Update security docs to address outdated cryptographic defaults, broken samples, and weak recommendations

[jeffhandley]

Summary

This PR refreshes .NET security documentation and related samples across cryptography and TLS. It updates the guidance to reflect current standards-based practices, clarifies compatibility-only behavior in legacy APIs and platform notes, and modernizes the samples so the examples remain accurate and runnable.

Scope

• Refresh the core security docs for encryption, decryption, cryptographic services, the cryptography model, CBC-mode vulnerabilities, XML encryption, and related walkthroughs.
• Refresh TLS and SSL guidance across SslStream, .NET Framework TLS docs, WCF configuration references, and legacy compatibility pages.
• Update analyzer and obsoletion docs that cover PBKDF2, strong crypto, and unsafe cipher modes.
• Modernize the related snippets and sample projects, including hardware crypto and data-protection examples.

What changes in practice

• Clarifies that the docs describe current security guidance separately from compatibility behavior that .NET still supports.
• Keeps the sample code self-contained and runnable for readers, while making the illustrative nature of embedded sample material explicit.
• Reframes the guidance around durable security properties such as integrity protection, current approved hash choices, and OS-default TLS negotiation.
• Updates older code examples to more current API usage patterns and clearer platform context.

Areas touched

• docs/standard/security/*
• docs/fundamentals/code-analysis/quality-rules/*
• docs/fundamentals/syslib-diagnostics/*
• docs/core/extensions/sslstream-best-practices.md
• docs/framework/network-programming/*
• related cryptography snippets and sample projects under docs/standard/security/snippets and samples/snippets

---

Internal previews

Toggle expand/collapse

📄 File	🔗 Preview link
docs/core/compatibility/cryptography/10.0/openssl-macos-unsupported.md	docs/core/compatibility/cryptography/10.0/openssl-macos-unsupported
docs/core/extensions/sslstream-best-practices.md	docs/core/extensions/sslstream-best-practices
docs/framework/configure-apps/file-schema/wcf/sslstreamsecurity.md	docs/framework/configure-apps/file-schema/wcf/sslstreamsecurity
docs/framework/migration-guide/mitigation-tls-protocols.md	docs/framework/migration-guide/mitigation-tls-protocols
docs/framework/network-programming/tls.md	docs/framework/network-programming/tls
docs/framework/network-programming/using-secure-sockets-layer.md	docs/framework/network-programming/using-secure-sockets-layer
docs/fundamentals/code-analysis/quality-rules/ca5358.md	docs/fundamentals/code-analysis/quality-rules/ca5358
docs/fundamentals/code-analysis/quality-rules/ca5361.md	docs/fundamentals/code-analysis/quality-rules/ca5361
docs/fundamentals/code-analysis/quality-rules/ca5387.md	docs/fundamentals/code-analysis/quality-rules/ca5387
docs/fundamentals/code-analysis/quality-rules/ca5388.md	docs/fundamentals/code-analysis/quality-rules/ca5388
docs/fundamentals/syslib-diagnostics/syslib0033.md	docs/fundamentals/syslib-diagnostics/syslib0033
docs/fundamentals/syslib-diagnostics/syslib0041.md	docs/fundamentals/syslib-diagnostics/syslib0041
docs/standard/security/cross-platform-cryptography.md	docs/standard/security/cross-platform-cryptography
docs/standard/security/cryptographic-services.md	docs/standard/security/cryptographic-services
docs/standard/security/cryptographic-signatures.md	docs/standard/security/cryptographic-signatures
docs/standard/security/cryptography-model.md	docs/standard/security/cryptography-model
docs/standard/security/decrypting-data.md	docs/standard/security/decrypting-data
docs/standard/security/encrypting-data.md	docs/standard/security/encrypting-data
docs/standard/security/how-to-access-hardware-encryption-devices.md	docs/standard/security/how-to-access-hardware-encryption-devices
docs/standard/security/how-to-encrypt-xml-elements-with-symmetric-keys.md	docs/standard/security/how-to-encrypt-xml-elements-with-symmetric-keys
docs/standard/security/vulnerabilities-cbc-mode.md	docs/standard/security/vulnerabilities-cbc-mode
docs/visual-basic/programming-guide/language-features/strings/walkthrough-encrypting-and-decrypting-strings.md	docs/visual-basic/programming-guide/language-features/strings/walkthrough-encrypting-and-decrypting-strings

[Copilot]

Pull request overview

This PR modernizes .NET security documentation and sample code to remove outdated cryptographic guidance, improve defaults, and fix correctness issues in several crypto-related snippets.

