Enigma.Cryptography
5.0.0
dotnet add package Enigma.Cryptography --version 5.0.0
NuGet\Install-Package Enigma.Cryptography -Version 5.0.0
<PackageReference Include="Enigma.Cryptography" Version="5.0.0" />
<PackageVersion Include="Enigma.Cryptography" Version="5.0.0" />
<PackageReference Include="Enigma.Cryptography" />
paket add Enigma.Cryptography --version 5.0.0
#r "nuget: Enigma.Cryptography, 5.0.0"
#:package Enigma.Cryptography@5.0.0
#addin nuget:?package=Enigma.Cryptography&version=5.0.0
#tool nuget:?package=Enigma.Cryptography&version=5.0.0
Enigma.Cryptography
A comprehensive .NET cryptography library built on top of BouncyCastle.Cryptography, providing a clean and easy-to-use API for common cryptographic operations.
What's new in 5.0 — RSA-OAEP encryption, selectable PBKDF2 PRF, X.509 CRL revocation checking, and
net10.0added to the target frameworks. This is a major release with breaking changes (Argon2 enum parameters, factory-method renames, UTF-8 default inEncodingExtensions, and more). See the release notes for the full migration guide.
Features
- Block Ciphers — AES, DES, 3DES, Blowfish, Twofish, Serpent, Camellia, and more (CBC, ECB, GCM, SIC/CTR modes)
- Stream Ciphers — ChaCha20, ChaCha20-RFC7539, Salsa20
- Public-Key Cryptography — RSA encryption, signing, and PEM key management
- Post-Quantum Cryptography — ML-DSA (CRYSTALS-Dilithium) and ML-KEM (CRYSTALS-Kyber)
- X.509 Certificates — Self-signed generation, CSR creation, certificate issuance, PEM/DER/PFX support, chain validation
- Hashing — MD5, SHA-1, SHA-256, SHA-512, SHA-3
- HMAC — HMAC-SHA1, HMAC-SHA256, HMAC-SHA512 (byte-array and streaming)
- One-Time Passwords — HOTP (RFC 4226), TOTP (RFC 6238), and
otpauth://provisioning URIs - Key Derivation — PBKDF2 and Argon2
- Padding — PKCS7, ISO 7816-4, ISO 10126, X9.23
- Data Encoding — Base64, hexadecimal, and Base32 (RFC 4648) encoding/decoding
Async, progress reporting & cancellation
Stream-based modules (Block Ciphers, Stream Ciphers, Hashing) are fully async and accept optional IProgress<int> and CancellationToken parameters for progress reporting and cooperative cancellation:
var cts = new CancellationTokenSource();
var progress = new Progress<int>(bytesProcessed =>
Console.WriteLine($"Processed {bytesProcessed} bytes"));
await service.EncryptAsync(input, output, parameters, progress, cts.Token);
Progress reports per-chunk byte deltas (not cumulative totals), making it straightforward to build progress bars for large-file processing.
Installation
dotnet add package Enigma.Cryptography
Supported target frameworks: netstandard2.0, net8.0, and net10.0. Built on BouncyCastle.Cryptography 2.6.2.
Desktop application (GUI)
The repository also ships Enigma.Cryptography.Desktop, an Avalonia desktop app that
exercises the whole library through one page per module — a hands-on way to try every algorithm without writing code. It
uses the library directly via a project reference (dogfooding), so it always tracks the in-development API.
Run it from the repository root:
dotnet run --project src/Enigma.Cryptography.Desktop
Pages:
- Block Cipher / Stream Cipher — symmetric encryption/decryption with file-or-text I/O, progress and cancel.
- Hash / HMAC — digests and keyed digests over text or files.
- KDF — PBKDF2 and Argon2 key derivation.
- Data Encoding — Base64, Hex and Base32 encode/decode.
- Random Bytes — cryptographically secure random generation.
- Padding — PKCS7, ISO 7816-4, ISO 10126 and X9.23 pad/unpad.
- Stream Tools — build and inspect length-value / tag-length-value containers.
