I am attempting to turn on viewstate encryption (Always) as a security measure for my ASP.NET 3.5 website hosted in IIS6. We have viewstate turned off but still see some "controlstate" in this string. In a test environment I am able to simply set the following in web.config and I can no longer base64 decode the viewstate to semi-plaintext:
<pages enableViewState="false" enableViewStateMac="true" viewStateEncryptionMode="Always">
I have even added the following (generated by a machine key generator) to machine.config and it still encrypts the viewstate fine on my test server:
<machineKey validationKey="002..." decryptionKey="D90E..." validation="SHA1" decryption="AES" />
My non-test environment doesn't seem to pick up the above changes, as I can always base64 decode the viewstate to plain text with the above settings. I always iisreset after I make any changes.
Some info about my non-test webserver:
Can anyone suggest where to look for additional settings that might interfere with asp.net viewstate encryption?
EDIT: Now on my IIS test server I cannot undo the viewStateEncryptionMode setting, as it is encrypting the viewstate even when I set it to "Never", and none of my other websites seem to take hold of this setting. Where can I possibly look to see where this property is being overridden? Is there any cache where this setting is stored that needs to be cleared besides what would be done when I iisreset / stop the www service / touch machine.config?
EDIT FINAL: After days of studying config files I gave up and implemented this via code. I already had a security module that was attaching to page events, so in Page_Load I added: Page.RegisterRequiresViewStateEncryption();
I would really love to know what was preventing this setting from getting picked up on IIS6 immediately. When I run Cassini locally, if I set viewStateEncryptionMode to "Always" via the pages node I would immediately see it encrypt the viewstate and render the additional hidden field with id="__VIEWSTATEENCRYPTED". When I then set it to "Never" I would immediately see the encryption turn off. If I make the same exact change to the website on my IIS6 hosted website, it would have no effect immediately, but if I allow the setting to stay there it would eventually take hold. I would stop/start the www service, reset IIS, clear the ASP.NET temp cache, but I don't know what else to try. Hopefully this post can rot for a while and someone in the future will see the same behavior I experienced and we can further figure this out!
ViewState is present on the page as the __VIEWSTATE parameter: all the values are serialized and base64-encoded into a hidden field. In addition to the base64 encoding, the viewstate can also be signed with a MAC (Message Authentication Code) to guarantee integrity, and encrypted to guarantee confidentiality.
Q4. How can you detect if a viewstate has been tampered with? Ans: By setting EnableViewStateMac to true in the @Page directive. This attribute checks the encoded (and, if enabled, encrypted) viewstate for tampering.
I know it's been a while since you posted this, but have you considered making your own implementation of PageStatePersister? PageStatePersister is the component responsible for formatting the ViewState and ControlState data embedded in your page. If security is your primary concern, you can use whatever encryption algorithms you'd like to ensure your data remains private. Based on your configuration it sounds like you're in a rather capable environment, so obviously load-test first. It's also worth mentioning that I have no knowledge of or experience with MVC's layered involvement in ViewState when incorporated in a "classic" ASP.NET WebForms site.
Good luck.
B
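The check the question applies by hand ("can I still base64 decode the viewstate to plaintext?") can be made mechanical. The following is an added example, not code from the original post or from any answer above: it pulls the __VIEWSTATE / __VIEWSTATEENCRYPTED hidden fields out of a rendered page, base64-decodes the blob, and looks for the 0xFF 0x01 format marker that ASP.NET's ObjectStateFormatter writes at the start of unencrypted state. An unencrypted (even MAC-signed) blob keeps that header and its strings are readable; an encrypted blob is opaque and the page carries the __VIEWSTATEENCRYPTED marker field the question mentions. The two sample pages are constructed inline for the example (a hand-built two-token blob and an arbitrary byte string standing in for AES output); they are not captured from a real site.

```python
import base64
import re

# ObjectStateFormatter writes this two-byte marker (format 0xFF, version 0x01)
# at the start of serialized ViewState/ControlState when it is not encrypted.
LOS_HEADER = b"\xff\x01"

# Constructed sample blobs (not from the original post).
# PLAIN_BLOB: header, then token 0x05 (string) with a 7-bit length prefix (11) and the text.
PLAIN_BLOB = b"\xff\x01\x05\x0bHello World"
# OPAQUE_BLOB: fixed arbitrary bytes standing in for AES ciphertext; no header, no readable runs.
OPAQUE_BLOB = bytes.fromhex(
    "9c3af17e4b02d8e5f6a9c0e311bd7f884ae6d2c095b17c3e8fd04a6b2e9f1d73"
)

def hidden_input(name, value):
    """Render a hidden field the way WebForms emits __VIEWSTATE and friends."""
    return '<input type="hidden" name="%s" id="%s" value="%s" />' % (name, name, value)

# Constructed pages: one with viewStateEncryptionMode="Never" (readable blob),
# one with viewStateEncryptionMode="Always" (opaque blob plus the marker field).
PLAIN_PAGE = hidden_input("__VIEWSTATE", base64.b64encode(PLAIN_BLOB).decode())
ENCRYPTED_PAGE = (
    hidden_input("__VIEWSTATEENCRYPTED", "")
    + hidden_input("__VIEWSTATE", base64.b64encode(OPAQUE_BLOB).decode())
)

HIDDEN_RE = re.compile(r'<input[^>]*name="(__[A-Z]+)"[^>]*value="([^"]*)"', re.I)

def hidden_fields(html):
    """Map of __NAME -> value for the double-underscore hidden fields on a page."""
    return dict(HIDDEN_RE.findall(html))

def printable_runs(data, minlen=4):
    """Runs of printable ASCII at least minlen long (the 'semi-plaintext' a human sees)."""
    text = "".join(chr(b) if 32 <= b < 127 else "\x00" for b in data)
    return [run for run in text.split("\x00") if len(run) >= minlen]

def inspect_viewstate(html):
    """Classify the page's ViewState as readable, encrypted, or unknown."""
    fields = hidden_fields(html)
    raw = base64.b64decode(fields.get("__VIEWSTATE", ""))
    has_header = raw[:2] == LOS_HEADER
    has_marker = "__VIEWSTATEENCRYPTED" in fields
    if has_header:
        verdict = "NOT encrypted: ObjectStateFormatter header present, state is readable"
    elif has_marker:
        verdict = "encrypted: __VIEWSTATEENCRYPTED marker present and no plaintext header"
    else:
        verdict = "unknown: no plaintext header and no marker (not ViewState, or a custom persister)"
    return {
        "plaintext_header": has_header,
        "has_encrypted_marker": has_marker,
        "strings": printable_runs(raw),
        "verdict": verdict,
    }

if __name__ == "__main__":
    for label, page in (("Never", PLAIN_PAGE), ("Always", ENCRYPTED_PAGE)):
        result = inspect_viewstate(page)
        print(label, "->", result["verdict"], result["strings"])
```

Run it against the saved HTML of a page from the non-test server after each config change: if the verdict stays "NOT encrypted" while the test server flips to "encrypted", the setting really is not being applied there, independent of how the base64 output looks to the eye. Note that a MAC (enableViewStateMac) does not change the verdict, since the MAC is a trailer appended to otherwise readable state; only encryption removes the header.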