Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
201 views
in Technique[技术] by (71.8m points)

c# - Difference between SHA256CryptoServiceProvider and SHA256Managed

The .Net SHA256Managed class is supported in all framework versions while the SHA256CryptoServiceProvider class is only supported from framework 3.5 and above.

Why is the SHA256CryptoServiceProvider introduced? It seems to do the same as the SHA256Managed class, but the latter performs better.

What am I missing and why should I use the SHA256CryptoServiceProvider?

Question from: https://stackoverflow.com/questions/3554882/difference-between-sha256cryptoserviceprovider-and-sha256managed


1 Answer

0 votes
by (71.8m points)

It has nothing to do with performance - SHA256CryptoServiceProvider uses the FIPS 140-2 validated (FIPS = Federal Information Processing Standards) Crypto Service Provider (CSP) while SHA256Managed does not. SHA256Managed is a pure managed implementation while SHA256CryptoServiceProvider does presumably the same thing but wraps the CryptoAPI.

This has big ramifications if you're going to operate on US federal or many state government systems as it is a requirement for software vendors. In the eyes of NIST, using a non-FIPS validated cryptographic module, like the SHA256Managed implementation, is no different than not using any encryption at all.

If you don't care about FIPS validation then the SHA256Managed is fine.

Everything that ends in Cng stands for "Cryptographic API: Next Generation" which refers to the newer protocols that the US government calls Suite B cryptographic algorithms, but regardless of .Net framework version there is no support prior to Vista/Server 2008.

So use the algorithm and implementation that is appropriate for what you're protecting. You will be limited by which .Net framework version you're using, which operating system(s) your code runs on, and whether you need to use FIPS 140-2/140-3 (coming in 2011) validated module(s). If there isn't a supported .Net Framework class for the combination you need, there are 3rd party modules available, and you can also drop down and use the unmanaged CAPI if needed.

If you have insomnia, you can find a cure at http://csrc.nist.gov/groups/STM/cmvp/standards.html#02
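
An added example (not part of the original answer or of any Microsoft sample) that hashes one constructed input with the three SHA-256 classes named in this thread and reports which of them the current OS and FIPS policy allow. The class name `Sha256ImplementationCheck` and the sample input are assumptions; it targets .NET Framework 3.5 or later on Windows.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class Sha256ImplementationCheck   // hypothetical name, not from the page
{
    // Returns the hex digest, or null when the class cannot be constructed
    // under the current OS / FIPS policy (the reason is written to stdout).
    static string TryHash(string name, Func<HashAlgorithm> create, byte[] data)
    {
        try
        {
            using (HashAlgorithm h = create())
            {
                string hex = BitConverter.ToString(h.ComputeHash(data)).Replace("-", "");
                Console.WriteLine("{0,-28} {1}", name, hex);
                return hex;
            }
        }
        catch (Exception ex)
        {
            // .NET Framework 4.7.2 and earlier: SHA256Managed refuses to construct
            // when the FIPS-only policy is on. The CSP/CNG wrappers fail on an OS
            // that lacks the underlying provider.
            Console.WriteLine("{0,-28} unavailable: {1}", name, ex.GetType().Name);
            return null;
        }
    }

    static void Main()
    {
        byte[] data = Encoding.UTF8.GetBytes("constructed sample input");
        Console.WriteLine("FIPS-only policy: " + CryptoConfig.AllowOnlyFipsAlgorithms);

        string[] digests =
        {
            TryHash("SHA256Managed", () => new SHA256Managed(), data),
            TryHash("SHA256CryptoServiceProvider", () => new SHA256CryptoServiceProvider(), data),
            TryHash("SHA256Cng", () => new SHA256Cng(), data),
        };

        // Every implementation that loaded must agree: they differ in validation
        // status and platform support, not in the digest they produce.
        string reference = Array.Find(digests, d => d != null);
        bool allAgree = Array.TrueForAll(digests, d => d == null || d == reference);
        Console.WriteLine("All available implementations agree: " + allAgree);
    }
}
```

Running it once with the Windows FIPS policy off and once with it on shows which classes a deployment on a FIPS-enforcing host can rely on.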

