Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

User Guide
Release Notes

All

All

Advanced Topics

Advisory Notes and Best Practices

Please Note:

User Guide
Quick Start
Tasks
- Create an NAE Session
- Setting up SSL with CipherTrust Manager
- Add Multiple CipherTrust Manager Servers
- Key Operations
  - Creating a Key
  - Creating a New Version of the Versioned Key
  - Using a Versioned Key to Decrypt, SignV, and MACV
  - Getting an Instance of a Key Object
  - Alternative Method to Get an Instance of a Key Object
  - Deleting a Key using the Key Name
  - Exporting a Key
  - Exporting a Wrapped Key
  - Setting a Key Mode and Padding
  - Getting Attributes of a Key
  - Exporting Versioned Key
  - Fetching Key Version using ID
  - Fetching Key Names
- Generate and Verify MAC
- Encrypt a String Using an AES Key
- Decrypt a String Using an AES Key
- Encrypt a String Using an RSA Key
- Decrypt a String Using an RSA Key
- Encrypting/Decrypting a File
- Sign and SignVerify Data using an EC Key
- Sign and SignVerify Data using an RSA Key
- Enable Connection Pooling
- Enable Symmetric Key Caching
- Enable Asymmetric Key Caching
- Set Logging Parameters
- Change the Default Value of Connection Timeout
- Setting Transaction ID in Logs
- Logging to Syslog Server
- Refresh Cached Keys
- CryptoHeader Module
- AES/GCM Interoperability
- Upgrade from PA/CAP to CADP
- Migrate from KeySecureHeaderModule to CryptoHeaderModule
Advanced Topics
- Configuration
  - Network Configuration Parameters
  - Connection Configuration Parameters
  - Caching Parameters
  - Logging Parameters
  - Syslog Advanced Configuration Parameters
  - SSL Configuration Parameters
  - Miscellaneous Configuration Parameters
- Connection Pooling
- Load Balancing Group
- Multi-tier Load Balancing Group
- Symmetric/Asymmetric Key Caching
- Persistent Key Caching
- Supported Services & Operations
- Supported Algorithms
- NAE Supported Functions
  - Supporting Calls
  - Connection Calls
  - Key-related Calls
  - MAC/Hash-related Calls
  - Security Considerations
- Format Preserving Encryption
- FPE/AES/Unicode Cardinality Block-Size Table
- API Definitions
- Key Permissions on Groups
- CryptoDataUtility
- Error Messages
- Advisory Notes and Best Practices
Troubleshooting

CADP for .NET Core
User Guide
Advanced Topics
Advisory Notes and Best Practices

Advisory Notes and Best Practices

This page lists some constraints, requirements and best practices with respect to security to be followed when using CADP for .Net Core.

Single DES and two-key Triple DES should not be used unless the EMV standard requires it.
SHA-1 shall not be used to hash a message for signature purpose.
When using block ciphers, CBC mode is preferable to ECB when data exceeds the block size. More specifically: when using block ciphers , you should always use these ciphers in CBC mode, unless you have a compelling reason to use ECB mode.
For RSA encryption, the Optimal Asymmetric Encryption Padding (OAEP) should be used.
IV should not be re-used.
Use cipher suites with strong key exchange for SSL communication.
It is recommended to avoid using cipher algorithms RSA for Key Exchange, CBC mode, SHA1 in TLSv1.2 protocol while communicating with Key Manager.
It is recommended to use only trusted Third party signed certificates for TLS channel.
For AES-GCM algorithm, same combination of nonce (IV) and key must not be reused during encryption/decryption operations.

On this page

CADP for .NET Core

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Support Contacts
- Text Conventions
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com