Security on Strathweb. A free flowing tech monologue.

Introducing AgentGuard - declarative guardrails for .NET AI agents

Tue, 24 Mar 2026 07:00:00 +0000

As AI agents become more common in .NET applications, the question of how to keep them safe and well-behaved keeps coming up. Prompt injection, PII leakage, topic drift, tool call abuse - these are all problems that every team building with agents ends up having to deal with, often by hand-rolling ad-hoc checks. Python developers have had libraries like NeMo Guardrails and Guardrails AI to help with this for a while now, but the .NET side has been largely left to fend for itself.

Today I would like to introduce AgentGuard, a library I have been working on to fill that gap - composable, declarative guardrails and safety controls for .NET AI agents.

Pure Post Quantum Cryptography TLS with ASP.NET Core

Mon, 02 Mar 2026 07:06:14 +0000

Over the last few years, I have dedicated a lot of space on this blog to the topic of Post-Quantum Cryptography (PQC). Today, we will peek into the TLS 1.3 handshake.

While hybrid mode TLS is the pragmatic choice for today’s internet, understanding how to construct a fully quantum-safe connection is critical for preparing for the deprecation of classical algorithms.

In this post, we are going to explore a “pure” PQC TLS stack: Post-Quantum Key Exchange, with Post-Quantum Authentication. We will configure an ASP.NET Core application running on Linux to use ML-DSA-65 for authentication and ML-KEM-768 for key exchange.

(Maybe) LibOQS.NET 0.3.0: with liboqs 0.15.0, full suite of algorithms and other new features

Fri, 23 Jan 2026 07:30:00 +0000

Following the initial introduction of (Maybe) LibOQS.NET a few months ago, the post-quantum cryptography landscape has continued to move rapidly. To keep pace with these developments, the library has undergone significant updates to provide broader algorithm support and deeper integration with the underlying native tooling.

Today marks the release of version 0.3.0, a major milestone that brings the wrapper up to date with liboqs 0.15.0. This release is more than just a version bump; it exposes pretty much all of the liboqs algorithms to .NET developers and adds support for signature context strings, as well as the ability to perform deterministic (derandomized) KEM operations.

Introducing (Maybe) LibOQS.NET - a post quantum cryptography library for .NET

Tue, 23 Sep 2025 07:06:14 +0000

Over recent years I have been involved in the post-quantum cryptography community, especially from the .NET angle - trying to streamline integration of PQC into .NET space and raise the awareness of developers via various projects, samples and articles.

In this spirit, I would like to announce today a library called (Maybe) LibOQS.NET, which is a thin wrapper around liboqs, a C library providing implementations for all post-quantum cryptography algorithms. This includes both the standardized ones, like ML-KEM, ML-DSA and SLH-DSA, as well as the ones currently undergoing standarization and under active research and development.

ML-KEM and ML-DSA Post-Quantum Cryptography in Windows

Thu, 28 Aug 2025 07:06:14 +0000

Following up on my recent posts about ML-KEM and ML-DSA post-quantum cryptography in .NET using BouncyCastle.NET, I wanted to share an interesting development on the Windows side. Microsoft has recently announced post-quantum cryptography support in Windows through their Cryptography API: Next Generation (CNG) libraries.

This development provides an alternative to third-party libraries for quantum-resistant cryptography on Windows systems. The implementation offers direct OS integration and follows standard .NET patterns for cryptographic operations.

ML-KEM and ML-DSA Post-Quantum Cryptography in .NET

Fri, 14 Feb 2025 07:06:14 +0000

Some time ago, I wrote a post about post-quantum cryptography in .NET, where I introduced the concept of post-quantum cryptography and discussed the early BouncyCastle.NET implementation of Kyber and Dilithium. Today I would like to revisit this post, as both of these algorithms have been officially standardized as ML-KEM and ML-DSA.

