views:

536

answers:

7

(Re-written question, please see history for original).

The question is right there in the title.

Why is there no managed MD5 implementation in the .NET framework?

I'm specifically talking about a purely managed code implementation of the MD5 algorithm, which does not exist within the .NET framework.

Within the System.Security.Cryptography namespace, I am aware of the MD5 abstract base class (which has to be inherited and can't be used as is), and I'm also aware of MD5CryptoServiceProvider and MD5CNG which both provide implementations from the OS's underlying CSP (Crypto Service Provider) and CNG (Cryptography Next Generation) providers respectively, however, both of these implementations are unmanaged code.

UPDATE ON ANSWERS:
I appreciate that, whilst there should be "one true answer" to this question, we (the SO community) may not know it unless a Microsoft framework designer (or someone who knows one directly) is part of this community, however, many people have offered very reasonable "educated guesses" as to the thinking that went into omitting a managed MD5 implementation from the framework, however, I'm still curious to know if anyone does know the "real" answer to this question.

+16  A: 

MD5CryptoServiceProvider has been in the .NET Framework from day one, actually:

byte[] hash = new MD5CryptoServiceProvider().
    ComputeHash(Encoding.ASCII.GetBytes("Hello World!"));

Note that all .NET BCL classes which encapsulate hashing algorithms inherit from HashAlgorithm class, so these can be used polymorphically ...

public byte[] ComputeHash(byte[] buffer, HashAlgorithm hashAlgorithm)
{ ...

...and different implementations can be Dependency-Injected into your code:

public HashAlgorithm HashAlgorithm { get; set; }

EDIT

Aha, I see. The thing with MD5 (this is pure speculation) is that it's one of the most widely used hashing algorithms, and being such, its implementation is required to conform to certain standards -- more specifically, FIPS 140-1. See this for more info.

Anton Gogolev
-1 This is *not correct*. MD5CryptoServiceProvider is not a managed implementation.
Gabe Moothart
@Anton - Thanks for the edit. I appreciate it may be speculation on your behalf, but the .NET Security Blog link is exactly the kind of thing I was expecting from asking the question (short of MS's framework designer stumbling on this question! :)
CraigTP
+1  A: 

What are you talking about?

System.Security.Cryptography.MD5
System.Security.Cryptography.MD5CryptoServiceProvider

Joel Coehoorn
Wrong! MD5CryptoServiceProvider is NOT a *managed* implementation. Please see the edit to my question.
CraigTP
The distinction is pretty silly. Why bother if the OS already provides the functionality for you? Lots of things in .Net just call the underlying OS API directly.
Joel Coehoorn
@Joel - And what if you're targeting the MONO framework or a different OS? It's sometimes nice to know that all of the code of your application is entirely managed and running within the framework without reliance upon outside libraries. Sure, if you're on Windows the distinction more moot, however, I'm still curious as to why the managed implementation was omitted.
CraigTP
In this case, mono is irrelevant. A compliant implementation has to provide the functionality, but it doesn't matter where it comes from.
Joel Coehoorn
@Joel - Interesting... I've just checked the MONO docs and found that they have included a MD5CryptoServiceProvider class, but this uses a purely *managed code* implementation, rather than delegating the functionality to the OS/CSP! See here: http://www.go-mono.com/docs/index.aspx?tlink=35@ecma%3a1062%23MD5CryptoServiceProvider%2f
CraigTP
A: 

It's been there since the begining

// Create a new instance of the MD5CryptoServiceProvider object.
MD5 md5Hasher = MD5.Create();

// Convert the input string to a byte array and compute the hash.
byte[] data = md5Hasher.ComputeHash(Encoding.Default.GetBytes(input));

// Create a new Stringbuilder to collect the bytes
// and create a string.
StringBuilder sBuilder = new StringBuilder();

// Loop through each byte of the hashed data 
// and format each one as a hexadecimal string.
for (int i = 0; i < data.Length; i++)
{
    sBuilder.Append(data[i].ToString("x2"));
}

