Cross-platform cryptography guide update for .NET 10 (#49615)

vcsjones · web-flow · commit 6ce910ae46a2 · 2025-11-04T22:19:37.000Z
diff --git a/docs/standard/security/cross-platform-cryptography.md b/docs/standard/security/cross-platform-cryptography.md
@@ -1,7 +1,7 @@
 ---
 title: "Cross-platform cryptography in .NET"
 description: Learn about cryptographic capabilities on platforms supported by .NET.
-ms.date: "06/19/2020"
+ms.date: "11/04/2025"
 ms.subservice: standard-library
 helpviewer_keywords:
   - "cryptography, cross-platform"
@@ -81,14 +81,12 @@ Since authenticated encryption requires newer platform APIs to support the algor
 | Cipher + Mode     | Windows                 | Linux          | macOS   | iOS, tvOS, MacCatalyst | Android       | Browser |
 |-------------------|-------------------------|----------------|---------|------------------------|---------------|---------|
 | AES-GCM           | ✔️                      | ✔️            | ✔️      | ⚠️                     | ✔️            | ❌      |
-| AES-CCM           | ✔️                      | ✔️            | ⚠️      | ❌                     | ✔️            | ❌      |
+| AES-CCM           | ✔️                      | ✔️            | ❌      | ❌                     | ✔️            | ❌      |
 | ChaCha20Poly1305  | Windows 10 Build 20142+ | OpenSSL 1.1.0+ | ✔️      | ⚠️                     | API Level 28+ | ❌      |
 
 ### AES-CCM on macOS
 
-On macOS, the system libraries don't support AES-CCM for third-party code, so the <xref:System.Security.Cryptography.AesCcm> class uses OpenSSL for support. Users on macOS need to obtain an appropriate copy of OpenSSL (libcrypto) for this type to function, and it must be in a path that the system would load a library from by default. We recommend that you install OpenSSL from a package manager such as Homebrew.
-
-The `libcrypto.0.9.7.dylib` and `libcrypto.0.9.8.dylib` libraries included in macOS are from earlier versions of OpenSSL and will not be used. The `libcrypto.35.dylib`, `libcrypto.41.dylib`, and `libcrypto.42.dylib` libraries are from LibreSSL and will not be used.
+Prior to .NET 10, AES-CCM worked if a supported version of OpenSSL was present and the dynamic library loader could locate it. OpenSSL support on macOS was removed in .NET 10.
 
 ### AES-GCM and ChaCha20Poly1305 on iOS, tvOS, and MacCatalyst
 
@@ -173,11 +171,11 @@ Padding and digest support vary by platform:
 |--------------------------------------------------------------|---------|---------------|-----------------|-------------------------|-----------------|
 | <xref:System.Security.Cryptography.RSACryptoServiceProvider> | ✔️     | ⚠️<sup>1</sup> | ⚠️<sup>1</sup> | ⚠️<sup>1</sup>          | ⚠️<sup>1</sup>  |
 | <xref:System.Security.Cryptography.RSACng>                   | ✔️     | ❌             | ❌             | ❌                      | ❌              |
-| <xref:System.Security.Cryptography.RSAOpenSsl>               | ❌     | ✔️             | ⚠️<sup>2</sup> | ❌                      | ❌              |
+| <xref:System.Security.Cryptography.RSAOpenSsl>               | ❌     | ✔️             | ❌<sup>2</sup> | ❌                      | ❌              |
 
 <sup>1</sup> On non-Windows, <xref:System.Security.Cryptography.RSACryptoServiceProvider> can be used for compatibility with existing programs. In that case, any method that requires OS interop, such as opening a named key, throws a <xref:System.PlatformNotSupportedException>.
 
-<sup>2</sup> On macOS, <xref:System.Security.Cryptography.RSAOpenSsl> works if OpenSSL is installed and an appropriate libcrypto dylib can be found via dynamic library loading. If an appropriate library can't be found, exceptions will be thrown.
+<sup>2</sup> On macOS, prior to .NET 10, <xref:System.Security.Cryptography.RSAOpenSsl> worked if OpenSSL was installed and an appropriate libcrypto dylib could be found via dynamic library loading. This support was removed in .NET 10.
 
