Summary

The security update that is described in Microsoft security bulletin MS10-070 makes changes to the default encryption mechanism in ASP.NET to perform validation (signing) in addition to encryption. This article describes configuration options to revert to legacy behavior for encryption in ASP.NET. For more information about this security update, visit the following website:

http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx

More Information

ASP.NET allows users to optionally encrypt or validate data through configuration in the machineKey section. The security update that is described in security bulletin MS10-070 changes the default behavior of encryption in ASP.NET to perform validation in addition to encryption, even if only encryption is requested. After you install the security update that is described in security bulletin MS10-070, the following operations are performed when encryption is set up for ASP.NET:

  • During the encryption of data, an HMAC signature is generated for the encrypted data and is appended to it.

  • During the decryption of data, the HMAC signature is validated before the data is decrypted.
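The two steps above are the encrypt-then-MAC pattern. The following added example (written for this article, not ASP.NET's own implementation) models both the legacy behavior and the post-MS10-070 behavior side by side. ASP.NET's real cipher is AES keyed from the machineKey decryptionKey; because Python's standard library has no AES, the cipher here is a stand-in keystream derived from HMAC-SHA256, which is an assumption of this example. The names, keys and the `sign` flag are constructed for illustration. What the example shows is the property that matters: with signing on, an HMAC tag over the ciphertext is appended on encrypt and checked in constant time before the cipher is ever run on decrypt, so a modified ciphertext is rejected; in legacy mode there is no tag, and the modified ciphertext is silently decrypted to something other than what was originally encrypted.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in keys; a real deployment takes these from <machineKey>.
DECRYPTION_KEY = bytes.fromhex("00" * 32)   # plays the role of decryptionKey
VALIDATION_KEY = bytes.fromhex("11" * 32)   # plays the role of validationKey
IV_LEN = 16
TAG_LEN = hashlib.sha256().digest_size      # 32-byte HMAC-SHA256 tag


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in stream cipher (an assumption of this example, not ASP.NET's AES):
    keystream block i = HMAC-SHA256(key, iv || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes, sign: bool = True, iv: Optional[bytes] = None) -> bytes:
    """sign=True is the post-MS10-070 default (ciphertext || HMAC);
    sign=False is the aspnet:UseLegacyEncryption=true behavior (ciphertext only)."""
    iv = iv if iv is not None else os.urandom(IV_LEN)
    body = iv + _xor(plaintext, _keystream(DECRYPTION_KEY, iv, len(plaintext)))
    if not sign:
        return body
    tag = hmac.new(VALIDATION_KEY, body, hashlib.sha256).digest()
    return body + tag


def decrypt(blob: bytes, sign: bool = True) -> Optional[bytes]:
    """With signing on, the tag is checked in constant time before any
    decryption; a failed check returns None and the cipher is never run."""
    if sign:
        if len(blob) < IV_LEN + TAG_LEN:
            return None
        body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(VALIDATION_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
    else:
        body = blob                       # legacy: nothing to verify
    iv, ct = body[:IV_LEN], body[IV_LEN:]
    return _xor(ct, _keystream(DECRYPTION_KEY, iv, len(ct)))


def modified_ciphertext_result(plaintext: bytes, sign: bool) -> Optional[bytes]:
    """Encrypt, flip one bit of the ciphertext (simulating data altered in
    transit), and report what the decrypt side hands back."""
    blob = bytearray(encrypt(plaintext, sign=sign))
    blob[IV_LEN] ^= 0x01                  # first ciphertext byte
    return decrypt(bytes(blob), sign=sign)


if __name__ == "__main__":
    print("signed, modified :", modified_ciphertext_result(b"hello", sign=True))
    print("legacy, modified :", modified_ciphertext_result(b"hello", sign=False))
```

In signed mode the modified blob comes back as None and no decryption happens; in legacy mode the same modification yields a plaintext that differs from the original in exactly the flipped bit, and nothing on the server side notices. That undetected malleability is what the "Note" under each legacy switch below refers to.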

The following keys in ASP.NET application settings (appSettings) control the behavior of signing in addition to encryption.

Key: aspnet:UseLegacyEncryption
Type: Boolean
Default value: False
Supported on .NET versions: Microsoft .NET Framework 2.0 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 4.0

Key: aspnet:UseLegacyMachineKeyEncryption
Type: Boolean
Default value: False
Supported on .NET versions: Microsoft .NET Framework 4.0

Key: aspnet:ScriptResourceAllowNonJsFiles
Type: Boolean
Default value: False
Supported on .NET versions: Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 4.0

Description of the aspnet:UseLegacyEncryption appSetting

This application setting specifies whether encryption will additionally perform validation with an HMAC key even when the validation section in the machineKey section of ASP.NET configuration is not configured for HMAC signature validation.

Values of aspnet:UseLegacyEncryption and their effect:

False (Default)
This setting configures ASP.NET to additionally perform HMAC signature validation when ASP.NET is configured to use encryption. This occurs even if validation in machineKey is not configured to sign by using an HMAC key.

True
This setting configures ASP.NET not to perform HMAC signature validation when it is configured to use encryption and not HMAC signing through validation in machineKey.
Note: This setting could allow a malicious client to decrypt, forge, or otherwise tamper with encrypted data.

To configure this setting, add the following configuration in your computer or application web.config file:

<configuration>
  ...
  <appSettings>
    ...
    <add key="aspnet:UseLegacyEncryption" value="false" />
  </appSettings>
</configuration>

Description of aspnet:UseLegacyMachineKeyEncryption appSetting

This application setting specifies whether encryption through the System.Web.Security.MachineKey class will additionally perform validation with an HMAC key even when the provided MachineKeyProtection argument does not specify that validation be performed.

Values of aspnet:UseLegacyMachineKeyEncryption and their effect:

False (Default)
This setting configures ASP.NET to additionally perform HMAC signature validation through the MachineKey class when ASP.NET is configured to use encryption. This occurs even if the provided MachineKeyProtection argument does not specify that validation be performed.

True
This setting configures ASP.NET not to perform HMAC signature validation through the MachineKey class when it is configured to use encryption and not HMAC signing through the provided MachineKeyProtection argument.
Note: This setting could allow a malicious client to decrypt, forge, or otherwise tamper with encrypted data.

To configure this setting, add the following configuration in your computer or application web.config file:

<configuration>
  ...
  <appSettings>
    ...
    <add key="aspnet:UseLegacyMachineKeyEncryption" value="false" />
  </appSettings>
</configuration>

Description of aspnet:ScriptResourceAllowNonJsFiles appSetting

This application setting specifies whether the ScriptResource.axd handler in ASP.NET will serve files that do not have the .js (JavaScript) extension. ScriptResource.axd is an ASP.NET handler that returns JavaScript source files to AJAX components in an ASP.NET webpage.

Values of aspnet:ScriptResourceAllowNonJsFiles and their effect:

False (Default)
This setting configures ASP.NET to serve only static files that have the .js extension (JavaScript) through the ScriptResource.axd handler.

True
This setting configures ASP.NET to serve any static file that the ASP.NET application has access to through the ScriptResource.axd handler.
Note: This setting allows any file within your ASP.NET application to be served through the handler. If any such file contains sensitive or confidential data, this setting can potentially leak sensitive information to a client.

To configure this setting, add the following configuration in your computer or application web.config file:

<configuration>
  ...
  <appSettings>
    ...
    <add key="aspnet:ScriptResourceAllowNonJsFiles" value="false" />
  </appSettings>
</configuration>
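All three switches above default to False and are only a concern when a web.config explicitly sets them to true. The following added example (written for this article; it is not Microsoft tooling) parses the appSettings section of a web.config and reports any of the three legacy switches that is effectively enabled. It replays <add>, <remove> and <clear> in document order, because a later element changes the effective value; it does not follow machine.config inheritance or the appSettings `file` attribute, so treat it as a single-file check. The embedded web.config is constructed for the example.

```python
"""Report MS10-070 legacy switches that a web.config explicitly enables."""
import xml.etree.ElementTree as ET
from typing import Dict

# The three appSettings keys from the article and what "true" means for each.
LEGACY_SWITCHES = {
    "aspnet:UseLegacyEncryption":
        "encryption without HMAC validation (machineKey)",
    "aspnet:UseLegacyMachineKeyEncryption":
        "MachineKey class encryption without HMAC validation",
    "aspnet:ScriptResourceAllowNonJsFiles":
        "ScriptResource.axd may serve files that are not .js",
}

# Constructed sample: one switch left on, one explicitly off, one added and
# then removed again (so it falls back to the default of False).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="aspnet:UseLegacyEncryption" value="true" />
    <add key="aspnet:UseLegacyMachineKeyEncryption" value="False" />
    <add key="aspnet:ScriptResourceAllowNonJsFiles" value="true" />
    <remove key="aspnet:ScriptResourceAllowNonJsFiles" />
    <add key="SomeUnrelatedKey" value="x" />
  </appSettings>
</configuration>
"""


def effective_app_settings(config_xml: str) -> Dict[str, str]:
    """Replay add/remove/clear in document order to get the effective values."""
    root = ET.fromstring(config_xml)
    settings: Dict[str, str] = {}
    app = root.find("appSettings")
    if app is None:
        return settings
    for el in app:
        if el.tag == "add":
            settings[el.get("key", "")] = el.get("value", "")
        elif el.tag == "remove":
            settings.pop(el.get("key", ""), None)
        elif el.tag == "clear":
            settings.clear()
    return settings


def legacy_switches_enabled(config_xml: str) -> Dict[str, str]:
    """Return {key: meaning} for each legacy switch whose effective value is true.

    An absent key is the article's default (False), so only an explicit true
    is reported; the comparison is case-insensitive."""
    settings = effective_app_settings(config_xml)
    findings: Dict[str, str] = {}
    for key, meaning in LEGACY_SWITCHES.items():
        if settings.get(key, "false").strip().lower() == "true":
            findings[key] = meaning
    return findings


if __name__ == "__main__":
    for key, meaning in legacy_switches_enabled(SAMPLE_WEB_CONFIG).items():
        print(f"{key} = true: {meaning}")
```

Run against a real file with `legacy_switches_enabled(open("web.config").read())`. On the constructed sample only aspnet:UseLegacyEncryption is reported: the MachineKey switch is explicitly "False", and the ScriptResource switch was removed after being added, so it is back at its default.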

References

For more information about the MachineKey section, visit the following Microsoft website:

http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx

For more information about the System.Web.Security.MachineKey class, visit the following Microsoft website:

http://msdn.microsoft.com/en-us/library/system.web.security.machinekey.aspx

For more information about how to use application settings (appSettings), click the following article numbers to view the articles in the Microsoft Knowledge Base:

815786 How to store and retrieve custom information from an application configuration file by using Visual C#

313405 How to store and retrieve custom information from an application configuration file by using Visual Basic .NET or Visual Basic 2005

For more information about ASP.NET configuration, click the following article number to view the article in the Microsoft Knowledge Base:

307626 INFO: ASP.NET Configuration Overview
