Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to configure legacy encryption mode in ASP.NET


Summary

The security update that is described in Microsoft security bulletin MS10-070 makes changes to the default encryption mechanism in ASP.NET to perform validation (signing) in addition to encryption. This article describes configuration options to revert to legacy behavior for encryption in ASP.NET.

For more information about this security update, visit the following website:

↑ Back to the top


More Information

ASP.NET allows users to optionally encrypt or validate data through configuration in the MachineKey section. The security update that is addressed by security update MS10-070 changes the default behavior of encryption in ASP.NET to perform validation in addition to encryption even if only encryption is requested.

After you install the security update that is described in security bulletin MS10-070, the following operations are performed when encryption is set up for ASP.NET:
  • During the encryption of data, an HMAC signature is generated for the encrypted data and is appended to it.
  • During the decryption of data, the HMAC signature is validated before the data is decrypted.
The following keys in ASP.NET application settings (appSettings) control the behavior of signing in addition to encryption.
KeyTypeDefault ValueSupported on.NET versions
aspnet:UseLegacyEncryptionBooleanFalseMicrosoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.0
aspnet:UseLegacyMachineKeyEncryptionBooleanFalseMicrosoft .NET Framework 4.0
aspnet:ScriptResourceAllowNonJsFilesBooleanFalseMicrosoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.0

Description of the aspnet:UseLegacyEncryption appSetting

This application setting specifies whether encryption will additionally perform validation with an HMAC key even when the validation section in the machineKey section of ASP.NET configuration is not configured for HMAC signature validation.
aspnet:UseLegacyEncryptionDescription
False (Default)This setting configures ASP.NET to additionally perform HMAC signature validation when ASP.NET is configured to use encryption. This will occur even if validation in machineKey is not configured to sign by using an HMAC key.
TrueThis setting configures ASP.NET not to perform HMAC signature validation when it is configured to use encryption and not HMAC signing through validation in machineKey.

Note This setting could allow a malicious client to decrypt, forge, or otherwise tamper with encrypted data.

To configure this setting, add the following configuration in your computer or application web.config file:
<configuration>
...
<appSettings>
...
<add key="aspnet:UseLegacyEncryption" value="false" />
</appSettings>
</configuration>

Description of aspnet:UseLegacyMachineKeyEncryption appSetting

This application setting specifies whether encryption through the System.Web.Security.MachineKey class will additionally perform validation with an HMAC key even when the provided MachineKeyProtection argument does not specify that validation be performed.
aspnet:UseLegacyMachineKeyEncryptionDescription
False (Default)This setting configures ASP.NET to additionally perform HMAC signature validation through the MachineKey class when ASP.NET is configured to use encryption. This will occur even if the provided MachineKeyProtection argument does not specify that validation be performed.
TrueThis setting configures ASP.NET not to perform HMAC signature validation through the MachineKey class when it is configured to use encryption and not HMAC signing through the provided MachineKeyProtection argument.

Note This setting could allow a malicious client to decrypt, forge, or otherwise tamper with encrypted data.

To configure this setting, add the following configuration in your computer or application web.config file:
<configuration>
...
<appSettings>
...
<add key="aspnet:UseLegacyMachineKeyEncryption" value="false" />
</appSettings>
</configuration>

Description of aspnet:ScriptResourceAllowNonJsFiles appSetting

This application setting specifies whether the ScriptResource.axd handler in ASP.NET will serve non-JavaScript files (.js extension). ScriptResource.axd is an ASP.NET handler that returns JavaScript source files to AJAX components in an ASP.NET webpage.
aspnet:ScriptResourceAllowNonJsFilesDescription
False (Default)This setting configures ASP.NET to only serve static files that have the .js extension (JavaScript) through the ScriptResource.axd handler.
TrueThis setting configures ASP.NET to serve any static file that the ASP.NET application has access to through the ScriptResource.axd handler.

Note This setting allows any file within your ASP.NET application to be served through the handler. If any such files contains sensitive or confidential data, then this setting can potentially to leak sensitive information to a client. 

To configure this setting, add the following configuration in your computer or application web.config file:
<configuration>
...
<appSettings>
...
<add key="aspnet:ScriptResourceAllowNonJsFiles" value="false" />
</appSettings>
</configuration>

↑ Back to the top


References

For more information about the MachineKey section, visit the following Microsoft website:
For more information about the System.Web.Security.MachineKey class, visit the following Microsoft website:
For more information about how to use application settings (appSettings), click the following article numbers to view the articles in the Microsoft Knowledge Base:
815786 How to store and retrieve custom information from an application configuration file by using Visual C#
313405 How to store and retrieve custom information from an application configuration file by using Visual Basic .NET or Visual Basic 2005




For more information about ASP.Net configuration, click the following article number to view the article in the Microsoft Knowledge Base:
307626 INFO: ASP.NET Configuration Overview

↑ Back to the top


Keywords: kbexpertiseinter, kbhowto, kblangall, kbmustloc, kbsecreview, kbsecurity, kbsurveynew, kb

↑ Back to the top

Article Info
Article ID : 2425938
Revision : 3
Created on : 11/26/2018
Published on : 11/26/2018
Exists online : False
Views : 398