SHA-256 and Cryptographic Service Provider Types

How to fix the System.Security.Cryptography.CryptographicException: Invalid algorithm specified error when signing with a Cryptographic Service Provider that does not support SHA-256.

By Tim Trott, C# ASP.Net MVC • August 13, 2011

Dealing with System.Security.Cryptography.CryptographicException can be frustrating, especially when it interrupts the smooth execution of your .NET application. In this article, we'll look at the common causes behind this exception and provide practical solutions to resolve it effectively.

What is a Cryptographic Service Provider?

A Cryptographic Service Provider (CSP) is a software library that implements the Microsoft CryptoAPI. CSPs implement cryptographic functions such as hashing, encryption and digital signatures, which applications call through CryptoAPI to implement, for example, strong user authentication or secure email. Each CSP supports a fixed set of algorithms, which is why the provider a private key is bound to matters.

How to fix Invalid Algorithm Specified

SHA-256, SHA-384 and SHA-512 XML signatures require the Microsoft Enhanced RSA and AES Cryptographic Provider. When trying to sign data using SHA-256 with a key held by another provider type, you may encounter the exception System.Security.Cryptography.CryptographicException: Invalid algorithm specified.

If the private key isn't associated with the correct Cryptographic Service Provider (CSP), it can be converted to specify the Microsoft Enhanced RSA and AES Cryptographic Provider.

One method to perform this conversion is to use OpenSSL.

Windows binaries are available for download. Refer to the OpenSSL Wiki.

The following command outputs information about the private key and certificate, including the name of the CSP the key is bound to.

openssl pkcs12 -in idp.pfx

Enter Import Password:
MAC verified OK
Bag Attributes
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft Strong Cryptographic Provider
    friendlyName: PvkTmp:b143944f-c289-4e3c-b9cc-37ce1e8ada19
Key Attributes
    X509v3 Key Usage: 10
 
The Microsoft Strong Cryptographic Provider is suitable for SHA-1 XML signatures but doesn't support SHA-256 XML signatures.

The PFX can be recreated specifying the required CSP. Firstly, it must be converted from PKCS12 to PEM format.

openssl pkcs12 -in idp.pfx -out idp.pem

Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Then it must be converted back to PKCS12 specifying the Microsoft Enhanced RSA and AES Cryptographic Provider.

openssl pkcs12 -export -in idp.pem -out new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

Loading 'screen' into random state - done
Enter pass phrase for idp.pem:
Enter Export Password:
Verifying - Enter Export Password:

The new PFX file is now ready for generating SHA-256, SHA-384 and SHA-512 XML signatures.
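The same re-homing can be done from .NET Framework code at load time instead of with OpenSSL. The example below is added here and is not the author's code: it loads the PFX, checks which CSP the key container reports, and if it is not provider type 24 (PROV_RSA_AES, the type behind "Microsoft Enhanced RSA and AES Cryptographic Provider") imports the key into a container of that type before handing it to SignedXml. It assumes .NET Framework 4.6.2 or later (which registers the RSA-SHA256 signature method URI), that the PFX was loaded with X509KeyStorageFlags.Exportable, and uses the idp.pfx file name from the article with a placeholder password.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

static class Sha256XmlSigner
{
    // PROV_RSA_AES: the CryptoAPI provider type of the
    // "Microsoft Enhanced RSA and AES Cryptographic Provider".
    const int ProvRsaAes = 24;

    // Returns an RSA key living in a PROV_RSA_AES container. If the PFX already
    // names that CSP the key is returned unchanged; otherwise the key material is
    // re-imported, the in-process equivalent of the OpenSSL re-export above.
    public static RSACryptoServiceProvider EnsureAesProvider(X509Certificate2 cert)
    {
        var rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
            throw new InvalidOperationException("Certificate has no CryptoAPI RSA private key.");

        Console.WriteLine("Key container CSP: " + rsa.CspKeyContainerInfo.ProviderName);
        if (rsa.CspKeyContainerInfo.ProviderType == ProvRsaAes)
            return rsa;

        // ExportParameters(true) only works if the key was loaded as Exportable.
        var cspParams = new CspParameters(ProvRsaAes)
        {
            KeyContainerName = Guid.NewGuid().ToString() // fresh, throw-away container name
        };
        var aesRsa = new RSACryptoServiceProvider(cspParams) { PersistKeyInCsp = false };
        aesRsa.ImportParameters(rsa.ExportParameters(true));
        return aesRsa;
    }

    // Produces an enveloped RSA-SHA256 signature over the whole document.
    public static string SignXml(XmlDocument doc, X509Certificate2 cert)
    {
        var signedXml = new SignedXml(doc) { SigningKey = EnsureAesProvider(cert) };
        signedXml.SignedInfo.SignatureMethod = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
        var reference = new Reference("") { DigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256" };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature(); // this is the call that throws "Invalid algorithm specified" on the wrong CSP
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc.OuterXml;
    }
}
```

Load the certificate with `new X509Certificate2("idp.pfx", "PFX-PASSWORD-PLACEHOLDER", X509KeyStorageFlags.Exportable)`; without the Exportable flag the ExportParameters(true) call fails and the key cannot be moved to the AES-capable provider.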

About the Author

Tim Trott is a senior software engineer with over 20 years of experience in designing, building, and maintaining software systems across a range of industries. Passionate about clean code, scalable architecture, and continuous learning, he specialises in creating robust solutions that solve real-world problems. He is currently based in Edinburgh, where he develops innovative software and collaborates with teams around the globe.
