Arno van der Meer Arno van der Meer - 3 months ago 23
C# Question

Difference between SHA256CryptoServiceProvider and SHA256Managed

The .Net

SHA256Managed
class is supported in all framework versions while the
SHA256CryptoServiceProvider
class is only supported from framework 3.5 and above.

Why is the
SHA256CryptoServiceProvider
introduced ? It seems to do the same as the
SHA256Managed
class, but the latter performs better.

What am I missing and why should I use the
SHA256CryptoServiceProvider
?

Answer

It has nothing to do with performance - SHA256CryptoServiceProvider uses the FIPS 140-2 validated (FIPS = Federal Information Processing Standards) Crypto Service Provider (CSP) while SHA256Managed does not. SHA256Managed is a pure managed implementation while SHA256CryptoServiceProvider does presumably the same thing but wraps the CryptoAPI.

This has big ramifications if you're going to operate on US federal or many state government systems as it is a requirement for software vendors. In the eyes of NIST, using a non-FIPS validated cryptographic module, like the SHA256Managed implementation, is no different than not using any encryption at all.

If you don't care about FIPS validation then the SHA256Managed is fine.

Everything that ends in Cng stands for "Crytographic API: Next Generation" which refers to the newer protocols that the US government calls Suite B cryptographic algorithms, but regardless of .Net framework version there is no support prior to Vista/Server 2008).

So use the algorithm and implementation that is appropriate for what you're protecting. You will be limited by which .Net framework version you're using, which operating system(s) your code runs on, and whether you need to use FIPS 140-2/140-3 (coming in 2011) validated module(s). If there isn't a supported .Net Framework class for the combination you need, there are 3rd party modules available, and you can also drop down and use the unmanaged CAPI if needed.

If you have insomnia, you can find a cure at http://csrc.nist.gov/groups/STM/cmvp/standards.html#02