This documentation is archived and is not being maintained.

HMACSHA256 Class

Updated: May 2011

Computes a Hash-based Message Authentication Code (HMAC) using the SHA256 hash function.

Namespace:  System.Security.Cryptography
Assembly:  mscorlib (in mscorlib.dll)

public ref class HMACSHA256 : public HMAC

HMACSHA256 is a type of keyed hash algorithm that is constructed from the SHA-256 hash function and used as a Hash-based Message Authentication Code (HMAC). The HMAC process mixes a secret key with the message data, hashes the result with the hash function, mixes that hash value with the secret key again, and then applies the hash function a second time. The output hash is 256 bits in length.

An HMAC can be used to determine whether a message sent over an insecure channel has been tampered with, provided that the sender and receiver share a secret key. The sender computes the hash value for the original data and sends both the original data and hash value as a single message. The receiver recalculates the hash value on the received message and checks that the computed HMAC matches the transmitted HMAC.

Any change to the data or the hash value results in a mismatch, because knowledge of the secret key is required to change the message and reproduce the correct hash value. Therefore, if the original and computed hash values match, the message is authenticated.

HMACSHA256 accepts keys of any size, and produces a hash sequence 256 bits in length.

The following example shows how to sign a file by using the HMACSHA256 object and then how to verify the file.

using namespace System;
using namespace System::IO;
using namespace System::Security::Cryptography;

// Computes a keyed hash for a source file, creates a target file with the keyed hash 
// prepended to the contents of the source file, then decodes the file and compares 
// the source and the decoded files. 
void EncodeFile( array<Byte>^key, String^ sourceFile, String^ destFile )

   // Initialize the keyed hash object.
   HMACSHA256^ myhmacsha256 = gcnew HMACSHA256( key );
   FileStream^ inStream = gcnew FileStream( sourceFile,FileMode::Open );
   FileStream^ outStream = gcnew FileStream( destFile,FileMode::Create );

   // Compute the hash of the input file. 
   array<Byte>^hashValue = myhmacsha256->ComputeHash( inStream );

   // Reset inStream to the beginning of the file.
   inStream->Position = 0;

   // Write the computed hash value to the output file.
   outStream->Write( hashValue, 0, hashValue->Length );

   // Copy the contents of the sourceFile to the destFile. 
   int bytesRead;

   // read 1K at a time 
   array<Byte>^buffer = gcnew array<Byte>(1024);

      // Read from the wrapping CryptoStream.
      bytesRead = inStream->Read( buffer, 0, 1024 );
      outStream->Write( buffer, 0, bytesRead );
   while ( bytesRead > 0 );


   // Close the streams
} // end EncodeFile 

// Decode the encoded file and compare to original file. 
bool DecodeFile( array<Byte>^key, String^ sourceFile )

   // Initialize the keyed hash object. 
   HMACSHA256^ hmacsha256 = gcnew HMACSHA256( key );

   // Create an array to hold the keyed hash value read from the file. 
   array<Byte>^storedHash = gcnew array<Byte>(hmacsha256->HashSize / 8);

   // Create a FileStream for the source file.
   FileStream^ inStream = gcnew FileStream( sourceFile,FileMode::Open );

   // Read in the storedHash.
   inStream->Read( storedHash, 0, storedHash->Length );

   // Compute the hash of the remaining contents of the file. 
   // The stream is properly positioned at the beginning of the content,  
   // immediately after the stored hash value. 
   array<Byte>^computedHash = hmacsha256->ComputeHash( inStream );

   // compare the computed hash with the stored value 
   bool err = false;
   for ( int i = 0; i < storedHash->Length; i++ )
      if ( computedHash[ i ] != storedHash[ i ] )
         err = true;
   if (err)
            Console::WriteLine("Hash values differ! Encoded file has been tampered with!");
            return false;
            Console::WriteLine("Hash values agree -- no tampering occurred.");
            return true;

} //end DecodeFile 

int main()
   array<String^>^Fileargs = Environment::GetCommandLineArgs();
   String^ usageText = "Usage: HMACSHA256 inputfile.txt encodedfile.hsh\nYou must specify the two file names. Only the first file must exist.\n";

   //If no file names are specified, write usage text. 
   if ( Fileargs->Length < 3 )
      Console::WriteLine( usageText );

         // Create a random key using a random number generator. This would be the 
         //  secret key shared by sender and receiver. 
         array<Byte>^secretkey = gcnew array<Byte>(64);

         //RNGCryptoServiceProvider is an implementation of a random number generator.
         RNGCryptoServiceProvider^ rng = gcnew RNGCryptoServiceProvider;

         // The array is now filled with cryptographically strong random bytes.
         rng->GetBytes( secretkey );

         // Use the secret key to encode the message file.
         EncodeFile( secretkey, Fileargs[ 1 ], Fileargs[ 2 ] );

         // Take the encoded file and decode
         DecodeFile( secretkey, Fileargs[ 2 ] );
      catch ( IOException^ e ) 
         Console::WriteLine( "Error: File not found", e );

} //end main

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Windows 7, Windows Vista, Windows XP SP2, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP Starter Edition, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows Server 2000 SP4, Windows Millennium Edition, Windows 98

The .NET Framework and .NET Compact Framework do not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

.NET Framework

Supported in: 3.5, 3.0, 2.0




May 2011

Updated the code example.

Information enhancement.