
What encryption does MVC4 use?

How do we find out what encryption MVC4 uses? I notice there is an option for a SALT but this also seems not to be used in the WebSecurity() module.

I would like to know the standard used and if it is easily possible to upgrade to the latest SHA.

CR41G14 asked May 08 '26 02:05


2 Answers

According to the link below, the default hashing algorithm is now HMACSHA256:

http://www.asp.net/whitepapers/aspnet4/breaking-changes

Default Hashing Algorithm Is Now HMACSHA256

ASP.NET uses both encryption and hashing algorithms to help secure data such as forms authentication cookies and view state. By default, ASP.NET 4 now uses the HMACSHA256 algorithm for hash operations on cookies and view state. Earlier versions of ASP.NET used the older HMACSHA1 algorithm.

Your applications might be affected if you run mixed ASP.NET 2.0/ASP.NET 4 environments where data such as forms authentication cookies must work across .NET Framework versions. To configure an ASP.NET 4 Web application to use the older HMACSHA1 algorithm, add the following setting in the Web.config file:

<machineKey validation="SHA1" />
Adam K Dean answered May 10 '26 14:05


The WebSecurity class internally uses the Crypto class and salts the passwords, even though you don't see it in the generated tables; more details can be found here. That said, you can easily inspect WebMatrix.WebData with ILSpy to see the internals of the WebSecurity class.

Giorgio Minardi answered May 10 '26 14:05
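
An added example (not part of either answer, and not WebMatrix's own code): a Python re-implementation of the value format produced by System.Web.Helpers.Crypto.HashPassword, showing why the salt is stored even though the salt column stays empty. It assumes the version-0 layout, a 0x00 byte followed by a 16-byte salt and a 32-byte PBKDF2-HMAC-SHA1 subkey (1000 iterations), Base64-encoded; the function names and the sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# Parameters of the assumed version-0 format: { 0x00, salt, subkey }.
SALT_LEN = 16       # 128-bit random salt
SUBKEY_LEN = 32     # 256-bit derived subkey
ITERATIONS = 1000   # PBKDF2 iteration count


def _derive(password, salt):
    """PBKDF2-HMAC-SHA1 over the UTF-8 password bytes."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               ITERATIONS, SUBKEY_LEN)


def hash_password(password, salt=None):
    """Return Base64(0x00 || salt || subkey), the single stored value."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 16 bytes")
    return base64.b64encode(b"\x00" + salt + _derive(password, salt)).decode("ascii")


def parse_hash(stored):
    """Split a stored value into (salt, subkey); raise ValueError if malformed."""
    raw = base64.b64decode(stored, validate=True)
    if len(raw) != 1 + SALT_LEN + SUBKEY_LEN or raw[0] != 0:
        raise ValueError("not a version-0 password hash")
    return raw[1:1 + SALT_LEN], raw[1 + SALT_LEN:]


def verify_password(stored, password):
    """Recompute the subkey with the embedded salt and compare in constant time."""
    try:
        salt, subkey = parse_hash(stored)
    except ValueError:
        return False  # malformed or foreign-format value never verifies
    return hmac.compare_digest(_derive(password, salt), subkey)


if __name__ == "__main__":
    stored = hash_password("correct horse")  # constructed sample password
    salt, _ = parse_hash(stored)
    print("stored value :", stored)
    print("embedded salt:", salt.hex())
    print("verifies     :", verify_password(stored, "correct horse"))
```

Running `parse_hash` over an existing password column is a quick way to confirm every row carries its own salt and to spot rows written in some other format.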


