The World’s Leading Microsoft .NET Magazine
Sign-In | Register
   
 
Login Console

Log-In

My Blog    My Profile

Leave Message

Add as neighbor

««
December 2008
»»
SM
T
WTFS
  123456
78910111213
14151617181920
21222324252627
28293031

Mailing List

Jon Box Blog

ASP.NET Membership Provider and Different Servers
« H » ASP.NET :: email link

I'm working on an application where I built a custom membership provider because of custom database scheme requirement.  My custom membership provider is using the hashed format for passwords and user answers.  I've got that working and now want to deploy the new application including the new provider.  Due to the encryption in ASP.NET being based on the MachineKey and wanting to share the data in development and early testing (ie. different web servers), I needed a MachineKey at the application level. 


Thanks to an article in the patterns & practices ASP.NET 2.0 Security How To's, I found a snippet that would generate the keys for me.  I converted it to a Windows app so that I could just copy/paste the key into the Web.Config file in my development project.  While doing that, I discovered a small buy in the array declaration in thier sample.  It is corrected below.  To use the code, make a VB.NET WinForm project, add a multiline textbox and a button, paste this code in, and run.  I have made the code generate SHA1 for validation and AES for the decryption key.  Now I can run against the database from my development machine or the clients development server.  I can even copy the DB directly to my box for debugging purposes.



Imports System
Imports System.Text
Imports System.Security
Imports System.Security.Cryptography



Public Class Form1
    'from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000007.asp
    'Generate Cryptographically Random Keys
    'To generate cryptographically random keys: 
    'Use the RNGCryptoServiceProvider class to generate a cryptographically strong random number. 
    'Choose an appropriate key size. The recommended key lengths are as follows: 
    ' For SHA1, set the validationKey to 64 bytes (128 hexadecimal characters). 
    ' For AES, set the decryptionKey to 32 bytes (64 hexadecimal characters). 
    ' For 3DES, set the decryptionKey to 24 bytes (48 hexadecimal characters).



Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    CreateMachineKeyConfig()
End Sub



Private Sub CreateMachineKeyConfig()
    Dim sb As StringBuilder = New StringBuilder()
    sb.AppendLine("<machineKey ")
    sb.AppendLine(" validationKey = """ + GenRandomValues(128) + """")
    sb.AppendLine(" decryptionKey = """ + GenRandomValues(64) + """")
    sb.AppendLine(" validation = ""SHA1""")
    sb.AppendLine(" decryption = ""AES""")
    sb.AppendLine(" />")
    Me.TextBox1.Text = sb.ToString()
End Sub



Private Function GenRandomValues(ByVal len As Integer) As String
    Dim buff((len / 2) - 1) As Byte 'JBox added the decrement b/c of VB array decl syntax
    Dim rng As New RNGCryptoServiceProvider()
    rng.GetBytes(buff)
    Dim sb As New StringBuilder(Len)
    Dim i As Integer
    For i = 0 To buff.Length - 1
        sb.Append(String.Format("{0:X2}", buff(i)))
    Next i
    Return sb.ToString
End Function



Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    CreateMachineKeyConfig()
End Sub

End Class 



posted Monday, 9 January 2006comments

This blog is created and maintained by the author of the page and in no way associated with SYS-CON Media or .NET Developer's Journal. The author of the blog assumes all liability and responsibility personally for the content of the page.
www.blog-n-play.com is a registered trademark (78553120) of SYS-CON Media.