- OTP — HOTP/TOTP generation and verification plus
otpauth://provisioning URIs. - Keys / RSA — RSA key management (PEM) and encrypt/decrypt/sign/verify.
- Post-Quantum — ML-DSA signatures and ML-KEM key encapsulation.
- X.509 — self-signed certificates, CSR create/verify, certificate issuance, chain validation, inspection, and PEM/DER/PFX round-trips.
Command-line application (CLI)
The repository also ships Enigma.Cryptography.Cli, a cross-platform command-line tool (assembly/executable name
enigma-crypto) that exposes every library module as a scriptable subcommand. Like the desktop app it references
the library directly (no shared layer), so it doubles as a direct-usage reference.
Run it from the repository root:
dotnet run --project src/Enigma.Cryptography.Cli -- --help
Commands accept input from an --in file, inline --text/--value arguments, or standard input, and write results as
raw bytes (--out) or encoded text on stdout; diagnostics and progress go to standard error, and processes return
scriptable exit codes (0 success, 1 cryptographic failure, 2 usage/I/O error, 130 cancelled). Command groups:
block, stream, hash, hmac, kdf, encode/decode, pad/unpad, container, rand, hotp/totp/otp,
rsa, mldsa/mlkem, and cert.
# Hash stdin, generate an RSA key pair, and run a full X.509 PKI flow
echo -n abc | dotnet run --project src/Enigma.Cryptography.Cli -- hash --algo sha256
dotnet run --project src/Enigma.Cryptography.Cli -- cert self-signed --subject "CN=Example CA, O=Acme" --out ca.pem --key-out ca.key
See src/Enigma.Cryptography.Cli/README.md for the full command
reference — per-command option and exit-code tables, examples, and self-contained publish commands.
Block ciphers
Supported algorithms
| Cipher Name | Block Size (bits) | Supported Key Size(s) (bits) | Notes |
|---|---|---|---|
| AES | 128 | 128, 192, 256 | Current global standard. Recommended for new applications. |
| DES | 64 | 56 (effective) | Insecure. Broken due to small key size. Do not use. |
| 3DES (TripleDES) | 64 | 112, 168 (effective) | Slow, small block size. Largely superseded by AES. Use with caution. |
| Blowfish | 64 | 32 - 448 (variable) | Older cipher, 64-bit block size can be problematic (Sweet32). |
| Twofish | 128 | 128, 192, 256 | AES finalist. Strong, but less widely adopted than AES. |
| Serpent | 128 | 128, 192, 256 | AES finalist. Known for conservative security margin, slower in software. |
| Camellia | 128 | 128, 192, 256 | ISO/NESSIE/CRYPTREC standard. Similar performance/security to AES. |
| CAST-128 (CAST5) | 64 | 40 - 128 (variable) | Used in older PGP/GPG. 64-bit block size limitation. |
| IDEA | 64 | 128 | Used in older PGP. Patented until ~2012. 64-bit block size limit. |
| SEED | 128 | 128 | South Korean standard. |
| ARIA | 128 | 128, 192, 256 | South Korean standard, successor to SEED. |
| SM4 | 128 | 128 | Chinese national standard. |
Classes
BlockCipherService— Service for encryption/decryption with block ciphersBlockCipherServiceFactory—IBlockCipherServicefactoryBlockCipherEngineFactory—IBlockCipherfactoryBlockCipherPaddingFactory—IBlockCipherPaddingfactoryBlockCipherParametersFactory—ICipherParametersfactory
Usage
Create a block cipher service with an algorithm string:
var service = new BlockCipherService("AES/CBC/PKCS7Padding");
// or without padding:
var service = new BlockCipherService("AES/CBC/NoPadding");
Create a block cipher service with factories:
var engineFactory = new BlockCipherEngineFactory();
var paddingFactory = new BlockCipherPaddingFactory();
