Several features of ASP.NET were designed with security in mind from the early days of the platform (ViewState protection, for example), although those days were quite a while ago. The last complex changes were introduced in version 2, but that happened about 7 years ago, and the world of cryptography, which serves as the basis of many security features, can change a lot in that many years. The other problem with cryptography is that you have to use it correctly, which is sometimes far from obvious, and misuse can lead to serious security vulnerabilities (see MS10-070).
Guided by these principles, ASP.NET 4.5 introduces important security changes and features. A few days ago Levi Broderick published an excellent 3-part article titled Cryptographic Improvements in ASP.NET 4.5 on the .NET Web Development and Tools Blog:
- Background regarding the use of cryptography in ASP.NET 4.
- Changes that were introduced in ASP.NET 4.5.
- Usage notes and miscellaneous Q&A.
I strongly recommend that everyone read all three parts, especially architects who design the security features of web applications. To quickly summarize:
- The machine key has higher entropy and is more secure to use, and new application isolation features are introduced.
- The usage of the machine key is separated by “purpose”, so a vulnerability in one usage area (e.g. ScriptResource.axd) hopefully will not affect other areas (such as ViewState).
- New MachineKey.Protect and MachineKey.Unprotect functions let you specify the “purpose”. They are “just protect” functions: you don’t have to worry about MAC and encryption. With these new functions, the old Encode and Decode methods are deprecated.
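To show how the “purpose” separation works in practice, here is an added example (not code from Levi Broderick's articles or from the ASP.NET team) that binds a token to one feature and one user. The class name, the purpose strings and the token layout are assumptions made for illustration, and the code assumes it runs inside an ASP.NET 4.5 application that references System.Web.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Hypothetical helper: issues and validates an opaque token bound to one user.
public static class ResetTokenProtector
{
    // Constructed purpose string; any stable, feature-specific value works.
    private const string Purpose = "Example.PasswordReset.v1";

    public static string Issue(string userId, TimeSpan lifetime)
    {
        // Payload is just the expiry time; Protect takes care of both
        // encryption and integrity, so no separate MAC is needed.
        byte[] payload = BitConverter.GetBytes(DateTime.UtcNow.Add(lifetime).Ticks);

        // The second purpose ties the token to this specific user.
        byte[] blob = MachineKey.Protect(payload, Purpose, "user:" + userId);
        return HttpServerUtility.UrlTokenEncode(blob);
    }

    public static bool TryValidate(string token, string userId)
    {
        if (string.IsNullOrEmpty(token)) return false;

        byte[] blob = HttpServerUtility.UrlTokenDecode(token);
        if (blob == null || blob.Length == 0) return false;

        try
        {
            // Fails if the data was tampered with, or if it was protected
            // under different purposes (another feature or another user).
            byte[] payload = MachineKey.Unprotect(blob, Purpose, "user:" + userId);
            return DateTime.UtcNow.Ticks <= BitConverter.ToInt64(payload, 0);
        }
        catch (CryptographicException)
        {
            return false;
        }
    }
}
```

A token issued for one user does not validate for another, and a blob protected under any other purpose cannot be replayed against this feature, because Unprotect rejects it before the payload is ever read.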
As you may guess, these changes affect several areas of the framework, and sometimes they can even lead to compatibility issues. To minimize the impact, the ASP.NET team decided where to use the new system by default and where to stay with the old one for compatibility reasons. These decisions are detailed beautifully in the second and third parts of the above series, including the corresponding web.config settings, so they are definitely worth reading.
Please keep in mind that Windows Azure Web Sites are running on ASP.NET 4.5, which is an in-place upgrade!