23

I found two class in C# related to AES, and example code of them MSDN provides are similar, what is the difference between these two classes?

Aes Class

https://msdn.microsoft.com/en-us/library/system.security.cryptography.aes(v=vs.110).aspx

AesManaged Class

https://msdn.microsoft.com/en-us/library/system.security.cryptography.aesmanaged(v=vs.110).aspx

yu yang Jian
  • 6,680
  • 7
  • 55
  • 80

3 Answers3

25

System.Security.Cryptography.Aes is an abstract class, representing merely the concept of AES-ness. AesManaged, AesCryptoServiceProvider, and AesCng are concrete implementations of AES in managed code, using Windows CAPI, and using Windows CNG (respectively). (On .NET Core that's a lie: AesManaged and AesCryptoServiceProvider both just use a automagic hidden class which uses Windows CNG, macOS Security.framework, or OpenSSL, as available)

If you're unclear on which one you want, you want to create an instance via Aes.Create() and only use the base type. The only real exception is when using AesCng with a named key (which is very rare).

bartonjs
  • 30,352
  • 2
  • 71
  • 111
  • I'm getting trouble that some Azure instances are failing to decrypt what was encrypted, is there any platform, vm or .net versions impact on these functionality? – Juliyanage Silva Jun 15 '23 at 13:17
  • @JuliyanageSilva I think the `FeedbackSize` property is initialized differently in some situations, but that only applies if you're using `CipherMode.CFB`, otherwise they all should be the same across all versions and all OSes. – bartonjs Jun 15 '23 at 21:20
15

While I know there is already an accepted answer, which I felt was a good start, it left me wanting to understand more why there were several implementations of Aes in .Net that all seemed to do the same thing. So, I decided to dig in a little deeper.

As mentioned the Aes class is an abstract class, so you cannot new up an implementation of this class only call the “Create” static method. This static method creates an implementation of AES based on the CryptoConfig settings, which as best as I can tell allows you to specify specific implementations in the machine config otherwise it defaults to giving you the AesCryptoServiceProvider.

The AesCryptoServiceProvider will in turn provide you with the native Cryptographic Application Programming Interfaces (CAPI) handle.

AesManaged uses one key piece of information to determine which implementation to give you and that is the AllowOnlyFipsAlgorithms flag. According to documentation it “indicates whether the runtime should enforce the policy to create only Federal Information Processing Standard (FIPS) certified algorithms”. If it’s true then you get AesCryptoServiceProvider otherwise RijndaelManaged.

Lastly, not mentioned in the original post is the AesCng. According to Microsoft CNG is the “next generation” of the CAPI that is geared toward cloud usage scenarios.

webwires
  • 2,572
  • 3
  • 26
  • 44
3

AES is the abstract base class while AESManaged is a managed implementation of AES based upon Rijndael symmetric algorithm with a fixed block size and iteration count.

Travis Acton
  • 4,292
  • 2
  • 18
  • 30