protect sensitive data, such as credit card numbers or national identification numbers that are stored in a database. It allows clients to encrypt sensitive data inside client applications, never revealing the encryption keys to the database engine. As a result, Always Encrypted provides a separation between those who own the data (and can view it) and those who manage the data (but should have no access).

TransportDefaults No Longer Supports SSL 3

The SSL 3 protocol is no longer a default protocol used for negotiating a secure connection when using NetTcp with transport security and a credential type of certificate. In most cases there should be no impact to existing applications, since TLS 1.0 has always been included in the default protocol list for NetTcp. All existing clients should be able to negotiate a connection using at least TLS 1.0.

Transport Security for Windows Cryptography Library (CNG)

Transport Security now supports certificates stored using the Windows cryptography library (CNG). Currently, this support is limited to certificates whose public key has an exponent no more than 32 bits in length.