 ### ECDSA
 
@@ -210,9 +208,9 @@ ECDSA key curves are defined by the OS libraries and are subject to their limita
 | Type                                             | Windows | Linux | macOS | iOS, tvOS, MacCatalyst | Android |
 |--------------------------------------------------|---------|-------|-------|------------------------|---------|
 | <xref:System.Security.Cryptography.ECDsaCng>     | ✔️      | ❌   | ❌    | ❌                     | ❌      |
-| <xref:System.Security.Cryptography.ECDsaOpenSsl> | ❌      | ✔️   | ⚠️\*  | ❌                     | ❌      |
+| <xref:System.Security.Cryptography.ECDsaOpenSsl> | ❌      | ✔️   | ❌\*  | ❌                     | ❌      |
 
-\* On macOS, <xref:System.Security.Cryptography.ECDsaOpenSsl> works if OpenSSL is installed in the system and an appropriate libcrypto dylib can be found via dynamic library loading. If an appropriate library can't be found, exceptions will be thrown.
+\* On macOS, prior to .NET 10, <xref:System.Security.Cryptography.ECDsaOpenSsl> worked if OpenSSL was installed and an appropriate libcrypto dylib could be found via dynamic library loading. This support was removed in .NET 10.
 
 ### ECDH
 
@@ -230,7 +228,7 @@ The <xref:System.Security.Cryptography.ECDiffieHellman> class supports the "raw"
 
 ECDH key curves are defined by the OS libraries and are subject to their limitations.
 
-| Elliptic Curve                     | Windows 10     | Windows 7 - 8.1 | Linux          | macOS           | iOS, tvOS, MacCatalyst | Android        |
+| Elliptic Curve                     | Windows 10+    | Windows 7 - 8.1 | Linux          | macOS           | iOS, tvOS, MacCatalyst | Android        |
 |------------------------------------|----------------|-----------------|----------------|-----------------|------------------------|----------------|
 | NIST P-256 (secp256r1)             | ✔️             | ✔️              | ✔️             | ✔️             | ✔️                     | ✔️             |
 | NIST P-384 (secp384r1)             | ✔️             | ✔️              | ✔️             | ✔️             | ✔️                     | ✔️             |
@@ -255,9 +253,9 @@ ECDH key curves are defined by the OS libraries and are subject to their limitat
 | Type                                                       | Windows | Linux | macOS | iOS, tvOS, MacCatalyst | Android  |
 |------------------------------------------------------------|---------|-------|-------|------------------------|----------|
 | <xref:System.Security.Cryptography.ECDiffieHellmanCng>     | ✔️     | ❌    | ❌    | ❌                     | ❌       |
-| <xref:System.Security.Cryptography.ECDiffieHellmanOpenSsl> | ❌     | ✔️    | ⚠️\*  | ❌                     | ❌       |
+| <xref:System.Security.Cryptography.ECDiffieHellmanOpenSsl> | ❌     | ✔️    | ❌\*  | ❌                     | ❌       |
 
-\* On macOS, <xref:System.Security.Cryptography.ECDiffieHellmanOpenSsl> works if OpenSSL is installed and an appropriate libcrypto dylib can be found via dynamic library loading. If an appropriate library can't be found, exceptions will be thrown.
+\* On macOS, prior to .NET 10, <xref:System.Security.Cryptography.ECDiffieHellmanOpenSsl> worked if OpenSSL was installed and an appropriate libcrypto dylib could be found via dynamic library loading. This support was removed in .NET 10.
 
 ### DSA
 
@@ -290,11 +288,103 @@ DSA (Digital Signature Algorithm) key generation is performed by the system libr
 |--------------------------------------------------------------|---------|----------------|-----------------|------------------------|----------------|
 | <xref:System.Security.Cryptography.DSACryptoServiceProvider> | ✔️      | ⚠️<sup>1</sup> | ⚠️<sup>1</sup>  | ❌                    | ⚠️<sup>1</sup> |
 | <xref:System.Security.Cryptography.DSACng>                   | ✔️      | ❌             | ❌              | ❌                    | ❌             |
-| <xref:System.Security.Cryptography.DSAOpenSsl>               | ❌      | ✔️             | ⚠️<sup>2</sup>  | ❌                    | ❌             |
+| <xref:System.Security.Cryptography.DSAOpenSsl>               | ❌      | ✔️             | ❌<sup>2</sup>  | ❌                    | ❌             |
 
 <sup>1</sup> On non-Windows, <xref:System.Security.Cryptography.DSACryptoServiceProvider> can be used for compatibility with existing programs. In that case, any method that requires system interop, such as opening a named key, throws a <xref:System.PlatformNotSupportedException>.
 
