Contrary to what you may read elsewhere, you don’t need SHA256CryptoServiceProvider to create a FIPS-compliant SHA-256 hasher in .NET 4.6.2. You can continue to use RSACryptoServiceProvider, which has a number of other convenience methods on it (like

If you use RSACryptoServiceProvider today, you can pass in an instance of a new SHA1Managed() to hash the data with SHA-1. If you want to switch over to SHA-256 with FIPS compliance, you can’t use SHA256Managed (because it’s not FIPS-compliant). SHA256Cng is FIPS-compliant, but unmanaged (slower performance), and it doesn’t work with RSACryptoServiceProvider. (This is probably because RSACryptoServiceProvider doesn’t know about SHA-256 at all.)

You can read this Microsoft Connect issue about how to get this to work by specifying the OID for SHA-256 as a parameter to the RSACryptoServiceProvider. This is the only workable solution on .NET versions prior to 4.x. You can see another, similar example on Stack Overflow.

On 4.6.2 (I didn’t test on older versions), you actually don’t need this! If you can simply update your projects to the latest .NET, everything will work as you wish.

Also, I don’t suggest using SHA256.Create, because it can give you non-FIPS-compliant SHA hashers in certain situations. Using SHA256Cng is safer (it guarantees compliance).
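The two approaches described above (passing a SHA256Cng instance straight to RSACryptoServiceProvider on 4.6.2, and the older workaround of signing a precomputed digest while naming SHA-256 by its OID), written out as an added example. This is not code from the original post; it assumes .NET Framework 4.6.2 with a reference to System.Core (where SHA256Cng lives), and the class and method names (FipsSha256Signing, CreateSha2CapableKey, SignWithSha256Cng, SignWithSha256Oid) are the example's own. It deliberately avoids SHA256.Create() in line with the advice above.

```csharp
// Added example, not part of the original post.
// Signing and verifying with RSACryptoServiceProvider and a FIPS-compliant
// SHA-256 hasher on .NET Framework 4.6.2, plus the pre-4.6.2 OID fallback.
using System;
using System.Security.Cryptography;
using System.Text;

static class FipsSha256Signing
{
    // Hypothetical helper: creates a 2048-bit RSA key in a CSP that understands
    // SHA-2. Provider type 24 is PROV_RSA_AES ("Microsoft Enhanced RSA and AES
    // Cryptographic Provider"); the default PROV_RSA_FULL container rejects
    // SHA-256 in SignHash on older runtimes with "Invalid algorithm specified".
    public static RSACryptoServiceProvider CreateSha2CapableKey()
    {
        var csp = new CspParameters { ProviderType = 24 };
        return new RSACryptoServiceProvider(2048, csp);
    }

    // 4.6.2 path from the post: hand the provider a SHA256Cng instance, exactly
    // the way one would pass SHA1Managed for SHA-1. SHA256Cng is the FIPS-
    // compliant choice; SHA256Managed would throw under a FIPS policy.
    public static byte[] SignWithSha256Cng(RSACryptoServiceProvider rsa, byte[] data)
    {
        using (var sha256 = new SHA256Cng())
        {
            return rsa.SignData(data, sha256);
        }
    }

    public static bool VerifyWithSha256Cng(RSACryptoServiceProvider rsa, byte[] data, byte[] signature)
    {
        using (var sha256 = new SHA256Cng())
        {
            return rsa.VerifyData(data, sha256, signature);
        }
    }

    // Pre-4.6.2 fallback the post points at: compute the digest yourself, then
    // sign it while identifying SHA-256 by its OID (2.16.840.1.101.3.4.2.1).
    // CryptoConfig.MapNameToOID resolves the name so the OID is not hard-coded.
    public static byte[] SignWithSha256Oid(RSACryptoServiceProvider rsa, byte[] data)
    {
        byte[] digest;
        using (var sha256 = new SHA256Cng())
        {
            digest = sha256.ComputeHash(data);
        }
        string sha256Oid = CryptoConfig.MapNameToOID("SHA256");
        return rsa.SignHash(digest, sha256Oid);
    }

    public static bool VerifyWithSha256Oid(RSACryptoServiceProvider rsa, byte[] data, byte[] signature)
    {
        byte[] digest;
        using (var sha256 = new SHA256Cng())
        {
            digest = sha256.ComputeHash(data);
        }
        string sha256Oid = CryptoConfig.MapNameToOID("SHA256");
        return rsa.VerifyHash(digest, sha256Oid, signature);
    }

    static void Main()
    {
        // Whether the machine-wide FIPS policy is active; SHA256Cng works either way.
        Console.WriteLine("FIPS-only policy enabled: " + CryptoConfig.AllowOnlyFipsAlgorithms);

        // Constructed sample input.
        byte[] data = Encoding.UTF8.GetBytes("message to be signed (constructed sample)");

        using (RSACryptoServiceProvider rsa = CreateSha2CapableKey())
        {
            byte[] sigCng = SignWithSha256Cng(rsa, data);
            byte[] sigOid = SignWithSha256Oid(rsa, data);

            // Both paths produce an RSA PKCS#1 v1.5 signature over a SHA-256
            // DigestInfo, so each verifies through the other's verifier.
            Console.WriteLine("Cng signature verifies (Cng):   " + VerifyWithSha256Cng(rsa, data, sigCng));
            Console.WriteLine("OID signature verifies (Cng):   " + VerifyWithSha256Cng(rsa, data, sigOid));
            Console.WriteLine("Cng signature verifies (OID):   " + VerifyWithSha256Oid(rsa, data, sigCng));

            // Tampered input must fail verification.
            data[0] ^= 0x01;
            Console.WriteLine("Tampered data verifies:         " + VerifyWithSha256Cng(rsa, data, sigCng));
        }
    }
}
```

Build as a console project targeting .NET Framework 4.6.2 and run it; the first three verifications print True and the tampered one prints False. If you need to support runtimes older than 4.6.2 from the same code base, keep the SignWithSha256Oid path and the PROV_RSA_AES key container, since those are the parts the older RSACryptoServiceProvider actually needs.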