Configuring Machine Key in ASP.NET 3.5 to tamper proof viewState

Security is a major concern when it comes to online transactions like shopping. Today we will learn how to tamper proof your ASP.NET application using element in web.config file. How to protect your sensitive ViewState data and Forms authentication ticket.

By default, ViewState in ASP.NET is encoded and not encrypted as you might feel. ViewState is transmitted to server as a Base64 string and can be easily decoded.Take a look at this if you are interested in decoding stuff and read more about Base64 here.

Encrypting and protecting ViewState: For a tamper proof ViewState a hashed message authentication code (HMAC) is generated from ViewState data which is then compared on subsequent requests. We can make use of element and can encrypt our ViewState using desired encryption mechanisms. Eg, SHA1 , MD5, AES and 3DES. Here is how a element looks but before that we need to set enableViewStateMac=True in our asp.net page as shown below code segment.

<%@ Page  EnableViewStateMac="true" ViewStateEncryptionMode="Auto"  Language="C#" AutoEventWireup="true" CodeBehind="login.aspx.cs" Inherits="Using_SQL_Membership.login" %>

Or you can set it in web.config file as shown below.

enableViewState=True enables hashing of viewstate while you viewStateEncryptionMode takes 3 values. Auto, Always and Never. With viewStateEncryptionMode set to Auto, the page is only encrypted if a control has specifically asked for it by calling the Page.RegisterRequiresViewStateEncryption() method to request encryption. If it set to Always, this forces encryption even if a control does not request it. For performance reasons do not encrypt viewState unless and until it has sensitive data.

1. validationKey: This specifies the key that the HMAC algorithm uses to make ViewState tamper proof.

2.decryptionKey: specifies the key used to encrypt or decrypt data. Also, ASP.NET uses the key only if validation attribute is set to AES or 3DES.

3.validation: specifies the hashing algorithm used to generate HMACs to make ViewState encrypted.

In general, you should choose SHA1 over MD5 for tamper-proofing because this produces a larger hash than MD5 and is considered cryptographically stronger.

Encrypting and protecting Forms Authentication:

To ensure that forms authentication tickets are encrypted and protected against tampering, set the protection attribute of the element to All, as shown

Along with this make same settings to machineKey as shown above.

If you deploy your application in a Web farm, you must ensure that the configuration files on each server share the same value for validationKey and decryptionKey, which are used for hashing and decryption respectively. This is required because you cannot guarantee which server will handle successive requests.

Viewing ASP.NET viewstate with ViewState Decoder
Do you ever wonder what may be inside that asp.net viewstate? As a tester don't you think you should? It's a good thing to wonder about if you care about security. It's possible that the viewstate could contain sensitive user information that could be compromised in a man in the middle attack. For example: A user can input a credit card number into a textbox which would be passed to the next page via the viewstate. Not good... The viewstate is not encrypted by default its just simple Base64 encoding which can easily decoded with cool little tools like ViewState Decoder made by Fritz Onion.