136 changes: 122 additions & 14 deletions docs/standard/security/cross-platform-cryptography.md
@@ -1,7 +1,7 @@
---
title: "Cross-platform cryptography in .NET"
description: Learn about cryptographic capabilities on platforms supported by .NET.
ms.date: "06/19/2020"
ms.date: "11/04/2025"
ms.subservice: standard-library
helpviewer_keywords:
- "cryptography, cross-platform"
Expand Down Expand Up @@ -81,14 +81,12 @@ Since authenticated encryption requires newer platform APIs to support the algor
| Cipher + Mode | Windows | Linux | macOS | iOS, tvOS, MacCatalyst | Android | Browser |
|-------------------|-------------------------|----------------|---------|------------------------|---------------|---------|
| AES-GCM | ✔️ | ✔️ | ✔️ | ⚠️ | ✔️ | ❌ |
| AES-CCM | ✔️ | ✔️ | ⚠️ | ❌ | ✔️ | ❌ |
| AES-CCM | ✔️ | ✔️ | | ❌ | ✔️ | ❌ |
| ChaCha20Poly1305 | Windows 10 Build 20142+ | OpenSSL 1.1.0+ | ✔️ | ⚠️ | API Level 28+ | ❌ |

### AES-CCM on macOS

On macOS, the system libraries don't support AES-CCM for third-party code, so the <xref:System.Security.Cryptography.AesCcm> class uses OpenSSL for support. Users on macOS need to obtain an appropriate copy of OpenSSL (libcrypto) for this type to function, and it must be in a path that the system would load a library from by default. We recommend that you install OpenSSL from a package manager such as Homebrew.

The `libcrypto.0.9.7.dylib` and `libcrypto.0.9.8.dylib` libraries included in macOS are from earlier versions of OpenSSL and will not be used. The `libcrypto.35.dylib`, `libcrypto.41.dylib`, and `libcrypto.42.dylib` libraries are from LibreSSL and will not be used.
Prior to .NET 10, AES-CCM worked if a supported version of OpenSSL was present and the dynamic library loader could locate it. OpenSSL support on macOS was removed in .NET 10.

### AES-GCM and ChaCha20Poly1305 on iOS, tvOS, and MacCatalyst

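Review bot: the retained paragraph under "AES-CCM on macOS" ("the <xref:System.Security.Cryptography.AesCcm> class uses OpenSSL for support ... We recommend that you install OpenSSL from a package manager such as Homebrew") now contradicts the added sentence that OpenSSL support on macOS was removed in .NET 10; either move it into the past tense alongside "Prior to .NET 10, AES-CCM worked if ..." or replace it with what `AesCcm` does on macOS in .NET 10 (if it now throws, name the exception, as the RSA footnote does with <xref:System.PlatformNotSupportedException>). Also, the macOS cell in the AES-CCM row changed from ⚠️ to an empty cell rather than ❌; an empty cell reads as missing data, so mark it ❌ and, if useful, footnote it to the section below.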
Expand Down Expand Up @@ -173,11 +171,11 @@ Padding and digest support vary by platform:
|--------------------------------------------------------------|---------|---------------|-----------------|-------------------------|-----------------|
| <xref:System.Security.Cryptography.RSACryptoServiceProvider> | ✔️ | ⚠️<sup>1</sup> | ⚠️<sup>1</sup> | ⚠️<sup>1</sup> | ⚠️<sup>1</sup> |
| <xref:System.Security.Cryptography.RSACng> | ✔️ | ❌ | ❌ | ❌ | ❌ |
| <xref:System.Security.Cryptography.RSAOpenSsl> | ❌ | ✔️ | ⚠️<sup>2</sup> | ❌ | ❌ |
| <xref:System.Security.Cryptography.RSAOpenSsl> | ❌ | ✔️ | <sup>2</sup> | ❌ | ❌ |

<sup>1</sup> On non-Windows, <xref:System.Security.Cryptography.RSACryptoServiceProvider> can be used for compatibility with existing programs. In that case, any method that requires OS interop, such as opening a named key, throws a <xref:System.PlatformNotSupportedException>.

<sup>2</sup> On macOS, <xref:System.Security.Cryptography.RSAOpenSsl> works if OpenSSL is installed and an appropriate libcrypto dylib can be found via dynamic library loading. If an appropriate library can't be found, exceptions will be thrown.
<sup>2</sup> On macOS, prior to .NET 10, <xref:System.Security.Cryptography.RSAOpenSsl> worked if OpenSSL was installed and an appropriate libcrypto dylib could be found via dynamic library loading. This support was removed in .NET 10.

### ECDSA

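Review bot: in the <xref:System.Security.Cryptography.RSAOpenSsl> row the macOS cell now holds only `<sup>2</sup>` with no status symbol, while every other cell carries ✔️/❌/⚠️; render it as `❌<sup>2</sup>` so the table is readable without the footnote. The rewritten footnote 2 drops the old "exceptions will be thrown" guidance without saying what callers observe on .NET 10; one sentence on the observable behaviour would keep the footnote actionable.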
Expand Down Expand Up @@ -210,9 +208,9 @@ ECDSA key curves are defined by the OS libraries and are subject to their limita
| Type | Windows | Linux | macOS | iOS, tvOS, MacCatalyst | Android |
|--------------------------------------------------|---------|-------|-------|------------------------|---------|
| <xref:System.Security.Cryptography.ECDsaCng> | ✔️ | ❌ | ❌ | ❌ | ❌ |
| <xref:System.Security.Cryptography.ECDsaOpenSsl> | ❌ | ✔️ | ⚠️\* | ❌ | ❌ |
| <xref:System.Security.Cryptography.ECDsaOpenSsl> | ❌ | ✔️ | \* | ❌ | ❌ |

\* On macOS, <xref:System.Security.Cryptography.ECDsaOpenSsl> works if OpenSSL is installed in the system and an appropriate libcrypto dylib can be found via dynamic library loading. If an appropriate library can't be found, exceptions will be thrown.
\* On macOS, prior to .NET 10, <xref:System.Security.Cryptography.ECDsaOpenSsl> worked if OpenSSL was installed and an appropriate libcrypto dylib could be found via dynamic library loading. This support was removed in .NET 10.

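Review bot: same issue as the RSA table: the <xref:System.Security.Cryptography.ECDsaOpenSsl> macOS cell is now a bare `\*` with no status symbol; use `❌\*` so the row matches the rest of the table and the footnote explains the ❌ rather than standing in for it.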
### ECDH

Expand All @@ -230,7 +228,7 @@ The <xref:System.Security.Cryptography.ECDiffieHellman> class supports the "raw"

ECDH key curves are defined by the OS libraries and are subject to their limitations.

| Elliptic Curve | Windows 10 | Windows 7 - 8.1 | Linux | macOS | iOS, tvOS, MacCatalyst | Android |
| Elliptic Curve | Windows 10+ | Windows 7 - 8.1 | Linux | macOS | iOS, tvOS, MacCatalyst | Android |
|------------------------------------|----------------|-----------------|----------------|-----------------|------------------------|----------------|
| NIST P-256 (secp256r1) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| NIST P-384 (secp384r1) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Expand All @@ -255,9 +253,9 @@ ECDH key curves are defined by the OS libraries and are subject to their limitat
| Type | Windows | Linux | macOS | iOS, tvOS, MacCatalyst | Android |
|------------------------------------------------------------|---------|-------|-------|------------------------|----------|
| <xref:System.Security.Cryptography.ECDiffieHellmanCng> | ✔️ | ❌ | ❌ | ❌ | ❌ |
| <xref:System.Security.Cryptography.ECDiffieHellmanOpenSsl> | ❌ | ✔️ | ⚠️\* | ❌ | ❌ |
| <xref:System.Security.Cryptography.ECDiffieHellmanOpenSsl> | ❌ | ✔️ | \* | ❌ | ❌ |

\* On macOS, <xref:System.Security.Cryptography.ECDiffieHellmanOpenSsl> works if OpenSSL is installed and an appropriate libcrypto dylib can be found via dynamic library loading. If an appropriate library can't be found, exceptions will be thrown.
\* On macOS, prior to .NET 10, <xref:System.Security.Cryptography.ECDiffieHellmanOpenSsl> worked if OpenSSL was installed and an appropriate libcrypto dylib could be found via dynamic library loading. This support was removed in .NET 10.

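Review bot: the <xref:System.Security.Cryptography.ECDiffieHellmanOpenSsl> macOS cell has the same bare `\*` as the ECDSA table; use `❌\*` for consistency with the other cells, since the footnote states support was removed in .NET 10.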
### DSA

Expand Down Expand Up @@ -290,11 +288,103 @@ DSA (Digital Signature Algorithm) key generation is performed by the system libr
|--------------------------------------------------------------|---------|----------------|-----------------|------------------------|----------------|
| <xref:System.Security.Cryptography.DSACryptoServiceProvider> | ✔️ | ⚠️<sup>1</sup> | ⚠️<sup>1</sup> | ❌ | ⚠️<sup>1</sup> |
| <xref:System.Security.Cryptography.DSACng> | ✔️ | ❌ | ❌ | ❌ | ❌ |
| <xref:System.Security.Cryptography.DSAOpenSsl> | ❌ | ✔️ | ⚠️<sup>2</sup> | ❌ | ❌ |
| <xref:System.Security.Cryptography.DSAOpenSsl> | ❌ | ✔️ | <sup>2</sup> | ❌ | ❌ |

<sup>1</sup> On non-Windows, <xref:System.Security.Cryptography.DSACryptoServiceProvider> can be used for compatibility with existing programs. In that case, any method that requires system interop, such as opening a named key, throws a <xref:System.PlatformNotSupportedException>.

<sup>2</sup> On macOS, <xref:System.Security.Cryptography.DSAOpenSsl> works if OpenSSL is installed and an appropriate libcrypto dylib can be found via dynamic library loading. If an appropriate library can't be found, exceptions will be thrown.
<sup>2</sup> On macOS, prior to .NET 10, <xref:System.Security.Cryptography.DSAOpenSsl> worked if OpenSSL was installed and an appropriate libcrypto dylib could be found via dynamic library loading. This support was removed in .NET 10.

## Post-quantum cryptography

Post-quantum algorithms are available starting in .NET 10. They're also available for .NET Framework using the Microsoft.Bcl.Cryptography NuGet package. The following support table indicates the platform support for the built-in operating system cryptographic components, such as those created from `Generate` or `ImportFromPem`. Implementations that derive from the base class might have different support behaviors.

For the built-in algorithms, an `IsSupported` static property is available to determine if the platform supports any of the parameter sets.

The native interop types for post-quantum algorithms do not support key generation or importing. They exist specifically for interop scenarios with the native platform types, such as an `EVP_PKEY` on OpenSSL or `CngKey` on Windows.

### ML-KEM

| Algorithm | Windows | Linux | Apple | Android | Browser |
|--------------|-------------------------------|----------------|-------|---------|---------|
| ML-KEM-512 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| ML-KEM-768 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| ML-KEM-1024 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |

#### Native interop ML-KEM

* <xref:System.Security.Cryptography.MLKemOpenSsl>: OpenSSL 3.5.0+
* <xref:System.Security.Cryptography.MLKemCng>: Windows 11 Insiders (Latest)

### ML-DSA

ML-DSA has a pure and prehash variant (HashML-DSA). The following table reflects both the pure and prehash variants.

| Algorithm | Windows | Linux | Apple | Android | Browser |
|---------------------------------------------|-------------------------------|----------------|-------|---------|---------|
| ML-DSA-44 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| ML-DSA-65 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| ML-DSA-87 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| ML-DSA-44 External Mu (&#x3BC;)<sup>1</sup> | ❌ | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| ML-DSA-65 External Mu (&#x3BC;)<sup>1</sup> | ❌ | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| ML-DSA-87 External Mu (&#x3BC;)<sup>1</sup> | ❌ | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |

<sup>1</sup> External Mu support is for signing and verifying Mu only. Computation of Mu isn't supported.

#### Native interop ML-DSA

* <xref:System.Security.Cryptography.MLDsaOpenSsl>: OpenSSL 3.5.0+
* <xref:System.Security.Cryptography.MLDsaCng>: Windows 11 Insiders (latest)

### SLH-DSA

SLH-DSA has a pure and prehash variant (HashSLH-DSA). The following table reflects both the pure and prehash variants.

| Algorithm | Windows | Linux | Apple | Android | Browser |
|---------------------|---------|----------------|-------|---------|---------|
| SLH-DSA-SHA2-128f | ❌ | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| SLH-DSA-SHA2-128s | ❌ | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| SLH-DSA-SHA2-192f | ❌ | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| SLH-DSA-SHA2-192s | ❌ | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| SLH-DSA-SHA2-256f | ❌ | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| SLH-DSA-SHA2-256s | ❌ | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| SLH-DSA-SHAKE-128f | ❌ | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| SLH-DSA-SHAKE-128s | ❌ | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| SLH-DSA-SHAKE-192f | ❌ | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| SLH-DSA-SHAKE-192s | ❌ | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| SLH-DSA-SHAKE-256f | ❌ | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| SLH-DSA-SHAKE-256s | ❌ | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |

#### Native interop SLH-DSA

* <xref:System.Security.Cryptography.SlhDsaOpenSsl>: OpenSSL 3.5.0+
* <xref:System.Security.Cryptography.SlhDsaCng>: Not supported

### Composite ML-DSA

| Algorithm | Windows | Linux | Apple | Android | Browser |
|----------------------------------------|-------------------------------|----------------|-------|---------|---------|
| MLDSA44-RSA2048-PSS-SHA256 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| MLDSA44-RSA2048-PKCS15-SHA256 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| MLDSA44-Ed25519-SHA512 | ❌ | ❌ | ❌ | ❌ | ❌ |
| MLDSA44-ECDSA-P256-SHA256 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| MLDSA65-RSA3072-PSS-SHA512 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| MLDSA65-RSA3072-PKCS15-SHA512 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| MLDSA65-RSA4096-PSS-SHA512 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| MLDSA65-RSA4096-PKCS15-SHA512 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| MLDSA65-ECDSA-P256-SHA512 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| MLDSA65-ECDSA-P384-SHA512 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| MLDSA65-ECDSA-brainpoolP256r1-SHA512 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| MLDSA65-Ed25519-SHA512 | ❌ | ❌ | ❌ | ❌ | ❌ |
| MLDSA87-ECDSA-P384-SHA512 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| MLDSA87-ECDSA-brainpoolP384r1-SHA512 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| MLDSA87-Ed448-SHAKE256 | ❌ | ❌ | ❌ | ❌ | ❌ |
| MLDSA87-RSA3072-PSS-SHA512 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| MLDSA87-RSA4096-PSS-SHA512 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |
| MLDSA87-ECDSA-P521-SHA512 | Windows 11 Insiders (Latest) | OpenSSL 3.5.0+ | ❌ | ❌ | ❌ |

#### Native interop composite ML-DSA

* <xref:System.Security.Cryptography.CompositeMLDsaCng>: Not supported

## X.509 Certificates

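Review bot: the <xref:System.Security.Cryptography.DSAOpenSsl> macOS cell has the same bare `<sup>2</sup>` as the RSA/ECDSA/ECDH tables; use `❌<sup>2</sup>`. In the new post-quantum section: the `MLDsaCng: Windows 11 Insiders (latest)` entry uses lowercase "latest" where every table cell and the `MLKemCng` entry use "(Latest)"; the "Native interop composite ML-DSA" list names only <xref:System.Security.Cryptography.CompositeMLDsaCng> as not supported while the table above shows OpenSSL 3.5.0+ support on Linux, so either list the OpenSSL interop type or state explicitly that none exists, as the SLH-DSA list does for the Cng type; and the intro says the algorithms are also available on .NET Framework via Microsoft.Bcl.Cryptography, but none of the tables has a column or note for that target, so say whether the Windows column applies to it.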
Expand Down Expand Up @@ -411,6 +501,24 @@ macOS doesn't support Offline CRL utilization, so `X509RevocationMode.Offline` i

macOS doesn't support a user-initiated timeout on CRL (Certificate Revocation List) / OCSP (Online Certificate Status Protocol) / AIA (Authority Information Access) downloading, so `X509ChainPolicy.UrlRetrievalTimeout` is ignored.

### Post-quantum cryptography certificates and PKCS12/PFX

Post-quantum certificate support also requires support from the primitive algorithm.

| Operation | Algorithm | Windows | Linux | Apple | Android | Browser |
|-------------------------|-----------|---------|-------|-------|---------|---------|
| PKCS#12 Import | ML-DSA | ✔️ | ✔️ | ❌ | ❌ | ❌ |
| PKCS#12 Export | ML-DSA | ✔️ | ✔️ | ❌ | ❌ | ❌ |
| Private Key Association | ML-DSA | ✔️ | ✔️ | ❌ | ❌ | ❌ |
| &nbsp; | | | | | | |
| PKCS#12 Import | ML-KEM | ❌ | ✔️ | ❌ | ❌ | ❌ |
| PKCS#12 Export | ML-KEM | ❌ | ✔️ | ❌ | ❌ | ❌ |
| Private Key Association | ML-KEM | ❌ | ✔️ | ❌ | ❌ | ❌ |
| &nbsp; | | | | | | |
| PKCS#12 Import | SLH-DSA | ❌ | ✔️ | ❌ | ❌ | ❌ |
| PKCS#12 Export | SLH-DSA | ❌ | ✔️ | ❌ | ❌ | ❌ |
| Private Key Association | SLH-DSA | ❌ | ✔️ | ❌ | ❌ | ❌ |

## Additional resources

* [.NET Cryptography Model](cryptography-model.md)
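Review bot: the `| &nbsp; | | | | | | |` rows in the post-quantum certificates table are a visual-gap hack that yields empty rows in screen readers and in any table-to-text conversion; either split the table into three (one per algorithm, matching the per-algorithm subsections above) or drop the spacer rows and let the Algorithm column group the rows. Minor: the heading says "PKCS12/PFX" while the rows say "PKCS#12"; pick one spelling.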