Article

Jon Box's .NET Blog: ASP.NET Membership Provider and Different Servers

I'm working on an application where I built a custom membership provider because of custom database scheme requirement

ASP.NET Membership Provider and Different Servers

I'm working on an application where I built a custom membership provider because of custom database scheme requirement.  My custom membership provider is using the hashed format for passwords and user answers.  I've got that working and now want to deploy the new application including the new provider.  Due to the encryption in ASP.NET being based on the MachineKey and wanting to share the data in development and early testing (ie. different web servers), I needed a MachineKey at the application level.

Thanks to an article in the patterns & practices ASP.NET 2.0 Security How To's, I found a snippet that would generate the keys for me.  I converted it to a Windows app so that I could just copy/paste the key into the Web.Config file in my development project.  While doing that, I discovered a small buy in the array declaration in thier sample.  It is corrected below.  To use the code, make a VB.NET WinForm project, add a multiline textbox and a button, paste this code in, and run.  I have made the code generate SHA1 for validation and AES for the decryption key.  Now I can run against the database from my development machine or the clients development server.  I can even copy the DB directly to my box for debugging purposes.

Imports System
Imports System.Text
Imports System.Security
Imports System.Security.Cryptography

Public Class Form1
    'from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000007.asp
    'Generate Cryptographically Random Keys
    'To generate cryptographically random keys: 
    'Use the RNGCryptoServiceProvider class to generate a cryptographically strong random number. 
    'Choose an appropriate key size. The recommended key lengths are as follows: 
    ' For SHA1, set the validationKey to 64 bytes (128 hexadecimal characters). 
    ' For AES, set the decryptionKey to 32 bytes (64 hexadecimal characters). 
    ' For 3DES, set the decryptionKey to 24 bytes (48 hexadecimal characters).

Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    CreateMachineKeyConfig()
End Sub

Private Sub CreateMachineKeyConfig()
   
Dim sb As StringBuilder = New StringBuilder()
    sb.AppendLine(
"<machineKey ")
   
sb.AppendLine(" validationKey = """ + GenRandomValues(128) + """")
    sb.AppendLine(
" decryptionKey = """ + GenRandomValues(64) + """")
    sb.AppendLine(
" validation = ""SHA1""")
    sb.AppendLine(
" decryption = ""AES""")
    sb.AppendLine(
" />")
   
Me.TextBox1.Text = sb.ToString()
End Sub

Private Function GenRandomValues(ByVal len As Integer) As String
    Dim buff((len / 2) - 1) As Byte 'JBox added the decrement b/c of VB array decl syntax
    Dim rng As New RNGCryptoServiceProvider()
    rng.GetBytes(buff)
    Dim sb As New StringBuilder(Len)
    Dim i As Integer
    For i = 0 To buff.Length - 1
        sb.Append(
String.Format("{0:X2}", buff(i)))
    Next i
    Return sb.ToString
End Function

Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    CreateMachineKeyConfig()
End Sub

End Class



More Stories By Jon Box

Jon Box is an Architect Evangelist in Developer & Platform Evangelism with the Microsoft Corporation. He coauthored Building Solutions with the Microsoft .NET Compact Framework, published by Addison-Wesley, and blogs at http://blogs.msdn.com/jonbox/default.aspx.

Comments (2)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.