// With padding
var service = new BlockCipherServiceFactory().CreateCbcService(engineFactory.CreateAesEngine, paddingFactory.CreatePkcs7Padding);
// Without padding
var service = new BlockCipherServiceFactory().CreateCbcService(engineFactory.CreateAesEngine);
AES-256 GCM example
var service = new BlockCipherService("AES/GCM");
var key = RandomUtils.GenerateRandomBytes(32);
var nonce = RandomUtils.GenerateRandomBytes(12);
var parameters = new BlockCipherParametersFactory().CreateGcmParameters(key, nonce, "associated data".GetUtf8Bytes());
var data = "This is a secret message !".GetUtf8Bytes();
// Encrypt
using var inputEnc = new MemoryStream(data);
using var outputEnc = new MemoryStream();
await service.EncryptAsync(inputEnc, outputEnc, parameters);
var encrypted = outputEnc.ToArray();
// Decrypt
using var inputDec = new MemoryStream(encrypted);
using var outputDec = new MemoryStream();
await service.DecryptAsync(inputDec, outputDec, parameters);
var decrypted = outputDec.ToArray();
AES-256 CBC example
var service = new BlockCipherService("AES/CBC/PKCS7Padding");
var key = RandomUtils.GenerateRandomBytes(32);
var iv = RandomUtils.GenerateRandomBytes(16);
var parameters = new BlockCipherParametersFactory().CreateCbcParameters(key, iv);
var data = "This is a secret message !".GetUtf8Bytes();
// Encrypt
using var inputEnc = new MemoryStream(data);
using var outputEnc = new MemoryStream();
await service.EncryptAsync(inputEnc, outputEnc, parameters);
var encrypted = outputEnc.ToArray();
// Decrypt
using var inputDec = new MemoryStream(encrypted);
using var outputDec = new MemoryStream();
await service.DecryptAsync(inputDec, outputDec, parameters);
var decrypted = outputDec.ToArray();
Stream ciphers
Supported algorithms
| Cipher Name | Key Size (bits) | Nonce Size (bits) | Notes |
|---|---|---|---|
| ChaCha20 | 256 | 64 | High-performance software cipher. |
| ChaCha20-RFC7539 | 256 | 96 | IETF variant of ChaCha20 (RFC 7539 / RFC 8439). |
| Salsa20 | 128, 256 | 64 | Predecessor to ChaCha20. |
Classes
StreamCipherService— Service for encryption/decryption with stream ciphersStreamCipherServiceFactory—IStreamCipherServicefactory
ChaCha20-RFC7539 example
var service = new StreamCipherServiceFactory().CreateChaCha7539Service();
var key = RandomUtils.GenerateRandomBytes(32);
var nonce = RandomUtils.GenerateRandomBytes(12);
var data = "This is a secret message !".GetUtf8Bytes();
// Encrypt
using var inputEnc = new MemoryStream(data);
using var outputEnc = new MemoryStream();
await service.EncryptAsync(inputEnc, outputEnc, key, nonce);
var encrypted = outputEnc.ToArray();
// Decrypt
using var inputDec = new MemoryStream(encrypted);
using var outputDec = new MemoryStream();
await service.DecryptAsync(inputDec, outputDec, key, nonce);
var decrypted = outputDec.ToArray();
Public-key cryptography
Classes
PublicKeyService— Service for public-key encryption/decryption and signing/verifyingPublicKeyServiceFactory—IPublicKeyServicefactory
RSA example
var service = new PublicKeyServiceFactory().CreateRsaService();
// Generate a 4096-bit key pair
var keyPair = service.GenerateKeyPair(4096);
var data = "This is a secret message".GetUtf8Bytes();
// Encrypt/decrypt with PKCS#1 v1.5 (the service created above)
var enc = service.Encrypt(data, keyPair.Public);
var dec = service.Decrypt(enc, keyPair.Private);
// For new applications, prefer OAEP (SHA-256 by default) over PKCS#1 v1.5:
var oaep = new PublicKeyServiceFactory().CreateRsaOaepService(); // or CreateRsaOaepService(RsaOaepHash.Sha512)
