ViewState Encryption in ASP.Net

4
votes

Why is it that I see the same hash value generated when I use different algorithms for viewstate encryption. I have added below lines to the web.config file

pages viewstateEncryptionMode="Always" enableViewStateMac="true".../>

machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="AES" decryption="Auto" />

Also, compilation debug="false" ... > is set.

No matter what I use (AES, MD5, SHA1, 3DES), it generates the same hash. Is there something I am missing out.

Please let me know.

-Thanks

2
asp.netencryptionviewstate

2 Answers

0
votes

Here is an article on Encrypting Viewstate. It's for ASP.Net 2.0. which should be fine for 3.5.

0
votes

Via P&P on MSDN:

Forms authentication defaults to SHA1 for tamper proofing (if or , then forms authentication hashes the forms authentication ticket by using either MD5 or HMACSHA1 (HMACSHA1 is used even if validation is set to AES or 3DES). Forms authentication then encrypts the ticket using the algorithm specified in the decryption attribute. (The decryption attribute was introduced in ASP.NET 2.0.)

Therefore, theoretically, only SHA1 and MD5 should differ in the hash that is produced.