Question

<machineKey validation="SHA1" validationKey="<64-byte key>"

What exactly does the validationKey do? Say I create a hash with SHA1. How does the validationKey play into it?

Consider this code:

HMACSHA1 hashSha = new HMACSHA1(_validationKey);
byte[] ret = hashSha.ComputeHash(bytes, offSet, count);
return ret;

We are generating a new _validationKey, right? Then we take our bytes and hash them in ComputeHash. What is the point of the _validationKey? Do we need it when we validate the hash in some way?

And if it doesn't have any role in the process, then is the following true?

I have a byte array that's 80 bytes long, and the last 20 bytes consist of an ASP.NET SHA1 hash. Then the first 60 bytes, if SHA1 hashed, should match the last 20.

validationKey plays no role in that?


Solution

The validationKey is used to encrypt the viewstate data and make sure that what comes back on a postback is valid.

http://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.validationkey.aspx

EDIT: Sorry, this didn't really answer your question. The validationKey is only used when validating that your viewstate data hasn't been tampered with, and the SHA1 that you are referring to is the type of algorithm you want to use with your validationKey. It is not used when creating a SHA1 hash; it's only for ASP.NET pages.

OTHER TIPS

In my case, I discovered that the validation key is used to create the SHA1 HMAC keyed hash.
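
The difference between a keyed HMAC-SHA1 and a plain SHA1 over the 80-byte layout from the question, as an added example that is not part of the original posts and not ASP.NET's internal code. The class and method names are hypothetical, and the key and payload are random constructed values.

```csharp
using System;
using System.Security.Cryptography;

// Added illustration; class and method names are hypothetical.
static class ValidationKeyDemo
{
    // HMAC-SHA1 over data[offset..offset+count), keyed as in the question's snippet.
    static byte[] ComputeMac(byte[] validationKey, byte[] data, int offset, int count)
    {
        using (var hmac = new HMACSHA1(validationKey))
            return hmac.ComputeHash(data, offset, count);
    }
    // Compare without an early exit so timing does not reveal how many bytes matched.
    static bool ConstantTimeEquals(byte[] a, int aOffset, byte[] b)
    {
        int diff = 0;
        for (int i = 0; i < b.Length; i++) diff |= a[aOffset + i] ^ b[i];
        return diff == 0;
    }
    // Blob layout from the question: payload followed by a 20-byte MAC.
    static bool Verify(byte[] validationKey, byte[] blob)
    {
        const int macLen = 20;
        if (blob.Length <= macLen) return false;
        int dataLen = blob.Length - macLen;
        return ConstantTimeEquals(blob, dataLen, ComputeMac(validationKey, blob, 0, dataLen));
    }
    static void Main()
    {
        byte[] key = new byte[64];      // constructed stand-in for the configured validationKey
        byte[] blob = new byte[80];     // 60 bytes of constructed payload + 20 bytes of MAC
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(key);
            rng.GetBytes(blob);
        }
        Buffer.BlockCopy(ComputeMac(key, blob, 0, 60), 0, blob, 60, 20);
        byte[] plainSha1;
        using (var sha1 = SHA1.Create()) plainSha1 = sha1.ComputeHash(blob, 0, 60);

        Console.WriteLine("HMAC with the key verifies:    " + Verify(key, blob));
        Console.WriteLine("plain SHA1 equals the tail:    " + ConstantTimeEquals(blob, 60, plainSha1));
        blob[0] ^= 1;                   // tamper with one payload bit
        Console.WriteLine("verifies after tampering:      " + Verify(key, blob));
        key[0] ^= 1; blob[0] ^= 1;      // restore the payload, then use a different key
        Console.WriteLine("verifies with a different key: " + Verify(key, blob));
    }
}
```

Only the first check succeeds: the unkeyed SHA1 of the first 60 bytes does not reproduce the trailing 20 bytes, and the MAC fails to verify once either the payload or the key changes.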

Licensed under: CC-BY-SA with attribution