views:

847

answers:

2

I am having some trouble understanding the documentation on machineKey. What algorithm is being used to encrypt/decrypt the forms authentication ticket when the decryption attribute is not set? I have:

<machineKey validationKey="128CharacterKey" decryptionKey="48CharacterKey" validation="3DES"/>

I found some documentation saying that if the decryption attribute was not specifically set it would use the value in the validation attribute. I also found something saying it would use SHA-1. Yet another article said it would be based on the size of the value in the decryptionKey.

Which algorithm is it using?

On a side note, which algorithm are most people using nowadays AES, 3DES, SHA1, etc?

+1  A: 

On a side note, which algorithm are most people using nowadays AES, 3DES, SHA1, etc?

Certainly new applications should avoid 3DES in favour of AES for symmetric encryption. SHA1 should also be avoided; use at least SHA-256 for hashing.

The defaults are on MSDN: AES and SHA1.

Richard
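As an added illustration (not part of the question or either answer), the machineKey element from the question is shown beside a version that names both algorithms explicitly, so the ticket cipher no longer depends on a default rule or on key length. The key values are placeholders, and the availability of the HMACSHA256 validation value on the framework version in use is an assumption.

```xml
<!-- Before (as in the question): the decryption attribute is absent, so the
     cipher used for the forms-authentication ticket is left to the runtime's
     default rule, which is exactly the ambiguity the question is about. -->
<machineKey validationKey="128CharacterKey"
            decryptionKey="48CharacterKey"
            validation="3DES" />

<!-- After: both algorithms stated explicitly, following the advice above to
     avoid 3DES and SHA1. Key values are hex strings; the lengths chosen here
     are assumptions matched to the algorithms named:
       decryptionKey  64 hex chars = 32 bytes (AES-256; AES also accepts 16 or 24 bytes)
       validationKey 128 hex chars = 64 bytes (HMAC-SHA256 key)
     Replace the placeholders with values from a cryptographic random generator,
     and use the same values on every server that must accept the same tickets. -->
<machineKey validationKey="REPLACE_WITH_128_HEX_CHARS"
            decryptionKey="REPLACE_WITH_64_HEX_CHARS"
            validation="HMACSHA256"
            decryption="AES" />
```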
A: 

You'll want to read Chapter 6 of "Professional ASP.NET 3.5 Security, Membership and Role Management with C# and VB". Here's a link to the Google Books version of it, which should suffice...

It's definitely something you'll want to modify if you're building a serious application.

http://books.google.com/books?id=uAnOTcTR8l8C&pg=PA295&lpg=PA295PPA295,M1