Encryption of Authentication Ticket


Robert Millman

I have a question regarding the encryption of an Authentication Ticket under FormsAuthentication. Can anyone tell me what type of encryption is used and what key(s) it is based on? I simply want to know that the encryption is specific to the machine and possibly the ASP.NET application and cannot be decrypted by someone who has access to the .NET framework and can put the ticket through the FormsAuthentication.Decrypt method.

Thanks

Robert Millman
 

Hernan de Lahitte

Forms Auth encrypts the ticket with 3DES by default and uses a randomly
generated key stored in the LSA. If you wish, you can specify a base 64
encoded key in the <machineKey> element of the machine.config file or your
web.config file (see the decryptionKey attribute). In fact, the encryption key
is hashed with some extra timestamped entropy values in order to get
increased security against replay attacks and the like. You can find more
info about <machineKey> at
http://msdn.microsoft.com/library/d...n-us/cpgenref/html/gngrfmachinekeysection.asp.
You also have good tips at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh19.asp


--
Hernan de Lahitte
Lagash Systems S.A.
http://www.lagash.com



 

Robert Millman

Thanks for answering my question. As I understand it, the ticket cannot be decrypted without the key, which is local/specific to the machine/config/app.

Thanks
 

Hernan de Lahitte

You are right. The exception is if you specify a decryptionKey in the
machineKey element of the config file, usually in web farm scenarios.

--
Hernan de Lahitte
Lagash Systems S.A.
http://www.lagash.com



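The two answers above turn on one practical point: with the default AutoGenerate setting the keys exist only on that one machine (which is the isolation the question asks for), while a web farm needs an explicit, shared <machineKey> and is then only as secret as the config file that carries it. The following Python script is an added example, not code from the thread or from Microsoft: it generates a <machineKey> element with random keys of the sizes ASP.NET accepts (note that the validationKey and decryptionKey attributes take hex strings, not base 64) and checks an existing element for settings that would break a farm or weaken the ticket. The function names and the wording of the findings are this example's own; the attribute names, the AutoGenerate,IsolateApps default and the key-size limits are the documented ASP.NET ones.

```python
"""Generate and sanity-check an ASP.NET <machineKey> element.

Added example, not code from the thread. Attribute names and accepted key
sizes follow the documented ASP.NET <machineKey> section; the function
names and finding strings are this example's own.
"""
import re
import secrets

# Decryption algorithm -> accepted decryptionKey sizes in bytes.
# "Auto" is the ASP.NET default and selects AES on .NET 4 and later.
ACCEPTED_DECRYPTION_KEY_BYTES = {
    "3DES": {24},
    "AES": {16, 24, 32},
    "Auto": {16, 24, 32},
}
# Key sizes this generator emits.
GENERATED_DECRYPTION_KEY_BYTES = {"3DES": 24, "AES": 32}
GENERATED_VALIDATION_KEY_BYTES = 64  # 128 hex characters, the maximum allowed

# validationKey must be 40 to 128 hex characters (20 to 64 bytes).
VALIDATION_KEY_HEX_MIN, VALIDATION_KEY_HEX_MAX = 40, 128

_ATTR = re.compile(r'(\w+)="([^"]*)"')
_HEX = re.compile(r"[0-9A-Fa-f]+")


def generate_machine_key(decryption="AES", validation="HMACSHA256"):
    """Return a <machineKey> element with fresh random hex-encoded keys.

    Deploy the same element to every node of a web farm: a ticket encrypted
    on one node can only be decrypted on a node holding the same keys.
    """
    if decryption not in GENERATED_DECRYPTION_KEY_BYTES:
        raise ValueError(f"unsupported decryption algorithm: {decryption}")
    validation_key = secrets.token_hex(GENERATED_VALIDATION_KEY_BYTES)
    decryption_key = secrets.token_hex(GENERATED_DECRYPTION_KEY_BYTES[decryption])
    return (
        f'<machineKey validationKey="{validation_key}" '
        f'decryptionKey="{decryption_key}" '
        f'validation="{validation}" decryption="{decryption}" />'
    )


def check_machine_key(element):
    """Return findings (empty list = OK) that would break a farm or weaken the ticket."""
    attrs = dict(_ATTR.findall(element))
    findings = []
    decryption = attrs.get("decryption", "Auto")
    if decryption == "3DES":
        findings.append("decryption=3DES: prefer AES")
    for name in ("validationKey", "decryptionKey"):
        # "AutoGenerate,IsolateApps" is what ASP.NET uses when the attribute is absent:
        # a per-machine key from the LSA, further isolated per application.
        value = attrs.get(name, "AutoGenerate,IsolateApps")
        if value.startswith("AutoGenerate"):
            findings.append(f"{name} is auto-generated: unique to this machine, so a web farm cannot share tickets")
            continue
        if not _HEX.fullmatch(value) or len(value) % 2:
            findings.append(f"{name} is not an even-length hex string")
            continue
        if name == "validationKey" and not VALIDATION_KEY_HEX_MIN <= len(value) <= VALIDATION_KEY_HEX_MAX:
            findings.append(f"validationKey is {len(value)} hex characters; ASP.NET requires {VALIDATION_KEY_HEX_MIN} to {VALIDATION_KEY_HEX_MAX}")
        if name == "decryptionKey":
            accepted = ACCEPTED_DECRYPTION_KEY_BYTES.get(decryption, set())
            if len(value) // 2 not in accepted:
                findings.append(f"decryptionKey is {len(value) // 2} bytes; {decryption} accepts {sorted(accepted)}")
    return findings


if __name__ == "__main__":
    element = generate_machine_key()
    print(element)
    print("findings for generated element:", check_machine_key(element))
    print("findings for the implicit default:", check_machine_key("<machineKey />"))
```

Paste the generated element into the <system.web> section of web.config on every farm node. Once the key is explicit, anyone who can read that file can decrypt and forge tickets, so protect the section with `aspnet_regiis -pe "system.web/machineKey" -app "/YourApp"` (which encrypts it with DPAPI for the machine) and treat the keys like any other credential.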
 
