How to change 3DES to AES encryption on IIS?

Question

1.00/5 (1 vote)

See more:

Hello,

Currently I am using Windows Server 2012 R2 Standard and the IIS version 6.2. The machine keys on IIS is currently set as SHA1 as Validation method and Auto as Encryption method. The <machinekey> tag present in Web.config file also consists of validation key, decryption key, validation=SHA1 and decryption=3DES.
I have to change this encryption method and have to use AES method.
Please let me know the required changes to use this method.

What I have tried:

When I changed the validation and encryption methods on IIS(machine keys) to AES and set the <machinekey> tag as validation=AES and decryption=AES(web.config) then I am not even able to login to my application.
But when I set decryption=3DES, then I am able to login to my application. I don't know if this right or not.
According to me, decryption must also be AES but its not working. Please let me know what I am doing wrong or what is the correct way to set this encryption method

Posted 1-Jul-17 0:43am

Jomish John

Add a Solution

Comments

Richard Deeming 4-Jul-17 13:06pm

Sounds like you're storing the passwords using a reversible encryption algorithm. That's almost as bad as using plain text!

Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]

You'll need to decrypt each password using the current encryption algorithm, calculate a salted hash of the password, and store the hash and salt against the record. Then update your login code to validate the hashed password, and finally remove the encrypted version of the passwords.

Alternatively, get your users to reset their passwords the next time they try to log in.

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)