Viewstate Encryption

[DavidF]

Hi,

I'm having a problem with viewstate encryption on one of my websites. To
encrypt the viewstate, I'm using the following lines in my web.Config file:

<pages theme="Default" viewStateEncryptionMode="Always"
enableViewStateMac="true"></pages>

<machineKey validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
validation="SHA1" />

Although the viewstate is encrypted, it actually looks like an MD5 hash.
Additionaly, the viewstate value attribute contains exactly the same no
matter what I've put in the validation block (e.g.MD5, AES, 3DES, SHA1).

Am I missing something blindingly obvious?

Any help appreciated!
Cheers,
Dave F.

 

[Guest]

Isn't there an enableViewState="true" attribute you can add? Because what you
are describing sounds like "no ViewState"..
---Peter
"Inside every large program, there is a small program trying to get out."
http://www.eggheadcafe.com
http://petesbloggerama.blogspot.com
http://www.blogmetafinder.com

 

[Walter Wang [MSFT]]

Hi Dave,

Please note the SHA1 and MD5 are used to tamper proof ViewState and, if
configured, the forms authentication ticket. Only the AES and 3DES are
supported to encrypt ViewState:

#How To: Configure MachineKey in ASP.NET 2.0
http://msdn2.microsoft.com/en-us/library/ms998288.aspx
<quote>
SHA1¨CSHA1 is used to tamper proof ViewState and, if configured, the forms
authentication ticket. When SHA1 is selected for the validation attribute,
the algorithm used is HMACSHA1.
MD5¨CMD5 is used to tamper proof ViewState and, if configured, the forms
authentication ticket.
AES¨CAES is used to encrypt ViewState with the key specified in the
decryptionKey attribute.
3DES¨C3DES is used to encrypt ViewState with the key specified in the
decryptionKey attribute. This is the only way to encrypt ViewState in
ASP.NET 1.1. Both the forms authentication ticket and the ViewState are
tamper-proofed using SHA-1 and the key specified in the validationKey
attribute. Because the validation attribute is overloaded in ASP.NET 1.1,
ASP.NET 2.0 introduces a new decryption attribute.
</quote>


Also, it's recommended to use AES instead of 3DES:

#You may receive an error message when you access ASP.NET Web pages that
have ViewState enabled after you upgrade from ASP.NET 1.1 to ASP.NET 2.0
http://support.microsoft.com/kb/911722
<quote>
Theoretically, the 3DES algorithm is less secure than the AES (Rijndael)
algorithm. We recommend that you use the AES algorithm whenever possible to
help secure your system.
</quote>


Hope this helps.


Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[DavidF]

Thanks for your response Peter.

Adding the enableViewState="true" doesn't seem to make any difference (I was
also under the impression that ViewState="true" by default). Even with the
page (and machine key) elements as:

<pages theme="Default" enableViewState="true"
viewStateEncryptionMode="Always" enableViewStateMac="true"></pages>

<machineKey validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
validation="SHA1" />

The resulting ViewState block looks like:

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
value="1qcK2zxo...<snip>...Q+wvmxyDP4=" />


Changing the validation value to any of the other values results in an
identical viewstate block - the only way I can see that the value changes is
if I remove the encryption - at which point it reverts back to the Base64
encoding.

Cheers,
Dave

 

[DavidF]

Thanks Walter,

Appreciate the comment and will be using 3DES once I can actually get it to
encrypt!

Cheers,
Dave