Building a chat app with Blazor WASM, SignalR and post-quantum end-to-end encryption

Fri, 30 Aug 2024 07:06:14 +0000

I previously blogged about post-quantum cryptography on this blog a few times. Among other things, I released a set of helper libraries for working with Dilithium in .NET and Duende Identity Server, as well as shared some general samples on post-quantum cryptography in .NET.

Earlier this month, in a big milestone, NIST released the first 3 finalized Post-Quantum encryption standards. I thought it might be nice to celebrate this by building a simple chat application with Blazor WASM and SignalR, that uses post-quantum cryptography for end-to-end encryption.

Strathweb.Dilithium for Duende Identity Server now supports automatic key management

Fri, 23 Aug 2024 07:06:14 +0000

Earlier this week, I released version 0.2.0 of my post-quantum cryptography helper library .NET, Strathweb.Dilithium, which introduces a new feature - automatic key management support in Duende Identity Server. This feature plugs into the automatic key management capabilities of Duende Identity Server, and allows you to automatically generate and manage Dilithium keys for token signing purposes, without having to manually handle the key generation and rotation.

Announcing Strathweb.Dilithium - a set of ASP.NET helper libraries for post quantum cryptography

Tue, 22 Aug 2023 18:00:14 +0000

Earlier this year I blogged about post-quantum cryptography in .NET using Dilithium and Kyber. This was then followed by another post, which showed how Dilithium can be wired into a popular .NET Identity Server, Duende Identity Server, for token signing purposes.

Today I would like to announce Strathweb.Dilithium, a set of .NET helper libraries to facilitate working with Dilithium in ASP.NET Core projects.

Post-quantum token signing with Dilithium using Duende Identity Server

Fri, 24 Mar 2023 11:06:14 +0000

On March 12th, a new IETF draft JOSE and COSE Encoding for Dilithium was published. It describes JSON serializations for CRYSTALS-Dilithium, a post-quantum cryptography suite. This in turn allows using post-quantum cryptography for tasks like signing JSON Web Tokens in a standardized fashion.

I previously blogged about using CRYSTALS-Dilithium from .NET applications, so in this post let’s see how we can apply this new draft to one of the most popular .NET OpenID Connect / OAuth 2.0 servers, Duende Identity Server

Beware of the default ASP.NET Core Identity settings

Thu, 02 Mar 2023 11:06:14 +0000

The other day I was involved in setting up a new project based on ASP.NET Core Identity, when I noticed something related to the default configuration that I thought would be worth sharing here.

Of course, while in general it is not great to rely on default settings of any product (especially when it is the security backbone of your application!) one also expects sensible defaults to be provided.

Let’s have a look.

Post quantum cryptography in .NET

Tue, 21 Feb 2023 11:06:14 +0000

I have written extensively about quantum computing on this blog before. Quantum computing has the potential to break many of the cryptographic systems that we use today. Shor’s algorithm, for example, can efficiently factor large numbers, which would make widely-used asymmetric cryptography schemes such as RSA and elliptic curves insecure.

In this post, we’ll explore how to use post-quantum cryptography from a C# program, using CRYSTALS-Kyber and CRYSTALS-Dilithium as examples.

Initiating User Registration via OpenID Connect with Duende Identity Server

Wed, 28 Sep 2022 12:39:30 +0000

There is a new proposal for an extension to OpenID Connect Authentication Framework, called Initiating User Registration via OpenID Connect. It went into public review just last week, which is expected to close later this year.

This very useful extension defines how a client application can indicate to the OpenID Provider that a new user account should be created, rather than triggering the typical login procedure.

In this post we will look at how to support it with Duende Identity Server.

Self-issuing an IdentityServer4 token in an IdentityServer4 service

Tue, 10 Oct 2017 15:00:29 +0000

When building logic around the IdentityServer4 extensibility points, it is sometimes necessary to dynamically issue a token, with which your code can then call some external endpoints or dependencies.

Turns out that rather than round-tripping back to same IdentityServer4 instance over the network to get that token, there is a more efficient and quicker way to do it. Let’s have a look.