diff --git a/DataProtection.sln b/DataProtection.sln index a516327b4a..3437c905a7 100644 --- a/DataProtection.sln +++ b/DataProtection.sln @@ -1,7 +1,7 @@  Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 14 -VisualStudioVersion = 14.0.22115.0 +VisualStudioVersion = 14.0.22609.0 MinimumVisualStudioVersion = 10.0.40219.1 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{5FCB2DA3-5395-47F5-BCEE-E0EA319448EA}" EndProject 
@@ -15,20 +15,68 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "test", "test", "{60336AB3-9 EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Security.DataProtection.Test", "test\Microsoft.AspNet.Security.DataProtection.Test\Microsoft.AspNet.Security.DataProtection.Test.kproj", "{7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}" EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.Internal", "src\Microsoft.AspNet.Cryptography.Internal\Microsoft.AspNet.Cryptography.Internal.kproj", "{E2779976-A28C-4365-A4BB-4AD854FAF23E}" +EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.KeyDerivation", "src\Microsoft.AspNet.Cryptography.KeyDerivation\Microsoft.AspNet.Cryptography.KeyDerivation.kproj", "{421F0383-34B1-402D-807B-A94542513ABA}" +EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.KeyDerivation.Test", "test\Microsoft.AspNet.Cryptography.KeyDerivation.Test\Microsoft.AspNet.Cryptography.KeyDerivation.Test.kproj", "{42C97F52-8D56-46BD-A712-4F22BED157A7}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Any CPU = Debug|Any CPU Debug|x86 = Debug|x86 + Release|Any CPU = Release|Any CPU Release|x86 = Release|x86 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution + {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Debug|Any CPU.Build.0 = Debug|Any CPU {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Debug|x86.ActiveCfg = Debug|Any CPU + {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Release|Any CPU.ActiveCfg = Release|Any CPU + {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Release|Any CPU.Build.0 = Release|Any CPU {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Release|x86.ActiveCfg = Release|Any CPU + {DF3671D7-A9B1-45F1-A195-0AD596001735}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + 
{DF3671D7-A9B1-45F1-A195-0AD596001735}.Debug|Any CPU.Build.0 = Debug|Any CPU {DF3671D7-A9B1-45F1-A195-0AD596001735}.Debug|x86.ActiveCfg = Debug|Any CPU + {DF3671D7-A9B1-45F1-A195-0AD596001735}.Release|Any CPU.ActiveCfg = Release|Any CPU + {DF3671D7-A9B1-45F1-A195-0AD596001735}.Release|Any CPU.Build.0 = Release|Any CPU {DF3671D7-A9B1-45F1-A195-0AD596001735}.Release|x86.ActiveCfg = Release|Any CPU + {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Debug|Any CPU.Build.0 = Debug|Any CPU {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Debug|x86.ActiveCfg = Debug|Any CPU + {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Release|Any CPU.ActiveCfg = Release|Any CPU + {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Release|Any CPU.Build.0 = Release|Any CPU {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Release|x86.ActiveCfg = Release|Any CPU + {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Debug|Any CPU.Build.0 = Debug|Any CPU {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Debug|x86.ActiveCfg = Debug|Any CPU + {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Release|Any CPU.ActiveCfg = Release|Any CPU + {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Release|Any CPU.Build.0 = Release|Any CPU {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Release|x86.ActiveCfg = Release|Any CPU + {E2779976-A28C-4365-A4BB-4AD854FAF23E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {E2779976-A28C-4365-A4BB-4AD854FAF23E}.Debug|Any CPU.Build.0 = Debug|Any CPU + {E2779976-A28C-4365-A4BB-4AD854FAF23E}.Debug|x86.ActiveCfg = Debug|Any CPU + {E2779976-A28C-4365-A4BB-4AD854FAF23E}.Debug|x86.Build.0 = Debug|Any CPU + {E2779976-A28C-4365-A4BB-4AD854FAF23E}.Release|Any CPU.ActiveCfg = Release|Any CPU + {E2779976-A28C-4365-A4BB-4AD854FAF23E}.Release|Any CPU.Build.0 = Release|Any CPU + {E2779976-A28C-4365-A4BB-4AD854FAF23E}.Release|x86.ActiveCfg = Release|Any CPU + {E2779976-A28C-4365-A4BB-4AD854FAF23E}.Release|x86.Build.0 = Release|Any 
CPU + {421F0383-34B1-402D-807B-A94542513ABA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {421F0383-34B1-402D-807B-A94542513ABA}.Debug|Any CPU.Build.0 = Debug|Any CPU + {421F0383-34B1-402D-807B-A94542513ABA}.Debug|x86.ActiveCfg = Debug|Any CPU + {421F0383-34B1-402D-807B-A94542513ABA}.Debug|x86.Build.0 = Debug|Any CPU + {421F0383-34B1-402D-807B-A94542513ABA}.Release|Any CPU.ActiveCfg = Release|Any CPU + {421F0383-34B1-402D-807B-A94542513ABA}.Release|Any CPU.Build.0 = Release|Any CPU + {421F0383-34B1-402D-807B-A94542513ABA}.Release|x86.ActiveCfg = Release|Any CPU + {421F0383-34B1-402D-807B-A94542513ABA}.Release|x86.Build.0 = Release|Any CPU + {42C97F52-8D56-46BD-A712-4F22BED157A7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {42C97F52-8D56-46BD-A712-4F22BED157A7}.Debug|Any CPU.Build.0 = Debug|Any CPU + {42C97F52-8D56-46BD-A712-4F22BED157A7}.Debug|x86.ActiveCfg = Debug|Any CPU + {42C97F52-8D56-46BD-A712-4F22BED157A7}.Debug|x86.Build.0 = Debug|Any CPU + {42C97F52-8D56-46BD-A712-4F22BED157A7}.Release|Any CPU.ActiveCfg = Release|Any CPU + {42C97F52-8D56-46BD-A712-4F22BED157A7}.Release|Any CPU.Build.0 = Release|Any CPU + {42C97F52-8D56-46BD-A712-4F22BED157A7}.Release|x86.ActiveCfg = Release|Any CPU + {42C97F52-8D56-46BD-A712-4F22BED157A7}.Release|x86.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE @@ -38,5 +86,8 @@ Global {DF3671D7-A9B1-45F1-A195-0AD596001735} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {C2FD9D02-AA0E-45FA-8561-EE357A94B73D} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} + {E2779976-A28C-4365-A4BB-4AD854FAF23E} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} + {421F0383-34B1-402D-807B-A94542513ABA} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} + {42C97F52-8D56-46BD-A712-4F22BED157A7} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} EndGlobalSection EndGlobal 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs similarity index 96% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs index 5909ddd9f9..ec1d410922 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs @@ -4,7 +4,7 @@ using System; using System.Runtime.InteropServices; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { // http://msdn.microsoft.com/en-us/library/windows/desktop/cc562981(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs similarity index 95% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs index 1660bea5a4..31d7d468fc 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs @@ -4,8 +4,9 @@ using System; using System.Globalization; using System.Runtime.InteropServices; +using Microsoft.AspNet.Cryptography.Internal; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375525(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptBuffer.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBuffer.cs similarity index 91% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptBuffer.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBuffer.cs index 13d76f2f12..f7ce3c86e9 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptBuffer.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBuffer.cs @@ -4,7 +4,7 @@ using System; using System.Runtime.InteropServices; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375368(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptBufferDesc.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBufferDesc.cs similarity index 94% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptBufferDesc.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBufferDesc.cs index 477e9c4725..a23edac263 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptBufferDesc.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBufferDesc.cs @@ -5,7 +5,7 @@ using System; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375370(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptEncryptFlags.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptEncryptFlags.cs similarity index 84% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptEncryptFlags.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptEncryptFlags.cs index 9d46755dec..61cee2f864 100644 
--- a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptEncryptFlags.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptEncryptFlags.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { [Flags] internal enum BCryptEncryptFlags diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomFlags.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs similarity index 87% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomFlags.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs index 2fef69b319..f3cb337d48 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomFlags.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { // from bcrypt.h [Flags] diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptKeyDerivationBufferType.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs similarity index 93% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptKeyDerivationBufferType.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs index db47ba9b67..6fcf2cf9b5 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptKeyDerivationBufferType.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { // from bcrypt.h internal enum BCryptKeyDerivationBufferType 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptUtil.cs similarity index 94% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptUtil.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptUtil.cs index 5afd9e2512..3256965416 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptUtil.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptUtil.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { internal unsafe static class BCryptUtil { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/CachedAlgorithmHandles.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs similarity index 98% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/CachedAlgorithmHandles.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs index ba6f5df025..78a6bef2f5 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/CachedAlgorithmHandles.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs @@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { /// /// Provides cached CNG algorithm provider instances, as calling BCryptOpenAlgorithmProvider is expensive. 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/NCryptEncryptFlags.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/NCryptEncryptFlags.cs similarity index 89% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/NCryptEncryptFlags.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/NCryptEncryptFlags.cs index b45b21809b..5ddc695ab9 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/NCryptEncryptFlags.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/NCryptEncryptFlags.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { [Flags] internal enum NCryptEncryptFlags diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/OSVersionUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/OSVersionUtil.cs similarity index 87% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/OSVersionUtil.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/OSVersionUtil.cs index c42535428e..aace9f7b33 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/OSVersionUtil.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/OSVersionUtil.cs @@ -2,13 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Diagnostics; -using System.Runtime.CompilerServices; -using System.Runtime.InteropServices; -using System.Security.Cryptography; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { internal static class OSVersionUtil { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Constants.cs b/src/Microsoft.AspNet.Cryptography.Internal/Constants.cs similarity index 99% rename from src/Microsoft.AspNet.Security.DataProtection/Constants.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Constants.cs index 8d40b3b7f1..135ea56ec5 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Constants.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Constants.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Cryptography { // The majority of these are from bcrypt.h internal static class Constants diff --git a/src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs similarity index 92% rename from src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs rename to src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs index e71807fdee..1b2932789f 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs @@ -6,19 +6,15 @@ using System.Diagnostics; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; using System.Security.Cryptography; -using System.Text; #if !ASPNETCORE50 using System.Runtime.ConstrainedExecution; #endif -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Cryptography { internal unsafe static class CryptoUtil { - // UTF8 encoding that fails on invalid chars - public static readonly UTF8Encoding SecureUtf8Encoding = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true); - // This isn't a typical Debug.Assert; the check is always performed, even in retail builds. [MethodImpl(MethodImplOptions.AggressiveInlining)] public static void Assert(bool condition, string message) 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs b/src/Microsoft.AspNet.Cryptography.Internal/DATA_BLOB.cs similarity index 90% rename from src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs rename to src/Microsoft.AspNet.Cryptography.Internal/DATA_BLOB.cs index 16589279ed..132b420e57 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/DATA_BLOB.cs @@ -4,7 +4,7 @@ using System; using System.Runtime.InteropServices; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Cryptography { // http://msdn.microsoft.com/en-us/library/windows/desktop/aa381414(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Microsoft.AspNet.Cryptography.Internal.kproj b/src/Microsoft.AspNet.Cryptography.Internal/Microsoft.AspNet.Cryptography.Internal.kproj new file mode 100644 index 0000000000..37f5345c21 --- /dev/null +++ b/src/Microsoft.AspNet.Cryptography.Internal/Microsoft.AspNet.Cryptography.Internal.kproj @@ -0,0 +1,17 @@ + + + + 14.0 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + E2779976-A28C-4365-A4BB-4AD854FAF23E + ..\..\artifacts\obj\$(MSBuildProjectName) + ..\..\artifacts\bin\$(MSBuildProjectName)\ + + + 2.0 + + + diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs new file mode 100644 index 0000000000..3f612d6db3 --- /dev/null +++ b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs 
@@ -0,0 +1,14 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// we only ever p/invoke into DLLs known to be in the System32 folder
+[assembly: DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
+
+[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation")]
+[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation.Test")]
+[assembly: InternalsVisibleTo("Microsoft.AspNet.Security.DataProtection")]
+[assembly: InternalsVisibleTo("Microsoft.AspNet.Security.DataProtection.Test")]
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Properties/Resources.Designer.cs b/src/Microsoft.AspNet.Cryptography.Internal/Properties/Resources.Designer.cs
new file mode 100644
index 0000000000..a33deb5f8a
--- /dev/null
+++ b/src/Microsoft.AspNet.Cryptography.Internal/Properties/Resources.Designer.cs
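Review bot: The four `InternalsVisibleTo` entries in the new AssemblyInfo.cs name friend assemblies by simple name only, so the internal P/Invoke and unsafe-buffer surface that this commit moves into the assembly is open to any assembly carrying one of those names. If these assemblies are, or will be, strong-name signed, the attributes need the keyed form `InternalsVisibleTo("Microsoft.AspNet.Security.DataProtection, PublicKey=<PUBLIC_KEY_PLACEHOLDER>")`; signing is not visible from this hunk, so treat that as something to confirm. The comment above `DefaultDllImportSearchPaths` would also be clearer if it stated the attribute's scope, e.g. `// applies to [DllImport] resolution only; explicit loads in SafeLibraryHandle.Open pass their own search flag`.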
@@ -0,0 +1,62 @@ +// +namespace Microsoft.AspNet.Cryptography.Internal +{ + using System.Globalization; + using System.Reflection; + using System.Resources; + + internal static class Resources + { + private static readonly ResourceManager _resourceManager + = new ResourceManager("Microsoft.AspNet.Cryptography.Internal.Resources", typeof(Resources).GetTypeInfo().Assembly); + + /// + /// A provider could not be found for algorithm '{0}'. + /// + internal static string BCryptAlgorithmHandle_ProviderNotFound + { + get { return GetString("BCryptAlgorithmHandle_ProviderNotFound"); } + } + + /// + /// A provider could not be found for algorithm '{0}'. + /// + internal static string FormatBCryptAlgorithmHandle_ProviderNotFound(object p0) + { + return string.Format(CultureInfo.CurrentCulture, GetString("BCryptAlgorithmHandle_ProviderNotFound"), p0); + } + + /// + /// The key length {0} is invalid. Valid key lengths are {1} to {2} bits (step size {3}). + /// + internal static string BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength + { + get { return GetString("BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength"); } + } + + /// + /// The key length {0} is invalid. Valid key lengths are {1} to {2} bits (step size {3}). + /// + internal static string FormatBCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength(object p0, object p1, object p2, object p3) + { + return string.Format(CultureInfo.CurrentCulture, GetString("BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength"), p0, p1, p2, p3); + } + + private static string GetString(string name, params string[] formatterNames) + { + var value = _resourceManager.GetString(name); + + System.Diagnostics.Debug.Assert(value != null); + + if (formatterNames != null) + { + for (var i = 0; i < formatterNames.Length; i++) + { + value = value.Replace("{" + formatterNames[i] + "}", "{" + i + "}"); + } + } + + return value; + } + } +} 
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Resources.resx b/src/Microsoft.AspNet.Cryptography.Internal/Resources.resx new file mode 100644 index 0000000000..351535df12 --- /dev/null +++ b/src/Microsoft.AspNet.Cryptography.Internal/Resources.resx @@ -0,0 +1,126 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + text/microsoft-resx + + + 2.0 + + + System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + + + System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + + + A provider could not be found for algorithm '{0}'. + + + The key length {0} is invalid. Valid key lengths are {1} to {2} bits (step size {3}). + + \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptAlgorithmHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs similarity index 94% rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptAlgorithmHandle.cs rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs index f8fe267f88..8f89eba6bb 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptAlgorithmHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs @@ -3,10 +3,12 @@ using System; using System.Diagnostics; -using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.Win32.SafeHandles; +using System.Globalization; +using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.Internal; -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { internal unsafe sealed class BCryptAlgorithmHandle : BCryptHandle { 
@@ -139,7 +141,8 @@ namespace Microsoft.AspNet.Security.DataProtection.SafeHandles
 // error checking
 if (ntstatus == STATUS_NOT_FOUND)
 {
- throw Error.BCryptAlgorithmHandle_ProviderNotFound(algorithmId);
+ string message = String.Format(CultureInfo.CurrentCulture, Resources.BCryptAlgorithmHandle_ProviderNotFound, algorithmId);
+ throw new CryptographicException(message);
 }
 UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus);
 CryptoUtil.AssertSafeHandleIsValid(algHandle);
diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHandle.cs
similarity index 94%
rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHandle.cs
rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHandle.cs
index a5001cb26f..65a6b97cb1 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHandle.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHandle.cs
@@ -4,7 +4,7 @@ using System; using Microsoft.Win32.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { internal unsafe abstract class BCryptHandle : SafeHandleZeroOrMinusOneIsInvalid {
diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHashHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs
similarity index 97%
rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHashHandle.cs
rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs
index af30a1b3a0..9760d30440 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHashHandle.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs
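Review bot: The new throw in the `STATUS_NOT_FOUND` branch of BCryptAlgorithmHandle.cs formats the resource string by hand, although the generated `Resources` class added in this same commit already exposes `FormatBCryptAlgorithmHandle_ProviderNotFound(object p0)`, which wraps the same `string.Format(CultureInfo.CurrentCulture, …)` call. Writing `throw new CryptographicException(Resources.FormatBCryptAlgorithmHandle_ProviderNotFound(algorithmId));` removes the local and keeps the formatting in one place. The `System.Globalization` using added by the first hunk of this file may then be unnecessary, which needs checking against the rest of the file. The enclosing method starts and ends outside the hunk.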
@@ -4,7 +4,7 @@ using System; using Microsoft.Win32.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { internal unsafe sealed class BCryptHashHandle : BCryptHandle { diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptKeyHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs similarity index 95% rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptKeyHandle.cs rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs index d03777d5da..088f7a0994 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptKeyHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { internal sealed class BCryptKeyHandle : BCryptHandle { diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/LocalAllocHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs similarity index 93% rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/LocalAllocHandle.cs rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs index a7add3bb9a..305f1ba34b 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/LocalAllocHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs @@ -5,7 +5,7 @@ using System; using System.Runtime.InteropServices; using Microsoft.Win32.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { /// /// Represents a handle returned by LocalAlloc. 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/NCryptDescriptorHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs similarity index 91% rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/NCryptDescriptorHandle.cs rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs index fff0f360f4..f2782aa2fa 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/NCryptDescriptorHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs @@ -4,7 +4,7 @@ using System; using Microsoft.Win32.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { internal sealed class NCryptDescriptorHandle : SafeHandleZeroOrMinusOneIsInvalid { diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeCertContextHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeCertContextHandle.cs similarity index 94% rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeCertContextHandle.cs rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeCertContextHandle.cs index c36caa7cdc..dbfc561884 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeCertContextHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeCertContextHandle.cs @@ -5,7 +5,7 @@ using System; using System.Runtime.CompilerServices; using Microsoft.Win32.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { internal sealed class SafeCertContextHandle : SafeHandleZeroOrMinusOneIsInvalid { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs similarity index 100% rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeLibraryHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs similarity index 96% rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeLibraryHandle.cs rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs index 59202a0c5c..9c53390775 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeLibraryHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs @@ -2,8 +2,6 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Diagnostics; -using System.Reflection; using System.Runtime.InteropServices; using System.Security; using Microsoft.Win32.SafeHandles; @@ -12,7 +10,7 @@ using Microsoft.Win32.SafeHandles; using System.Runtime.ConstrainedExecution; #endif -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { /// /// Represents a handle to a Windows module (DLL). @@ -92,8 +90,6 @@ namespace Microsoft.AspNet.Security.DataProtection.SafeHandles /// public TDelegate GetProcAddress(string lpProcName, bool throwIfNotFound = true) where TDelegate : class { - Debug.Assert(typeof(Delegate).IsAssignableFrom(typeof(TDelegate)), "TDelegate must be a delegate type!"); - IntPtr pfnProc = UnsafeNativeMethods.GetProcAddress(this, lpProcName); if (pfnProc == IntPtr.Zero) { 
@@ -115,7 +111,9 @@ namespace Microsoft.AspNet.Security.DataProtection.SafeHandles
 ///
 public static SafeLibraryHandle Open(string filename)
 {
- SafeLibraryHandle handle = UnsafeNativeMethods.LoadLibraryEx(filename, IntPtr.Zero, 0);
+ const uint LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800U; // from libloaderapi.h
+
+ SafeLibraryHandle handle = UnsafeNativeMethods.LoadLibraryEx(filename, IntPtr.Zero, LOAD_LIBRARY_SEARCH_SYSTEM32);
 if (handle == null || handle.IsInvalid)
 {
 UnsafeNativeMethods.ThrowExceptionForLastWin32Error();
diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeNCryptKeyHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeNCryptKeyHandle.cs
similarity index 93%
rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeNCryptKeyHandle.cs
rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeNCryptKeyHandle.cs
index 6b2bacaf6e..a2a325d560 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeNCryptKeyHandle.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeNCryptKeyHandle.cs
@@ -6,7 +6,7 @@ using System.Runtime.InteropServices; using Microsoft.Win32.SafeHandles; #if ASPNETCORE50 -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { /// /// Represents a managed view over an NCRYPT_KEY_HANDLE.
diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SecureLocalAllocHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs
similarity index 96%
rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SecureLocalAllocHandle.cs
rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs
index 34cca9d1e4..a4ce4b3dcc 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SecureLocalAllocHandle.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs
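Review bot: `SafeLibraryHandle.Open` now passes `LOAD_LIBRARY_SEARCH_SYSTEM32`, but nothing in the method checks that `filename` is a bare module name; when LoadLibraryEx is handed a fully qualified path it loads from that path, and the flag then no longer confines the module itself to System32. The callers visible in this commit pass constants such as "bcrypt.dll", so this is hardening rather than a live defect: a guard like `CryptoUtil.Assert(filename.IndexOfAny(new[] { '\\', '/' }) < 0, "filename must be a bare module name");` plus one sentence in the XML doc would keep the guarantee local to the method. A comment beside the constant should also record that, as far as I know, Windows 7 and Server 2008 R2 only accept this flag once KB2533623 is installed and otherwise fail the call with an invalid-parameter error. The method body continues past the end of the hunk.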
@@ -10,7 +10,7 @@ using System.Security; using System.Runtime.ConstrainedExecution; #endif -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { /// /// Represents a handle returned by LocalAlloc. diff --git a/src/Microsoft.AspNet.Security.DataProtection/UnsafeBufferUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs similarity index 98% rename from src/Microsoft.AspNet.Security.DataProtection/UnsafeBufferUtil.cs rename to src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs index ef6a69bdbc..7bb265b4ec 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/UnsafeBufferUtil.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs @@ -4,13 +4,13 @@ using System; using System.Runtime.CompilerServices; using System.Threading; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography.SafeHandles; #if !ASPNETCORE50 using System.Runtime.ConstrainedExecution; #endif -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Cryptography { internal unsafe static class UnsafeBufferUtil { diff --git a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs similarity index 93% rename from src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs rename to src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs index 372578fa84..a7bfe972e3 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs 
@@ -7,15 +7,16 @@ using System.Runtime.CompilerServices; using System.Runtime.InteropServices; using System.Security; using System.Security.Cryptography; -using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using System.Threading; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.Win32.SafeHandles; #if !ASPNETCORE50 using System.Runtime.ConstrainedExecution; #endif -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Cryptography { #if !ASPNETCORE50 [SuppressUnmanagedCodeSecurity] @@ -23,13 +24,19 @@ namespace Microsoft.AspNet.Security.DataProtection internal unsafe static class UnsafeNativeMethods { private const string BCRYPT_LIB = "bcrypt.dll"; - private static readonly SafeLibraryHandle _bcryptLibHandle = SafeLibraryHandle.Open(BCRYPT_LIB); + private static readonly Lazy _lazyBCryptLibHandle = GetLazyLibraryHandle(BCRYPT_LIB); private const string CRYPT32_LIB = "crypt32.dll"; - private static readonly SafeLibraryHandle _crypt32LibHandle = SafeLibraryHandle.Open(CRYPT32_LIB); + private static readonly Lazy _lazyCrypt32LibHandle = GetLazyLibraryHandle(CRYPT32_LIB); private const string NCRYPT_LIB = "ncrypt.dll"; - private static readonly SafeLibraryHandle _ncryptLibHandle = SafeLibraryHandle.Open(NCRYPT_LIB); + private static readonly Lazy _lazyNCryptLibHandle = GetLazyLibraryHandle(NCRYPT_LIB); + + private static Lazy GetLazyLibraryHandle(string libraryName) + { + // We don't need to worry about race conditions: SafeLibraryHandle will clean up after itself + return new Lazy(() => SafeLibraryHandle.Open(libraryName), LazyThreadSafetyMode.PublicationOnly); + } /* * BCRYPT.DLL 
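Review bot: The comment in `GetLazyLibraryHandle` says races need no attention but does not say what `LazyThreadSafetyMode.PublicationOnly` actually permits, which is what the next maintainer needs to know. In that mode several first callers can each run `SafeLibraryHandle.Open`; the handles that lose the publication race are not disposed by `Lazy` and are presumably released only when the SafeHandle is finalized. A factory exception is also not cached, so every later access retries the load. I would spell this out: `// PublicationOnly: racing first callers may each load the library; losing handles are freed on finalization, and a failed load is retried on the next access.`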
@@ -346,7 +353,7 @@ namespace Microsoft.AspNet.Security.DataProtection [MethodImpl(MethodImplOptions.NoInlining)] private static void ThrowExceptionForBCryptStatusImpl(int ntstatus) { - string message = _bcryptLibHandle.FormatMessage(ntstatus); + string message = _lazyBCryptLibHandle.Value.FormatMessage(ntstatus); throw new CryptographicException(message); } @@ -355,7 +362,7 @@ namespace Microsoft.AspNet.Security.DataProtection int lastError = Marshal.GetLastWin32Error(); Debug.Assert(lastError != 0, "This method should only be called if there was an error."); - string message = _crypt32LibHandle.FormatMessage(lastError); + string message = _lazyCrypt32LibHandle.Value.FormatMessage(lastError); throw new CryptographicException(message); } @@ -372,7 +379,7 @@ namespace Microsoft.AspNet.Security.DataProtection [MethodImpl(MethodImplOptions.NoInlining)] private static void ThrowExceptionForNCryptStatusImpl(int ntstatus) { - string message = _ncryptLibHandle.FormatMessage(ntstatus); + string message = _lazyNCryptLibHandle.Value.FormatMessage(ntstatus); throw new CryptographicException(message); } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/WeakReferenceHelpers.cs b/src/Microsoft.AspNet.Cryptography.Internal/WeakReferenceHelpers.cs similarity index 90% rename from src/Microsoft.AspNet.Security.DataProtection/WeakReferenceHelpers.cs rename to src/Microsoft.AspNet.Cryptography.Internal/WeakReferenceHelpers.cs index 638fdc6231..8aaf9c73bb 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/WeakReferenceHelpers.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/WeakReferenceHelpers.cs 
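Review bot: The Win32 error path in the second hunk now reads `_lazyCrypt32LibHandle.Value`, while `SafeLibraryHandle.Open` (changed earlier in this commit) calls `UnsafeNativeMethods.ThrowExceptionForLastWin32Error()` when a load fails. If this method is that helper (its signature is outside the hunk), a failed load of crypt32.dll re-enters the same factory, and `PublicationOnly` does not detect recursive `Value` access, so the chain would not terminate. The BCrypt and NCrypt variants in the first and third hunks have a milder form of the problem: a failed lazy load replaces the original NTSTATUS with a load error. The load-failure path should not depend on a module handle; for example, `Open` could report the raw code itself, `throw new CryptographicException("LoadLibraryEx failed: " + Marshal.GetLastWin32Error());`, leaving `FormatMessage` for errors raised after the libraries are known to be loaded.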
@@ -1,8 +1,11 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; using System.Diagnostics; using System.Threading; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Cryptography { internal static class WeakReferenceHelpers { diff --git a/src/Microsoft.AspNet.Cryptography.Internal/project.json b/src/Microsoft.AspNet.Cryptography.Internal/project.json new file mode 100644 index 0000000000..da2f2d3a77 --- /dev/null +++ b/src/Microsoft.AspNet.Cryptography.Internal/project.json @@ -0,0 +1,26 @@ +{ + "version": "1.0.0-*", + "description": "Infrastructure for ASP.NET 5 cryptographic packages. Developers should not reference this package.", + "dependencies": { + }, + "frameworks": { + "net451": { }, + "aspnet50": { }, + "aspnetcore50": { + "dependencies": { + "System.Diagnostics.Debug": "4.0.10-beta-*", + "System.Globalization": "4.0.10-beta-*", + "System.Resources.ResourceManager": "4.0.0-beta-*", + "System.Runtime": "4.0.20-beta-*", + "System.Runtime.Handles": "4.0.0-beta-*", + "System.Runtime.InteropServices": "4.0.20-beta-*", + "System.Security.Cryptography.Encryption": "4.0.0-beta-*", + "System.Threading": "4.0.10-beta-*" + } + } + }, + "compilationOptions": { + "allowUnsafe": true, + "warningsAsErrors": true + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyDerivation.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs similarity index 65% rename from src/Microsoft.AspNet.Security.DataProtection/KeyDerivation.cs rename to src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs index 79cb1e6370..8e2a4db593 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyDerivation.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs 
@@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.PBKDF2; +using Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Cryptography.KeyDerivation { public static class KeyDerivation { @@ -13,23 +13,23 @@ namespace Microsoft.AspNet.Security.DataProtection // parameter checking if (password == null) { - throw new ArgumentNullException("password"); + throw new ArgumentNullException(nameof(password)); } if (salt == null) { - throw new ArgumentNullException("salt"); + throw new ArgumentNullException(nameof(salt)); } if (prf < KeyDerivationPrf.Sha1 || prf > KeyDerivationPrf.Sha512) { - throw new ArgumentOutOfRangeException("prf"); + throw new ArgumentOutOfRangeException(nameof(prf)); } if (iterationCount <= 0) { - throw new ArgumentOutOfRangeException("iterationCount"); + throw new ArgumentOutOfRangeException(nameof(iterationCount)); } if (numBytesRequested <= 0) { - throw new ArgumentOutOfRangeException("numBytesRequested"); + throw new ArgumentOutOfRangeException(nameof(numBytesRequested)); } return Pbkdf2Util.Pbkdf2Provider.DeriveKey(password, salt, prf, iterationCount, numBytesRequested); diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyDerivationPrf.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivationPrf.cs similarity index 92% rename from src/Microsoft.AspNet.Security.DataProtection/KeyDerivationPrf.cs rename to src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivationPrf.cs index 196aed9523..0f8556eb10 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyDerivationPrf.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivationPrf.cs 
@@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Cryptography.KeyDerivation { /// /// Specifies the PRF which should be used for the key derivation algorithm. diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/Microsoft.AspNet.Cryptography.KeyDerivation.kproj b/src/Microsoft.AspNet.Cryptography.KeyDerivation/Microsoft.AspNet.Cryptography.KeyDerivation.kproj new file mode 100644 index 0000000000..122f0410ea --- /dev/null +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/Microsoft.AspNet.Cryptography.KeyDerivation.kproj @@ -0,0 +1,17 @@ + + + + 14.0 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + 421F0383-34B1-402D-807B-A94542513ABA + ..\..\artifacts\obj\$(MSBuildProjectName) + ..\..\artifacts\bin\$(MSBuildProjectName)\ + + + 2.0 + + + diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/IPbkdf2Provider.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs similarity index 89% rename from src/Microsoft.AspNet.Security.DataProtection/PBKDF2/IPbkdf2Provider.cs rename to src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs index 6e353d48c8..c19837c871 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/IPbkdf2Provider.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 +namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 { /// /// Internal interface used for abstracting away the PBKDF2 implementation since the implementation is OS-specific. 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/ManagedPbkdf2Provider.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs similarity index 98% rename from src/Microsoft.AspNet.Security.DataProtection/PBKDF2/ManagedPbkdf2Provider.cs rename to src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs index 527bdc5119..cc6f7d17ec 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/ManagedPbkdf2Provider.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs @@ -6,7 +6,7 @@ using System.Diagnostics; using System.Security.Cryptography; using System.Text; -namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 +namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 { /// /// A PBKDF2 provider which utilizes the managed hash algorithm classes as PRFs. diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Pbkdf2Util.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs similarity index 91% rename from src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Pbkdf2Util.cs rename to src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs index d33a3d71ca..3e0d1a0c3a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Pbkdf2Util.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs @@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Cryptography.Cng; -namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 +namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 { /// /// Internal base class used for abstracting away the PBKDF2 implementation since the implementation is OS-specific. 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win7Pbkdf2Provider.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs similarity index 96% rename from src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win7Pbkdf2Provider.cs rename to src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs index 62d1cef6d4..629f568fcb 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win7Pbkdf2Provider.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs @@ -4,10 +4,10 @@ using System; using System.Diagnostics; using System.Text; -using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 +namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 { /// /// A PBKDF2 provider which utilizes the Win7 API BCryptDeriveKeyPBKDF2. diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win8Pbkdf2Provider.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs similarity index 88% rename from src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win8Pbkdf2Provider.cs rename to src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs index 02a33fb705..d2ff0ce174 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win8Pbkdf2Provider.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs 
@@ -3,11 +3,12 @@ using System; using System.Diagnostics; +using System.Runtime.CompilerServices; using System.Text; -using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 +namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 { /// /// A PBKDF2 provider which utilizes the Win8 API BCryptKeyDerivation. @@ -32,13 +33,28 @@ namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 { fixed (byte* pbRetVal = retVal) { - Pbkdf2Win8ImplStep2(keyHandle, algorithmName, pbSalt, (uint)salt.Length, (ulong)iterationCount, pbRetVal, (uint)retVal.Length); + DeriveKeyCore(keyHandle, algorithmName, pbSalt, (uint)salt.Length, (ulong)iterationCount, pbRetVal, (uint)retVal.Length); } return retVal; } } } + [MethodImpl(MethodImplOptions.AggressiveInlining)] + public static uint GetTotalByteLengthIncludingNullTerminator(string input) + { + if (input == null) + { + // degenerate case + return 0; + } + else + { + uint numChars = (uint)input.Length + 1U; // no overflow check necessary since Length is signed + return checked(numChars * sizeof(char)); + } + } + private static BCryptKeyHandle PasswordToPbkdfKeyHandle(string password, BCryptAlgorithmHandle pbkdf2AlgHandle, KeyDerivationPrf prf) { byte dummy; // CLR doesn't like pinning zero-length buffers, so this provides a valid memory address when working with zero-length buffers 
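Review bot: `GetTotalByteLengthIncludingNullTerminator` is added as `public static` with no doc comment, although the only caller shown in this commit is `DeriveKeyCore` in the same class. I would make it `private static` and add a summary such as `/// Returns the size in bytes of the UTF-16 string including its null terminator, or 0 for a null input.` so the unit (bytes, not chars) is explicit where the value feeds `cbBuffer`. The null branch is also worth a comment on why 0 is acceptable: a zero-length `KDF_HASH_ALGORITHM` buffer would be passed to the native KDF rather than rejected early. The enclosing class declaration is outside the hunk, so its visibility is assumed here.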
@@ -136,7 +152,7 @@ namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 } } - private static void Pbkdf2Win8ImplStep2(BCryptKeyHandle pbkdf2KeyHandle, string hashAlgorithm, byte* pbSalt, uint cbSalt, ulong iterCount, byte* pbDerivedBytes, uint cbDerivedBytes) + private static void DeriveKeyCore(BCryptKeyHandle pbkdf2KeyHandle, string hashAlgorithm, byte* pbSalt, uint cbSalt, ulong iterCount, byte* pbDerivedBytes, uint cbDerivedBytes) { // First, build the buffers necessary to pass (hash alg, salt, iter count) into the KDF BCryptBuffer* pBuffers = stackalloc BCryptBuffer[3]; @@ -153,7 +169,7 @@ namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 { pBuffers[2].BufferType = BCryptKeyDerivationBufferType.KDF_HASH_ALGORITHM; pBuffers[2].pvBuffer = (IntPtr)pszHashAlgorithm; - pBuffers[2].cbBuffer = hashAlgorithm.GetTotalByteLengthIncludingNullTerminator(); + pBuffers[2].cbBuffer = GetTotalByteLengthIncludingNullTerminator(hashAlgorithm); // Add the header which points to the buffers BCryptBufferDesc bufferDesc = default(BCryptBufferDesc); diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs new file mode 100644 index 0000000000..1810781789 --- /dev/null +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs @@ -0,0 +1,7 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Runtime.CompilerServices; + +[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation.Test")] diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json new file mode 100644 index 0000000000..6582d52581 --- /dev/null +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json 
@@ -0,0 +1,21 @@ +{ + "version": "1.0.0-*", + "description": "ASP.NET 5 utilities for key derivation.", + "dependencies": { + "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*" + }, + "frameworks": { + "net451": { }, + "aspnet50": { }, + "aspnetcore50": { + "dependencies": { + "System.Runtime.Extensions": "4.0.10-beta-*", + "System.Security.Cryptography.Hashing.Algorithms": "4.0.0-beta-*" + } + } + }, + "compilationOptions": { + "allowUnsafe": true, + "warningsAsErrors": true + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs index 6a2808e70d..6c61f43316 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs @@ -3,7 +3,6 @@ using System; using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption { diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs index 763c8f6e93..a8767fdc0f 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs @@ -3,6 +3,7 @@ using System; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.XmlEncryption; namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs index 9db38c5070..171d0ce3cd 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs @@ -2,8 +2,10 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption { diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs index e47a6cd4f1..f673cd2ff9 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs @@ -4,6 +4,7 @@ using System; using System.Linq; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.XmlEncryption; using Microsoft.Framework.DependencyInjection; 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs index 3007f2eb72..5070ad7728 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs @@ -3,6 +3,7 @@ using System; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.XmlEncryption; namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs index d8cd278490..2b3cca4ae8 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs @@ -2,8 +2,10 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs index d826c54b3e..64d9ca4280 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs @@ -4,6 +4,7 @@ using System; using System.Linq; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.XmlEncryption; using Microsoft.Framework.DependencyInjection; diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs index e636713040..ac7a984083 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs @@ -3,6 +3,7 @@ using System; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.XmlEncryption; namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs index 673f0e2646..0d58cfbfc9 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs 
+++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs @@ -4,6 +4,7 @@ using System; using System.Reflection; using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.Managed; namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs index bdfbdccdc2..15410c8f42 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs @@ -4,6 +4,7 @@ using System; using System.Linq; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.XmlEncryption; using Microsoft.Framework.DependencyInjection; diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomImpl.cs index 6ce50391f1..9919cc2644 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomImpl.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomImpl.cs @@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using Microsoft.AspNet.Cryptography.Cng; namespace Microsoft.AspNet.Security.DataProtection.Cng { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs index 9c7567a4da..f44143cdfa 100644 
--- a/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs @@ -2,7 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.Security.DataProtection.SP800_108; namespace Microsoft.AspNet.Security.DataProtection.Cng diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs index e5762f1190..ee641fccab 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs @@ -7,7 +7,8 @@ using System.Runtime.CompilerServices; using System.Runtime.InteropServices; using System.Security.Cryptography; using System.Text; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection.Cng { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs index d6b99f69c0..802f8feab9 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs 
@@ -2,8 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Security.Cryptography; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.Security.DataProtection.SP800_108; namespace Microsoft.AspNet.Security.DataProtection.Cng diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs index 14f22b52b1..1e84b49be4 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs @@ -2,7 +2,6 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Security.Cryptography; namespace Microsoft.AspNet.Security.DataProtection { @@ -32,7 +31,7 @@ namespace Microsoft.AspNet.Security.DataProtection { try { - byte[] unprotectedDataAsBytes = CryptoUtil.SecureUtf8Encoding.GetBytes(unprotectedData); + byte[] unprotectedDataAsBytes = EncodingUtil.SecureUtf8Encoding.GetBytes(unprotectedData); byte[] protectedDataAsBytes = protector.Protect(unprotectedDataAsBytes); return WebEncoders.Base64UrlEncode(protectedDataAsBytes); } @@ -58,7 +57,7 @@ namespace Microsoft.AspNet.Security.DataProtection { byte[] protectedDataAsBytes = WebEncoders.Base64UrlDecode(protectedData); byte[] unprotectedDataAsBytes = protector.Unprotect(protectedDataAsBytes); - return CryptoUtil.SecureUtf8Encoding.GetString(unprotectedDataAsBytes); + return EncodingUtil.SecureUtf8Encoding.GetString(unprotectedDataAsBytes); } catch (Exception ex) when (ex.RequiresHomogenization()) { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServiceCollectionExtensions.cs index d1e0f56124..71d14b4a64 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServiceCollectionExtensions.cs @@ -5,9 +5,9 @@ using System; using System.Collections.Generic; using System.IO; using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Security.DataProtection; using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.Security.DataProtection.Cng; using Microsoft.AspNet.Security.DataProtection.Dpapi; using Microsoft.AspNet.Security.DataProtection.KeyManagement; using Microsoft.AspNet.Security.DataProtection.Repositories; diff --git a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs index a4b400e5e0..9689d11c45 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs @@ -4,6 +4,7 @@ using System; using System.IO; using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography; namespace Microsoft.AspNet.Security.DataProtection.Dpapi { @@ -28,7 +29,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Dpapi using (var memoryStream = new MemoryStream()) { memoryStream.Write(_combinedPurposes, 0, _combinedPurposes.Length); - using (var writer = new BinaryWriter(memoryStream, CryptoUtil.SecureUtf8Encoding, leaveOpen: true)) + using (var writer = new BinaryWriter(memoryStream, EncodingUtil.SecureUtf8Encoding, leaveOpen: true)) { writer.Write(purpose); } 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/EncodingUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/EncodingUtil.cs new file mode 100644 index 0000000000..84a8822900 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/EncodingUtil.cs @@ -0,0 +1,14 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Text; + +namespace Microsoft.AspNet.Security.DataProtection +{ + internal unsafe static class EncodingUtil + { + // UTF8 encoding that fails on invalid chars + public static readonly UTF8Encoding SecureUtf8Encoding = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true); + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs index 8b87083b2c..179d3f15a2 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs @@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.Security.DataProtection.Cng; using Microsoft.AspNet.Security.DataProtection.KeyManagement; diff --git a/src/Microsoft.AspNet.Security.DataProtection/Error.cs b/src/Microsoft.AspNet.Security.DataProtection/Error.cs index 8571a4074c..74fa5221d2 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Error.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Error.cs 
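Review bot: The new `EncodingUtil` class is declared `unsafe` but contains no pointer code, so the modifier can be dropped: `internal static class EncodingUtil`. The comment on `SecureUtf8Encoding` could also be more precise, since `throwOnInvalidBytes: true` makes both encoding and decoding throw on malformed input, which is what the protect and unprotect call sites rely on. I would write `// Strict UTF-8: throws on invalid input in either direction instead of substituting U+FFFD; no BOM is emitted.`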
@@ -9,12 +9,6 @@ namespace Microsoft.AspNet.Security.DataProtection { internal static class Error { - public static CryptographicException BCryptAlgorithmHandle_ProviderNotFound(string algorithmId) - { - string message = String.Format(CultureInfo.CurrentCulture, Resources.BCryptAlgorithmHandle_ProviderNotFound, algorithmId); - return new CryptographicException(message); - } - public static ArgumentException Common_BufferIncorrectlySized(string parameterName, int actualSize, int expectedSize) { string message = String.Format(CultureInfo.CurrentCulture, Resources.Common_BufferIncorrectlySized, actualSize, expectedSize); diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs index ecb87dad75..97841ca503 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs @@ -4,8 +4,8 @@ using System; using System.Diagnostics; using System.IO; -using System.Security.Cryptography; using System.Threading; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; namespace Microsoft.AspNet.Security.DataProtection.KeyManagement @@ -279,7 +279,7 @@ namespace Microsoft.AspNet.Security.DataProtection.KeyManagement // Strings should never contain invalid UTF16 chars, so we'll use a secure encoding. private static readonly byte[] _guidBuffer = new byte[sizeof(Guid)]; - public PurposeBinaryWriter(MemoryStream stream) : base(stream, CryptoUtil.SecureUtf8Encoding, leaveOpen: true) { } + public PurposeBinaryWriter(MemoryStream stream) : base(stream, EncodingUtil.SecureUtf8Encoding, leaveOpen: true) { } public new void Write7BitEncodedInt(int value) { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingProvider.cs index 37d576c063..a4efcce090 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingProvider.cs @@ -5,6 +5,7 @@ using System; using System.Diagnostics; using System.Linq; using System.Threading; +using Microsoft.AspNet.Cryptography; namespace Microsoft.AspNet.Security.DataProtection.KeyManagement { diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/XmlKeyManager.cs index 27dff11346..ef8a95a5db 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/XmlKeyManager.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/XmlKeyManager.cs @@ -8,6 +8,7 @@ using System.Globalization; using System.Linq; using System.Reflection; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.Security.DataProtection.Repositories; using Microsoft.AspNet.Security.DataProtection.XmlEncryption; diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/HashAlgorithmExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/Managed/HashAlgorithmExtensions.cs index eec421cfd8..e88b3cdffb 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Managed/HashAlgorithmExtensions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Managed/HashAlgorithmExtensions.cs @@ -3,6 +3,7 @@ using System; using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography; namespace Microsoft.AspNet.Security.DataProtection.Managed { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs index f10003ece2..ba53330486 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs @@ -4,6 +4,7 @@ using System; using System.IO; using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.Security.DataProtection.SP800_108; diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/SymmetricAlgorithmExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/Managed/SymmetricAlgorithmExtensions.cs index 48c8860ee1..197f9fe3ac 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Managed/SymmetricAlgorithmExtensions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Managed/SymmetricAlgorithmExtensions.cs @@ -3,6 +3,7 @@ using System; using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography; namespace Microsoft.AspNet.Security.DataProtection.Managed { diff --git a/src/Microsoft.AspNet.Security.DataProtection/MemoryProtection.cs b/src/Microsoft.AspNet.Security.DataProtection/MemoryProtection.cs index 0427ff6e62..b6aa7680ed 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/MemoryProtection.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/MemoryProtection.cs @@ -3,6 +3,7 @@ using System; using System.Runtime.InteropServices; +using Microsoft.AspNet.Cryptography; namespace Microsoft.AspNet.Security.DataProtection { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs b/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs index f1d2151ed5..35f9a8dc33 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs 
+++ b/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs @@ -10,38 +10,6 @@ namespace Microsoft.AspNet.Security.DataProtection private static readonly ResourceManager _resourceManager = new ResourceManager("Microsoft.AspNet.Security.DataProtection.Resources", typeof(Resources).GetTypeInfo().Assembly); - /// - /// A provider could not be found for algorithm '{0}'. - /// - internal static string BCryptAlgorithmHandle_ProviderNotFound - { - get { return GetString("BCryptAlgorithmHandle_ProviderNotFound"); } - } - - /// - /// A provider could not be found for algorithm '{0}'. - /// - internal static string FormatBCryptAlgorithmHandle_ProviderNotFound(object p0) - { - return string.Format(CultureInfo.CurrentCulture, GetString("BCryptAlgorithmHandle_ProviderNotFound"), p0); - } - - /// - /// The key length {0} is invalid. Valid key lengths are {1} to {2} bits (step size {3}). - /// - internal static string BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength - { - get { return GetString("BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength"); } - } - - /// - /// The key length {0} is invalid. Valid key lengths are {1} to {2} bits (step size {3}). - /// - internal static string FormatBCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength(object p0, object p1, object p2, object p3) - { - return string.Format(CultureInfo.CurrentCulture, GetString("BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength"), p0, p1, p2, p3); - } - /// /// An error occurred during a cryptographic operation. /// diff --git a/src/Microsoft.AspNet.Security.DataProtection/Resources.resx b/src/Microsoft.AspNet.Security.DataProtection/Resources.resx index 8029969b2a..044df24e82 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Resources.resx +++ b/src/Microsoft.AspNet.Security.DataProtection/Resources.resx 
@@ -117,12 +117,6 @@ System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 - - A provider could not be found for algorithm '{0}'. - - - The key length {0} is invalid. Valid key lengths are {1} to {2} bits (step size {3}). - An error occurred during a cryptographic operation. diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs index 1ffa2e21f8..a31317918b 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs @@ -3,6 +3,7 @@ using System; using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.Managed; namespace Microsoft.AspNet.Security.DataProtection.SP800_108 diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs index 11750100c5..eee810f44c 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs @@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using Microsoft.AspNet.Cryptography; namespace Microsoft.AspNet.Security.DataProtection.SP800_108 { diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs index 7778e03013..903b6f095c 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs 
+++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs @@ -2,7 +2,8 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; namespace Microsoft.AspNet.Security.DataProtection.SP800_108 { diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs index a163834603..119bd1ec73 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs @@ -2,8 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection.SP800_108 { diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs index 30af954f1e..34c506756a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs 
@@ -2,8 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection.SP800_108 { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Secret.cs b/src/Microsoft.AspNet.Security.DataProtection/Secret.cs index ddb8acdab1..06905c39c1 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Secret.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Secret.cs @@ -2,9 +2,10 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.Security.DataProtection.Managed; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection { diff --git a/src/Microsoft.AspNet.Security.DataProtection/StringExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/StringExtensions.cs deleted file mode 100644 index f081611b3f..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/StringExtensions.cs +++ /dev/null 
@@ -1,26 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Runtime.CompilerServices; - -namespace Microsoft.AspNet.Security.DataProtection -{ - internal static class StringExtensions - { - [MethodImpl(MethodImplOptions.AggressiveInlining)] - public static uint GetTotalByteLengthIncludingNullTerminator(this string input) - { - if (input == null) - { - // degenerate case - return 0; - } - else - { - uint numChars = (uint)input.Length + 1U; // no overflow check necessary since Length is signed - return checked(numChars * sizeof(char)); - } - } - } -} diff --git a/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs index bf42b34c45..a3542d71bb 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs @@ -3,6 +3,7 @@ using System; using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography; namespace Microsoft.AspNet.Security.DataProtection { diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs index d0c2f8bade..5b08a6e1fb 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs @@ -4,6 +4,7 @@ using System; using System.IO; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.Cng; namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs index 25526f61dd..acbd0c3f79 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs @@ -6,9 +6,10 @@ using System.Globalization; using System.IO; using System.Security.Principal; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.Security.DataProtection.Cng; using Microsoft.AspNet.Security.DataProtection.KeyManagement; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption { diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs index e6376dbec0..cef503b7e2 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs @@ -4,6 +4,7 @@ using System; using System.IO; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.Cng; namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlDecryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlDecryptor.cs index f2dae82986..efceec02ae 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlDecryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlDecryptor.cs 
@@ -4,6 +4,7 @@ using System; using System.Linq; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption { diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index 971c304e51..a0e70f0a0a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json @@ -2,6 +2,7 @@ "version": "1.0.0-*", "description": "ASP.NET 5 logic to protect and unprotect data, similar to DPAPI.", "dependencies": { + "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", "Microsoft.Framework.DependencyInjection": "1.0.0-*", "Microsoft.Framework.OptionsModel": "1.0.0-*" }, @@ -24,6 +25,7 @@ "dependencies": { "Microsoft.Win32.Registry": "4.0.0-beta-*", "System.IO": "4.0.10-beta-*", + "System.Reflection.TypeExtensions": "4.0.0-beta-*", "System.Security.Cryptography.X509Certificates": "4.0.0-beta-*", "System.Security.Cryptography.Encryption.Aes": "4.0.0-beta-*", "System.Security.Cryptography.Hashing.Algorithms": "4.0.0-beta-*", diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs new file mode 100644 index 0000000000..e435d081dc --- /dev/null +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs 
@@ -0,0 +1,58 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Globalization; +using Microsoft.AspNet.Cryptography.SafeHandles; +using Microsoft.AspNet.Testing.xunit; + +namespace Microsoft.AspNet.Cryptography +{ + public class ConditionalRunTestOnlyIfBcryptAvailableAttribute : Attribute, ITestCondition + { + private static readonly SafeLibraryHandle _bcryptLibHandle = GetBCryptLibHandle(); + + private readonly string _requiredExportFunction; + + public ConditionalRunTestOnlyIfBcryptAvailableAttribute(string requiredExportFunction = null) + { + _requiredExportFunction = requiredExportFunction; + } + + public bool IsMet + { + get + { + if (_bcryptLibHandle == null) + { + return false; // no bcrypt.dll available + } + + return (_requiredExportFunction == null || _bcryptLibHandle.DoesProcExist(_requiredExportFunction)); + } + } + + public string SkipReason + { + get + { + return (_bcryptLibHandle != null) + ? String.Format(CultureInfo.InvariantCulture, "Export {0} not found in bcrypt.dll", _requiredExportFunction) + : "bcrypt.dll not found on this platform."; + } + } + + private static SafeLibraryHandle GetBCryptLibHandle() + { + try + { + return SafeLibraryHandle.Open("bcrypt.dll"); + } + catch + { + // If we're not on an OS with BCRYPT.DLL, just bail. + return null; + } + } + } +} diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Microsoft.AspNet.Cryptography.KeyDerivation.Test.kproj b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Microsoft.AspNet.Cryptography.KeyDerivation.Test.kproj new file mode 100644 index 0000000000..02588fc1d9 --- /dev/null +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Microsoft.AspNet.Cryptography.KeyDerivation.Test.kproj 
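Review bot: The bare `catch` in `GetBCryptLibHandle` reports every failure of `SafeLibraryHandle.Open("bcrypt.dll")` as "library not present", so an unrelated fault would make every conditioned crypto test skip instead of fail, and the coverage loss would go unnoticed. `Open` is defined outside this diff; if it throws a specific exception type when the library is missing, catching only that type would limit skipping to platforms that really lack bcrypt.dll. If the broad catch is intentional, the comment should say so, for example `// Any load failure is treated as "no bcrypt.dll"; conditioned tests are then skipped, not failed.` This file also appears to duplicate the attribute of the same name under `test/Microsoft.AspNet.Security.DataProtection.Test`, which this commit only re-points to the new namespace, so the two copies can drift apart.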
@@ -0,0 +1,17 @@ + + + + 14.0 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + 42c97f52-8d56-46bd-a712-4f22bed157a7 + ..\..\artifacts\obj\$(MSBuildProjectName) + ..\..\artifacts\bin\$(MSBuildProjectName)\ + + + 2.0 + + + diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/PBKDF2/Pbkdf2Tests.cs b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs similarity index 97% rename from test/Microsoft.AspNet.Security.DataProtection.Test/PBKDF2/Pbkdf2Tests.cs rename to test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs index 6fed8294d7..6fc684797d 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/PBKDF2/Pbkdf2Tests.cs +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs @@ -3,11 +3,11 @@ using System; using System.Text; -using Microsoft.AspNet.Security.DataProtection.PBKDF2; +using Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2; using Microsoft.AspNet.Testing.xunit; using Xunit; -namespace Microsoft.AspNet.Security.DataProtection.Test.PBKDF2 +namespace Microsoft.AspNet.Cryptography.KeyDerivation { public class Pbkdf2Tests { @@ -40,8 +40,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.PBKDF2 // The 'numBytesRequested' parameters below are chosen to exercise code paths where // this value straddles the digest length of the PRF. We only use 5 iterations so // that our unit tests are fast. - [ConditionalTheory] - [ConditionalRunTestOnlyIfBcryptAvailable("BCryptDeriveKeyPBKDF2")] + [Theory] [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 - 1, "efmxNcKD/U1urTEDGvsThlPnHA==")] [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 0, "efmxNcKD/U1urTEDGvsThlPnHDI=")] [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 1, "efmxNcKD/U1urTEDGvsThlPnHDLk")] 
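Review bot: Whether the theory now marked plain `[Theory]` in `Pbkdf2Tests.cs` still reaches the `BCryptDeriveKeyPBKDF2` export cannot be confirmed from this hunk, because the decorated method lies outside it. If it does, the test will fail rather than skip on systems that lack that export. If it exercises the managed PBKDF2 path instead, a short comment above the attribute such as `// Managed provider: no bcrypt.dll export needed, so this runs unconditionally.` would record why the condition was dropped.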
diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs new file mode 100644 index 0000000000..3f8188a594 --- /dev/null +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs @@ -0,0 +1,8 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Runtime.CompilerServices; + +// for unit testing +[assembly: InternalsVisibleTo("DynamicProxyGenAssembly2")] diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json new file mode 100644 index 0000000000..ebed517c17 --- /dev/null +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json @@ -0,0 +1,18 @@ +{ + "dependencies": { + "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", + "Microsoft.AspNet.Cryptography.KeyDerivation": "1.0.0-*", + "Microsoft.AspNet.Testing": "1.0.0-*", + "Moq": "4.2.1312.1622", + "xunit.runner.kre": "1.0.0-*" + }, + "frameworks": { + "aspnet50": { } + }, + "commands": { + "test": "xunit.runner.kre" + }, + "compilationOptions": { + "allowUnsafe": true + } +} diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs index 34fa81a08c..4e2b8b4373 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs 
@@ -5,6 +5,7 @@ using System; using System.Linq; using System.Security.Cryptography; using System.Text; +using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Security.DataProtection.Cng; using Microsoft.AspNet.Testing.xunit; using Xunit; diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs index fb73ec6c61..e9ab3f545f 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs @@ -5,6 +5,7 @@ using System; using System.Linq; using System.Security.Cryptography; using System.Text; +using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Security.DataProtection.Cng; using Microsoft.AspNet.Testing.xunit; using Xunit; diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs index eb6cc86e0e..168ae7075a 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs @@ -3,7 +3,7 @@ using System; using System.Globalization; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.Testing.xunit; namespace Microsoft.AspNet.Security.DataProtection.Test