Is Forms Authentication Ticket safe enough?

When a user logs in with the default Forms Authentication method, the server creates a cookie containing encrypted data (using the Machine Key as the encryption key).

It means that if someone finds/guesses/accesses the Machine Key for the server, he will be logged in to the web application.

I've developed some applications which are on 4 servers. So, I hard-coded the same Machine Key for all the servers in machine.config and I can't use Auto Generate mode.

  1. Is it possible to brute force the Machine Key?
  2. Are there any other methods? (I don't want to use Windows and Passport)
  3. And is the Forms Authentication Ticket safe enough? (i.e. acceptable for e-banking applications)
Amir Pournasserian asked Mar 26 '12 08:03



2 Answers

ASP.NET forms authentication tickets are encrypted using the Rijndael algorithm. Rijndael was created as a replacement for DES (Data Encryption Standard), which offered unlimited ways to encrypt data and was also susceptible to brute force attacks. A number of DES Challenges were organised in the late 90s by RSA Security to challenge teams to crack DES in order to highlight its inherent vulnerabilities: http://en.wikipedia.org/wiki/DES_Challenges

By comparison, Rijndael (also known as the Advanced Encryption Standard, AES) uses longer keys - 256 bits - and a double encryption algorithm. To crack a 256 bit Rijndael key (such as the ASP.NET machine key) would require 2^200 operations (about 10^60 - ten with 60 zeros), near impossible to brute force crack. Combine that with the fact that the ASP.NET ticket changes regularly, and when decrypted basically looks like a random string of letters and numbers (so it is impossible to determine if what you've brute force decrypted is correct or not), and you can rest assured nobody will be cracking your forms authentication cookie any time soon.

More info about Rijndael and its possible attacks here:

http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Known_attacks

reach4thelasers answered Oct 05 '22 07:10


The first rule of encryption is that the message is only as secure as the key. If someone has access to your key there is no method secure enough.

  1. I doubt it is possible to brute-force the Machine Key in any reasonable time.
  2. I believe Forms Authentication is the only true web solution that comes out of the box in ASP.NET. You can implement your own but I doubt it will be more secure.
  3. Safe enough for what? It is hijackable by a man in the middle on a non-encrypted connection and vulnerable to XSRF attacks if you turn off event validation (in Web Forms) or don't use the security tokens (MVC). Otherwise it is secure, save for exploits that are discovered and fixed all the time in all technologies.
Stilgar answered Oct 05 '22 07:10
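Both answers above rest on one property: the ticket is only as strong as the machineKey that protects it, so the key, not the ticket format, is what has to be guarded. The following is an added example written for this page; it is not code from the question or either answer, and it is not ASP.NET's own FormsAuthentication implementation or its on-the-wire ticket layout (the real ticket is serialised by System.Web and protected with the machineKey's validationKey and decryptionKey). It is a simplified Python model in which a ticket is a JSON payload plus an HMAC-SHA256 tag under a shared validation key, standing in for the machineKey validationKey that the question copies to all four servers. The key bytes, user names and timestamps are constructed for the example. It shows that a ticket tampered with or signed under a guessed key fails verification, that an expired ticket is rejected, and that whoever holds the real key can mint a valid ticket for any user, which is exactly the risk the question raises about a hard-coded key. Encryption of the payload (the decryptionKey side) is deliberately left out; only integrity and expiry are modelled.

```python
"""
Simplified model of a MAC-protected authentication ticket (added example;
not ASP.NET's FormsAuthentication code or ticket format).
"""
import base64
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256 tag

# Constructed keys for the example. A real deployment generates one strong
# random validationKey and copies the same value to every server in the farm.
SERVER_KEY = bytes(range(64))          # the "machineKey" shared by all servers
ATTACKER_GUESS = bytes(range(64, 128))  # a wrong key an attacker might try


def issue_ticket(key: bytes, user: str, ttl_seconds: int, now: float) -> str:
    """Build a ticket: urlsafe-base64( payload || HMAC-SHA256(key, payload) )."""
    payload = json.dumps({"user": user, "exp": now + ttl_seconds},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_ticket(key: bytes, ticket: str, now: float):
    """Return the user name if the ticket is authentic and unexpired, else None."""
    try:
        raw = base64.urlsafe_b64decode(ticket.encode())
    except ValueError:           # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak tag bytes via timing.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("exp", 0) <= now:
        return None
    return data.get("user")


def demo(key: bytes = SERVER_KEY, guess: bytes = ATTACKER_GUESS) -> dict:
    """Run the scenarios both answers describe and return what the server sees."""
    now = 1_700_000_000.0          # constructed clock value
    legit = issue_ticket(key, "alice", 3600, now)

    # 1. Attacker edits the user name inside a captured ticket but has no key:
    raw = base64.urlsafe_b64decode(legit.encode())
    tampered_raw = raw.replace(b'"user":"alice"', b'"user":"admin"')
    tampered = base64.urlsafe_b64encode(tampered_raw).decode()

    # 2. Attacker mints a ticket under a guessed key (one brute-force attempt):
    wrong_key_ticket = issue_ticket(guess, "admin", 3600, now)

    # 3. Attacker has obtained the real key (leaked config, shared host, ...):
    forged = issue_ticket(key, "admin", 3600, now)

    return {
        "legit": verify_ticket(key, legit, now),                 # "alice"
        "tampered": verify_ticket(key, tampered, now),           # None
        "wrong_key": verify_ticket(key, wrong_key_ticket, now),  # None
        "expired": verify_ticket(key, legit, now + 7200),        # None
        "forged_with_leaked_key": verify_ticket(key, forged, now),  # "admin"
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:24s} -> {result}")
```

The point of the last scenario is the one the question is worried about: with the real key, forgery is a single call, so a hard-coded key in machine.config is only acceptable if that file is protected on every one of the four servers (and rotated if it is ever exposed). The point of the `wrong_key` scenario is the answer to the brute-force question: each guess costs one HMAC over a 64-byte key space, and a guess either verifies or it does not, so the work is bounded by the key length rather than by anything in the ticket.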