var encOaep = oaep.Encrypt(data, keyPair.Public);
var decOaep = oaep.Decrypt(encOaep, keyPair.Private);
// Sign/verify
var signature = service.Sign(data, keyPair.Private);
var verified = service.Verify(data, signature, keyPair.Public);
// Save public key in PEM format
using var publicOutput = new MemoryStream();
PemUtils.SaveKey(keyPair.Public, publicOutput);
// Save and encrypt private key in PEM format
using var privateOutput = new MemoryStream();
PemUtils.SavePrivateKey(keyPair.Private, privateOutput, "yourpassword", algorithm: "AES-256-CBC");
// Load public key from PEM
using var publicInput = new MemoryStream(publicOutput.ToArray());
var publicKey = PemUtils.LoadKey(publicInput);
// Load and decrypt private key from PEM
using var privateInput = new MemoryStream(privateOutput.ToArray());
var privateKey = PemUtils.LoadPrivateKey(privateInput, "yourpassword");
Post-Quantum Cryptography (PQC)
Classes
MLDsaService— Module-Lattice-Based digital signature algorithm (ML-DSA / CRYSTALS-Dilithium)MLDsaServiceFactory—IMLDsaServicefactoryMLKemService— Module-Lattice-Based key-encapsulation mechanism (ML-KEM / CRYSTALS-Kyber)MLKemServiceFactory—IMLKemServicefactory
ML-DSA example
var service = new MLDsaServiceFactory().CreateDsa65Service(); // deterministic: false (default)
var keyPair = service.GenerateKeyPair();
var data = "Data to sign".GetUtf8Bytes();
// Sign/verify
var signature = service.Sign(data, keyPair.Private);
var verified = service.Verify(data, signature, keyPair.Public);
// Save public key in PEM format
using var publicOutput = new MemoryStream();
PemUtils.SaveKey(keyPair.Public, publicOutput);
// Save and encrypt private key in PEM format
using var privateOutput = new MemoryStream();
PemUtils.SavePrivateKey(keyPair.Private, privateOutput, "yourpassword", algorithm: "AES-256-CBC");
// Load public key from PEM
using var publicInput = new MemoryStream(publicOutput.ToArray());
var publicKey = PemUtils.LoadKey(publicInput);
// Load and decrypt private key from PEM
using var privateInput = new MemoryStream(privateOutput.ToArray());
var privateKey = PemUtils.LoadPrivateKey(privateInput, "yourpassword");
ML-KEM example
var service = new MLKemServiceFactory().CreateKem1024Service();
var keyPair = service.GenerateKeyPair();
// Encapsulate a shared secret
var (encapsulation, secret) = service.Encapsulate(keyPair.Public);
// Decapsulate the shared secret
var secretDec = service.Decapsulate(encapsulation, keyPair.Private);
// Save public key in PEM format
using var publicOutput = new MemoryStream();
PemUtils.SaveKey(keyPair.Public, publicOutput);
// Save and encrypt private key in PEM format
using var privateOutput = new MemoryStream();
PemUtils.SavePrivateKey(keyPair.Private, privateOutput, "yourpassword", algorithm: "AES-256-CBC");
// Load public key from PEM
using var publicInput = new MemoryStream(publicOutput.ToArray());
var publicKey = PemUtils.LoadKey(publicInput);
// Load and decrypt private key from PEM
using var privateInput = new MemoryStream(privateOutput.ToArray());
var privateKey = PemUtils.LoadPrivateKey(privateInput, "yourpassword");
X.509 Certificates
Classes
X509CertificateService— Service for certificate generation, CSR creation, certificate issuance, and chain validationX509CertificateServiceFactory—IX509CertificateServicefactoryX509Utils— Static utilities for loading, saving, and inspecting certificates (PEM, DER, PFX)CertificateInfo— Read-only certificate information (subject, issuer, validity, extensions, etc.)
