I am using the following code to generate an encrypted token:
```csharp
var ticket = new System.Web.Security.FormsAuthenticationTicket(
    2,                            // version
    "",                           // name
    DateTime.Now,                 // issueDate
    DateTime.Now.AddMinutes(10),  // expiration
    false,                        // isPersistent
    "user id here");              // userData
var cipherText = System.Web.Security.FormsAuthentication.Encrypt(ticket);
```
This code uses the key and algorithm specified in app/web.config:
```xml
<system.web>
  <machineKey validationKey="SOME KEY"
              decryptionKey="SOME OTHER KEY"
              validation="SHA1" />
</system.web>
```
Now suppose I give the cipher text thus generated to a partner. Is he capable of brute forcing:
- The value that is stored in the cipher (the user id, which does not represent sensitive information, and it doesn't bother me much)
- The value of the validationKey and decryptionKey used to create the cipher (this would be catastrophic because he would be capable of generating tokens and impersonating any user)
I suppose the answer to both questions is yes, but how realistic are his chances, and do you think giving him the cipher would represent a security threat to my system? Thanks in advance for your responses.