Forms Auth encrypts the ticket with 3DES by default and uses a randomly
generated key stored in the LSA. If you wish, you can specify a base 64
encoded key in the <machineKey> element of the machine.config file or your
web.config file (see the decryptionKey attribute). In fact, the encryption key
is hashed with some extra timestamped entropy values in order to get
increased security against replay attacks and the like. You can find more
info about <machineKey> in
http://msdn.microsoft.com/library/d...n-us/cpgenref/html/gngrfmachinekeysection.asp.
You also have good tips in
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh19.asp
--
Hernan de Lahitte
Lagash Systems S.A.
http://www.lagash.com
Robert Millman said:
I have a question regarding the encryption of an Authentication Ticket
under FormsAuthentication. Can anyone tell me what type of encryption is
used and what key(s) it is based on? I simply want to know that the
encryption is specific to the machine and possibly the ASP.NET application
and cannot be decrypted by someone who has access to the .NET framework and
can put the ticket through the FormsAuthentication.Decrypt method.
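As an added illustration of the <machineKey> setting described in the reply above (example configuration, not from the original thread or from Microsoft's documentation): the auto-generated per-machine key is what stops a ticket from being decrypted on any other box, so an explicit key is only needed when several servers must share tickets, as in a web farm. The key values below are placeholders; generate real ones with a cryptographically secure random source and keep them out of source control.

```xml
<!-- web.config: explicit keys so every server in the farm can decrypt
     the same Forms Auth ticket. Omit this element (or keep the default
     AutoGenerate) on a single server, where the LSA-stored key is fine. -->
<configuration>
  <system.web>
    <!-- validationKey: HMAC key that detects tampering with the ticket.
         decryptionKey: 3DES key that protects the ticket contents.
         Both are hex strings; the values here are constructed placeholders. -->
    <machineKey
      validationKey="REPLACE_WITH_128_HEX_CHARS_FROM_A_CSPRNG"
      decryptionKey="REPLACE_WITH_48_HEX_CHARS_FROM_A_CSPRNG"
      validation="SHA1" />
    <authentication mode="Forms">
      <!-- requireSSL keeps the ticket cookie off plaintext connections;
           a shorter timeout limits how long a stolen ticket stays useful. -->
      <forms name=".ASPXAUTH" loginUrl="login.aspx"
             protection="All" timeout="30" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
```

protection="All" is what makes the ticket both encrypted and signed; "Encryption" alone leaves it unsigned and "Validation" alone leaves it readable.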