Changes:

• Updates docs to warn against legacy/weak algorithms and insecure modes (for example, 3DES, ECB, and unauthenticated CBC), and to point readers to current OWASP guidance for PBKDF2 recommendations.
• Modernizes encryption and signature samples (for example, AES key handling, RSA OAEP padding, RSA key sizes, and consistent UTF-8 usage).
• Fixes correctness bugs in sample code (for example, CryptoWalkThru decrypt length reads, and DPAPI entropy generation API usage).

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 17 comments.

Show a summary per file

File	Description
samples/snippets/visualbasic/VS_Snippets_CLR/DPAPI-HowTO/vb/sample.vb	Fixes encoding API usage and replaces obsolete RNGCryptoServiceProvider usage with RandomNumberGenerator.Fill.
samples/snippets/csharp/VS_Snippets_CLR/DPAPI-HowTO/cs/sample.cs	Fixes encoding API usage and replaces obsolete RNGCryptoServiceProvider usage with RandomNumberGenerator.Fill.
samples/snippets/csharp/VS_Snippets_CLR/CryptoWalkThru/cs/Form1.cs	Fixes length field reads for decrypt path (3 bytes → 4 bytes).
docs/visual-basic/programming-guide/language-features/strings/walkthrough-encrypting-and-decrypting-strings.md	Adds warnings and updates guidance around 3DES usage in the walkthrough.
docs/standard/security/snippets/encrypting-data/vb/aes-encrypt.vb	Replaces hard-coded AES key with generated key and prints hex key for decrypt pairing.
docs/standard/security/snippets/encrypting-data/csharp/aes-encrypt.cs	Replaces hard-coded AES key with generated key and prints hex key for decrypt pairing.
docs/standard/security/snippets/decrypting-data/vb/aes-decrypt.vb	Switches AES key to command-line hex input for pairing with updated encrypt sample.
docs/standard/security/snippets/decrypting-data/csharp/aes-decrypt.cs	Switches AES key to command-line hex input for pairing with updated encrypt sample.
docs/standard/security/snippets/cryptographic-signatures/vb/Program.vb	Stops exporting private key parameters and aligns data encoding to UTF-8.
docs/standard/security/snippets/cryptographic-signatures/csharp/Program.cs	Aligns data encoding to UTF-8.
docs/standard/security/how-to-encrypt-xml-elements-with-symmetric-keys.md	Adds note about CBC limitations in XML Encryption 1.0 and points to padding-oracle guidance.
docs/standard/security/how-to-access-hardware-encryption-devices.md	Adds warning about obsolete APIs and SHA-1 usage in the legacy hardware crypto flow.
docs/standard/security/encrypting-data.md	Adds CBC-mode warning, updates AES guidance, and modernizes RSA example (OAEP SHA-256, ≥2048-bit).
docs/standard/security/decrypting-data.md	Adds CBC-mode warning and modernizes RSA example (OAEP SHA-256, ≥2048-bit).
docs/standard/security/cryptography-model.md	Adds PBKDF2 best-practice tip and links to OWASP for current iteration guidance and alternatives.
docs/standard/security/cryptographic-signatures.md	Aligns inline sample text with snippet fixes (UTF-8, and no private key export).
docs/standard/security/cryptographic-services.md	Adds warnings for deprecated algorithms, ECB insecurity, and MD5/SHA-1 usage.
docs/fundamentals/syslib-diagnostics/syslib0041.md	Strengthens PBKDF2 guidance and links to OWASP; references one-shot Pbkdf2 API guidance.
docs/fundamentals/code-analysis/quality-rules/ca5387.md	Adds tip that analyzer iteration thresholds might lag hardware improvements; links to OWASP.
docs/fundamentals/code-analysis/quality-rules/ca5388.md	Adds tip that analyzer iteration thresholds might lag hardware improvements; links to OWASP.