Self-signed certificate example
var certService = new X509CertificateServiceFactory().CreateX509CertificateService();
var rsaService = new PublicKeyServiceFactory().CreateRsaService();
// Generate RSA key pair and self-signed certificate
var keyPair = rsaService.GenerateKeyPair(2048);
var cert = certService.GenerateSelfSignedCertificate(
keyPair,
new X509Name("CN=example.com,O=MyOrg"),
DateTime.UtcNow.AddDays(-1),
DateTime.UtcNow.AddYears(1),
keyUsage: KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment,
basicConstraintsCa: false,
subjectAlternativeNames: new GeneralNames(new GeneralName(GeneralName.DnsName, "example.com")));
// Save certificate to PEM
using var pemOutput = new MemoryStream();
X509Utils.SaveCertificateToPem(cert, pemOutput);
// Load certificate from PEM
using var pemInput = new MemoryStream(pemOutput.ToArray());
var loaded = X509Utils.LoadCertificateFromPem(pemInput);
// Save/load certificate in DER format
var derBytes = X509Utils.SaveCertificate(cert);
var fromDer = X509Utils.LoadCertificate(derBytes);
// Export to PFX (certificate + private key)
var pfxData = X509Utils.ExportToPfx("mycert", cert, keyPair.Private, "password");
// Import from PFX
var (pfxCert, pfxKey) = X509Utils.LoadFromPfx(pfxData, "password");
// Inspect certificate
var info = X509Utils.GetCertificateInfo(cert);
Console.WriteLine($"Subject: {info.Subject}");
Console.WriteLine($"Valid: {info.NotBefore} - {info.NotAfter}");
Console.WriteLine($"Is CA: {info.IsCa}");
CSR and certificate issuance example
var certService = new X509CertificateServiceFactory().CreateX509CertificateService();
var rsaService = new PublicKeyServiceFactory().CreateRsaService();
// Create a CA
var caKeyPair = rsaService.GenerateKeyPair(2048);
var caCert = certService.GenerateSelfSignedCertificate(
caKeyPair,
new X509Name("CN=My CA"),
DateTime.UtcNow.AddDays(-1),
DateTime.UtcNow.AddYears(10),
keyUsage: KeyUsage.KeyCertSign | KeyUsage.CrlSign,
basicConstraintsCa: true);
// Generate a CSR for a leaf certificate
var leafKeyPair = rsaService.GenerateKeyPair(2048);
var csr = certService.GenerateCsr(leafKeyPair, new X509Name("CN=leaf.example.com"));
// Issue the certificate from the CSR
var leafCert = certService.IssueCertificate(
csr, caKeyPair, new X509Name("CN=My CA"),
DateTime.UtcNow.AddDays(-1),
DateTime.UtcNow.AddYears(1),
keyUsage: KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment,
basicConstraintsCa: false);
// Validate the chain (signature, trust anchor, path, and validity period).
// Revocation is NOT checked by default; pass CRLs to enable it:
// certService.ValidateChain(leafCert, new[] { caCert }, crls);
var isValid = certService.ValidateChain(leafCert, new[] { caCert });
Hashing
Supported algorithms
| Algorithm | Output Size (bits) | Notes |
|---|---|---|
| MD5 | 128 | Broken. For checksums only, not security use. |
| SHA-1 | 160 | Deprecated for security use. |
| SHA-256 | 256 | Widely used. Recommended for most use cases. |
| SHA-512 | 512 | Stronger variant of SHA-2. |
| SHA-3 | 224, 256, 384, 512 | Latest NIST standard. Keccak-based. |
Classes
HashService— Hash serviceHashServiceFactory—IHashServicefactory
Usage
var data = "Data to hash".GetUtf8Bytes();
var service = new HashServiceFactory().CreateSha3Service();
using var input = new MemoryStream(data);
var hash = await service.HashAsync(input);
HMAC
Supported algorithms
| Algorithm | Output Size (bits) |
|---|---|
| HMAC-SHA1 | 160 |
| HMAC-SHA256 | 256 |
| HMAC-SHA512 | 512 |
Classes
HmacService— HMAC computation service (synchronousbyte[]and async streaming)HmacServiceFactory—IHmacServicefactory
Usage
var key = "shared-secret".GetUtf8Bytes();
var service = new HmacServiceFactory().CreateHmacSha256Service(key);
// Byte array
var mac = service.ComputeHmac("message".GetUtf8Bytes());
// Streaming
using var input = new MemoryStream("message".GetUtf8Bytes());
var macFromStream = await service.ComputeHmacAsync(input);
// The key is caller-owned; clear it when no longer needed
Array.Clear(key, 0, key.Length);
One-Time Passwords (HOTP / TOTP)
Counter-based (HOTP, RFC 4226) and time-based (TOTP, RFC 6238) one-time passwords, plus otpauth://
provisioning URIs for enrolling authenticator apps. QR-code image generation is out of scope.
