Question

Instead of using FormsAuthentication.Encrypt / FormsAuthentication.Decrypt, is it possible to use an existing RSA container in the machine key store to do the encryption/decryption of the ticket?

The reason is that the ASP.Net application I'm developing is meant to be used in multiple load balanced servers. Hence I need to copy the machine key onto all web.config files in all the machines. Since we are already using Asymmetric Encryption (RSA) for another purpose, we have automated installing a common RSA key container in all the servers via a bat file and key container xml. Since this mechanism is in place I want to use the same RSA key container to encrypt/decrypt the forms auth ticket too.

  1. Is this possible? If so, how do I override the existing behaviour to achieve this?
  2. If it's possible, do you see any disadvantages of using RSA instead of the standard encryption?

Solution

Yes, but it would require some work.

You will need to override/replace the standard authentication module that ships with .NET and replicate all the existing functionality with the exception of calls to the RSA Encrypt/Decrypt methods you want to use instead.

See http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.encrypt.aspx

You will also need to edit all the standard built-in login pages if you are using those.

As a template, inspect the source for the FormsAuthenticationTicket and you will see how the string is constructed that contains parameters such as UserID, Expiry Date etc, and then pass that string into the Encrypt method, which in turn is then used as the cookie value.

Your new auth module will then have to reverse that encryption and validate the user as before.

It's a fair amount of work for relatively little gain; it depends on how badly you want to use RSA over the standard encryption methods used (they already offer some powerful encryption methods right out of the box; see http://www.sourcetree.net/sourcetree/Development/Aspnet%20Examples/GenerateMachineKeyForWebConfig.aspx).
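The protect/unprotect step that a replacement authentication module would call, as an added example that is not part of the original answer. The class and method names, the `expiry|user` payload layout and the container name `SharedAuthKeys` are assumptions; the ciphertext is also signed, because RSA encryption only needs the public key and so does not by itself prove who produced a ticket.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class RsaTicketProtector // hypothetical helper, not a framework class
{
    static RSACryptoServiceProvider OpenContainer()
    {
        var csp = new CspParameters { KeyContainerName = "SharedAuthKeys" }; // placeholder name
        csp.Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseExistingKey; // fail if missing, never create
        return new RSACryptoServiceProvider(csp);
    }

    public static string Protect(string userName, DateTime expiresUtc)
    {
        // RSA-OAEP (SHA-1) encrypts at most (modulus bytes - 42) bytes: 214 for a 2048-bit key.
        byte[] plain = Encoding.UTF8.GetBytes(expiresUtc.Ticks + "|" + userName);
        using (var rsa = OpenContainer())
        {
            byte[] cipher = rsa.Encrypt(plain, true);   // true = OAEP padding
            byte[] sig = rsa.SignData(cipher, "SHA256"); // private key required
            byte[] blob = new byte[cipher.Length + sig.Length];
            Buffer.BlockCopy(cipher, 0, blob, 0, cipher.Length);
            Buffer.BlockCopy(sig, 0, blob, cipher.Length, sig.Length);
            return Convert.ToBase64String(blob);        // cookie value
        }
    }

    // Returns the user name, or null if the cookie is malformed, forged or expired.
    public static string Unprotect(string cookieValue, DateTime nowUtc)
    {
        byte[] blob;
        try { blob = Convert.FromBase64String(cookieValue); }
        catch (FormatException) { return null; }
        using (var rsa = OpenContainer())
        {
            int n = rsa.KeySize / 8;                    // ciphertext and signature are n bytes each
            if (blob.Length != 2 * n) return null;
            byte[] cipher = new byte[n], sig = new byte[n];
            Buffer.BlockCopy(blob, 0, cipher, 0, n);
            Buffer.BlockCopy(blob, n, sig, 0, n);
            if (!rsa.VerifyData(cipher, "SHA256", sig)) return null; // verify before decrypting
            string[] parts = Encoding.UTF8.GetString(rsa.Decrypt(cipher, true)).Split(new[] { '|' }, 2);
            long ticks;
            if (parts.Length != 2 || !long.TryParse(parts[0], out ticks)) return null;
            return ticks > nowUtc.Ticks ? parts[1] : null; // reject expired tickets
        }
    }
}
```

A payload longer than the OAEP limit makes `Encrypt` throw, so a ticket carrying sizeable user data needs a hybrid scheme (a random symmetric key wrapped with RSA), and each request costs two private-key operations on every server.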

Licensed under: CC-BY-SA with attribution