3

What is the difference between Security.Cryptography.HMACSHA256.Create() and Security.Cryptography.KeyedHashAlgorithm.Create("HmacSHA256")?

Improve this question
1
  • Heh, good one. Could be part of a riddle book for C# or an obfuscated C# contest :) Commented Sep 5, 2015 at 15:19

2 Answers 2

Reset to default
5

First, about Security.Cryptography.HMACSHA256.Create() --

Create method is the method of HMAC class, from which HMACSHA256 is derived. In short:

public class HMACSHA256 : HMAC {
...
}

where HMAC is defined as:

public abstract class HMAC : KeyedHashAlgorithm {
    new static public HMAC Create () {
        return Create("System.Security.Cryptography.HMAC");
    }

    new static public HMAC Create (string algorithmName) {
        return (HMAC) CryptoConfig.CreateFromName(algorithmName);
    }
    ...
}

Second, about Security.Cryptography.KeyedHashAlgorithm.Create("HmacSHA256")

public abstract class KeyedHashAlgorithm : HashAlgorithm { 
    new static public KeyedHashAlgorithm Create(String algName) {
        return (KeyedHashAlgorithm) CryptoConfig.CreateFromName(algName);    
    }
    ...
}

As you can see, both calls result in calling CryptoConfig.CreateFromName method, but with different parameter values, i.e., System.Security.Cryptography.HMAC in first case, and HmacSHA256 in second case. Internally, there are some tables and reflection logic inside CryptoConfig.CreateFromName method.

The result of first call is SHA1 hash, and the result of second call is SHA256.

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Thanks! So why is it that the classes HMACSHA256 and HMACSHA1 both return SHA1 hashes?
@chaaru Because CryptoConfig.CreateFromName doesn't know anything about SHA256, it receives System.Security.Cryptography.HMAC as input and thus it creates default one for HMAC algorithm, which is SHA1.
Heh, in Java you would get a (configurable) warning or error if you could call Create without specifying the declaring class. Isn't that also the case in the VisualStudio IDE and command line compilers for .NET? This sounds like a recipe for failure to me.
@MaartenBodewes I couldn't force compiler to generate warning for that. The only thing in VS2015 is that it offers to simplify HMACSHA256.Create to HMAC.Create.
That's at least something I suppose. Thanks for checking this out; hopefully that will prevent others from having to search for the same option. If anybody is writing static code analyzers for C#; this one should be in there.
0

Nothing. Security.Cryptography.KeyedHashAlgorithm.Create("HmacSHA256") (reference source) uses reflection to lookup Security.Cryptography.HMACSHA256.

Improve this answer

1 Comment

This would probably be the case if the HMACSHA256 class did "override" the static Create method.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.