Classes
HotpService/HotpServiceFactory— HOTP (RFC 4226), counter-basedTotpService/TotpServiceFactory— TOTP (RFC 6238), time-basedOtpProvisioning— Static helpers: secret generation, otpauth URI build/parseOtpAuthParameters— Parsed otpauth URI parametersOtpHashAlgorithm— HMAC algorithm selector (Sha1,Sha256,Sha512)
TOTP example
var hotpFactory = new HotpServiceFactory(new HmacServiceFactory());
// Enroll: generate a secret and build a provisioning URI for the authenticator app
var secret = OtpProvisioning.GenerateSecret();
var uri = OtpProvisioning.BuildUri("Example", "alice@example.com", secret);
// otpauth://totp/Example:alice%40example.com?secret=...&issuer=Example&algorithm=SHA1&digits=6&period=30
// Generate and verify codes
var totp = new TotpServiceFactory(hotpFactory).CreateTotpService(secret);
var code = totp.Generate();
var isValid = totp.Verify(code); // default drift window of ±1 time step
// Reject replays using the matched time step
if (totp.Verify(code, window: 1, out var matchedStep))
{
// accept only if matchedStep is greater than the last accepted step, then store it
}
// Seconds remaining before the current code rolls over
var remaining = totp.GetRemainingSeconds();
// The secret is caller-owned; clear it when no longer needed
Array.Clear(secret, 0, secret.Length);
HOTP example
var secret = OtpProvisioning.GenerateSecret();
var service = new HotpServiceFactory(new HmacServiceFactory()).CreateHotpService(secret);
var code = service.Generate(counter: 0);
var isValid = service.Verify(code, counter: 0, window: 1);
Key Derivation (KDF)
Classes
Pbkdf2Service— PBKDF2 key derivation servicePbkdf2ServiceFactory—IPbkdf2ServicefactoryArgon2Service— Argon2 password-based key derivation serviceArgon2ServiceFactory—IArgon2Servicefactory
PBKDF2 example
var service = new Pbkdf2Service();
var salt = "5775ada0513d7d7d7316de8d72d1f4d2".FromHexString();
// Derive a 32-byte key from a password and salt
var key = service.GenerateKey(size: 32, password: "yourpassword", salt);
// Select the PRF (HMAC digest); defaults to HMAC-SHA-1 for compatibility,
// HMAC-SHA-256 or stronger is recommended for new use.
var key256 = service.GenerateKey(size: 32, password: "yourpassword", salt, prf: Pbkdf2Prf.HmacSha256);
Argon2 example
var service = new Argon2Service();
var passwordData = "yourpassword".GetUtf8Bytes();
var salt = RandomUtils.GenerateRandomBytes(16);
// Derive a 32-byte key from a password and salt
var key = service.GenerateKey(32, passwordData, salt);
// The caller is responsible for clearing sensitive input when done
Array.Clear(passwordData, 0, passwordData.Length);
Padding
Supported schemes
| Scheme | Standard | Notes |
|---|---|---|
| PKCS7 | RFC 5652 | Most widely used padding scheme. |
| ISO 7816-4 | ISO/IEC 7816-4 | Used in smart card applications. |
| ISO 10126 | ISO/IEC 10126 | Pads with random bytes; the final byte holds the pad length. Withdrawn/legacy. |
| X9.23 | ANSI X9.23 | Pads with zero bytes; the final byte holds the pad length. |
Classes
NoPaddingService— No-op padding servicePaddingService— Padding servicePaddingServiceFactory—IPaddingServicefactory
Usage
var data = "Data to pad".GetUtf8Bytes();
var service = new PaddingServiceFactory().CreatePkcs7Service();
// Pad/unpad with a 16-byte block size
var padded = service.Pad(data, blockSize: 16);