-<sup>2</sup> On macOS, <xref:System.Security.Cryptography.DSAOpenSsl> works if OpenSSL is installed and an appropriate libcrypto dylib can be found via dynamic library loading. If an appropriate library can't be found, exceptions will be thrown.
+<sup>2</sup> On macOS, prior to .NET 10, <xref:System.Security.Cryptography.DSAOpenSsl> worked if OpenSSL was installed and an appropriate libcrypto dylib could be found via dynamic library loading. This support was removed in .NET 10.
+
+## Post-quantum cryptography
+
+Post-quantum algorithms are available starting in .NET 10. They're also available for .NET Framework using the Microsoft.Bcl.Cryptography NuGet package. The following support table indicates the platform support for the built-in operating system cryptographic components, such as those created from `Generate` or `ImportFromPem`. Implementations that derive from the base class might have different support behaviors.
+
+For the built-in algorithms, an `IsSupported` static property is available to determine if the platform supports any of the parameter sets.
+
+The native interop types for post-quantum algorithms do not support key generation or importing. They exist specifically for interop scenarios with the native platform types, such as an `EVP_PKEY` on OpenSSL or `CngKey` on Windows.
+
+### ML-KEM
+
+| Algorithm    | Windows                       | Linux          | Apple | Android | Browser |
+|--------------|-------------------------------|----------------|-------|---------|---------|
+| ML-KEM-512   | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| ML-KEM-768   | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| ML-KEM-1024  | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+
+#### Native interop ML-KEM
+
+* <xref:System.Security.Cryptography.MLKemOpenSsl>: OpenSSL 3.5.0+
+* <xref:System.Security.Cryptography.MLKemCng>: Windows 11 Insiders (Latest)
+
+### ML-DSA
+
+ML-DSA has a pure and prehash variant (HashML-DSA). The following table reflects both the pure and prehash variants.
+
+| Algorithm                                   | Windows                       | Linux          | Apple | Android | Browser |
+|---------------------------------------------|-------------------------------|----------------|-------|---------|---------|
+| ML-DSA-44                                   | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| ML-DSA-65                                   | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| ML-DSA-87                                   | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| ML-DSA-44 External Mu (&#x3BC;)<sup>1</sup> | ❌                            | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| ML-DSA-65 External Mu (&#x3BC;)<sup>1</sup> | ❌                            | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| ML-DSA-87 External Mu (&#x3BC;)<sup>1</sup> | ❌                            | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+
+<sup>1</sup> External Mu support is for signing and verifying Mu only. Computation of Mu isn't supported.
+
+#### Native interop ML-DSA
+
+* <xref:System.Security.Cryptography.MLDsaOpenSsl>: OpenSSL 3.5.0+
+* <xref:System.Security.Cryptography.MLDsaCng>: Windows 11 Insiders (latest)
+
+### SLH-DSA
+
+SLH-DSA has a pure and prehash variant (HashSLH-DSA). The following table reflects both the pure and prehash variants.
+
+| Algorithm           | Windows | Linux          | Apple | Android | Browser |
+|---------------------|---------|----------------|-------|---------|---------|
+| SLH-DSA-SHA2-128f   | ❌      | OpenSSL 3.5.0+ | ❌    | ❌      | ❌       |
+| SLH-DSA-SHA2-128s   | ❌      | OpenSSL 3.5.0+ | ❌    | ❌      | ❌       |
+| SLH-DSA-SHA2-192f   | ❌      | OpenSSL 3.5.0+ | ❌    | ❌      | ❌       |
+| SLH-DSA-SHA2-192s   | ❌      | OpenSSL 3.5.0+ | ❌    | ❌      | ❌       |
+| SLH-DSA-SHA2-256f   | ❌      | OpenSSL 3.5.0+ | ❌    | ❌      | ❌       |
+| SLH-DSA-SHA2-256s   | ❌      | OpenSSL 3.5.0+ | ❌    | ❌      | ❌       |
+| SLH-DSA-SHAKE-128f  | ❌      | OpenSSL 3.5.0+ | ❌    | ❌      | ❌       |
+| SLH-DSA-SHAKE-128s  | ❌      | OpenSSL 3.5.0+ | ❌    | ❌      | ❌       |
+| SLH-DSA-SHAKE-192f  | ❌      | OpenSSL 3.5.0+ | ❌    | ❌      | ❌       |
+| SLH-DSA-SHAKE-192s  | ❌      | OpenSSL 3.5.0+ | ❌    | ❌      | ❌       |
+| SLH-DSA-SHAKE-256f  | ❌      | OpenSSL 3.5.0+ | ❌    | ❌      | ❌       |
+| SLH-DSA-SHAKE-256s  | ❌      | OpenSSL 3.5.0+ | ❌    | ❌      | ❌       |
+
+#### Native interop SLH-DSA
+
+* <xref:System.Security.Cryptography.SlhDsaOpenSsl>: OpenSSL 3.5.0+
+* <xref:System.Security.Cryptography.SlhDsaCng>: Not supported
+
+### Composite ML-DSA
+
+| Algorithm                              | Windows                       | Linux          | Apple | Android | Browser |
+|----------------------------------------|-------------------------------|----------------|-------|---------|---------|
+| MLDSA44-RSA2048-PSS-SHA256             | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| MLDSA44-RSA2048-PKCS15-SHA256          | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| MLDSA44-Ed25519-SHA512                 | ❌                            | ❌             | ❌    | ❌      | ❌      |
+| MLDSA44-ECDSA-P256-SHA256              | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| MLDSA65-RSA3072-PSS-SHA512             | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| MLDSA65-RSA3072-PKCS15-SHA512          | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| MLDSA65-RSA4096-PSS-SHA512             | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| MLDSA65-RSA4096-PKCS15-SHA512          | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| MLDSA65-ECDSA-P256-SHA512              | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| MLDSA65-ECDSA-P384-SHA512              | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| MLDSA65-ECDSA-brainpoolP256r1-SHA512   | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| MLDSA65-Ed25519-SHA512                 | ❌                            | ❌             | ❌    | ❌      | ❌      |
+| MLDSA87-ECDSA-P384-SHA512              | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| MLDSA87-ECDSA-brainpoolP384r1-SHA512   | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| MLDSA87-Ed448-SHAKE256                 | ❌                            | ❌             | ❌    | ❌      | ❌      |
+| MLDSA87-RSA3072-PSS-SHA512             | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| MLDSA87-RSA4096-PSS-SHA512             | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+| MLDSA87-ECDSA-P521-SHA512              | Windows 11 Insiders (Latest)  | OpenSSL 3.5.0+ | ❌    | ❌      | ❌      |
+
+#### Native interop composite ML-DSA
+
+* <xref:System.Security.Cryptography.CompositeMLDsaCng>: Not supported
 
