If the machine.config file does not define any section, nor does any web.config file, does it default to AutoGenerate option?
Thanks
Vikas
Yes, the AutoGenerate setting is the default setting for both decryptionKey and validationKey.
"AutoGenerate, IsolateApps" - Specifies that the key is automatically generated. This is the default value. The AutoGenerate modifier specifies that ASP.NET generates a random key and stores it in the Local Security Authority (LSA). The IsolateApps modifier specifies that ASP.NET generates a unique encrypted key for each application using the application ID of each application.
Source: http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx
Related
It's been a while that I'm getting "Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster." error on GridView post-backs.
I've defined the same machine-keys on my sites but I (sometimes) get the message.
Any clue?
Add this to your web.config file in the system.web section:
<machinekey validationkey="xxx" decryptionkey="xxx" validation="SHA1" decryption="AES" />
Provide your own validation and decryption keys ("xxx" above),
which you can try to generated from here
Please do refer this microsoft kb
We are trying to encrypt sensitive information stored in server.xml of Liberty Profile. To do that we are using securityUtility tool with "aes" encoding type. Understand from the IBM infocenter that a custom key value can be set with the property wlp.password.encryption.key for the encryption. If this value is not set the tool will use default value.
We want to set up a custom value for the wlp.password.encryption.key property, so that it can be used during the encryption.
However I could not find any details how can we set this property. What are the syntax to be used?
Here are some information how to use encryption key - Liberty profile: The limits to protection through password encryption
The encryption key used for decrypting can be overridden from the default by setting the wlp.password.encryption.key property. This
property should not be set in the server.xml file that stores the
password, but in a separate configuration file that is included by the
server.xml file. This separate configuration file should contain only
a single property declaration, and should be stored outside the normal
configuration directory for the server. This ensures that the file
containing the key is not included when you are running the server
dump or package command.
The encryption key property can also be specified as a bootstrap property.
How to define property (in server.xml or in separate file):
<server>
...
<variable name="wlp.password.encryption.key" value="yourKey" />
</server>
How to include separate file in server.xml:
<server>
...
<include location="${shared.config.dir}/key.xml" />
</server>
bootstrap.properties is optional file, it does not exist by default. You must create it in the same directory where server.xml is stored, by default usr/servers/server_name.
Define entry in there like this:
wlp.password.encryption.key = yourKey
I try to read / decrypt the value of an auth cookie from forms authentication that is written in AES but without setting the MachineKey in the web.config because I cannot modify this config myself.
Therefore I can't use FormsAuthentication.Decrypt because this uses the machine key internally.
You didn't specify the ASP.NET version but in 2.0 and I think still in 4.0, you can override the machineKey in your web.config.
Check out the section "Web Farm Deployment Considerations".
http://msdn.microsoft.com/en-us/library/ff649308.aspx#paght000007_webfarmdeploymentconsiderations
You can generate a machine key online with this tool: http://aspnetresources.com/tools/machineKey
Is it possible to have both encypted and unencrypted connection strings in the same web.config?
I don't believe that you can encrypt an individual connection string as part of the ConnectionStrings section. This is because ConfigurationElement objects (ConnectionStringSetting derives from) has an ElementInformation Property which does not have a Protect method. A ConfigurationSection has a SectionInformation Property which does have a Protect method, ConnectionStringsSection inherits from ConfigurationSection.
So, with that said, you can encrypt a ConnectionStringsSection, but not a ConnectionStringSetting.
However, all is not lost. You do have the ability to create your sections/elements to maintain your non-encrypted (or encrytped depending on which way you want to go) connection strings. You just won't be able access them using the WebConfigurationManager's ConnectionStrings Property.
Where do I find the machineKey config section for ASP.NET?
I don't have one in my application Web.config, there isn't one in the root Web.config and there isn't one in my machine.config.
Does this mean there is some other default hardcoded into ASP.NET? If so, what are the defaults? (For .NET 2 and 4)
Having read this: http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx
i was expecting to find something like this, somewhere:
<machineKey
validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
/>
Edit: the 1.1 docs seem fairly clear wrt default values: http://msdn.microsoft.com/en-us/library/w8h3skw9(VS.71).aspx but the 4 docs are rather ambiguous http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx
machineKey is situated under System.web entry in web.config
Refer MSDN link for web.config Schema.
If you dont see it in your web.config, you can just add it there.
From MSDN again :-)
To provide tamper proof ViewState, a hashed message authentication code (HMAC) is generated from the ViewState content and the hash is compared on subsequent requests. The validation attribute of the indicates which hashing algorithm to use, and it defaults to SHA1, which uses the HMACSHA1 algorithm. Valid choices for hashing include SHA1 or MD5, although SHA1 is preferable because it produces a larger hash and is considered cryptographically stronger than MD5. The validationKey attribute of is used in conjunction with the ViewState content to produce the HMAC. If your application is installed in a Web farm, you need to change the validationKey from AutoGenerate,IsolateApps to a specific manually generated key value.
The default settings for the <pages> and <machineKey> elements are defined in the machine-level web.config.comments file.
For machineKey, they are
<machineKey validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
validation="SHA1" decryption="Auto" />
EDIT :
For .NET 4.0 the default algorithm has been changed to SHA256
I think that the easiest way of finding the defaults is to see the entry in the MSDN for this config value.
MSDN 4.0 for machinekey is as below. The values selected are the default values.
The values in [] are the other optional values that the field can take.
I remember reading someplace this is the typical way in MSDN of denoting defaults for the config values.
<machineKey
validationKey="AutoGenerate,IsolateApps" [String]
decryptionKey="AutoGenerate,IsolateApps" [String]
validation="HMACSHA256" [SHA1 | MD5 | 3DES | AES | HMACSHA256 |
HMACSHA384 | HMACSHA512 | alg:algorithm_name]
decryption="Auto" [Auto | DES | 3DES | AES | alg:algorithm_name]
/>