[Copilot]

Pull request overview

Copilot reviewed 20 out of 20 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

samples/snippets/csharp/VS_Snippets_CLR/CryptoWalkThru/cs/Form1.cs:213

• After reading lenK/lenIV from the file, the code allocates arrays directly from those untrusted values and then uses Stream.Read, which isn't guaranteed to fill the buffers. Consider validating lenK/lenIV (non-negative and within a reasonable maximum) and using ReadExactly for the KeyEncrypted and IV reads to avoid partial reads or excessive allocations on malformed input files.

                inFs.ReadExactly(LenK, 0, 4);
                inFs.ReadExactly(LenIV, 0, 4);

                // Convert the lengths to integer values.
                int lenK = BitConverter.ToInt32(LenK, 0);
                int lenIV = BitConverter.ToInt32(LenIV, 0);

[Copilot]

Pull request overview

Copilot reviewed 20 out of 20 changed files in this pull request and generated 3 comments.

[krwq]

Might be worth to just updade this doc to use new terminology since we have tools for that but perhaps separate PR might be better idea

[bartonjs]

The rewritten sentence (currently line 25) is good. The warning feels superfluous. [I advise that we should just] delete it.

[krwq]

honestly the old statement which didn't mention specific version seemed better. We don't know how long TLS 1.2 will be recommended

[krwq]

what's this? I don't think we changed it elsewhere - probably should be consistent (either everywhere or nowhere)

[krwq]

this sample should probably mention that RSA+PKCS1 is for illustrative purposes only

[krwq]

(RSA-PSS or ECDSA with P-256 curve would be better choice but we should likely not go specific)

[bartonjs]

RSAES-PKCS1 is bad, everyone agrees. Use RSAES-OAEP.

RSASSA-PKCS1, OTOH, is "uh... well... we made PSS when we made OAEP... so... use PSS, maybe?". RSASSA-PSS has... not great... industry penetration.

So, if we're putting weasel words here, it would be "This sample uses RSASSA-PKCS1-v1_5. When using RSA signatures, choose a padding mode that is appropriate to your needs."

[krwq]

perhaps it's me being non-native English speaker but this sounds weird to me "deprecates MD5, SHA-1 for digital signatures, DES, and 3DES"

[krwq]

specifically that "for digital signatures" before DES and 3 DES

[bartonjs]

It's because that document says

Use	Status
Digital signature generation	Disallowed, except where specifically allowed by NIST protocol-specific guidance.
Digital signature verification	Legacy use
Non-digital-signature applications	Acceptable

So it can't appeal to that document saying "SHA-1 is deprecated".

I'd just delete the appeal to authority. The weasel words are "this is saying what's available, not what's good". End there.

[krwq]

IMO more future proof without last sentence

[bartonjs]

IMO, much better without the warning at all. It's describing block ciphers, and says DES, DES-EDE, and AES are block ciphers. It doesn't say "use DES", or even "you can use DES".

To stick with strained analogies:

"A type of weapon called a projectile weapon is used to transmit an object from one party with the intent of striking another while remaining afar. Projectile weapons such as a slingshot, M16, and Glock 19 are typically used in a more-or-less horizontal fashion, while alternatives such as a trebuchet are fired in a high arc.

Warning: Early model M16 guns are/were prone to jamming. Do not use early model M16s for new combat."

It's just... so out of place.

[krwq]

perhpas refer to NIST standards rather than "Encrypt-then-MAC" since at some point they might recommend to always use bundled together algo and not recommend to do it manually at all

[bartonjs]

It already says "ECB mode is not considered secure."

Don't double down.

[krwq]

"FIPS approved" is a function with time domain so more correct will be "at time of writing this document" - especially with quantum on the horizon

[bartonjs]

Just delete the last sentence.

