What is the difference between Aes and AesManaged
System.Security.Cryptography.Aes is an abstract class, representing merely the concept of AES-ness. AesManaged, AesCryptoServiceProvider, and AesCng are concrete implementations of AES in managed code, using Windows CAPI, and using Windows CNG (respectively). (On .NET Core that's a lie: AesManaged and AesCryptoServiceProvider both just use an automagic hidden class which uses Windows CNG, macOS Security.framework, or OpenSSL, as available.)
If you're unclear on which one you want, you want to create an instance via Aes.Create() and only use the base type. The only real exception is when using AesCng with a named key (which is very rare).
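Here is what the "Aes.Create() and only the base type" advice looks like in practice, as an added example that is not part of either answer: it assumes .NET Core 3.0+ (C# 8 `using` declarations), uses CBC with a fresh random IV prepended to the ciphertext, and prints which concrete class the runtime actually handed back.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class AesDemo
{
    // Encrypt with AES-CBC under a fresh random IV; the IV is prepended to the ciphertext.
    // Note: CBC alone gives no integrity protection; pair it with a MAC in real systems.
    public static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        using Aes aes = Aes.Create();   // base type only; the runtime picks the implementation
        aes.Key = key;
        aes.GenerateIV();               // a new IV for every message under the same key
        using var ms = new MemoryStream();
        ms.Write(aes.IV, 0, aes.IV.Length);
        using (var cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
        {
            cs.Write(plaintext, 0, plaintext.Length);
        }                               // disposing the CryptoStream writes the final padded block
        return ms.ToArray();            // ToArray still works on a closed MemoryStream
    }

    public static byte[] Decrypt(byte[] key, byte[] ivAndCiphertext)
    {
        using Aes aes = Aes.Create();
        aes.Key = key;
        byte[] iv = new byte[aes.BlockSize / 8];
        Array.Copy(ivAndCiphertext, 0, iv, 0, iv.Length);
        aes.IV = iv;
        using var ms = new MemoryStream(ivAndCiphertext, iv.Length, ivAndCiphertext.Length - iv.Length);
        using var cs = new CryptoStream(ms, aes.CreateDecryptor(), CryptoStreamMode.Read);
        using var output = new MemoryStream();
        cs.CopyTo(output);
        return output.ToArray();
    }

    public static void Main()
    {
        byte[] key = new byte[32];      // AES-256; constructed sample key, not for real use
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        byte[] ct = Encrypt(key, Encoding.UTF8.GetBytes("constructed sample message"));
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(key, ct)));
        using Aes probe = Aes.Create();
        Console.WriteLine(probe.GetType().Name); // the concrete class the runtime chose
    }
}
```

Nothing in the calling code names AesManaged, AesCryptoServiceProvider or AesCng, so the same source works whichever implementation the platform or CryptoConfig selects.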
While I know there is already an accepted answer, which I felt was a good start, it left me wanting to understand more why there were several implementations of Aes in .Net that all seemed to do the same thing. So, I decided to dig in a little deeper.
As mentioned, the Aes class is an abstract class, so you cannot new up an implementation of this class; you can only call the “Create” static method. This static method creates an implementation of AES based on the CryptoConfig settings, which as best as I can tell allows you to specify specific implementations in the machine config; otherwise it defaults to giving you the AesCryptoServiceProvider.
The AesCryptoServiceProvider will in turn provide you with the native Cryptographic Application Programming Interfaces (CAPI) handle.
AesManaged uses one key piece of information to determine which implementation to give you and that is the AllowOnlyFipsAlgorithms flag. According to documentation it “indicates whether the runtime should enforce the policy to create only Federal Information Processing Standard (FIPS) certified algorithms”. If it’s true then you get AesCryptoServiceProvider otherwise RijndaelManaged.
Lastly, not mentioned in the original post is the AesCng. According to Microsoft CNG is the “next generation” of the CAPI that is geared toward cloud usage scenarios.