// Return the hexadecimal string.
string hexMD5hash = sBuilder.ToString();
monkey_p
Wrong! MD5.Create() internally creates an instance of the MD5CryptoServiceProvider (check it out in Reflector). MD5CryptoServiceProvider is NOT a *managed* implementation. Please see the edit to my question.
CraigTP
ok, after your edit, this is wrong
monkey_p
@monkey_p - To be fair, the question always did specify a *managed implementation*.
CraigTP
the MD5 class is managed :D
monkey_p
+4  A: 

Since I didn't design the framework, I can't say for sure, but I believe they probably didn't bother in order to discourage its use for security reasons. The CSP algorithms are always going to be faster than their managed counterparts, and I would think the main reason to use MD5 would be to compare files to check for duplicates (such as people uploading duplicate images to an image gallery), which you would want to calculate as quickly as possible, but you also wouldn't need to rely on the utmost security to achieve that.

It would be interesting to see a real answer though from someone who designed the language.

John Rasch
+1 This is the only real answer so far. The MSDN page for MD5CryptoServiceProvider has a note encouraging the use of a more modern hash, so I assume it was never a high enough priority to re-implement an algorithm they don't recommend. http://msdn.microsoft.com/en-us/library/system.security.cryptography.md5cryptoserviceprovider.aspx
Gabe Moothart
+1  A: 

MD5 is not suitable for any cryptographic or file verifying purpose except for possibly error detecting transmission errors. This is probably an effort to get people to move to better hashes like SHA-1 or preferable SHA-256.

http://www.mscs.dal.ca/~selinger/md5collision/

A: 

In .NET anything that ends in CryptoServiceProvider wraps the unmanaged Windows Crypto API. Anything that ends in Managed is written entirely in a managed language. link text

As other people stated you shouldn't use MD5 anymore. You should use SHA-256 which in .NET has a Managed implementation. You're good to go and trading up to a better algorithm. (EDIT) As MD5 is no longer kosher, there's little chance of this being updated in a later version of .NET to be entirely managed as you shouldn't be using it anymore anyways.

Hexxagonal
+3  A: 

This is entirely speculation based on reading many posts from various Microsoft bloggers (although not the particular person who made this decision). There is no managed MD5 implementation in the .NET framework because:

1) An implementation was already available from the unmanaged Windows Crypto API and they couldn't afford to, or more likely felt they had better things to do than, devote resources to implementing something that could already be wrapped from an underlying unmanaged implementation. More insight into why they might make this decision can be found by reading How many Microsoft employees does it take to change a lightbulb?, Minus 100 points (applies to the C# compiler but demonstrates the same mindset of spending resources where they do the most good), Why Doesn't C# Implement "Top Level" Methods? (another look at the resources required for a single feature) and features don't exist by default (linked from here). None of these answers the specific question, but they all demonstrate that writing new code requires a lot of resources, resources that may be better spent elsewhere. You can argue that wrapping the underlying unmanaged code still requires resources, but I don't think there is any doubt that there would be net savings by not re-writing code which is already available, tested, and working.

2) Later, or possibly near the same time, research proved the feasibility of collision attacks against MD5. At that point, the already high bar to having MD5 re-written in managed code probably got even higher. Once the Security Development Lifecycle dictated don't use banned crypto I can imagine a managed version of MD5 would be the last thing they would devote resources to.

Although my answer is entirely speculation, it is not difficult to understand that even Microsoft has limited resources and a large list of features they would like to include. Choices have to be made and those decisions will almost always affect a certain segment of developers.

In closing, you said yourself that there are 3rd party MD5Managed classes, or you could always roll your own. A managed version of MD5 might be a "five minute feature", but if it really is, then as programmers we can write it ourselves.

Grant Wagner
@Grant - Although I appreciate this is speculation (as you state by your own admission), this answer is very helpful and provides great insight. +1 Thank you.
CraigTP