4

I am using HMACSHA256 for message authentication in a web-farm environment.

Within the web-farm each machine has the same machine key, so the ViewState will work across machines, however, I need to do HMAC message authentication which will work across machines, so I figured that since all machines use the same machine key, there should be a way to derive a key from that to use as the HMAC key.

I notice that as of .NET 4.0 there is the MachineKey class, however, I am stuck with using .NET 3.5, and this is unavailable to me.

Is there a way to get some sort key that is the same on all machines without generating my own, for use in an ASP.NET 3.5 environment?

Edit

I don't actually need the machine key itself, just the validation key that is derived from the machine key (or equivalent).

Matthew
  • 24,703
  • 9
  • 76
  • 110

1 Answers1

7

You can read the machine key from the web.config. This link shows how to do so: http://aspnetresources.com/blog/how_to_read_auto_generated_machinekey

Keep in mind, that the author of the article reads the generated machine key - so you have to do some changes in the code.

I just read the article a little bit more and saw, that it uses reflection, which isn't neccessary, if you store the machine key inside the web.config. Essentially it breaks down to this line:

MachineKeySection section = (MachineKeySection) 
  ConfigurationManager.GetSection ("system.web/machineKey");
TGlatzer
  • 5,815
  • 2
  • 25
  • 46
  • Thank you, this gives me what I need. The reflection bit is required as I have to get actual machine key value from `ValidationKeyInternal`. – Matthew Jan 03 '13 at 15:11
  • 1
    If you are not Stuck to .NET 3.5 you can use the MachineKey class – TGlatzer Jan 15 '15 at 20:54