Difference between SHA256CryptoServiceProvider and SHA256Managed

Question

The .Net SHA256Managed class is supported in all framework versions while the SHA256CryptoServiceProvider class is only supported from framework 3.5 and above.

Why is the SHA256CryptoServiceProvider introduced ? It seems to do the same as the SHA256Managed class, but the latter performs better.

What am I missing and why should I use the SHA256CryptoServiceProvider?

Answer 1

It has nothing to do with performance - SHA256CryptoServiceProvider uses the FIPS 140-2 validated (FIPS = Federal Information Processing Standards) Crypto Service Provider (CSP) while SHA256Managed does not. SHA256Managed is a pure managed implementation while SHA256CryptoServiceProvider does presumably the same thing but wraps the CryptoAPI.

This has big ramifications if you're going to operate on US federal or many state government systems as it is a requirement for software vendors. In the eyes of NIST, using a non-FIPS validated cryptographic module, like the SHA256Managed implementation, is no different than not using any encryption at all.

If you don't care about FIPS validation then the SHA256Managed is fine.

Everything that ends in Cng stands for "Crytographic API: Next Generation" which refers to the newer protocols that the US government calls Suite B cryptographic algorithms, but regardless of .Net framework version there is no support prior to Vista/Server 2008).

So use the algorithm and implementation that is appropriate for what you're protecting. You will be limited by which .Net framework version you're using, which operating system(s) your code runs on, and whether you need to use FIPS 140-2/140-3 (coming in 2011) validated module(s). If there isn't a supported .Net Framework class for the combination you need, there are 3rd party modules available, and you can also drop down and use the unmanaged CAPI if needed.

If you have insomnia, you can find a cure at http://csrc.nist.gov/groups/STM/cmvp/standards.html#02