var unpadded = service.Unpad(padded, blockSize: 16);
Data encoding
Classes
Base64Service— Base64 encoding/decoding serviceHexService— Hexadecimal encoding/decoding serviceBase32Service— Base32 (RFC 4648) encoding/decoding service (paddedEncode;Decodetolerant of case, whitespace, and missing padding)
Usage
var data = "This is some data".GetUtf8Bytes();
// Hex encoding
var hex = new HexService();
var hexEncoded = hex.Encode(data);
var hexDecoded = hex.Decode(hexEncoded);
// Base64 encoding
var base64 = new Base64Service();
var base64Encoded = base64.Encode(data);
var base64Decoded = base64.Decode(base64Encoded);
// Base32 encoding
var base32 = new Base32Service();
var base32Encoded = base32.Encode(data);
var base32Decoded = base32.Decode(base32Encoded);
With extension methods:
var data = "This is some data".GetUtf8Bytes();
var hexEncoded = data.ToHexString();
var hexDecoded = hexEncoded.FromHexString();
var base64Encoded = data.ToBase64String();
var base64Decoded = base64Encoded.FromBase64String();
var base32Encoded = data.ToBase32String();
var base32Decoded = base32Encoded.FromBase32String();
Stream extensions
StreamExtensions (namespace Enigma.Cryptography.Extensions) adds typed read/write helpers to any
Stream, plus length-value (LV) and tag-length-value (TLV) framing for building and parsing binary
containers. Integers are written little-endian, every read fully populates its buffer (partial reads
are handled), and both synchronous and ...Async variants are provided.
- Typed values —
WriteBool/ReadBool,WriteShort/ReadShortandWriteUShort/ReadUShort,WriteInt/ReadIntandWriteUInt/ReadUInt,WriteLong/ReadLongandWriteULong/ReadULong,WriteFloat/ReadFloat,WriteDouble/ReadDouble. - Raw bytes —
WriteBytes(bytes)/ReadBytes(count), plus asyncWriteByteAsync/ReadByteAsync. - Length-Value —
WriteLengthValue(value)/ReadLengthValue(maxLength = 10 MB): writes a 4-byte length prefix followed by the bytes; the read guards against negative or oversized lengths. - Tag-Length-Value —
WriteTagLengthValue(tag, value)/ReadTagLengthValue(maxLength = 10 MB): aushorttag followed by a length-value block; the read returns a(ushort tag, byte[] value)tuple.
using var stream = new MemoryStream();
// Write a small container: a typed header value, then two tagged fields
stream.WriteInt(1); // e.g. a format version
stream.WriteTagLengthValue(1, "alice".GetUtf8Bytes());
stream.WriteTagLengthValue(2, RandomUtils.GenerateRandomBytes(16));
// Read it back
stream.Position = 0;
var version = stream.ReadInt(); // 1
var (tag1, value1) = stream.ReadTagLengthValue(); // (1, "alice")
var (tag2, value2) = stream.ReadTagLengthValue(); // (2, 16 random bytes)
Synchronous
Stream.WriteByte(byte)/ReadByte()are not provided as extensions — theSystem.IO.Streaminstance methods of those names take precedence. Use those built-ins, or the asyncWriteByteAsync/ReadByteAsync.
Utilities
The Enigma.Cryptography.Utils namespace holds stateless helpers used throughout the library:
RandomUtils—RandomUtils.GenerateRandomBytes(size)returns cryptographically secure random bytes from a thread-local BouncyCastleSecureRandom. Use it for keys, IVs/nonces, and salts (as in the cipher and KDF examples above).PemUtils— load/save PEM-encoded keys (see the Public-key and PQC examples).X509Utils— load/save/inspect X.509 certificates in PEM, DER, and PFX (see the X.509 examples).
