Summary
The security update that is described in Microsoft security bulletin MS10-070 makes changes to the default encryption mechanism in ASP.NET to perform validation (signing) in addition to encryption. This article describes configuration options to revert to legacy behavior for encryption in ASP.NET.
For more information about this security update, visit the following website:
http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx
More Information
ASP.NET allows users to optionally encrypt or validate data through configuration in the MachineKey section. The security update that is addressed by security update MS10-070 changes the default behavior of encryption in ASP.NET to perform validation in addition to encryption even if only encryption is requested.
After you install the security update that is described in security bulletin MS10-070, the following operations are performed when encryption is set up for ASP.NET:
-
During the encryption of data, an HMAC signature is generated for the encrypted data and is appended to it.
-
During the decryption of data, the HMAC signature is validated before the data is decrypted.
The following keys in ASP.NET application settings (appSettings) control the behavior of signing in addition to encryption.
|
Key |
Type |
Default Value |
Supported on.NET versions |
|---|---|---|---|
|
aspnet:UseLegacyEncryption |
Boolean |
False |
Microsoft .NET Framework 2.0 Service Pack 1 |
|
aspnet:UseLegacyMachineKeyEncryption |
Boolean |
False |
Microsoft .NET Framework 4.0 |
|
aspnet:ScriptResourceAllowNonJsFiles |
Boolean |
False |
Microsoft .NET Framework 3.5 Service Pack 1 |
Description of the aspnet:UseLegacyEncryption appSetting
This application setting specifies whether encryption will additionally perform validation with an HMAC key even when the validation section in the machineKey section of ASP.NET configuration is not configured for HMAC signature validation.
|
aspnet:UseLegacyEncryption |
Description |
|---|---|
|
False (Default) |
This setting configures ASP.NET to additionally perform HMAC signature validation when ASP.NET is configured to use encryption. This will occur even if validation in machineKey is not configured to sign by using an HMAC key. |
|
True |
This setting configures ASP.NET not to perform HMAC signature validation when it is configured to use encryption and not HMAC signing through validation in machineKey. |
To configure this setting, add the following configuration in your computer or application web.config file:
<configuration>
...
<appSettings>
...
<add key="aspnet:UseLegacyEncryption" value="false" />
</appSettings>
</configuration>
Description of aspnet:UseLegacyMachineKeyEncryption appSetting
This application setting specifies whether encryption through the System.Web.Security.MachineKey class will additionally perform validation with an HMAC key even when the provided MachineKeyProtection argument does not specify that validation be performed.
|
aspnet:UseLegacyMachineKeyEncryption |
Description |
|---|---|
|
False (Default) |
This setting configures ASP.NET to additionally perform HMAC signature validation through the MachineKey class when ASP.NET is configured to use encryption. This will occur even if the provided MachineKeyProtection argument does not specify that validation be performed. |
|
True |
This setting configures ASP.NET not to perform HMAC signature validation through the MachineKey class when it is configured to use encryption and not HMAC signing through the provided MachineKeyProtection argument. |
To configure this setting, add the following configuration in your computer or application web.config file:
<configuration>
...
<appSettings>
...
<add key="aspnet:UseLegacyMachineKeyEncryption" value="false" />
</appSettings>
</configuration>
Description of aspnet:ScriptResourceAllowNonJsFiles appSetting
This application setting specifies whether the ScriptResource.axd handler in ASP.NET will serve non-JavaScript files (.js extension). ScriptResource.axd is an ASP.NET handler that returns JavaScript source files to AJAX components in an ASP.NET webpage.
|
aspnet:ScriptResourceAllowNonJsFiles |
Description |
|---|---|
|
False (Default) |
This setting configures ASP.NET to only serve static files that have the .js extension (JavaScript) through the ScriptResource.axd handler. |
|
True |
This setting configures ASP.NET to serve any static file that the ASP.NET application has access to through the ScriptResource.axd handler. |
To configure this setting, add the following configuration in your computer or application web.config file:
<configuration>
...
<appSettings>
...
<add key="aspnet:ScriptResourceAllowNonJsFiles" value="false" />
</appSettings>
</configuration>
References
For more information about the MachineKey section, visit the following Microsoft website:
http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx
For more information about the System.Web.Security.MachineKey class, visit the following Microsoft website:
http://msdn.microsoft.com/en-us/library/system.web.security.machinekey.aspxFor more information about how to use application settings (appSettings), click the following article numbers to view the articles in the Microsoft Knowledge Base:
815786 How to store and retrieve custom information from an application configuration file by using Visual C#
313405 How to store and retrieve custom information from an application configuration file by using Visual Basic .NET or Visual Basic 2005
For more information about ASP.Net configuration, click the following article number to view the article in the Microsoft Knowledge Base:
307626 INFO: ASP.NET Configuration Overview
