Encryption of Authentication Ticket

Discussion in 'ASP .Net Security' started by Robert Millman, Feb 2, 2004.

  1. I have a question regarding the encryption of an Authentication Ticket under FormsAuthentication. Can anyone tell me what type of encryption is used and what key(s) it is based on? I simply want to know that the encryption is specific to the machine and possibly the ASP.NET application and cannot be decrypted by someone who has access to the .NET framework and can put the ticket through the FormsAuthentication.Decrypt method.

    Thanks

    Robert Millman
    Robert Millman, Feb 2, 2004
    #1

  2. Forms Auth encrypts the ticket with 3DES by default and uses a randomly
    generated key stored in the LSA. If you wish, you can specify a base 64
    encoded key in the <machineKey> element of the machine.config file or your
    web.config file. (see decryptionKey attribute). In fact, the encryption key
    is hashed with some extra timestamped entropy values in order to get
    increased security against replay attacks and the like. You can find more
    info about <machineKey> in
    http://msdn.microsoft.com/library/d...n-us/cpgenref/html/gngrfmachinekeysection.asp.
    You also have good tips in
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh19.asp


    --
    Hernan de Lahitte
    Lagash Systems S.A.
    http://www.lagash.com



    "Robert Millman" <> wrote in message
    news:...
    > I have a question regarding the encryption of an Authentication Ticket
    > under FormsAuthentication. Can anyone tell me what type of encryption is
    > used and what key(s) it is based on? I simply want to know that the
    > encryption is specific to the machine and possibly the ASP.NET application
    > and cannot be decrypted by someone who has access to the .NET framework and
    > can put the ticket through the FormsAuthentication.Decrypt method.
    >
    > Thanks
    >
    > Robert Millman
    Hernan de Lahitte, Feb 2, 2004
    #2

  3. Thanks for answering my question. As I understand it, the ticket cannot be decrypted without the key, which is local/specific to the machine/config/app.

    Thanks
    Robert Millman, Feb 3, 2004
    #3
  4. You are right. The exception is if you specify a decryptionKey in the
    machineKey element of the config file, usually in web farm scenarios.

    --
    Hernan de Lahitte
    Lagash Systems S.A.
    http://www.lagash.com



    "Robert Millman" <> wrote in message
    news:...
    > Thanks for answering my question. As I understand it, the ticket cannot
    > be decrypted without the key, which is local/specific to the
    > machine/config/app.
    >
    > Thanks
    >
    Hernan de Lahitte, Feb 3, 2004
    #4
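To make the two cases discussed in posts #2 and #4 concrete, the following web.config fragment is an added example (not code from this thread, from Lagash Systems or from Microsoft). It shows the default per-machine setting beside the explicit shared key that a web farm needs. The key values are placeholders; per the MSDN machineKey reference the real values are strings of hexadecimal characters, and the `,IsolateApps` modifier (available from ASP.NET 1.1) derives a distinct key per application from the machine's auto-generated key, which is what makes the ticket specific to both the machine and the application.

```xml
<!-- Added example; not from the thread. Key values are placeholders. -->
<configuration>
  <system.web>

    <!-- Default (single server): keys are generated per machine and held
         in the LSA, and IsolateApps further derives a key per application.
         A ticket issued here cannot be decrypted by calling
         FormsAuthentication.Decrypt on any other machine, because that
         machine holds different key material. -->
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" />

    <!-- Web farm (post #4's exception): every server must use the same
         keys, so they are spelled out explicitly. Anyone who can read this
         file can then decrypt and forge tickets, so the config file needs
         the same protection as the key itself. Uncomment to use. -->
    <!--
    <machineKey validationKey="PLACEHOLDER_40_TO_128_HEX_CHARS"
                decryptionKey="PLACEHOLDER_48_HEX_CHARS_FOR_3DES"
                validation="SHA1" />
    -->

    <!-- protection="All" asks for both encryption (3DES by default) and
         the HMAC validation that detects a tampered ticket. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="30" />
    </authentication>

  </system.web>
</configuration>
```

The point of the contrast: with `AutoGenerate` the decryption boundary is the machine (and, with `IsolateApps`, the application), exactly as the original poster hoped; the moment a literal `decryptionKey` is written into machine.config or web.config, the boundary becomes "whoever can read that value".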