What are the default key lengths that are generated when leaving the ValidationKey and DecryptionKey at their defaults? For example:
<machineKey decryptionKey="AutoGenerate,IsolateApps" validationKey="AutoGenerate,IsolateApps" ... />
I have not been able to find this documented anywhere on MSDN. I would like to generate a static machine key and keep it in line with the defaults.
The MachineKey class provides methods that expose the hashing and encryption logic that ASP.NET provides. For information about which encryption and hashing algorithms ASP.NET uses, and the key values that it uses with them, see machineKey Element (ASP.NET Settings Schema).
The Machine Key is used to hash and/or encrypt cookies for the Alpha Anywhere Application Server for IIS. If multiple servers running IIS have different Machine Keys, the cookies created on one machine won't be usable on the other.
Managed via the IIS Manager the generated key is stored in the <machineKey> element in the machine. config and must be kept in sync across all nodes of a Web Server Farm. On PCF the <machineKey> element must be added to the web. config of the ASP.NET Application to ensure consistency for all Application instances.
The machine key works with the cryptography libraries, at least on a fresh install, it adds an element to the web. config inside system. web that contains the encryption and decryption keys and algorithm.
This MSDN page talks about the machineKey web.config element:
"For SHA1, set the validationKey to 64 bytes (128 hexadecimal characters).
For AES, set the decryptionKey to 32 bytes (64 hexadecimal characters).
For 3DES, set the decryptionKey to 24 bytes (48 hexadecimal characters)."
Another MSDN page has additional info:
"validationKey specifies a manually assigned validation key. This value must be manually set to ensure consistent configuration across a network of Web servers (a Web farm). The key must be a minimum of 40 characters (20 bytes) and a maximum of 128 characters (64 bytes) long. If keys shorter than the maximum length are used, they should be created by a truly random means, such as by using RNGCryptoServiceProvider. The recommended key length is 128 hexadecimal characters. If you add the IsolateApps modifier to the validationKey value, ASP.NET generates a unique encrypted key for each application using each application's application ID."
"decryptionKey specifies a manually assigned key. This value must be manually set to a string of hexadecimal characters to ensure consistent configuration across a Web farm. The key should be 16 characters in length when using DES encryption and 48 characters in length when using Triple DES encryption. If keys shorter than the maximum length are used, they should be created by a truly random means, such as by using RNGCryptoServiceProvider. ASP.NET can use Triple DES only on computers on which 128-bit encryption is available. If you add the IsolateApps modifier to the decryptionKey value, ASP.NET generates a unique encrypted key for each application using each application's application ID."
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With