Why is obsolete Rijndael used instead of AES? Can a proper AES codeunit be added for FIPS compliance?

[steveendow]

I am looking to implement symmetric encryption in Business Central SaaS. I see that a Rijndael codeunit is available:

https://github.com/microsoft/ALAppExtensions/blob/main/Modules/System/Cryptography%20Management/src/RijndaelCryptography.Codeunit.al

Is there a reason why Rijndael was implemented instead of the official AES standard?

Can an AES codeunit be added to Cryptography Management in BC SaaS?

While AES is based on the 1998 Rijndael submission, my understanding is that there are a few key differences between the two, and Rijndael is not a substitute for AES.

The differences that I'm aware of:

1. AES uses a fixed 128 bit block size (technical difference).

2. Rijndael is marked as obsolete in .NET, with a note that AES should be used instead.
   (see https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.rijndael?view=net-6.0)

3. Rijndael is not FIPS 140-2 compliant. This is a problem for customers following the FIPS 140-2 guidelines, as the use of Rijndael will be considered an issue during a security audit, and applications that use Rijndael will not be compliant. I've been through this process with a customer security audit and had to retrofit applications that referenced Rijndael instead of AES.
   (see https://docs.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation)

Due to the similarity of AES to Rijndael, creating a new AES code unit should not be too difficult.

If this is a possibility, please let me know where I can submit a request to add a AES codeunit.

[pri-kise]

@JesperSchulz maybe you can add the right person to this discussion.

[JesperSchulz]

Rijndael was implemented by a partner, who needed that. We do have an AES Crypto Service Provider in the Cryptography Management module as well it seems? Does that implementation not suffice? If not, you are more than welcome to add a PR to the module :-)