[krwq]

nit: this could be replaced by https://learn.microsoft.com/en-us/dotnet/api/system.io.stream.readexactly?view=net-10.0

[krwq]

If we're changing this perhaps RandomNumberGenerator.GetBytes

[krwq]

s.ReadExactly

[krwq]

this should mention it's for illustrative purposes also ECDSA might be better choice if we want to change this at all

[krwq]

I don't know about those changes in DPAPI samples, I think this should focus on making statement that algos are for illustrative purpose because we should make sure all samples actually can run and I'm not certain AI tested all that

[bartonjs]

The metadata says this is "Learn about the impact and mitigation for the TLS Protocol changes beginning with .NET Framework 4.6.". I don't understand why we'd include "Warning: Knives are sharp." in such a document.

[bartonjs]

Suggested change

A value of `false` for `Switch.System.Net.DontEnableSchUseStrongCrypto` causes your app to use strong cryptography. A value of `false` for `DontEnableSchUseStrongCrypto` uses modern network protocols, such as TLS 1.2 and TLS 1.3 when available, and blocks protocols that are not secure. For more info, see [The SCH_USE_STRONG_CRYPTO flag](#the-sch_use_strong_crypto-flag). A value of `true` disables strong cryptography for your app. This switch affects only client (outgoing) connections in your application.

A value of `false` for `Switch.System.Net.DontEnableSchUseStrongCrypto` causes your app to use strong cryptography. A value of `false` for `DontEnableSchUseStrongCrypto` uses modern TLS versions, and blocks protocols that are not secure. For more info, see [The SCH_USE_STRONG_CRYPTO flag](#the-sch_use_strong_crypto-flag). A value of `true` disables strong cryptography for your app. This switch affects only client (outgoing) connections in your application.

Don't mention versions if you can help it, that way we don't have to come back in a few years and debate "should this 'and 1.3' also include 1.4 now?, or was it point-in-time?"

[bartonjs]

What is the "Also consider" about? The diagnostic here is "you passed too low a number". The warning is explaining "if the diagnostic goes off, you're too low. If it doesn't... you might still be too low."

It feels like we have a diagnostic of COLDSTEAK: Your steak is below 125 F. Then, a warning "Steak below 125 F is not considered food, don't eat it. The CDC is concerned that Rare (125-130 F) is not sufficient to kill all foodborne pathogens, consult with your medical provider for advice on your minimum steak temperature. Also, consider cutting your steak with a knife."

[bartonjs]

Same irrelevant "Also consider"

[bartonjs]

SYSLIB0060 is "we obsoleted all the constructors, call the static Pbkdf2 method instead". It doesn't have anything to do with FIPS-Approved.

Maybe the sentence is trying to mean "Call Pbkdf2, like SYSLIB0060 says, also, when doing so, use a good hash algorithm", but the order of "FIPS-approved" and "recommended" make it sound like SYSLIB0060 is an authority.

If we're trying to update this to be a full present recommendation, then the whole "Workaround" needs to be rewritten to say to call Pbkdf2 instead of "a different constructor". But, if this is intended to be useful to someone upgrading to a point between 0041 and 0060, then it'd stand.

So, I think the change should be something like

## Workaround

Use a different constructor overload, or the newer [Rfc2898DeriveBytes.Pbkdf2](link) static method, where both the iteration count and the hash algorithm can be specified.

For compatibility with older values, such as reproducing a key used to encrypt persisted data, specify an iteration count of 1000 and a digest algorithm of SHA-1.
When deriving new keys, specify a sufficiently strong iteration count and a sufficiently strong hash algorithm.  For more information on choosing an iteration count and/or a hash algorithm for PBKDF2, see [the one and only one place we talk about it](link).

[bartonjs]

Hallucinated/typoed link. (Missing a / between 131 and a)

Suggested change

	> The following tables show platform support, not recommendations for new development. Some algorithms and modes remain available for standards conformance and backward compatibility even though current guidance deprecates them for new systems. For example, [NIST SP 800-131A](https://csrc.nist.gov/pubs/sp/800/131a/r2/final) deprecates MD5, SHA-1 for digital signatures, DES, and 3DES.
	> The following tables show platform support, not recommendations for new development. Some algorithms and modes remain available for standards conformance and backward compatibility even though current guidance deprecates them for new systems. For example, [NIST SP 800-131A](https://csrc.nist.gov/pubs/sp/800/131/a/r2/final) deprecates MD5, SHA-1 for digital signatures, DES, and 3DES.

