Click here to Skip to main content
15,030,781 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
Hello,

Currently I am using Windows Server 2012 R2 Standard and the IIS version 6.2. The machine keys on IIS is currently set as SHA1 as Validation method and Auto as Encryption method. The <machinekey> tag present in Web.config file also consists of validation key, decryption key, validation=SHA1 and decryption=3DES.
I have to change this encryption method and have to use AES method.
Please let me know the required changes to use this method.

What I have tried:

When I changed the validation and encryption methods on IIS(machine keys) to AES and set the <machinekey> tag as validation=AES and decryption=AES(web.config) then I am not even able to login to my application.
But when I set decryption=3DES, then I am able to login to my application. I don't know if this right or not.
According to me, decryption must also be AES but its not working. Please let me know what I am doing wrong or what is the correct way to set this encryption method
Posted
Comments
Richard Deeming 4-Jul-17 13:06pm
   
Sounds like you're storing the passwords using a reversible encryption algorithm. That's almost as bad as using plain text!

Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]

You'll need to decrypt each password using the current encryption algorithm, calculate a salted hash of the password, and store the hash and salt against the record. Then update your login code to validate the hashed password, and finally remove the encrypted version of the passwords.

Alternatively, get your users to reset their passwords the next time they try to log in.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900