Reputation: 5177
I am trying to understand simple TripleDES encryption code to see how it works, and I have seen many code samples on Google. Some of them use the TripleDES class and some of them use the TripleDESCryptoServiceProvider class. All I know is that the second one inherits from the first one.
TripleDES class (showing only the encryption part):
    using System;
    using System.IO;
    using System.Security.Cryptography;
    using System.Text;

    static void Main(string[] args)
    {
        // Create() returns a TripleDES instance with a freshly generated key and IV.
        TripleDES TripleDESalg = TripleDES.Create("TripleDES");
        string sData = "Here is some data to encrypt.";
        byte[] Data = EncryptTextToMemory(sData, TripleDESalg.Key, TripleDESalg.IV);
        // DecryptTextFromMemory is not shown (only the encryption part is included).
        string Final = DecryptTextFromMemory(Data, TripleDESalg.Key, TripleDESalg.IV);
        Console.WriteLine(Final);
        Console.ReadLine();
    }
    public static byte[] EncryptTextToMemory(string Data, byte[] Key, byte[] IV)
    {
        MemoryStream mStream = new MemoryStream();
        TripleDES tripleDESalg = TripleDES.Create();
        // Bytes written to cStream are encrypted and land in mStream.
        CryptoStream cStream = new CryptoStream(mStream, tripleDESalg.CreateEncryptor(Key, IV), CryptoStreamMode.Write);
        byte[] toEncrypt = new ASCIIEncoding().GetBytes(Data);
        cStream.Write(toEncrypt, 0, toEncrypt.Length);
        // Pads and encrypts the last block.
        cStream.FlushFinalBlock();
        byte[] ret = mStream.ToArray();
        cStream.Close();
        mStream.Close();
        return ret;
    }
And the TripleDESCryptoServiceProvider class (only the encryption code):
    using System;
    using System.IO;
    using System.Security.Cryptography;
    using System.Text;

    static void Main(string[] args)
    {
        // The constructor gives an instance with a freshly generated key and IV.
        TripleDESCryptoServiceProvider tDESalg = new TripleDESCryptoServiceProvider();
        string sData = "Here is some data to encrypt.";
        byte[] Data = EncryptTextToMemory(sData, tDESalg.Key, tDESalg.IV);
        // DecryptTextFromMemory is not shown (only the encryption code is included).
        string Final = DecryptTextFromMemory(Data, tDESalg.Key, tDESalg.IV);
        Console.WriteLine(Final);
        Console.ReadLine();
    }
    public static byte[] EncryptTextToMemory(string Data, byte[] key, byte[] iv)
    {
        MemoryStream mStream = new MemoryStream();
        // Bytes written to cStream are encrypted and land in mStream.
        CryptoStream cStream = new CryptoStream(mStream,
            new TripleDESCryptoServiceProvider().CreateEncryptor(key, iv),
            CryptoStreamMode.Write);
        byte[] toEncrypt = new ASCIIEncoding().GetBytes(Data);
        cStream.Write(toEncrypt, 0, toEncrypt.Length);
        // Pads and encrypts the last block.
        cStream.FlushFinalBlock();
        byte[] ret = mStream.ToArray();
        cStream.Close();
        mStream.Close();
        return ret;
    }
Both pieces of code work fine and are 99% the same. But my questions are:
What is the difference between these two classes?
Which class is more acceptable?
What is the difference between TransformFinalBlock() and FlushFinalBlock()?
There is code that does not use the MemoryStream and CryptoStream classes, and it works great. So what is the benefit of using these streams?
And last, in the above code, how will I know what key size, cipher mode and padding algorithm are used?
Thanks in advance.
Upvotes: 2
Views: 3519
Reputation: 94018
The TripleDESCryptoServiceProvider uses a CSP, a cryptographic service provider, which may be a software implementation, but it could also represent an implementation on a smart card.
Most of the time you should use the TripleDESCryptoServiceProvider as Microsoft does in the sample code; this makes it possible to switch CSPs (for added security or speed).
FlushFinalBlock is the stream version of the TransformFinalBlock. It indicates that the last computation can be performed on the data already on the stream. TransformFinalBlock also performs the last computation, but uses the given data and returns the actual result.
They are used far too often. A lot of code simply stores everything in a byte array first, then creates a stream from that. That's not useful at all. Streaming is useful for larger blocks of data that you don't want to have in memory all at the same time. Or maybe if you want to stream straight to or from a file. Of course, you can create a method that takes a stream as argument even for small data, so you can upgrade later on. But that's generally not how the streams are used.
They may be determined by the CSP, but I cannot find any final answer on that question. As with all cryptographic implementations, it is probably safest not to rely on any defaults, especially if they are ill-defined or differ per implementation. Clearly specify what key lengths etc. you are using; this makes your code future-proof and easier to maintain.
Upvotes: 4
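An added example, not code from the question or the answer above: it sets key size, cipher mode and padding explicitly rather than relying on defaults, reads the effective settings back from the algorithm object, and encrypts the same input once with TransformFinalBlock and once through a CryptoStream with FlushFinalBlock to show that both produce the same ciphertext. The class name and the choice of 192-bit key, CBC and PKCS7 are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class ExplicitTripleDesDemo   // hypothetical name, not from the page
{
    static void Main()
    {
        byte[] plain = Encoding.UTF8.GetBytes("Here is some data to encrypt.");
        using (TripleDES alg = TripleDES.Create())
        {
            // Set every parameter explicitly instead of inheriting defaults.
            alg.KeySize = 192;                 // three-key 3DES; 128 is the other legal size
            alg.Mode = CipherMode.CBC;
            alg.Padding = PaddingMode.PKCS7;
            alg.GenerateKey();
            alg.GenerateIV();
            // The effective settings can always be read back from the object.
            Console.WriteLine($"KeySize={alg.KeySize} BlockSize={alg.BlockSize} " +
                              $"Mode={alg.Mode} Padding={alg.Padding}");
            // One-shot: TransformFinalBlock takes the data and returns the result.
            byte[] oneShot;
            using (ICryptoTransform enc = alg.CreateEncryptor())
                oneShot = enc.TransformFinalBlock(plain, 0, plain.Length);
            // Streamed: FlushFinalBlock finalizes what was written to the stream.
            byte[] streamed;
            using (var ms = new MemoryStream())
            {
                using (ICryptoTransform enc = alg.CreateEncryptor())
                using (var cs = new CryptoStream(ms, enc, CryptoStreamMode.Write))
                {
                    cs.Write(plain, 0, plain.Length);
                    cs.FlushFinalBlock();
                }
                streamed = ms.ToArray();
            }
            Console.WriteLine("Same ciphertext: " + oneShot.SequenceEqual(streamed));
            // Round trip with the same key, IV, mode and padding.
            using (ICryptoTransform dec = alg.CreateDecryptor())
            {
                byte[] back = dec.TransformFinalBlock(streamed, 0, streamed.Length);
                Console.WriteLine(Encoding.UTF8.GetString(back));
            }
        }
    }
}
```

The decrypting side has to be configured with the same mode and padding as well as the same key and IV, which is one more reason to state them in code rather than inherit them.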