Alireza_Salehi
یک شنبه 03 مرداد 1389, 19:28 عصر
Machine Key Explained
The default settings for the <pages> and <machineKey> elements are defined in the machine-level web.config.comments file. The relevant default settings are shown here for reference.
<pages enableViewStateMac="true" viewStateEncryptionMode="Auto" ... />
<machineKey validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
validation="SHA1" decryption="Auto" />
When you configure ViewState, the <pages> element is used in conjunction with the <machineKey> element.
The <machineKey> attributes are as follows:
validationKey. This specifies the key that the HMAC algorithm uses to make ViewState tamper proof. The ViewState MAC is checked at the server when either the enableViewStateMAC attribute of the <pages> element or the EnableViewStateMac attribute of the @Page directive is set to true. <pages enableViewStateMAC="true" ... />
or
<%@Page EnableViewStateMac="true" ... %>
Forms authentication also uses this key for signing the authentication ticket. Role manager and anonymous identification if enabled also uses this key for signing their cookies. If you use anonymous identification in cookieless mode, the data on the URL is also signed with this value,
decryptionKey. This specifies the key used to encrypt and decrypt data. Forms authentication, role manager and anonymous identification features use this key to encrypt and decrypt the authentication ticket, roles cookie and anonymous identification cookie. ASP.NET uses the key to encrypt and decrypt ViewState, but only if the validation attribute is set to AES or 3DES.
decryption. This specifies the symmetric encryption algorithm used to encrypt and decrypt forms authentication tickets.
validation. This specifies the hashing algorithm used to generate HMACs to make ViewState and forms authentication tickets tamper proof. This attribute is also used to specify the encryption algorithm used for ViewState encryption. This attribute supports the following options:
SHA1SHA1 is used to tamper proof ViewState and, if configured, the forms authentication ticket. When SHA1 is selected for the validation attribute, the algorithm used is HMACSHA1.
MD5MD5 is used to tamper proof ViewState and, if configured, the forms authentication ticket.
AESAES is used to encrypt ViewState with the key specified in the decryptionKey attribute.
3DES3DES is used to encrypt ViewState with the key specified in the decryptionKey attribute. This is the only way to encrypt ViewState in ASP.NET 1.1. Both the forms authentication ticket and the ViewState are tamper-proofed using SHA-1 and the key specified in the validationKey attribute. Because the validation attribute is overloaded in ASP.NET 1.1, ASP.NET 2.0 introduces a new decryption attribute.
In general, you should choose SHA1 over MD5 for tamper-proofing because this produces a larger hash than MD5 and is considered cryptographically stronger.
Forms authentication defaults to SHA1 for tamper proofing (if <forms protection="validation" or "All"). When <forms protection="All"> or <forms protection = "Encryption">, then forms authentication hashes the forms authentication ticket by using either MD5 or HMACSHA1 (HMACSHA1 is used even if validation is set to AES or 3DES). Forms authentication then encrypts the ticket using the algorithm specified in the decryption attribute. (The decryption attribute was introduced in ASP.NET 2.0.)
http://msdn.microsoft.com/en-us/library/ff649308.aspx
http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx
جهت تولید کلید ها هم machine key generator را گوگل کنید، مثلا:
http://www.developmentnow.com/articles/machinekey_generator.aspx