
I am currently using SHA256Managed in ASP.NET Core 3.1 and to be more secure, I would like to use the Hash512.

The Managed postfix suggests that one is managed code where the other is not.

Can someone please explain any concerns that one would need to consider when using unmanaged vs managed? Does the unmanaged one require any special deployment, e.g. in a Docker container, or have operating system requirements?

    // Namespaces these methods need.
    using System;
    using System.Security.Cryptography;
    using System.Text;

    // Hash the UTF-16 bytes of the string with SHA-512 and return the digest as Base64.
    // Decoding the raw digest bytes with Encoding.Unicode.GetString (as originally written)
    // is lossy, because an arbitrary byte sequence is not valid UTF-16, so the result
    // could not be compared or stored reliably.
    private string Hash512(string str) {
        var message = Encoding.Unicode.GetBytes(str);
        using (var hash = SHA512.Create()) {
            var hashValue = hash.ComputeHash(message);
            return Convert.ToBase64String(hashValue);
        }
    }

    public string Hash256(string str)
    {
        var message = Encoding.Unicode.GetBytes(str);
        using (var hash = new SHA256Managed())
        {
            var hashValue = hash.ComputeHash(message);
            return Convert.ToBase64String(hashValue);
        }
    }
Sedat Kapanoglu
Wayne

1 Answer


(I originally marked this as a duplicate of Difference between SHA256CryptoServiceProvider and SHA256Managed - however this question is specifically in the context of ASP.NET Core 3.x which isn't the same as the linked question (.NET Framework on Windows).)

You're conflating two different things:

  • SHA256 represents the 256-bit flavor of the SHA-2 cryptographic hashing function, while SHA256Managed, SHA256CryptoServiceProvider and SHA256Cng are its implementations.

  • SHA512 represents the 512-bit flavor of the SHA-2 cryptographic hashing function, while SHA512Managed, SHA512CryptoServiceProvider and SHA512Cng are its implementations.

The differences between the 256-bit and 512-bit versions of SHA-2 are documented on Wikipedia. Note that .NET does not support the 224-bit version, but does support the 256, 384 and 512-bit versions.

Regarding the differences between SHA{bits} (the interface) and SHA{bits}Managed, SHA{bits}CryptoServiceProvider and SHA{bits}Cng:

  • The .NET Framework and .NET Core support multiple different implementations of the same hashing algorithms; this can be because some implementations may be hardware accelerated, provided by the operating system, or implemented entirely in C#/managed code.
  • SHA256 is an abstract base class that defines the interface of all implementations of the SHA-2 (256-bit) hashing function. Ditto SHA512 for the SHA-2 (512-bit) function.
  • SHA256Managed (and SHA512Managed) are 100% C#/managed-code implementations that do run slowly compared to native or OS-provided implementations. This is the only implementation provided that's built into .NET Core.
  • SHA256CryptoServiceProvider and SHA256Cng are OS-provided implementations that may be used for faster performance or for FIPS compliance (as SHA256Managed is not FIPS compliant). If you don't know if you need to worry about FIPS compliance then you probably don't need to worry about it (i.e. unless you're working for the US federal government or your company's legal team has informed you of your project's regulatory compliance requirements).
    • Additionally, SHA256CryptoServiceProvider and SHA256Cng are not built into .NET Core, only .NET Framework.
  • The SHA256.Create() method is a factory method that is meant to return the "best" implementation for the current platform - in .NET Core it always returns an instance of SHA256Managed.
mhu
Dai
  • Dear Dai, if I am not reading incorrectly, the .Net Core repository on GitHub says otherwise about the SHA256Managed and SHA512Managed classes. The SHA512Managed class has a fully managed implementation for .Net Framework, yes, but for [.Net Core](https://github.com/dotnet/runtime/blob/master/src/libraries/System.Security.Cryptography.Algorithms/src/System/Security/Cryptography/SHA512Managed.cs), it seems like it is always linking to the native implementation, which on Windows is bcrypt – Oguz Ozgul Apr 07 '20 at 00:56
  • Thanks for sharing Dai, explained very well. – Wayne Apr 07 '20 at 01:33
  • @OguzOzgul `bcrypt` has nothing to do with SHA at all. bcrypt is not a part of the .NET Framework or .NET Core either - where are you seeing that? As for `SHA512Managed` not being fully-managed - it does seem that things are changing with the upcoming ".NET 5" release. I maintain the information in my answer is correct as far as .NET Core 3.0 and .NET Framework 4.8 are concerned. – Dai Apr 07 '20 at 01:36
  • In the link in my comment (.Net Core source code, SHA512Managed.cs). `-> HashProviderDispenser -> HashProviderCng -> Interop.BCrypt.BCryptCreateHash()` – Oguz Ozgul Apr 07 '20 at 01:41
  • @OguzOzgul Interesting. I don't have an explanation for that, sorry. It might be an attempt to be backwards-compatible? – Dai Apr 07 '20 at 02:21
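The answer and the comment thread disagree about which concrete class `SHA256.Create()` and `SHA512.Create()` hand back on .NET Core. The following C# console program is an added example (not code from the question, the answer, or the .NET runtime) that settles this empirically on whatever runtime you actually deploy to: it hashes through the abstract `SHA256`/`SHA384`/`SHA512` base classes, reports the runtime type name of the object each factory returned, and renders the digest as hex instead of decoding raw digest bytes as text. It assumes UTF-8 as the text encoding (the question uses `Encoding.Unicode`; either is fine as long as every party hashing the same string agrees) and uses only APIs present in .NET Core 3.1; `ShaDemo`, `HexDigest` and `ImplementationName` are names chosen for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the question or answer above.
// Hashes a string through the abstract SHA-2 base classes via their Create()
// factories, shows which concrete implementation the running .NET platform
// returned, and encodes the digest as hex rather than decoding bytes as text.
public static class ShaDemo
{
    // Returns the lowercase hex digest of 'input' for the algorithm produced by
    // 'hashFactory' (whichever SHA{bits}.Create() the caller passes in).
    public static string HexDigest(Func<HashAlgorithm> hashFactory, string input)
    {
        // Encode the text deterministically. UTF-8 is an assumption of this example;
        // a different encoding yields different bytes and therefore a different hash.
        byte[] message = Encoding.UTF8.GetBytes(input);
        using (HashAlgorithm hash = hashFactory())
        {
            byte[] digest = hash.ComputeHash(message);
            // Hex is lossless and comparable; Encoding.*.GetString on digest bytes is not.
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // Reports the runtime type behind the abstract base class, so you can see what
    // the factory really returns on this platform (e.g. inside your Docker image)
    // instead of assuming it is SHA{bits}Managed or an OS-backed wrapper.
    public static string ImplementationName(Func<HashAlgorithm> hashFactory)
    {
        using (HashAlgorithm hash = hashFactory())
        {
            return hash.GetType().FullName;
        }
    }

    public static void Main()
    {
        const string sample = "hello";  // constructed input for the demonstration

        var algorithms = new (string Name, Func<HashAlgorithm> Factory)[]
        {
            ("SHA256", () => SHA256.Create()),
            ("SHA384", () => SHA384.Create()),
            ("SHA512", () => SHA512.Create()),
        };

        foreach (var (name, factory) in algorithms)
        {
            Console.WriteLine($"{name}: implementation = {ImplementationName(factory)}");
            Console.WriteLine($"  digest(\"{sample}\") = {HexDigest(factory, sample)}");
        }
    }
}
```

Running this inside the container image you ship is the direct check for the deployment question in the post: the printed type name tells you whether the hash object is the managed class or an OS-backed wrapper on that runtime, and the hex digest of a known input can be compared against a published SHA-2 test vector to confirm that every implementation computes the same function regardless of which class sits behind the abstract base.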