Security via in ASP.NET 2.0

Secure ASP.NET

LANGUAGES:ALL

ASP.NETVERSIONS: 2.0

Security via in ASP.NET 2.0

By Don Kiely

One of the best features provided by the infrastructure ofASP.NET is security, which saves a lot of development effort repeatedlyimplementing security features for each application. One of the ways that itprovides security is through encryption and hashing of various bits ofsensitive information that comprise a typical Web site. Microsoft greatlyexpanded the options in ASP.NET 2.0, so it is worthwhile taking the time tounderstand how it protects your data by default and what options you have toadjust to meet your application needs.

ASP.NET 2.0 can protect several kinds of sensitive data ina Web application:

As indicated by the list above, ASP.NET can protect dataeither by making it tamper proof or by encrypting it, or both. As with allsecurity decisions, you need to provide the protection that is appropriate forthe real threats to your site and data and not go overboard in inappropriateways. Using hashing, you can make your data tamper proof if a threat involvesunauthorized messing with the data, changing it to meet some nefarious purposeof a hacker. This is a bit of a misnomer though, because the use of the hashdoesn t prevent tampering. Instead, it provides evidence or proof that the datawas messed with, since the hash of the existing data no longer matches the hashASP.NET creates and attaches to the data. In this context, validation refersto making data tamper proof through hashing the data and storing that valuewith the data. If you cannot allow the data even to be viewed by unauthorized peopleor processes, then you should encrypt the data.

All these hashes and encryption use the keys and othersettings specified in the machineKey element in machine.config. The syntax formachineKey has been expanded in ASP.NET 2.0 and is deceptively straightforward:

  validationKey="AutoGenerate | value[, IsolateApps]"   decryptionKey="AutoGenerate | value[, IsolateApps]"   validation="[SHA1 |MD5 | 3DES]"   decryption="[Auto |AES | 3DES]" />   The configuration files in .NET 2.0 were cleaned up a bit,so machine.config no longer includes elements that are set at their defaultsettings. This means that in a default installation of .NET 2.0 you won t findit in the default machine.config. But each of the attributes has a default, sothis is the effective setting until you add the element to the config file andchange the value of any of the attributes:    validationKey="AutoGenerate,IsolateApps"   decryptionKey="AutoGenerate,IsolateApps"   validation="SHA1"   decryption="Auto" />   There is nothing complicated about this syntax, althoughthe attribute names are not the most descriptive for their actual purpose. ThevalidationKey specifies the key used for the hashing algorithm used to validatedata. The decryptionKey, despite its name, is the key used to encrypt anddecrypt data that you want to keep secret, such as when you set theviewStateEncryptionMode to either Auto or Always in an@Page directive.   By default, both validationKey and encryptionKey are setto AutoGenerate,IsolateApps. AutoGenerate means thatthe system takes care of generating a secure, cryptographically random key foryou and saves it. In IIS 5.x, it is saved in the server s LSA, the WindowsLocal Security Authority. LSA is a very secure location for storing such thingsdeep within the bowels of Windows. In IIS 6, it is saved in a protected sectionof the registry, since saving to LSA requires SYSTEM privileges that the IIS 6process doesn t have. The IsolateApps modifier means that each application onthe server gets its own key based on the application ID, which contributestoward the isolation of each application.   If you insist that you can do a better job of generating akey, or if you need to share a key across servers in a Web farm, you canspecify your own key for either or both attributes. Make sure that you use themaximum possible length for the keys to get the maximum protection. See thedocumentation for machineKey for details about maximum key lengths.   The validation and decryption attributes specify thehashing and encryption algorithms used to protect data. The decryptionattribute is a new addition in ASP.NET 2.0 to reduce the overloading of theolder version of the validation attribute. The Auto option for this attributeuses an algorithm that is inferred from the key size. Triple DES encryption isthe default, but a key of 128 or 256 bits will use AES. Despite the name, thedecryption attribute applies to both encryption and decryption of data.Contrary to the documentation, you can use the Message Digest 5 (MD5) algorithmfor the validation key in addition to SHA1, AES, and 2DES.   You can override the settings for anindividual Web application by putting the key in the application s web.configfile. This is particularly useful if you need to manually provide keys for asingle application on the server. You can t, however, further override them ina subdirectory because you can only have a single key for each application.   Most of the uses of machineKey to protect various kinds ofapplication data and settings have their own configuration options, and therecan be subtle interactions with how you configure machineKey. ASP.NET providesmany of the tools developers need to build secure sites, so it is worthwhile totake the time to get to know them.  References Element documentation on MSDN:http://msdn2.microsoft.com/en-us/library/w8h3skw9.aspx How To: Configure MachineKey in ASP.NET 2.0 , awhite paper from Microsoft s Patterns & Practices Group: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000007.asp .NET Nuances: AutoGenerate Subtleties by DonKiely, which covers some interesting subtleties of ASP.NET 1.x keys: http://www.aspnetpro.com/newsletterarticle/2005/08/asp200508dk_l/asp200508dk_l.asp  DonKiely, MVP, MCSD, is a senior technology consultant, building customapplications as well as providing business and technology consulting services.His development work involves tools such as SQL Server, Visual Basic, C#,ASP.NET, and Microsoft Office. He writes regularly for several trade journals,and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and readhis blog at http://www.sqljunkies.com/weblog/donkiely/.