Re: Why ViewState doesn't work in ASP.NET?

From: The Poster Formerly Known as Kline Sphere (.)
Date: 02/22/04


Good point.

However, any data which requires secure transmission should [also]
have been secured at the start of the conversation, as is the case
when using https. The problem with only using the viewstatemac setting
is that information (i.e. that contained in form variables) is sent as
part of the request to the server and naturally not encrypted. As
such, it is only the __VIEWSTATE field which is encrypted on the
server, which is then sent back to the client as part of the response.

On Sun, 22 Feb 2004 00:35:16 -0500, UAError <null@null.null> wrote:

>"Brunswick Lowe" <brunswick@apstrategies.com> wrote:
>
>>It's encrypted, though, right?
>>
>Is only encrypted if in the machine.config:
>
><machineKey validation='3DES' />
>
>
>Building Secure ASP.NET Applications
>Chapter 8: Page 187
>
>Securing View State
>
>If your ASP.NET Web applications use view state:
>- Ensure the integrity of view state (to ensure
> it is not altered in any way while in transit)
> by setting the enableViewStateMac to true as
> shown below. This causes ASP.NET to generate
> a Message Authentication Code (MAC) on the
> page’s view state when the page is posted
> back from the client.
> <% @ Page enableViewStateMac=true >
>- Configure the validation attribute on the
> <machineKey> element in Machine.config, to
> specify the type of encryption to use for data validation.
> Consider the following:
> - Secure Hash Algorithm 1 (SHA1) produces a larger hash
> size than Message Digest 5 (MD5) so it is considered
> more secure. However, view state protected with SHA1
> or MD5 can be decoded in transit or on the client
> side and can potentially be viewed in plain text
> - Use 3 Data Encryption Standard (3DES) to detect
> changes in the view state and to also encrypt it
> while in transit. When in this state, even if
> view state is decoded, it cannot be viewed in plain text.

Kline Sphere (Chalk) MCNGP #3
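The distinction the thread turns on (a MAC proves the client did not alter the view state, but does nothing to hide it) is easy to see with a small model. The following is an added example, not code from the original post or from ASP.NET itself: it stands in for the 1.x behaviour with enableViewStateMac on and validation="SHA1", serialising with JSON instead of the real LosFormatter and using a made-up validation key. peek_plaintext() shows what anyone holding the page can read without the key, and mac_verify() shows what the server rejects. The validation="3DES" case is not modelled, because the Python standard library has no 3DES; with that setting the decoded field would be ciphertext rather than the readable structure shown here.

```python
import base64
import hashlib
import hmac
import json

# Constructed example: a toy stand-in for ASP.NET 1.x view state. Real
# __VIEWSTATE is LosFormatter output, not JSON; JSON is used here only so
# the plaintext is easy to recognise. The key below is invented (assumed).
VALIDATION_KEY = b"madeup viewstate key"
SHA1_LEN = 20  # an HMAC-SHA1 tag is 20 bytes


def mac_protect(state: dict, key: bytes = VALIDATION_KEY) -> str:
    """MAC-only protection (enableViewStateMac=true, validation=SHA1):
    serialise, append HMAC-SHA1 over the serialised bytes, base64 the lot.
    Nothing is encrypted, so the state stays readable on the client."""
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha1).digest()
    return base64.b64encode(body + tag).decode()


def mac_verify(field: str, key: bytes = VALIDATION_KEY) -> dict:
    """Server-side check on postback. Raises ValueError when the tag does
    not match the body, i.e. the client altered the state in transit."""
    raw = base64.b64decode(field)
    body, tag = raw[:-SHA1_LEN], raw[-SHA1_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("view state MAC validation failed")
    return json.loads(body)


def peek_plaintext(field: str) -> dict:
    """What the browser user or an eavesdropper on plain HTTP can do with
    MAC-only view state: drop the base64 and read the contents, no key
    needed. This is the 'can be viewed in plain text' case quoted above."""
    raw = base64.b64decode(field)
    return json.loads(raw[:-SHA1_LEN])


def tamper(field: str, name: str, value) -> str:
    """Client-side edit without the key: change one value, re-encode, but
    keep the original tag. mac_verify() must reject the result."""
    raw = base64.b64decode(field)
    body, tag = raw[:-SHA1_LEN], raw[-SHA1_LEN:]
    state = json.loads(body)
    state[name] = value
    body = json.dumps(state, sort_keys=True).encode()
    return base64.b64encode(body + tag).decode()


if __name__ == "__main__":
    # Constructed page state: a value the server relies on but would rather
    # the client not read or change.
    field = mac_protect({"Price": 100, "DiscountCode": "INTERNAL2004"})
    print("client can read:", peek_plaintext(field))
    print("server accepts: ", mac_verify(field))
    try:
        mac_verify(tamper(field, "Price", 1))
    except ValueError as err:
        print("server rejects: ", err)
```

Run it and the first line prints the discount code in clear, which is the whole of the original poster's point: the MAC is an integrity control, not a confidentiality one, and it only covers the __VIEWSTATE field, never the other form variables in the same request. Hiding any of it from someone on the wire still needs https for the whole conversation.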


