Synchronize Validation and Encryption Keys

With a quick tweak to <machineKey>, data hashed or encrypted on one server can be validated or unencrypted on another.

Hot Tip

LANGUAGES: C#

TECHNOLOGIES: Validation | Encryption | machine.config


By Jeff Prosise

 

One key to configuring ASP.NET to work on server farms is to configure each server to use identical validation and encryption keys. You accomplish this by modifying the <machineKey> element in each server's Machine.config file. The default <machineKey> setting lets each server autogenerate its security keys at startup:

<machineKey
  validationKey="AutoGenerate"
  decryptionKey="AutoGenerate"
  ...
/>

The following <machineKey> element configures a server to use specific security keys:

<machineKey
  validationKey="4D815327A6400F267C03373C8353E3AE262C59D05542FDD4"
  decryptionKey="6FDFDED0CF52B1AFC543207254C5864F1A5A401B836D963E"
  ...
/>

Making this modification to each and every server in the Web farm ensures data hashed or encrypted on one server can be validated or unencrypted on another.

 

A commonly asked question regarding the key values plugged into machine.config is, "How do I generate them?" You could generate a key manually by writing a series of hex values on a piece of paper, but the resulting key might not be cryptographically secure: a key chosen by hand is unlikely to be uniformly random, and a predictable key weakens the encryption and validation it protects. (Not all keys are equally strong; the less predictable the key, the more effective the encryption.)

 

The .NET Framework Class Library features a class named RNGCryptoServiceProvider (found in the System.Security.Cryptography namespace) that generates cryptographically strong random numbers, which are exactly what validation and encryption keys should be built from.

 

Here's the C# source code for a command-line utility named KeyGen that uses RNGCryptoServiceProvider. It takes a key length (in bytes) as input and produces a cryptographically strong security key of the specified length:

using System;
using System.Security.Cryptography;

class KeyGen
{
    static void Main (string[] args)
    {
        // Usage: KeyGen <count>, where count is the key length in bytes
        if (args.Length == 0) {
            Console.WriteLine ("SYNTAX: KeyGen count");
            return;
        }

        int count;
        try {
            count = Convert.ToInt32 (args[0]);
            if (count <= 0) {
                Console.WriteLine ("Count must be greater than 0");
                return;
            }
        }
        catch (FormatException) {
            Console.WriteLine ("Count must be numeric");
            return;
        }
        catch (OverflowException) {
            Console.WriteLine ("Count is too large");
            return;
        }

        // Fill the buffer from the cryptographic random number generator;
        // the provider is disposable, so release it as soon as we have the bytes
        byte[] key = new byte[count];
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider ()) {
            rng.GetBytes (key);
        }

        // Print the key as uppercase hex with no separators, ready to paste
        // into validationKey or decryptionKey
        Console.WriteLine (BitConverter.ToString (key).Replace ("-", ""));
    }
}

You can compile the source code with Microsoft's C# compiler, or you can download the finished EXE from here. To run KeyGen and produce a 24-byte security key, type keygen 24 in a command prompt window. To produce a shorter or longer key, simply adjust the byte count accordingly.
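The following Python model is an added example, not code from the article or from Microsoft. It ties together the two points above: KeyGen's job of producing a random key as uppercase hex (here done with the standard-library secrets module standing in for RNGCryptoServiceProvider), and the reason for pasting the same value into every server's <machineKey>: a token signed on one node validates on another only when both hold the same validationKey. The Server class, its HMAC-SHA1 token layout and the sample payload are all constructed for illustration and do not reproduce ASP.NET's real ViewState or forms-authentication formats; the 24-byte hex key reused in tamper_detected is the one shown in the article's <machineKey> sample.

```python
import hashlib
import hmac
import secrets
from typing import Optional

DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes for HMAC-SHA1


def generate_key(count: int) -> str:
    """Python counterpart of KeyGen: `count` random bytes as uppercase hex.

    secrets.token_bytes draws from the OS cryptographic RNG, the same role
    RNGCryptoServiceProvider plays in the C# utility.
    """
    if count <= 0:
        raise ValueError("Count must be greater than 0")
    return secrets.token_bytes(count).hex().upper()


class Server:
    """Hypothetical web-farm node (illustration only, not ASP.NET's real format).

    A hex validation_key mirrors <machineKey validationKey="...">; None mirrors
    "AutoGenerate", where each node picks its own key at startup.
    """

    def __init__(self, name: str, validation_key: Optional[str] = None) -> None:
        self.name = name
        if validation_key is None:
            self.key = secrets.token_bytes(24)          # AutoGenerate
        else:
            self.key = bytes.fromhex(validation_key)    # shared, configured key

    def sign(self, payload: bytes) -> bytes:
        """Append an HMAC-SHA1 over the payload, as a validation step would."""
        return payload + hmac.new(self.key, payload, hashlib.sha1).digest()

    def validate(self, token: bytes) -> Optional[bytes]:
        """Return the payload if the MAC was made with this node's key, else None."""
        if len(token) < DIGEST_LEN:
            return None
        payload, mac = token[:-DIGEST_LEN], token[-DIGEST_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha1).digest()
        # constant-time comparison so the check does not leak where the MAC differs
        return payload if hmac.compare_digest(mac, expected) else None


def cross_server_validation(shared_key: bool) -> bool:
    """Sign on node A, validate on node B; True when B accepts A's token."""
    if shared_key:
        key = generate_key(24)              # same value pasted into both configs
        a, b = Server("A", key), Server("B", key)
    else:
        a, b = Server("A"), Server("B")     # AutoGenerate on each node
    token = a.sign(b"user=alice;role=reader")   # constructed sample payload
    return b.validate(token) is not None


def tamper_detected() -> bool:
    """A token altered in transit must fail validation even with a shared key."""
    key = "4D815327A6400F267C03373C8353E3AE262C59D05542FDD4"  # key from the article
    a, b = Server("A", key), Server("B", key)
    token = bytearray(a.sign(b"user=alice;role=reader"))
    token[-DIGEST_LEN - 1] ^= 0x01          # flip one bit of the payload
    return b.validate(bytes(token)) is None


if __name__ == "__main__":
    print("new 24-byte key:", generate_key(24))
    print("shared key, A->B accepted:", cross_server_validation(True))
    print("autogenerated keys, A->B accepted:", cross_server_validation(False))
    print("tampered token rejected:", tamper_detected())
```

Running it prints a fresh key, then True, False, True: with a shared key node B accepts what node A signed, with per-node autogenerated keys it does not, and a modified token is rejected either way. The two-random-keys case fails because the probability of two independently generated 24-byte keys matching is negligible, which is exactly why AutoGenerate cannot work across a farm.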

 

The sample code in this article is available for download.

 

Jeff Prosise is author of several books, including Programming Microsoft .NET (Microsoft Press). He also is a co-founder of Wintellect (http://www.wintellect.com), a software consulting and education firm that specializes in .NET. Got a question for this column? Submit queries to [email protected]
