What are the default key lengths that are generated when leaving the ValidationKey and DecryptionKey at their defaults? For example:

<machineKey decryptionKey="AutoGenerate,IsolateApps" validationKey="AutoGenerate,IsolateApps" ... />

I have not been able to find this documented anywhere on MSDN. I would like to generate a static machine key and keep it in line with the defaults.

+1  A: 

I've used this site: http://aspnetresources.com/tools/keycreator.aspx many a time to generate a machine key. I know this does not answer your question about the default lengths, but at least it will give you a valid key :)

John JJ Curtis
Very useful, thanks:) +1
Wodzu
A: 

Or use this

Kb
+3  A: 

This MSDN page talks about the machineKey web.config element:

"For SHA1, set the validationKey to 64 bytes (128 hexadecimal characters).
For AES, set the decryptionKey to 32 bytes (64 hexadecimal characters).
For 3DES, set the decryptionKey to 24 bytes (48 hexadecimal characters)."

Another MSDN page has additional info:

"validationKey specifies a manually assigned validation key. This value must be manually set to ensure consistent configuration across a network of Web servers (a Web farm). The key must be a minimum of 40 characters (20 bytes) and a maximum of 128 characters (64 bytes) long. If keys shorter than the maximum length are used, they should be created by a truly random means, such as by using RNGCryptoServiceProvider. The recommended key length is 128 hexadecimal characters. If you add the IsolateApps modifier to the validationKey value, ASP.NET generates a unique encrypted key for each application using each application's application ID."

"decryptionKey specifies a manually assigned key. This value must be manually set to a string of hexadecimal characters to ensure consistent configuration across a Web farm. The key should be 16 characters in length when using DES encryption and 48 characters in length when using Triple DES encryption. If keys shorter than the maximum length are used, they should be created by a truly random means, such as by using RNGCryptoServiceProvider. ASP.NET can use Triple DES only on computers on which 128-bit encryption is available. If you add the IsolateApps modifier to the decryptionKey value, ASP.NET generates a unique encrypted key for each application using each application's application ID."

Jeremy
Thanks, I did see these documents. No mention of what the autogenerate defaults are though.
tribus
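
An added example, not part of any answer above: a PowerShell sketch that generates a static machineKey from a cryptographic random number generator, using the byte lengths quoted from MSDN in the answer above (64 bytes for SHA1 validation, 32 bytes for AES decryption), and checks the result against the quoted length limits. It does not reproduce the AutoGenerate defaults, which the quoted documentation does not state; the function names New-HexKey and Test-MachineKeyLength are hypothetical, and .NET Framework 4 or later is assumed.

```powershell
# Added example. Byte lengths are the ones quoted from MSDN in the answer above.
$KeyBytes = @{ 'SHA1' = 64; 'AES' = 32; '3DES' = 24 }

# Hypothetical helper: returns $ByteCount random bytes as an uppercase hex string.
function New-HexKey {
    param([Parameter(Mandatory)][int]$ByteCount)
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    # Two hex characters per byte, so 64 bytes become 128 characters.
    return -join ($bytes | ForEach-Object { $_.ToString('X2') })
}

# Hypothetical helper: checks key strings against the limits in the quoted text.
# AutoGenerate values are not hexadecimal and are reported as problems.
function Test-MachineKeyLength {
    param([string]$ValidationKey, [string]$DecryptionKey)
    $problems = @()
    if ($ValidationKey -notmatch '^[0-9A-Fa-f]{40,128}$') {
        $problems += 'validationKey: expected 40 to 128 hexadecimal characters'
    }
    if ($DecryptionKey -notmatch '^[0-9A-Fa-f]+$' -or
        @(16, 48, 64) -notcontains $DecryptionKey.Length) {
        $problems += 'decryptionKey: expected 16 (DES), 48 (3DES) or 64 (AES) hexadecimal characters'
    }
    return $problems
}

$validationKey = New-HexKey -ByteCount $KeyBytes['SHA1']
$decryptionKey = New-HexKey -ByteCount $KeyBytes['AES']

# Refuse to emit an element whose keys fall outside the documented lengths.
$problems = @(Test-MachineKeyLength -ValidationKey $validationKey -DecryptionKey $decryptionKey)
if ($problems.Count -gt 0) { throw ($problems -join '; ') }

# The element to paste into web.config.
'<machineKey validationKey="{0}" decryptionKey="{1}" validation="SHA1" decryption="AES" />' -f $validationKey, $decryptionKey
```

Run it once and use the same element on every server in the Web farm, since the quoted text requires the keys to match across servers.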