[bartonjs]

Delete. The document already says it's representing "available", not "good".

[bartonjs]

My redundant rage has built up, I apologize. But:

THIS WAS ALREADY SAID BY THE PREVIOUS PARAGRAPH! OH MY FREAKING GOSH STOP SAYING A THING THEN SAYING "WARNING: THAT THING I SAID!"

[bartonjs]

Ah, semantics. RandomNumberGenerator as an instantiable class is the same as an interface: it just provides syntax, no semantics. It is intended to be a CSPRNG, but it can't guarantee it.

The static methods on RandomNumberGenerator use the CSPRNG provided by the underlying OS/platform.

The object returned by RandomNumberGenerator.Create() (unless you're on NetFX and have overridden it with CryptoConfig) is (sort of) an implementation of a CSPRNG.

The best fix, I think is

Suggested change

	The <xref:System.Security.Cryptography.RandomNumberGenerator> class is an implementation of a cryptographically secure random number generation algorithm.
	Use the static methods of <xref:System.Security.Cryptography.RandomNumberGenerator> to obtain cryptographically secure random numbers.

[bartonjs]

I don't think we need to bother mentioning third-party alternatives.

[bartonjs]

This is just... word salad.

The code comments already have the "2048 is for illustrative purposes", so don't need to be here. It doesn't need to describe using OAEP here, since the code and code comments do that, too.

Suggested change

The following example uses public key information to encrypt a symmetric key and IV. An <xref:System.Security.Cryptography.RSA> key pair is generated (the 2048-bit key size shown is for illustration—choose a size that matches your security requirements per [NIST SP 800-57](https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final)). The public key from one party is used to encrypt the symmetric key and IV generated by an <xref:System.Security.Cryptography.Aes> instance, using OAEP padding for security.

The following example uses public key information to encrypt a symmetric key and an IV. The encrypting-party uses the public key of the indented recipient. In this example, the public key is represented by the **RSAParameters** type, but file format such as X.509 Subject Public Key Info is more likely to be used in real-world applications.

[bartonjs]

No, it's not "!IMPORTANT". Nothing mentions Pkcs1, so it's not worth mentioning here.

If the example stayed as Pkcs1 encryption, then the warning would be justified.

[bartonjs]

The export/import part is actually important to this example... otherwise it looks like you need to create a public/private pair to encrypt.

[bartonjs]

Suggested change

	> This article applies to Windows. The <xref:System.Security.Cryptography.CspParameters> and <xref:System.Security.Cryptography.RSACryptoServiceProvider> classes are Windows-specific APIs for accessing CAPI-based hardware cryptographic providers such as smart cards.
	> This article applies to Windows. The <xref:System.Security.Cryptography.CspParameters> and <xref:System.Security.Cryptography.RSACryptoServiceProvider> classes are Windows-specific APIs for accessing CAPI-based hardware cryptographic providers.

As written, it implies all smart cards are CAPI-based.

[bartonjs]

Suggested change

2. Create a new instance of the <xref:System.Security.Cryptography.RNGCryptoServiceProvider>, passing the <xref:System.Security.Cryptography.CspParameters> object to the constructor. Note that <xref:System.Security.Cryptography.RNGCryptoServiceProvider> is obsolete starting in .NET 6 (SYSLIB0023); however, it remains necessary for targeting a specific CAPI-based hardware random number generator. For software-based random number generation, use <xref:System.Security.Cryptography.RandomNumberGenerator?displayProperty=nameWithType> instead.

2. Create a new instance of the <xref:System.Security.Cryptography.RNGCryptoServiceProvider>, passing the <xref:System.Security.Cryptography.CspParameters> object to the constructor. Note that <xref:System.Security.Cryptography.RNGCryptoServiceProvider> is obsolete starting in .NET 6 (SYSLIB0023); however, it remains necessary for targeting specific CAPI-based hardware random number generators. For software-based random number generation, use <xref:System.Security.Cryptography.RandomNumberGenerator?displayProperty=nameWithType> instead.

used plural of generators rather than implying there's only one that someone would use this for. (In fact, I think there are zero, but, whatever).