Computer keys for ASP. NET applications and Web Services Security

 

The <machineKey> element is used to specify the encryption keys, verification keys, and algorithms used to protect form authentication cookies and page-level view states. The following code example shows the default settings in Machine. config:

<MachineKey validationKey = "AutoGenerate, IsolateApps" decryptionKey = "AutoGenerate, IsolateApps" validation = "SHA1"/>

When configuring <machineKey>, consider the following suggestions:

 

•	Use a unique encryption key for multiple applications
•	Set validation = "SHA1"
•	Manually generate a key for the Web farm

Use a unique encryption key for multiple applications

 

If multiple applications reside on a Web server, a unique key should be used for each application on the computer, rather than one key for all applications. This prevents an application from spoofing the view status or encrypted form authentication Cookie in the resident environment.

IsolateApps should also be used. This is a new setting in. NET Framework 1.1 that instructs ASP. NET to automatically generate an encryption key and make the key of each application unique.

Set validation = "SHA1"

The validation attribute specifies the algorithm used for integrity check of page-level view states. The possible values are "SHA1", "MD5", and "3DES ".

If protection = "All" is used on the <forms> element, the form authentication Cookie is encrypted and integrity is ensured. No matter how the validation property is set, form authentication uses TripleDES (3DES) to encrypt cookies.

Note:Form authentication Cookie encryption is irrelevant to the validationkey setting. The key is based on the decryptionKey attribute.

If validation = "SHA1" is set on <machineKey>, the SHA1 algorithm is used to check the integrity of the page-level view State, and the <pages> element is configured as the view State MAC. For more information, see view status in front of this module.

You can also set the validation attribute to MD5. SHA1 should be used because the hash value generated by this algorithm is larger than MD5, so it is safer.

If validation = "3DES" is set on <machineKey>, the 3DES algorithm is used to encrypt the page-level view status (and check the integrity ), even if the <pages> element is configured as a view-status MAC.

Manually generate a key for the Web farm

In the Web field, you must set a clear key value and use the same key value on all computers in the Web field.