From d433e242333a68bb87dbbc353a3161a6c7273c1b Mon Sep 17 00:00:00 2001
From: Luke Latham <1622880+guardrex@users.noreply.github.com>
Date: Tue, 19 Sep 2017 11:40:47 -0500
Subject: [PATCH] Link patch (#4328)

cc/ @blowdart
---
 .../security/data-protection/implementation/context-headers.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aspnetcore/security/data-protection/implementation/context-headers.md b/aspnetcore/security/data-protection/implementation/context-headers.md
index 2eea07488b..f009130c11 100644
--- a/aspnetcore/security/data-protection/implementation/context-headers.md
+++ b/aspnetcore/security/data-protection/implementation/context-headers.md
@@ -18,7 +18,7 @@ uid: security/data-protection/implementation/context-headers
 
 ## Background and theory
 
-In the data protection system, a "key" means an object that can provide authenticated encryption services. Each key is identified by a unique id (a GUID), and it carries with it algorithmic information and entropic material. It is intended that each key carry unique entropy, but the system cannot enforce that, and we also need to account for developers who might change the key ring manually by modifying the algorithmic information of an existing key in the key ring. To achieve our security requirements given these cases the data protection system has a concept of [cryptographic agility](https://www.microsoft.com/research/publication/cryptographic-agility-and-its-relation-to-circular-encryption/?from=http%3A%2F%2Fresearch.microsoft.com%2Fapps%2Fpubs%2Fdefault.aspx%3Fid%3D121045), which allows securely using a single entropic value across multiple cryptographic algorithms.
+In the data protection system, a "key" means an object that can provide authenticated encryption services. Each key is identified by a unique id (a GUID), and it carries with it algorithmic information and entropic material. It is intended that each key carry unique entropy, but the system cannot enforce that, and we also need to account for developers who might change the key ring manually by modifying the algorithmic information of an existing key in the key ring. To achieve our security requirements given these cases the data protection system has a concept of [cryptographic agility](https://www.microsoft.com/en-us/research/publication/cryptographic-agility-and-its-relation-to-circular-encryption/), which allows securely using a single entropic value across multiple cryptographic algorithms.
 
 Most systems which support cryptographic agility do so by including some identifying information about the algorithm inside the payload. The algorithm's OID is generally a good candidate for this. However, one problem that we ran into is that there are multiple ways to specify the same algorithm: "AES" (CNG) and the managed Aes, AesManaged, AesCryptoServiceProvider, AesCng, and RijndaelManaged (given specific parameters) classes are all actually the same thing, and we'd need to maintain a mapping of all of these to the correct OID. If a developer wanted to provide a custom algorithm (or even another implementation of AES!), they'd have to tell us its OID. This extra registration step makes system configuration particularly painful.