Does anyone know where ASP.NET Core Identity keeps its encryption key? I need to have the ability to invalidate all the users. So changing the encryption key makes current users' cookies invalid. I know that in ASP.NET it used to be the machine key; what about ASP.NET Core?
-
Possible duplicate of [How to implement machineKey in ASP.NET Core 2.0](https://stackoverflow.com/questions/46668192/how-to-implement-machinekey-in-asp-net-core-2-0) – ste-fu Feb 13 '19 at 15:00
-
What encryption key? Neither ASP.NET Core nor ASP.NET *encrypt* passwords. They *hash* them using Rfc2898DeriveBytes or better, typically with over 1000 hashing iterations. There's no valid reason to encrypt passwords. No, sending the password to the user is *NOT* a valid reason, it's a huge security vulnerability, which is why it's no longer available – Panagiotis Kanavos Feb 13 '19 at 15:01
-
@PanagiotisKanavos I believe the OP is asking about the encryption of the Cookie generated, not the passwords hashed – Camilo Terevinto Feb 13 '19 at 15:02
-
@CamiloTerevinto by nuking the *machine key*. Might as well blow up the server. – Panagiotis Kanavos Feb 13 '19 at 15:03
-
@PanagiotisKanavos Doesn't Identity use an ephemeral key stored in-memory by default? That could be IdentityServer though, I don't remember now – Camilo Terevinto Feb 13 '19 at 15:04
-
@CamiloTerevinto I'm freaking out at the suggestion that the machine key should be modified at the moment. The actual question behind this question, how to invalidate all authentication cookies, needs further study and I suspect it has nothing to do with nuking the machine-wide encryption key – Panagiotis Kanavos Feb 13 '19 at 15:05
-
@PanagiotisKanavos I can imagine, but ASP.NET Core does not use the machine key at all for this. OP: you can read more about this here: https://stackoverflow.com/questions/42842511/how-to-manually-decrypt-an-asp-net-core-authentication-cookie – Camilo Terevinto Feb 13 '19 at 15:08
-
Your idea is dubious, but if you want to manage keys, read the topic about this [here](https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/implementation/key-encryption-at-rest?view=aspnetcore-2.2). And maybe [here](https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-2.2) you can find a satisfying answer. – PWND Feb 13 '19 at 15:26
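
Added example, not part of the original thread and not code from any commenter: a sketch of how the ASP.NET Core Data Protection key ring discussed above can be pinned to a known location, inspected, and revoked so that existing authentication cookies stop validating. The class name, application name and key directory are assumptions chosen for illustration.

```csharp
using System;
using System.IO;
using System.Linq;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper class; call ConfigureKeyRing from Startup.ConfigureServices.
public static class KeyRingAdmin
{
    // Assumed path: a directory every instance of the app can read and write.
    private const string KeyRingPath = "/var/example-app/keys";

    public static void ConfigureKeyRing(IServiceCollection services)
    {
        // Authentication cookies are protected with keys from this ring,
        // not with a machine key. Persisting the ring makes its location explicit.
        services.AddDataProtection()
            .SetApplicationName("example-app") // assumed name, must match across instances
            .PersistKeysToFileSystem(new DirectoryInfo(KeyRingPath));
    }

    // Lists the keys currently in the ring so an operator can see what exists.
    public static string[] DescribeKeys(IServiceProvider provider)
    {
        var keyManager = provider.GetRequiredService<IKeyManager>();
        return keyManager.GetAllKeys()
            .OrderBy(k => k.CreationDate)
            .Select(k => $"{k.KeyId} created={k.CreationDate:u} " +
                         $"expires={k.ExpirationDate:u} revoked={k.IsRevoked}")
            .ToArray();
    }

    // Revokes every key created before now. Payloads protected with a revoked
    // key fail to unprotect, so existing cookies are rejected and users must
    // sign in again; a new key is generated on the next protect operation.
    public static void InvalidateAllCookies(IServiceProvider provider, string reason)
    {
        var keyManager = provider.GetRequiredService<IKeyManager>();
        keyManager.RevokeAllKeys(DateTimeOffset.UtcNow, reason);
        // Caveat: this affects everything the app protects with Data Protection
        // (for example antiforgery tokens), not only authentication cookies.
        // Other running instances cache the key ring and may need a restart
        // before they observe the revocation.
    }
}
```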