Which one to use: Managed vs. NonManaged hashing algorithms

离开以前 2021-01-01 14:03

In a regular C# application, which class should I use for hashing: xxxManaged or xxx (i.e. SHA1Managed vs SHA1), and why?

6 answers
  • 2021-01-01 14:17

    The *Managed versions are written using entirely Managed code, the *Provider versions are a wrapper around the APIs. So if you always use the managed versions, your code will be portable e.g. to Mono, but if you use the Provider version you'll be limited to Windows platforms.

  • 2021-01-01 14:19

    You should use the *Managed variants; they're usually faster.

    The *CryptoProvider and *CNG classes use native interop, and are usually slower.
    However, I've heard that they can use hardware crypto accelerators. (I haven't checked that)

    Also, the native versions are FIPS-certified; the managed versions aren't.

  • 2021-01-01 14:19

    Another difference between the Managed and the CNG Non-Managed versions is the supported .NET Framework version, e.g.:

    • for AES, the Managed version starts from 3.5, while the CNG from 4.6.2, and
    • for SHA512, Managed starts from 1.1 and Cng from 3.5.

    However, I believe that if we are not constrained by the framework version or to support legacy OS versions, we should use the CNG versions:

    • The hashing algorithms postfixed with Cng are the only ones that use bcrypt
    • The fact that it might take longer is actually an advantage as it protects from brute force attacks: on the user side 300ms or 3ms makes no difference, while for an attacker it is a 100-fold difference in magnitude!
  • 2021-01-01 14:27

    Managed classes are generally "safer" to use in .NET; they implement Framework-defined interfaces like IDisposable and ICryptoServiceProvider. However, they're a bit slower because of the managed component. You should use a managed class if you need to create and destroy these helpers at will, and/or if you need to implement interface-based design patterns.

    Unmanaged classes are generally faster (because they are pre-compiled to machine code), but can be difficult to work with. Destroying an instance of an unmanaged class can be problematic and sometimes impossible. You should use these if there isn't a managed wrapper that will do the same thing (as you'll likely end up implementing your own wrapper for the unmanaged class to handle instantiation, interop and destruction), or if the usage is a one-off.

  • 2021-01-01 14:28

    The Non-managed hashes which end in ***Cng, i.e. SHA256Cng, will also have platform restrictions. They are quite a bit faster than the managed alternatives, but will fail at runtime on Windows XP, for example. If you know your program will always be run on Windows 7, Vista SP1, or 2008, however, they will generally perform quite a bit better than the managed versions, even with the native interop overhead.

    If you're writing a general purpose program, the ***Managed classes will be easier to work with, as they will always work.

  • 2021-01-01 14:39

    Managed library is safer to use and does not incur the PInvoke overhead. Also for long-running applications (ASP.NET) where memory leaks can accumulate to bring down the server, managed is also preferable.

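The answers above disagree on speed and mention platform and FIPS limits, so the following added example (not code from any poster) hashes one constructed buffer with each SHA-256 implementation and reports which ones construct, how long they take, and whether the digests agree. It assumes .NET Framework 3.5 or later on Windows with a C# 6 compiler; the class name `HashImplComparison` is hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.Reflection;
using System.Security.Cryptography;

static class HashImplComparison // hypothetical name, not from the thread
{
    static void Main()
    {
        // Constructed sample input: 64 MiB of zero bytes.
        byte[] data = new byte[64 * 1024 * 1024];
        string[] names = { "SHA256Managed", "SHA256CryptoServiceProvider", "SHA256Cng", "SHA256.Create()" };
        Func<SHA256>[] factories =
        {
            () => new SHA256Managed(),               // pure managed code
            () => new SHA256CryptoServiceProvider(), // wrapper over CryptoAPI (CAPI)
            () => new SHA256Cng(),                   // wrapper over CNG
            () => SHA256.Create(),                   // whatever CryptoConfig maps "SHA256" to
        };
        string reference = null;
        for (int i = 0; i < names.Length; i++)
        {
            try
            {
                using (SHA256 sha = factories[i]())
                {
                    sha.ComputeHash(new byte[1]); // warm-up so JIT cost is not timed
                    Stopwatch sw = Stopwatch.StartNew();
                    string hex = BitConverter.ToString(sha.ComputeHash(data));
                    sw.Stop();
                    reference = reference ?? hex; // every implementation must agree
                    Console.WriteLine("{0,-28} {1,6} ms  digest matches: {2}",
                        names[i], sw.ElapsedMilliseconds, hex == reference);
                }
            }
            // Constructors can fail at run time: FIPS policy may reject the managed class
            // (wrapped in TargetInvocationException via Create()), and the CNG class
            // needs an OS that ships CNG.
            catch (Exception ex) when (ex is InvalidOperationException
                || ex is PlatformNotSupportedException || ex is TargetInvocationException)
            {
                Console.WriteLine("{0,-28} unavailable: {1}", names[i], ex.GetType().Name);
            }
        }
    }
}
```

Timings depend on the machine, framework version and build configuration, so run it as a Release build on the target environment before drawing conclusions.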