
In ASP .NET Webforms, the MachineKey (a guid) was an important part of database security as well as application security. It was used as an encryption key for passwords for forms authentication, so that if the machine key was changed, existing passwords would no longer be recognised. This did provide some level of safety around linking the password store in the db to a token on the webserver. If there were multiple webservers using a single database authentication store, it was necessary for them all to have the same machine ID.

In .NET Core MVC we now have several services we declare in Startup.cs:

        services.AddIdentity<ApplicationUser, IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders();

        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme,
                options => {
                    options.ExpireTimeSpan = new TimeSpan(0, 45, 0);
                    options.LoginPath = new PathString("/Account/Login");
                    options.AccessDeniedPath = new PathString("/Account/AccessDenied");
                }
            );

        services.AddDataProtection()
            .SetApplicationName("MyApplicationName")
            .PersistKeysToFileSystem(new System.IO.DirectoryInfo(@"C:\server_config\my-app-keys"));

I've had a look at the methods for each service, and none jumps out as providing a data store encryption key. I thought perhaps the ApplicationName might be used as a key, but if I change it, I can still log in with the old passwords, so it's clearly not being used to encrypt.

This article stipulates isolation as one of the key requirements of the API: https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/introduction?view=aspnetcore-3.0

and this one has a simple example using a 'Purpose String' to provide encryption isolation between different logical stores: https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/using-data-protection?view=aspnetcore-3.0

however I can't seem to put this together to tie the password encryption in .NET Core to a specific key.

What am I missing in regard to setting a specific unique encryption key for the standard ASP.NET Identity injection, to be used for passwords stored in the database?

Ben McIntyre
  • Does this answer your question? [How to implement machineKey in ASP.NET Core 2.0](https://stackoverflow.com/questions/46668192/how-to-implement-machinekey-in-asp-net-core-2-0) – jazb Nov 25 '19 at 06:52
  • No, that's actually the question I used to set things up how they are now (ie. working, but not exactly how I want). I've been sitting on this for about 9 months, I'm just now at the stage of fine tuning. – Ben McIntyre Nov 25 '19 at 10:58
  • Actually, perhaps the answer linking to https://github.com/synercoder/FormsAuthentication *might* be a solution. I was hoping there would be something built in. This is a significant change from old behaviour, and I have googled extensively, I really would have expected to have found something by now. Asking this question on SO is a last resort, I'm hoping to find a guru in this area. – Ben McIntyre Nov 25 '19 at 11:10
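The following is an added example, not code from the question or from the linked Microsoft docs. It shows the two mechanisms the question runs together. ASP.NET Core Identity stores passwords with PasswordHasher<TUser>, which is PBKDF2-HMAC-SHA256 with a random per-user salt; the salt, iteration count and format marker are embedded in the stored string, so no key, machine key or application name is involved and a hash verifies on any machine. SetApplicationName and purpose strings isolate Data Protection payloads (authentication cookies, the default token providers' reset and confirmation tokens), and a payload protected under one application name or purpose is rejected under another. The example is a console app targeting netcoreapp3.0 with package references to Microsoft.Extensions.Identity.Core and Microsoft.AspNetCore.DataProtection.Extensions; the names "App-A", "App-B", the purpose strings and the temp key directory are placeholders chosen for the demo.

```csharp
// Added example (not from the question). Assumed packages:
// Microsoft.Extensions.Identity.Core, Microsoft.AspNetCore.DataProtection.Extensions.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Identity;

// Minimal stand-in for ApplicationUser; PasswordHasher<TUser> only needs a type parameter.
class DemoUser { public string UserName { get; set; } }

static class Program
{
    static void Main()
    {
        // 1. Identity password storage is keyless. PasswordHasher<TUser> (V3 format)
        //    derives PBKDF2-HMAC-SHA256 over the password with a random per-user salt;
        //    salt, iteration count and algorithm marker all live inside the stored string.
        var hasher = new PasswordHasher<DemoUser>();
        var user = new DemoUser { UserName = "alice" };
        string stored = hasher.HashPassword(user, "correct horse battery staple");

        // A second, independently constructed hasher verifies the same stored value.
        // Nothing from AddDataProtection() or SetApplicationName() is consulted here,
        // which is why changing the application name does not invalidate existing logins.
        var otherHasher = new PasswordHasher<DemoUser>();
        Console.WriteLine(otherHasher.VerifyHashedPassword(user, stored, "correct horse battery staple")); // Success
        Console.WriteLine(otherHasher.VerifyHashedPassword(user, stored, "wrong"));                        // Failed

        // 2. What the application name and purpose strings DO isolate: IDataProtector payloads,
        //    i.e. the auth cookie and the tokens issued by AddDefaultTokenProviders().
        //    Both providers share one key ring directory (assumed temp path, demo only; keys are
        //    written unencrypted here because no ProtectKeysWith* option is configured).
        string keyDir = Path.Combine(Path.GetTempPath(), "dp-demo-keys");
        IDataProtectionProvider appA = DataProtectionProvider.Create(
            new DirectoryInfo(keyDir), b => b.SetApplicationName("App-A"));
        IDataProtectionProvider appB = DataProtectionProvider.Create(
            new DirectoryInfo(keyDir), b => b.SetApplicationName("App-B"));

        string token = appA.CreateProtector("PasswordReset").Protect("user-id:42");

        // Same key ring, same app name, same purpose: round-trips.
        Console.WriteLine(appA.CreateProtector("PasswordReset").Unprotect(token));

        // Same key ring, same app name, different purpose: rejected.
        TryUnprotect(appA.CreateProtector("EmailConfirmation"), token);

        // Same key ring, different app name: rejected. The application name is folded into
        // the purpose chain that derives the per-payload subkey, so the raw key alone is not enough.
        TryUnprotect(appB.CreateProtector("PasswordReset"), token);
    }

    static void TryUnprotect(IDataProtector protector, string payload)
    {
        try
        {
            Console.WriteLine(protector.Unprotect(payload));
        }
        catch (CryptographicException ex)
        {
            // Purpose or application-name mismatch surfaces as a CryptographicException.
            Console.WriteLine("Unprotect failed: " + ex.Message);
        }
    }
}
```

The practical consequence for the question's setup: rotating or changing the Data Protection key ring or application name logs every user out (cookies and outstanding reset tokens stop validating) but leaves the stored password hashes usable, and a web farm only needs a shared key ring plus a common application name, not a shared password key.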

1 Answer


If I remember correctly you can do this using the following:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;
// ASP.NET Core namespace; Microsoft.AspNet.DataProtection.* was the pre-1.0 (DNX) name.
using Microsoft.AspNetCore.DataProtection.Repositories;

namespace MySpace
{
    // Custom key-ring store for the Data Protection system. Register it with
    // services.Configure<KeyManagementOptions>(o => o.XmlRepository = new MyXmlRepository());
    public class MyXmlRepository : IXmlRepository
    {
        public MyXmlRepository()
        {
            // Whatever I wanted injected in.
        }

        public IReadOnlyCollection<XElement> GetAllElements()
        {
            // Must not return null: the key manager enumerates this collection on every key-ring refresh.
            return Array.Empty<XElement>();
        }

        public void StoreElement(XElement element, string friendlyName)
        {
            // Persist the key element; friendlyName is a suggested record/file name such as "key-{guid}".
        }
    }
}


If you register this in the IOC it'll start using it for key persistence, you can then do whatever you like.

RubbleFord
  • Thanks, but this is specifically about setting up an encryption key for use by ASP NET identity. I don't want to roll my own. – Ben McIntyre Nov 25 '19 at 11:02
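The following is an added example, not code from the answer or the question. It fills in the registration step the answer refers to ("register this in the IOC") with the documented option, KeyManagementOptions.XmlRepository, and uses an in-memory repository shared by two independently built providers to show the web-farm behaviour the question's MachineKey paragraph describes: nodes that read the same key ring and use the same application name can unprotect each other's payloads. It is a console app with package references to Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection; the class name InMemoryXmlRepository, the purpose string and the sample payload are placeholders for the demo.

```csharp
// Added example (not from the answer). Assumed packages:
// Microsoft.AspNetCore.DataProtection, Microsoft.Extensions.DependencyInjection.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.AspNetCore.DataProtection.Repositories;
using Microsoft.Extensions.DependencyInjection;

// Stand-in for a database table or network share that every node in the farm can reach.
// Without an IXmlEncryptor (ProtectKeysWithDpapi / ProtectKeysWithCertificate) the master
// key inside each element is stored in the clear, so a real store needs one of those.
public sealed class InMemoryXmlRepository : IXmlRepository
{
    private readonly List<XElement> _elements = new List<XElement>();
    private readonly object _gate = new object();

    public IReadOnlyCollection<XElement> GetAllElements()
    {
        lock (_gate)
        {
            // Return copies so callers cannot mutate the stored key ring.
            return _elements.Select(e => new XElement(e)).ToList().AsReadOnly();
        }
    }

    public void StoreElement(XElement element, string friendlyName)
    {
        lock (_gate)
        {
            _elements.Add(new XElement(element));
        }
    }
}

public static class Demo
{
    // Builds one "server" worth of Data Protection services wired to the shared repository.
    static IDataProtectionProvider BuildNode(IXmlRepository sharedRepo, string appName)
    {
        var services = new ServiceCollection();
        services.AddDataProtection().SetApplicationName(appName);
        // The documented way to plug in a custom key store.
        services.Configure<KeyManagementOptions>(o => o.XmlRepository = sharedRepo);
        return services.BuildServiceProvider().GetRequiredService<IDataProtectionProvider>();
    }

    public static void Main()
    {
        var shared = new InMemoryXmlRepository();
        IDataProtectionProvider node1 = BuildNode(shared, "MyApplicationName");
        IDataProtectionProvider node2 = BuildNode(shared, "MyApplicationName");

        // node1 creates the first key on demand and writes it through StoreElement.
        string cookie = node1.CreateProtector("Demo.Cookie").Protect("session for alice");
        Console.WriteLine("Keys in shared store: " + shared.GetAllElements().Count);

        // node2 loads the same key ring from the repository and can read node1's payload,
        // which is the ASP.NET Core equivalent of giving every web server the same machineKey.
        Console.WriteLine(node2.CreateProtector("Demo.Cookie").Unprotect(cookie));
    }
}
```

Note that this only governs key persistence for cookies and tokens; the repository has no bearing on how Identity stores passwords, which is the distinction the comment above draws.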