
I'm relatively new to C# so please bear with me. I understand the basic difference between managed and unmanaged code. But I'm still a bit confused when to use some methods.

For instance what does the word "Managed" mean in some class name endings. Does it mean that they are managed and all others aren't? For example what is the difference between Aes and AesManaged or SHA512 and SHA512Managed? I know that you can't derive from Managed classes, but that is all that I know.

Also when should one use "Managed" classes, for instance when to choose Aes over AesManaged?

(I already read about the basics of managed code on Wikipedia (here) and also found a nice explanation about the basics of managed code (here).)

Thank you for your time and answers.

Ben

  • "I know that you can't derive from Managed classes" - That is not correct. It might be true that the specific classes that you have seen with "Managed" in their names happen to be marked as `sealed` so that they can't be derived, but that has nothing to do with them being managed or having "Managed" in their names. – Guffa May 01 '11 at 13:17
  • @Guffa Thanks for clearing this up for me. – Ben May 01 '11 at 13:20

4 Answers


There are two kinds of cryptography wrappers in .NET, the classes whose names end in Managed and those whose names end in CryptoServiceProvider. Only the CryptoServiceProvider versions are FIPS 140-1 certified. They are wrappers around native code that Microsoft submitted to the USA Department of Commerce, verifying that the algorithms meet the security requirements as outlined in this document. They also require the operating system to have these native libraries installed. FIPS compliance is a big deal whenever you contract with a USA government agency or any entity that stipulates that your code must be FIPS certified.

The Managed versions of the algorithms are written in managed code and don't have a dependency on the native crypto API libraries. They are not FIPS certified. There is a registry setting your customer can use that enforces FIPS compliance. The Managed classes will throw an exception in their constructor when it is turned on. More about that in this blog post.

Hans Passant

  • In fact, lack of the "Managed" suffix doesn't guarantee that only FIPS-certified modules are used. CryptoAPI modules are used indeed, but not all versions of them are certified. If one needs to use only FIPS-certified modules, he would need to check module versions (there's a list of certified modules with their versions somewhere on the MSDN site). – Eugene Mayevski 'Callback May 02 '11 at 06:59
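The behaviour Hans describes (the Managed classes refusing to construct once the machine-wide FIPS policy is switched on) can be observed and handled in code. The following is an added example, not code from the question or any answer; it assumes .NET Framework 4.x on Windows, where `CryptoConfig.AllowOnlyFipsAlgorithms` reflects the registry policy and `SHA512Managed` throws `InvalidOperationException` when that policy is enforced. The sample input string is constructed for the demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: pick a SHA-512 implementation that the current FIPS policy
// permits, and show what happens when a Managed class is used regardless.
static class FipsAwareHashing
{
    // Returns an implementation that will construct under the current policy.
    // SHA512.Create() performs a similar selection internally on .NET Framework;
    // the explicit branch here just makes the choice visible.
    public static SHA512 CreateSha512()
    {
        if (CryptoConfig.AllowOnlyFipsAlgorithms)
        {
            // Wrapper around the native CryptoAPI provider; allowed under the policy.
            return new SHA512CryptoServiceProvider();
        }
        // Pure managed implementation; fine when the policy is off.
        return new SHA512Managed();
    }

    // Hashes a UTF-8 string with whichever implementation the policy allows.
    public static string Sha512Hex(string text)
    {
        using (SHA512 sha = CreateSha512())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(text));
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // Reports whether the Managed class can be constructed on this machine.
    // Under an enforced FIPS policy the constructor throws; we do not swallow
    // anything else, because other exceptions mean something else is wrong.
    public static bool ManagedClassAllowed()
    {
        try
        {
            using (var managed = new SHA512Managed())
            {
                return true;
            }
        }
        catch (InvalidOperationException)
        {
            return false;
        }
    }

    public static void Main()
    {
        Console.WriteLine("FIPS policy enforced: " + CryptoConfig.AllowOnlyFipsAlgorithms);
        Console.WriteLine("SHA512Managed can be constructed: " + ManagedClassAllowed());
        // Constructed sample input for the demo.
        Console.WriteLine(Sha512Hex("constructed sample input"));
    }
}
```

Whether the policy is on or off, `Sha512Hex` produces the same digest, because both classes implement the same algorithm; only the implementation behind the abstract `SHA512` type changes. Note Eugene's caveat above: the CryptoServiceProvider class delegating to CryptoAPI does not by itself prove that the installed module version is a certified one.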

Have a look at the Remarks section:

This is an abstract class. The only implementation of this class is SHA512Managed.

Meaning, SHA512 (and any other combination of Method and MethodManaged) is just a base class describing a contract any implementor has to fulfil; in itself it doesn't have functionality.

In the case of SHA512Managed, there is just one implementation - the managed one. There could be others using an implementation in C or C++.

Femaref

  • Yes, I know, but you can write "Aes aes = Aes.Create();" or "AesManaged aesManaged = AesManaged.Create();". I still don't seem to see the difference – Ben May 01 '11 at 13:18
  • What you care about is the Aes class, it has the method you need. Aes.Create() gives you back some concrete instance of Aes, perhaps it gives you an instance of AesManaged, perhaps it instantiates another class - you don't need to care. AesManaged.Create() creates an instance of the specific AesManaged class, which you shouldn't need to do (read up on the Factory pattern). – nos May 01 '11 at 13:23
  • In .NET 4 there is also `SHA512Cng` and `SHA512CryptoServiceProvider`, the latter of which is FIPS compliant. –  May 01 '11 at 13:24
  • Interesting, they didn't change the docs then. My information was from the .NET 4.0 page of `SHA512`. – Femaref May 01 '11 at 13:39
  • @Ben @nos: Actually those both call the `Aes.Create` factory method. The fact that it's available as `AesManaged.Create` as well is an artifact caused by the fact that the factory also serves as the base class. – Matti Virkkunen May 01 '11 at 14:33

In the case of those classes, SHA512 is both a factory for creating SHA512 implementations and the base class for the implementations, and SHA512Managed is one such implementation written in managed code (think C#). I took a look and the libraries seem to come with other implementations as well, including at least one that uses native Windows APIs.

Matti Virkkunen
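Femaref's answer, nos's comment and Matti's answer all make the same point: write code against the abstract base class and let its factory method choose the implementation. The following is an added example, not code from any answer; it assumes .NET Framework 4.x on Windows, where `SHA512Managed` and `SHA512CryptoServiceProvider` both exist. The sample input bytes are constructed for the demo.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example: code against the contract (SHA512, Aes), not a concrete class.
static class FactoryDemo
{
    // The caller never names a concrete implementation; SHA512.Create() is the
    // factory living on the base class, as the answers describe.
    public static byte[] Sha512(byte[] data)
    {
        using (SHA512 sha = SHA512.Create())
        {
            return sha.ComputeHash(data);
        }
    }

    // Demonstrates that the implementations are interchangeable: same
    // algorithm, same digest, only the code behind it differs.
    // (Under an enforced FIPS policy the Managed constructor throws, so this
    // check only runs where the policy is off.)
    public static bool ImplementationsAgree(byte[] data)
    {
        byte[] fromManaged;
        byte[] fromNative;
        using (var managed = new SHA512Managed())
        {
            fromManaged = managed.ComputeHash(data);
        }
        using (var csp = new SHA512CryptoServiceProvider())
        {
            fromNative = csp.ComputeHash(data);
        }
        return fromManaged.SequenceEqual(fromNative);
    }

    // Returns the concrete type the factory handed back, so you can see the
    // selection without depending on it.
    public static string ConcreteAesType()
    {
        using (SymmetricAlgorithm aes = Aes.Create())
        {
            return aes.GetType().FullName;
        }
    }

    public static void Main()
    {
        // Constructed sample input for the demo.
        byte[] sample = Encoding.UTF8.GetBytes("constructed sample input");

        Console.WriteLine("Aes.Create() returned: " + ConcreteAesType());
        Console.WriteLine("SHA-512: " + BitConverter.ToString(Sha512(sample)).Replace("-", ""));
        Console.WriteLine("Managed and CryptoServiceProvider agree: " + ImplementationsAgree(sample));
    }
}
```

Only `ImplementationsAgree` names concrete classes, and only to prove the point; application code should look like `Sha512`, which keeps working if the platform or policy changes which implementation the factory returns.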

There are two versions of many crypto classes; one provides a managed implementation (written entirely in C#), while the other uses the operating system's native crypto APIs for the same algorithm.

Gabe