3

How do we find out what encryption MVC4 uses? I notice there is an option for a SALT but this also seems not to be used in the WebSecurity() module.

I would like to know the standard used and if it is easily possible to upgrade to the latest SHA.

Eonasdan
CR41G14

2 Answers

6

According to the below link the Default Hashing Algorithm Is Now HMACSHA256:

http://www.asp.net/whitepapers/aspnet4/breaking-changes

Default Hashing Algorithm Is Now HMACSHA256

ASP.NET uses both encryption and hashing algorithms to help secure data such as forms authentication cookies and view state. By default, ASP.NET 4 now uses the HMACSHA256 algorithm for hash operations on cookies and view state. Earlier versions of ASP.NET used the older HMACSHA1 algorithm.

Your applications might be affected if you run mixed ASP.NET 2.0/ASP.NET 4 environments where data such as forms authentication cookies must work across .NET Framework versions. To configure an ASP.NET 4 Web application to use the older HMACSHA1 algorithm, add the following setting in the Web.config file:

<machineKey validation="SHA1" />
Community
Adam K Dean
2

The WebSecurity class internally uses the Crypto class and salts the passwords even though you don't see it in the generated tables; more details can be found here. That said, you can easily inspect WebMatrix.WebData with ILSpy to see the internals of the WebSecurity class.

Giorgio Minardi
  • Why don't we see the salt used in the tables as the field is there? – CR41G14 Feb 20 '13 at 17:24
  • 1
    In short, the salt gets generated from within the method HashPassword of the Crypto class. The only thing needed is the size of the salt, which is 128 bits. There is no need to save it within the table then. Read the links above for a more detailed explanation! – Giorgio Minardi Feb 20 '13 at 17:32