Arno van der Meer Arno van der Meer - 2 months ago 13x
C# Question

Difference between SHA256CryptoServiceProvider and SHA256Managed

The .Net

class is supported in all framework versions while the
class is only supported from framework 3.5 and above.

Why is the
introduced ? It seems to do the same as the
class, but the latter performs better.

What am I missing and why should I use the


It has nothing to do with performance - SHA256CryptoServiceProvider uses the FIPS 140-2 validated (FIPS = Federal Information Processing Standards) Crypto Service Provider (CSP) while SHA256Managed does not. SHA256Managed is a pure managed implementation while SHA256CryptoServiceProvider does presumably the same thing but wraps the CryptoAPI.

This has big ramifications if you're going to operate on US federal or many state government systems as it is a requirement for software vendors. In the eyes of NIST, using a non-FIPS validated cryptographic module, like the SHA256Managed implementation, is no different than not using any encryption at all.

If you don't care about FIPS validation then the SHA256Managed is fine.

Everything that ends in Cng stands for "Crytographic API: Next Generation" which refers to the newer protocols that the US government calls Suite B cryptographic algorithms, but regardless of .Net framework version there is no support prior to Vista/Server 2008).

So use the algorithm and implementation that is appropriate for what you're protecting. You will be limited by which .Net framework version you're using, which operating system(s) your code runs on, and whether you need to use FIPS 140-2/140-3 (coming in 2011) validated module(s). If there isn't a supported .Net Framework class for the combination you need, there are 3rd party modules available, and you can also drop down and use the unmanaged CAPI if needed.

If you have insomnia, you can find a cure at