Cryptography in .NET framework

Posted on 16 Jun 2009, 07:14 UTC under cryptography .net

Cryptography is a vast subject. It's true that "the devil is in the details", but the devil is at his best when it comes to cryptography. When you start learning encryption, hashing and signing, for most of the initial phase you learn just one thing: "you know very little about it". Don't even consider me, when some exceptional programmers make serious mistakes.

I managed to avoid cryptography for most of my 4-year programming career, but it eventually hit me in my last project. And it hit me hard. I had to go through quite a few concepts and use them in a real project. The fact that I was starting from the basics made it worse.

When I started learning about some of the basic concepts, I started playing with those concepts using the .NET Framework library. I was pleased to see that it has good support for cryptography.

I was wrong! .NET support of cryptography is too good.

Why? For the following reasons:

  1. The .NET Framework has multiple implementations of almost every algorithm.
  2. The availability of an algorithm depends not only on the framework version you are using but also on the operating system.

Sometimes more is less

I use Visual Studio 2008 on a Windows Vista machine, so I faced little problem using any algorithm, but when I proudly demoed my application to my friend, who happened to be using Windows XP, my application simply crashed. I started exploring the MSDN documentation about the support of algorithms, and it was not long before I started to lose track of things. After digging a bit, I found out that there are three types of implementations:

  1. Managed: These are the classes that have the "Managed" suffix (e.g. SHA512Managed, AesManaged). As the name suggests, these classes are fully managed implementations of cryptographic algorithms.
  2. CryptoServiceProvider: These are the classes that end with "CryptoServiceProvider" (e.g. SHA512CryptoServiceProvider, DESCryptoServiceProvider). These classes are just managed wrappers around the cryptographic service provider libraries (also known as CryptoAPI).
  3. CNG: These classes end with "Cng", which means "Cryptography Next Generation" (e.g. SHA512Cng, ECDiffieHellmanCng). It is the strategic replacement for CryptoAPI.

What makes it more confusing is:

  1. Not every algorithm has an implementation of all three types. For example, SHA1 has all three implementations (SHA1Managed, SHA1CryptoServiceProvider, SHA1Cng), whereas MD5 has only two (MD5Cng, MD5CryptoServiceProvider).
  2. For a given type, the implementations of some algorithms are available in one framework version and others in a different one. For example, MD5CryptoServiceProvider is available in all framework versions, but SHA512CryptoServiceProvider is available only in Framework 3.5.

Here is the complete table containing details of each algorithm:

| Class | Size (bits) | Supported on (Windows 98, 2000, XP, Vista, 7; Server 2000, 2003, 2008; Framework 1.0, 1.1, 2.0, 3.0, 3.5) |
|---|---|---|
| MD5CryptoServiceProvider | 128 bits | y y y y y y y y y y y y y |
| MD5Cng | 128 bits | y y y y |
| SHA1CryptoServiceProvider | 160 bits | y y y y y y y y y y y y y |
| SHA1Managed | 160 bits | y y y y y y y y y y y y y |
| SHA1Cng | 160 bits | y y y y |
| SHA256CryptoServiceProvider | 256 bits | y y y y y |
| SHA256Managed | 256 bits | y y y y y y y y y y y y y |
| SHA256Cng | 256 bits | y y y y |
| SHA384CryptoServiceProvider | 384 bits | y y y y y |
| SHA384Managed | 384 bits | y y y y y y y y y y y y y |
| SHA384Cng | 384 bits | y y y y |
| SHA512CryptoServiceProvider | 512 bits | y y y y y |
| SHA512Managed | 512 bits | y y y y y y y y y y y y y |
| SHA512Cng | 512 bits | y y y y |
| Symmetric Encryption | | |
| DESCryptoServiceProvider | Block: 64; Key: 64 | y y y y y y y y y y y y y |
| TripleDESCryptoServiceProvider | Block: 64; Key: 128, 192 | y y y y y y y y y y y y y |
| AesCryptoServiceProvider | Block: 128; Key: 128-256 (+64) | y y y y y y |
| AesManaged | Block: 128; Key: 128-256 (+64) | y y y y y y |
| Asymmetric Encryption | | |
| ECDiffieHellmanCng | Key: 256, 384, 521 | y y y y |
| RSACryptoServiceProvider | Key: 384-16384 (+8) | y y y y y y y y y y y y y |
| Digital Signature | | |
| DSACryptoServiceProvider | Key: 512-1024 (+64) | y y y y y y y y y y y y y |
| RSAPKCS1SignatureFormatter | Key: 384-16384 (+8) | y y y y y y y y y y y y y |
| ECDsaCng | Key: 256, 384, 521 | y y y y |
| Random Number Generator | | |
| RNGCryptoServiceProvider | | y y y y y y y y y y y y y |


  1. All Cng implementations are relatively new, so if you are planning to run your application on Windows XP (which is quite likely), don't use the Cng classes.
  2. Use the CryptoServiceProvider implementation for MD5.
  3. Use the Managed implementation for SHAx.
  4. No AES implementation is available in the .NET Framework if you also target Windows 2000.
  5. RSA is the only choice for asymmetric encryption (public key encryption) if you are willing to use .NET Framework 2.0 or Windows XP. You have the option of external libraries though!
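
The crash on Windows XP described above comes from constructing a class whose underlying provider is missing on that operating system. The following is an added example, not code from the original post: it probes the three SHA-512 implementation types in turn and falls back when a constructor throws PlatformNotSupportedException. The names PortableHash and CreateSha512 are hypothetical, and the code assumes a project targeting .NET Framework 3.5 with a reference to System.Core.

```csharp
// Added example; PortableHash and CreateSha512 are hypothetical names.
using System;
using System.Security.Cryptography;
using System.Text;

static class PortableHash
{
    // Ordered by preference. Each constructor can fail at run time on an
    // operating system that lacks the underlying provider.
    static readonly Func<HashAlgorithm>[] Sha512Candidates =
    {
        () => new SHA512Cng(),                   // CNG
        () => new SHA512CryptoServiceProvider(), // CryptoAPI wrapper
        () => new SHA512Managed()                // fully managed code
    };

    public static HashAlgorithm CreateSha512()
    {
        foreach (Func<HashAlgorithm> create in Sha512Candidates)
        {
            try
            {
                return create();
            }
            catch (PlatformNotSupportedException)
            {
                // Provider missing on this OS: try the next candidate.
            }
        }
        throw new PlatformNotSupportedException("No SHA-512 implementation is available.");
    }

    static void Main()
    {
        // Constructed sample input, used only to show which class was chosen.
        byte[] data = Encoding.UTF8.GetBytes("constructed sample input");
        using (HashAlgorithm sha = CreateSha512())
        {
            byte[] digest = sha.ComputeHash(data);
            Console.WriteLine("{0}: {1}", sha.GetType().Name,
                BitConverter.ToString(digest).Replace("-", ""));
        }
    }
}
```

All three classes compute the same SHA-512 digest, so the fallback changes only which implementation runs, not the output.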