 ## X.509 Certificates
 
@@ -411,6 +501,24 @@ macOS doesn't support Offline CRL utilization, so `X509RevocationMode.Offline` i
 
 macOS doesn't support a user-initiated timeout on CRL (Certificate Revocation List) / OCSP (Online Certificate Status Protocol) / AIA (Authority Information Access) downloading, so `X509ChainPolicy.UrlRetrievalTimeout` is ignored.
 
+### Post-quantum cryptography certificates and PKCS12/PFX
+
+Post-quantum certificate support also requires support from the primitive algorithm.
+
+| Operation               | Algorithm | Windows | Linux | Apple | Android | Browser |
+|-------------------------|-----------|---------|-------|-------|---------|---------|
+| PKCS#12 Import          | ML-DSA    | ✔️      | ✔️    | ❌     | ❌      | ❌      |
+| PKCS#12 Export          | ML-DSA    | ✔️      | ✔️    | ❌     | ❌      | ❌      |
+| Private Key Association | ML-DSA    | ✔️      | ✔️    | ❌     | ❌      | ❌      |
+| &nbsp;                  |           |         |       |       |         |         |
+| PKCS#12 Import          | ML-KEM    | ❌      | ✔️    | ❌     | ❌      | ❌      |
+| PKCS#12 Export          | ML-KEM    | ❌      | ✔️    | ❌     | ❌      | ❌      |
+| Private Key Association | ML-KEM    | ❌      | ✔️    | ❌     | ❌      | ❌      |
+| &nbsp;                  |           |         |       |       |         |         |
+| PKCS#12 Import          | SLH-DSA   | ❌      | ✔️    | ❌     | ❌      | ❌      |
+| PKCS#12 Export          | SLH-DSA   | ❌      | ✔️    | ❌     | ❌      | ❌      |
+| Private Key Association | SLH-DSA   | ❌      | ✔️    | ❌     | ❌      | ❌      |
+
 ## Additional resources
 
 * [.NET Cryptography Model](cryptography-model.md)
