Generate Machine Key Asp Net 4.5
- Setting up the machine key directly in the web.config file: if you do not have access to the IIS management console, it is still possible to set up a machine key for an Orchard application. To do so, open the web.config file at the root of the Orchard web site.
- I'm hosting two web apps in IIS 7.5. They must share the ASP.NET Forms Authentication cookie. Since I do not want to put the machine key in the Web.config (I am not using web farms and I don't want the key visible in the web.config file), I've set it to auto-generate.
- Apr 12, 2012: ASP.NET will generate one for you. But it will generate a new machine key each time the application pool recycles, and when that happens, authenticated users (when using forms authentication) will be redirected to the login page on their first request after the application pool recycles, and this could also result in the.
- This tool will generate a valid random machine key used by ASP.NET for encryption, decryption, validation of forms-authentication and view-state data, and other purposes. Select your target version of ASP.NET and click the Generate Keys button.
Jan 12, 2011: How to generate validationKey and decryptionKey for web.config. Posted in ASP.NET (C# & VB), C#, VB, WCF by Alok Kumar Pandey on January 12, 2011. This article describes how to create keys to use for encryption, decryption, and validation of Forms authentication cookie data.
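The generator tool described above draws random bytes and formats them as a machineKey element. As an added example (not code from the tool, the article, or any page quoted above), the following C# console program does the same thing for an ASP.NET 4.5 target. The key sizes are my assumptions: 64 bytes for the HMACSHA256 validationKey and 32 bytes for the AES decryptionKey; the tool's exact output format is not shown on the page.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: produce a random <machineKey> element for web.config.
// Key sizes are assumptions for ASP.NET 4.5 defaults (HMACSHA256 validation,
// AES decryption); adjust them if you configure different algorithms.
public static class MachineKeyGenerator
{
    public static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes); // cryptographic RNG, never System.Random
        }
        var sb = new StringBuilder(byteCount * 2);
        foreach (byte b in bytes) sb.Append(b.ToString("X2"));
        return sb.ToString();
    }

    // Sanity check for a key someone pasted in: correct length and hex digits only.
    public static bool IsValidKey(string hex, int expectedBytes)
    {
        if (hex == null || hex.Length != expectedBytes * 2) return false;
        foreach (char c in hex)
            if (!Uri.IsHexDigit(c)) return false;
        return true;
    }

    // Returns the element to paste under <system.web> in web.config.
    public static string BuildElement()
    {
        string validationKey = RandomHex(64);
        string decryptionKey = RandomHex(32);
        return string.Format(
            "<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" validation=\"HMACSHA256\" decryption=\"AES\" />",
            validationKey, decryptionKey);
    }

    public static void Main()
    {
        Console.WriteLine(BuildElement());
    }
}
```

The same element must be present on every node that shares forms-authentication cookies or view state, and it belongs in the site's web.config (or in IIS configuration) rather than in source control, for the reason the second snippet above gives.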
Definition
Provides a way to encrypt or hash data (or both) by using the same algorithms and key values that are used for ASP.NET forms authentication and view state.
Remarks
The MachineKey class provides methods that expose the hashing and encryption logic that ASP.NET provides. For information about which encryption and hashing algorithms ASP.NET uses, and the key values that it uses with them, see machineKey Element (ASP.NET Settings Schema).
Warning
The MachineKey APIs should only be used in an ASP.NET app. Behavior of the MachineKey APIs outside the context of an ASP.NET application is undefined.
Methods
Method | Description
Decode(String, MachineKeyProtection) | Decodes and/or validates data that has been encrypted or provided with a hash-based message authentication code (HMAC).
Encode(Byte[], MachineKeyProtection) | Encrypts data and/or appends a hash-based message authentication code (HMAC).
Protect(Byte[], String[]) | Protects the specified data by encrypting or signing it.
Unprotect(Byte[], String[]) | Unprotects the specified data, which was protected by the Protect(Byte[], String[]) method.
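Protect and Unprotect are the pair a practitioner would normally reach for. As an added example (not from the documentation page), the helper below round-trips a small payload through them inside an ASP.NET application, where the warning above says the APIs are defined. The purpose strings are arbitrary values chosen for this example; the only requirement is that Unprotect receives the same purposes that Protect was given.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;

// Added example: round-trip a payload through MachineKey.Protect/Unprotect.
// The purposes array is a hypothetical choice for this example.
public static class ProtectedPayload
{
    private static readonly string[] Purposes = { "example-app", "session-token" };

    // Encrypts and signs the plaintext under the application's machine key.
    public static string Protect(string plaintext)
    {
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        byte[] protectedBytes = MachineKey.Protect(data, Purposes);
        return Convert.ToBase64String(protectedBytes);
    }

    // Returns null when the blob was tampered with, was produced under a different
    // machine key, or was protected with different purposes; Unprotect throws a
    // CryptographicException in each of those cases rather than returning garbage.
    public static string TryUnprotect(string base64)
    {
        try
        {
            byte[] protectedBytes = Convert.FromBase64String(base64);
            byte[] data = MachineKey.Unprotect(protectedBytes, Purposes);
            return Encoding.UTF8.GetString(data);
        }
        catch (CryptographicException)
        {
            return null;
        }
        catch (FormatException)
        {
            return null; // not valid base64
        }
    }
}
```

Because the output depends on the machine key, a blob protected on one server can only be unprotected on another if both carry the same explicit machineKey element; with auto-generated keys it also stops validating after the application pool recycles, which is the behaviour the snippet near the top of the page describes for forms-authentication cookies.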
Update! I’ve updated a few points below in bold and have corrected a few things too
This blog post is the result of a thread on Twitter which starts here: https://twitter.com/crumpled_jeavon/status/880522105795870720 and works its way into confusion. Suffice to say I can’t answer these questions in 140 chars, so here’s a recap in the form of Q and A about Machine Keys and Umbraco. Please note that I am not an expert in hashing algorithms; some of these answers are based on my own research. Hope this clears things up!
How is the password hashed?
It is hashed in the same way that the ASP.NET Universal membership provider (DefaultMembershipProvider) and SqlMembershipProvider hash passwords, which by default uses the HMACSHA256 algorithm.
Jeffrey Schoemaker has been discussing updating Umbraco’s default password hashing to use an even stronger hash algorithm, and I’ve recently updated a new task on the issue tracker to research this, but it really comes down to the fact that Microsoft does not offer the strongest hashing methods in its standard .NET Framework, so we’ll see where we end up.
Update – we will be shipping Umbraco with stronger password hashing, possibly in a 7.7.x release (http://issues.umbraco.org/issue/U4-10089), and it will use HMACSHA1 + PBKDF2, which is what ASP.NET Identity uses by default.
Is the Machine Key used for password hashing?
Yes. In 7.6.0+ it is by default, because useLegacyEncoding is false by default in this release. Prior to 7.6.0 the useLegacyEncoding value was true by default, purely to preserve some backwards compatibility for other products, but you’ve been able to set it to true from 7.0.0 (IIRC). Since those products support the more secure password formats, this is now false by default and should be kept as false for new installs. By default the hashing algorithm is HMACSHA256, which comes from the ASP.NET Machine Key’s ‘validation’ algorithm type. This ‘validation’ algorithm type is configurable via the Machine Key, or at the membership provider level, which overrides the algorithm specified in the Machine Key, but you really shouldn’t change this to a weaker hashing algorithm.
The HMAC part of this algorithm means it’s a keyed algorithm: it uses a key to generate the hash, and by default the machine key is used to create this key. There doesn’t seem to be any documentation or reference to this online that I can find, but looking through the crypto source code (which isn’t nice to look at) it seems that the default key gets set based on some logic in the RSACryptoServiceProvider class which reads some info from the machine key.
Update – the key used to hash the passwords is the generated salt we produce; it is not the key part of the Machine Key. This logic is exactly the same as the logic used in the DefaultMembershipProvider and SqlMembershipProvider: if the hashing algorithm’s key length doesn’t equal the generated salt length, the salt is padded/trimmed to the correct length (see source here). The part of the Machine Key that is used to hash the passwords is specifically the algorithm type. As you can see on this machine key generator, there are a handful of different algorithm types that can be used for the ‘validation’ part of a machine key, and the default changes based on the ASP.NET version being used. In ASP.NET 4.5 the default is HMACSHA256. Also note that in ASP.NET 4.5 the following algorithms are no longer allowed in the Machine Key config: AES, 3DES, and MD5.
Do machine keys change between environments?
If you explicitly generate and set your own machine key in your web.config then the answer is No.
If you don’t explicitly generate and set your own machine key then you will get an auto-generated machine key. The simple answer for this is: in most cases No, an auto-generated machine key will not change between environments.
Understanding when it will change between environments is a little more complicated; it comes down to a combination of the IIS user, the IIS website virtual path (i.e. if you are running a site in a virtual directory), and a few settings at the machine config level: “IsolateApps” and “IsolateByAppId”. Unless a server administrator specifically changes these settings, chances are you won’t be affected by different auto-generated machine keys for your site. If you are really keen, here’s a series all about this topic and other cryptographic changes in .NET 4.5:
- Part 1 – see the “A brief digression: auto-generated machine keys” for info on auto-generating keys
- Part 2 – in-depth info about the machine key and hashing changes
- Part 3 – interesting info especially with regards to PBKDF2 in .NET Framework
Update – another reason a machine key may change between environments is which version of ASP.NET is running and what its default ‘validation’ algorithm type is.
Can I change my machine key?
No. Update – YES.
However, I realize in some cases you might need to change it or move from an auto-generated machine key to an explicit machine key. If that is the case there may be some manual work you’ll need to do. If you simply change the machine key or add an explicit one when you previously didn’t have one, then your members/users might not be able to log in! This really comes down to what hashing algorithm was originally used to hash the passwords and what hash algorithm is configured in your Machine Key. If you install or change a machine key to a different algorithm than was used to first hash your passwords, then your members/users will not be able to log in.
Update – Previously I was under the impression that the key in the hashing algorithm was directly affected by the key in the machine key, but after some more investigation that is not actually the case. As mentioned in the updates above, the part of the Machine Key used in the password hashing is the algorithm type specified (if you haven’t overridden this algorithm type by specifying it directly on the membership provider). I’ve also detailed some of this investigation in this ticket: http://issues.umbraco.org/issue/U4-10222
Can I change from useLegacyEncoding ‘true’ to ‘false’?
Not easily.
This will require a bit of extra work, just like the above question, but it’s not quite as tricky as changing a Machine Key. When you have useLegacyEncoding=’true’, the machine key validation algorithm is not used, so you could do something like:
- Create a new password column in the database to store the newly hashed password, based on the new machine key validation algorithm
- When a user logs in, check whether they have the new password format or not.
- If not, validate the password based on the old format, then re-hash with the new format, store it, and delete the old stored password hash.
- If so, validate the password based on the new format.
- Doing this would probably require inheriting from the current Umbraco membership provider and implementing this logic yourself.
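The following C# is an added example, not Umbraco or ASP.NET Framework code, covering two passages at once: the salted keyed hash described in the earlier update (salt used as the HMAC key, padded or trimmed to the algorithm’s key length, hash taken over salt plus password bytes) and the re-hash-on-login migration steps just listed. HMACSHA256 is assumed as the Machine Key ‘validation’ algorithm, the ASP.NET 4.5 default named above. The legacy format is a stand-in based on my understanding of useLegacyEncoding=’true’ (HMACSHA1 keyed with the password itself) and should be treated as an assumption, as should the StoredCredential record, whose IsNewFormat flag plays the role of the “new password column”.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; not Umbraco or ASP.NET Framework code. HMACSHA256 is assumed as
// the Machine Key "validation" algorithm. The legacy scheme and the credential
// record are hypothetical stand-ins for the post's description.
public class StoredCredential
{
    public string PasswordHash;   // base64 hash (legacy or new format)
    public string PasswordSalt;   // base64 salt, only set for the new format
    public bool IsNewFormat;      // stands in for the "new password column" step
}

public static class PasswordRehash
{
    private const int SaltBytes = 16;

    public static string NewSalt()
    {
        var salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        return Convert.ToBase64String(salt);
    }

    // Salted keyed hash in the style the post attributes to the membership providers:
    // the salt becomes the HMAC key, repeated to pad or cut to trim it to the
    // algorithm's key length, and the hash is taken over salt + UTF-16 password bytes.
    public static string HashNew(string password, string saltB64)
    {
        byte[] salt = Convert.FromBase64String(saltB64);
        if (salt.Length == 0) throw new ArgumentException("salt must not be empty");
        byte[] pwd = Encoding.Unicode.GetBytes(password);
        byte[] all = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, all, salt.Length, pwd.Length);

        using (var hmac = new HMACSHA256())
        {
            byte[] key = new byte[hmac.Key.Length]; // 64 bytes for HMACSHA256 (assumption)
            for (int i = 0; i < key.Length; i += salt.Length)
                Buffer.BlockCopy(salt, 0, key, i, Math.Min(salt.Length, key.Length - i));
            hmac.Key = key;
            return Convert.ToBase64String(hmac.ComputeHash(all));
        }
    }

    // Stand-in for the useLegacyEncoding='true' format (assumption: HMACSHA1 keyed
    // with the password over the password itself; no Machine Key involvement).
    public static string HashLegacy(string password)
    {
        byte[] pwd = Encoding.Unicode.GetBytes(password);
        using (var hmac = new HMACSHA1(pwd))
            return Convert.ToBase64String(hmac.ComputeHash(pwd));
    }

    public static bool Verify(string password, StoredCredential rec)
    {
        string expected = rec.IsNewFormat
            ? HashNew(password, rec.PasswordSalt)
            : HashLegacy(password);
        return FixedTimeEquals(expected, rec.PasswordHash);
    }

    // The login path from the post: validate with whichever format is stored; when the
    // legacy check succeeds, re-hash under the new scheme and discard the old hash.
    public static bool ValidateAndMigrate(string password, StoredCredential rec)
    {
        if (!Verify(password, rec)) return false;
        if (!rec.IsNewFormat)
        {
            rec.PasswordSalt = NewSalt();
            rec.PasswordHash = HashNew(password, rec.PasswordSalt);
            rec.IsNewFormat = true;
        }
        return true;
    }

    // Length check then constant-time comparison, so a mismatch position leaks nothing.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample: a user whose hash was stored under the legacy format.
        var rec = new StoredCredential { PasswordHash = HashLegacy("correct horse"), IsNewFormat = false };
        Console.WriteLine(ValidateAndMigrate("wrong", rec));         // rejected, record untouched
        Console.WriteLine(ValidateAndMigrate("correct horse", rec)); // accepted and migrated
        Console.WriteLine(rec.IsNewFormat && Verify("correct horse", rec));
    }
}
```

The migration only happens at login because the plaintext is only available then; accounts that never log in keep the legacy hash, so a cut-off date after which legacy hashes are invalidated and users must reset is the usual complement to this approach.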
Do I need to generate and store a custom Machine Key if I am planning on Load Balancing?
Yes.
This is also mentioned in the Umbraco docs for load balancing.
Do I need to generate and install a Machine Key before I run the Umbraco installer?
Yes.
This is because during the Umbraco installation it will hash and store the password for the admin account, and if you then add a Machine Key after the fact, you will no longer be able to log in.
Can Umbraco generate a custom Machine Key on install for me?
Yes!
but it doesn’t do that right now. I created that functionality in a PR, but we decided to remove the machine key generation part when it was accepted. We have decided to bring it back though, so that will be part of an upcoming Umbraco release; whether that is the 7.6.x series or 7.7 series is still being decided.
Update – this is shipping with 7.7 and new installs will have a Machine Key generated and installed for you. You can of course opt out of this in the advanced installer options if you like.
Do Machine Keys exist in ASP.NET Core?
No.
Well, sort of, but not really. I haven’t been able to research too much into this, but when speaking to a couple of MS devs about this a couple of years ago the answer was that the way machine keys work will be different. If keys need to be shared between apps in ASP.NET Core, the data protection APIs need to be used, and these keys would then be stored in the registry or the Cloud (i.e. Azure Key Vault); here’s a SO article on this.
Clear as mud?! ;)
Categories: ASP.Net, Umbraco