// 32 bytes for an AES-256 key, 12 for a GCM nonce
var key = RandomUtils.GenerateRandomBytes(32);
var nonce = RandomUtils.GenerateRandomBytes(12);
Copyright (c) 2026 Josué Clément
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net5.0 was computed. net5.0-windows was computed. net6.0 was computed. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 was computed. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
| .NET Core | netcoreapp2.0 was computed. netcoreapp2.1 was computed. netcoreapp2.2 was computed. netcoreapp3.0 was computed. netcoreapp3.1 was computed. |
| .NET Standard | netstandard2.0 is compatible. netstandard2.1 was computed. |
| .NET Framework | net461 was computed. net462 was computed. net463 was computed. net47 was computed. net471 was computed. net472 was computed. net48 was computed. net481 was computed. |
| MonoAndroid | monoandroid was computed. |
| MonoMac | monomac was computed. |
| MonoTouch | monotouch was computed. |
| Tizen | tizen40 was computed. tizen60 was computed. |
| Xamarin.iOS | xamarinios was computed. |
| Xamarin.Mac | xamarinmac was computed. |
| Xamarin.TVOS | xamarintvos was computed. |
| Xamarin.WatchOS | xamarinwatchos was computed. |
-
.NETStandard 2.0
- BouncyCastle.Cryptography (>= 2.6.2)
- System.Buffers (>= 4.6.1)
-
net10.0
- BouncyCastle.Cryptography (>= 2.6.2)
-
net8.0
- BouncyCastle.Cryptography (>= 2.6.2)
NuGet packages (3)
Showing the top 3 NuGet packages that depend on Enigma.Cryptography:
| Package | Downloads |
|---|---|
|
Enigma.Cryptography.DataEncryption
Stream-based encryption and decryption services for .NET, built on Enigma.Cryptography. Supports password-based (PBKDF2, Argon2id), RSA hybrid, and post-quantum ML-KEM-1024 key exchange, combined with AES-256, Twofish-256, Serpent-256, and Camellia-256 in GCM mode. |
|
|
Enigma.LicenseManager
Software license management library for .NET with RSA and ML-DSA (post-quantum) signature support, device binding, wildcard product matching, and async persistence. |
|
|
Carbon.Avalonia.Desktop
A comprehensive Avalonia UI control library for .NET desktop applications. Includes navigation, docking, ribbon, editors, calendar/scheduling, and 2D display controls, along with a CollectionView data subsystem and dialog/overlay services. Built on Avalonia 11.3 with Fluent theme (Dark & Light variants), full MVVM support, and dependency injection integration. |
GitHub repositories
This package is not used by any popular GitHub repositories.
| Version | Downloads | Last Updated |
|---|---|---|
| 5.0.0 | 131 | 7/10/2026 |
| 4.4.0 | 94 | 7/10/2026 |
| 4.3.0 | 187 | 4/1/2026 |
| 4.2.1 | 216 | 3/15/2026 |
| 4.2.0 | 125 | 3/15/2026 |
| 4.1.0 | 121 | 3/9/2026 |
| 4.0.3 | 299 | 11/28/2025 |
| 4.0.2 | 238 | 10/30/2025 |
| 4.0.1 | 433 | 8/5/2025 |
| 4.0.0 | 231 | 7/4/2025 |
| 3.5.3 | 237 | 6/30/2025 |
| 3.5.2 | 304 | 4/25/2025 |
| 3.5.1 | 307 | 4/21/2025 |
| 3.5.0 | 269 | 4/20/2025 |
| 3.4.0 | 290 | 4/16/2025 |
| 3.3.0 | 203 | 4/11/2025 |
| 3.2.0 | 252 | 4/3/2025 |
| 3.1.1 | 237 | 3/30/2025 |
| 3.1.0 | 244 | 3/30/2025 |
v5.0.0 — major release with breaking changes. Highlights: RSA-OAEP encryption, selectable PBKDF2 PRF, X.509 CRL revocation checking, and net10.0 added to the target frameworks. Breaking: Argon2 int parameters replaced by enums, factory-method renames (Create*Service), EncodingExtensions now defaults to UTF-8 on every TFM, removed dead synchronous stream extensions, and sealed service/factory classes. See RELEASENOTES.md for the full migration guide.