
Microsoft small business knowledge base

Article ID: 2425938 - Last Review: September 29, 2010 - Revision: 1.5

SUMMARY

The security update that is described in Microsoft security bulletin MS10-070 changes the default encryption mechanism in ASP.NET so that it performs validation (HMAC signing) in addition to encryption. This article describes the configuration options that revert to the legacy, encryption-only behavior in ASP.NET.

For more information about this security update, visit the following website:
http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx

MORE INFORMATION

ASP.NET lets you optionally encrypt or validate data through the machineKey section of the configuration. The security update that is described in security bulletin MS10-070 changes the default behavior of encryption in ASP.NET so that validation is performed in addition to encryption, even if only encryption is requested.

After you install the security update that is described in security bulletin MS10-070, the following operations are performed when encryption is set up for ASP.NET:
  • During the encryption of data, an HMAC signature is generated for the encrypted data and is appended to it.
  • During the decryption of data, the HMAC signature is validated before the data is decrypted.
The following keys in the ASP.NET application settings (appSettings) control the behaviors that the update changed: signing in addition to encryption, and the files that the ScriptResource.axd handler will serve.

Key                                    Type     Default value  Supported on .NET versions
aspnet:UseLegacyEncryption             Boolean  False          Microsoft .NET Framework 2.0 Service Pack 1
                                                               Microsoft .NET Framework 2.0 Service Pack 2
                                                               Microsoft .NET Framework 3.5
                                                               Microsoft .NET Framework 3.5 Service Pack 1
                                                               Microsoft .NET Framework 4.0
aspnet:UseLegacyMachineKeyEncryption   Boolean  False          Microsoft .NET Framework 4.0
aspnet:ScriptResourceAllowNonJsFiles   Boolean  False          Microsoft .NET Framework 3.5 Service Pack 1
                                                               Microsoft .NET Framework 4.0

Description of the aspnet:UseLegacyEncryption appSetting

This application setting specifies whether encryption also performs validation with the HMAC validation key, even when the validation attribute of the machineKey section is not configured for HMAC signature validation.

aspnet:UseLegacyEncryption   Description
False (Default)              ASP.NET additionally generates and validates an HMAC signature whenever it is configured to use encryption. This occurs even if the validation attribute of machineKey is not configured to sign with an HMAC key.
True                         ASP.NET performs encryption only, with no HMAC signature validation, when it is configured to use encryption and the validation attribute of machineKey is not configured for HMAC signing. This is the behavior before the update.

Note Setting this key to true removes the HMAC check that the update added and could allow a malicious client to decrypt, forge, or otherwise tamper with encrypted data.

To configure this setting, add the following configuration to the computer-level configuration (machine.config or the root web.config) or to the application's web.config file. The value false shown here is the post-update default; set it to true only if you must restore the legacy, encryption-only behavior:
<configuration>
...
 <appSettings>
 ...
 <add key="aspnet:UseLegacyEncryption" value="false" />
 </appSettings>
</configuration>

Description of aspnet:UseLegacyMachineKeyEncryption appSetting

This application setting specifies whether encryption through the System.Web.Security.MachineKey class also performs validation with the HMAC validation key, even when the MachineKeyProtection argument that the caller supplies does not request validation.

aspnet:UseLegacyMachineKeyEncryption   Description
False (Default)                        ASP.NET additionally generates and validates an HMAC signature when the MachineKey class is used for encryption. This occurs even if the supplied MachineKeyProtection argument does not specify validation.
True                                   ASP.NET performs encryption only, with no HMAC signature validation, when the MachineKey class is used for encryption and the supplied MachineKeyProtection argument does not request HMAC signing. This is the behavior before the update.

Note Setting this key to true removes the HMAC check that the update added and could allow a malicious client to decrypt, forge, or otherwise tamper with data encrypted through the MachineKey class.

To configure this setting, add the following configuration to the computer-level configuration (machine.config or the root web.config) or to the application's web.config file. The value false shown here is the post-update default; set it to true only if you must restore the legacy, encryption-only behavior:
<configuration>
...
 <appSettings>
 ...
 <add key="aspnet:UseLegacyMachineKeyEncryption" value="false" />
 </appSettings>
</configuration>
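The two decryption paths described above, for encryption configured through the machineKey section and for the System.Web.Security.MachineKey class, as an added example. This is not Microsoft's code and not the ASP.NET implementation: it uses a constructed HMAC-SHA256 keystream in place of AES (an assumption made so that it runs on the Python standard library alone) and constructed keys and plaintext. What it shows is the effect of the setting. In legacy (encryption-only) mode, a client can flip bits in the ciphertext and the server decrypts and accepts the altered data; in the updated mode, an HMAC is appended to the ciphertext and checked first, so the same alteration is rejected before anything is decrypted.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example; not Microsoft's or ASP.NET's code. The "cipher" below is a
# CTR-style keystream generated with HMAC-SHA256. That is an assumption made so
# the example needs only the standard library; it stands in for the AES that
# ASP.NET uses. The construction around it is the point: legacy mode returns the
# raw ciphertext, updated mode appends an HMAC over it and validates that HMAC
# before decrypting.

IV_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Keystream = HMAC(enc_key, iv || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(enc_key: bytes, plaintext: bytes, validation_key: Optional[bytes] = None,
            iv: Optional[bytes] = None) -> bytes:
    """Legacy mode when validation_key is None (encryption only);
    updated mode otherwise (encryption, then an HMAC appended)."""
    iv = iv if iv is not None else os.urandom(IV_LEN)
    ciphertext = iv + _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    if validation_key is None:
        return ciphertext
    tag = hmac.new(validation_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def decrypt(enc_key: bytes, blob: bytes, validation_key: Optional[bytes] = None) -> bytes:
    if validation_key is not None:
        # Updated mode: validate the HMAC first. Nothing is decrypted unless it matches.
        if len(blob) < IV_LEN + TAG_LEN:
            raise ValueError("blob too short to carry an HMAC")
        ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(validation_key, ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("HMAC validation failed; ciphertext rejected")
    else:
        ciphertext = blob  # legacy mode: whatever the client sent is decrypted as-is
    iv, body = ciphertext[:IV_LEN], ciphertext[IV_LEN:]
    return _xor(body, _keystream(enc_key, iv, len(body)))


def flip_byte(blob: bytes, offset: int, known: int, wanted: int) -> bytes:
    """Attacker step, no key needed: change plaintext byte `offset` from `known`
    to `wanted` by XORing the matching ciphertext byte (bit flipping)."""
    out = bytearray(blob)
    out[IV_LEN + offset] ^= known ^ wanted
    return bytes(out)


def demo() -> dict:
    # Constructed keys and plaintext for the example.
    enc_key = hashlib.sha256(b"decryptionKey (constructed)").digest()
    val_key = hashlib.sha256(b"validationKey (constructed)").digest()
    plaintext = b"admin=0"
    # Legacy behavior: the flipped ciphertext decrypts to admin=1 and is accepted.
    legacy_blob = encrypt(enc_key, plaintext)
    legacy_result = decrypt(enc_key, flip_byte(legacy_blob, 6, ord("0"), ord("1")))
    # Updated behavior: the same flip fails HMAC validation before decryption.
    signed_blob = encrypt(enc_key, plaintext, validation_key=val_key)
    try:
        decrypt(enc_key, flip_byte(signed_blob, 6, ord("0"), ord("1")), validation_key=val_key)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "legacy_tampered_plaintext": legacy_result,
        "signed_tamper_rejected": rejected,
        "signed_roundtrip": decrypt(enc_key, signed_blob, validation_key=val_key),
    }


if __name__ == "__main__":
    print(demo())
```

The validation key is checked with hmac.compare_digest so that a mismatch does not leak timing information, and the check runs before any decryption, which is the order the article describes for the updated behavior.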

Description of aspnet:ScriptResourceAllowNonJsFiles appSetting

This application setting specifies whether the ScriptResource.axd handler in ASP.NET will serve files other than JavaScript (.js) files. ScriptResource.axd is an ASP.NET handler that returns JavaScript source files to AJAX components in an ASP.NET webpage.

aspnet:ScriptResourceAllowNonJsFiles   Description
False (Default)                        ASP.NET serves only static files that have the .js extension (JavaScript) through the ScriptResource.axd handler.
True                                   ASP.NET serves any static file that the ASP.NET application has access to through the ScriptResource.axd handler. This is the behavior before the update.

Note Setting this key to true allows any file within your ASP.NET application to be served through the handler. If any such file contains sensitive or confidential data, this setting can leak that information to a client.

To configure this setting, add the following configuration to the computer-level configuration (machine.config or the root web.config) or to the application's web.config file. The value false shown here is the post-update default; set it to true only if you must restore the legacy behavior:
<configuration>
...
 <appSettings>
 ...
 <add key="aspnet:ScriptResourceAllowNonJsFiles" value="false" />
 </appSettings>
</configuration>
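To check a deployment for the three keys described above, the following added Python example (not Microsoft's code) parses the appSettings sections of a chain of configuration files and reports any key whose effective value turns the pre-update behavior back on. The configuration texts are constructed for the example. The chain order (machine.config, then the root web.config, then the application's web.config), the handling of the add, remove and clear elements, and the case-insensitive key matching are this example's assumptions about how ASP.NET merges appSettings down the configuration hierarchy.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Added example; not Microsoft's code. Audits the effective value of the three
# MS10-070 appSettings keys across a chain of ASP.NET configuration files.

# Each key, with the value that restores the pre-update (insecure) behavior.
LEGACY_VALUE = {
    "aspnet:UseLegacyEncryption": "true",
    "aspnet:UseLegacyMachineKeyEncryption": "true",
    "aspnet:ScriptResourceAllowNonJsFiles": "true",
}

# Constructed sample chain, outermost first. Assumption: later files override
# earlier ones for the same key, and <remove>/<clear> drop inherited entries.
SAMPLE_CHAIN = [
    ("machine.config", """
<configuration>
  <appSettings>
    <add key="aspnet:UseLegacyEncryption" value="true" />
    <add key="aspnet:UseLegacyMachineKeyEncryption" value="True" />
  </appSettings>
</configuration>"""),
    ("root web.config", """
<configuration>
  <appSettings>
    <remove key="aspnet:UseLegacyMachineKeyEncryption" />
  </appSettings>
</configuration>"""),
    ("app web.config", """
<configuration>
  <appSettings>
    <add key="aspnet:UseLegacyEncryption" value="false" />
    <add key="ASPNET:ScriptResourceAllowNonJsFiles" value="true" />
  </appSettings>
</configuration>"""),
]


def effective_app_settings(chain: List[Tuple[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Walk the chain outermost-first and apply <add>, <remove> and <clear>.
    Returns {lowercased key: (value, label of the file that last set it)}."""
    effective: Dict[str, Tuple[str, str]] = {}
    for label, xml_text in chain:
        root = ET.fromstring(xml_text.strip())
        for section in root.iter("appSettings"):
            for elem in section:
                key = (elem.get("key") or "").lower()
                if elem.tag == "clear":
                    effective.clear()
                elif elem.tag == "remove" and key:
                    effective.pop(key, None)
                elif elem.tag == "add" and key:
                    effective[key] = (elem.get("value", ""), label)
    return effective


def audit(chain: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value, file) for every MS10-070 key whose effective value
    re-enables the legacy behavior. Values are compared case-insensitively,
    since "True" and "true" both parse as the Boolean true."""
    settings = effective_app_settings(chain)
    findings = []
    for key, legacy in LEGACY_VALUE.items():
        hit = settings.get(key.lower())
        if hit and hit[0].strip().lower() == legacy:
            findings.append((key, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for key, value, where in audit(SAMPLE_CHAIN):
        print(f"{where}: {key}={value} restores pre-MS10-070 behavior")
```

Run against the sample chain, the audit reports only aspnet:ScriptResourceAllowNonJsFiles in the application's web.config: the machine-level aspnet:UseLegacyEncryption=true is overridden to false by the application, and aspnet:UseLegacyMachineKeyEncryption is removed at the root web.config. Auditing each file on its own would miss that a machine-level setting is being inherited by every application that does not override it.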

References

For more information about the machineKey section, visit the following Microsoft website:
http://msdn.microsoft.com/en-us/library/w8h3skw9.aspx
For more information about the System.Web.Security.MachineKey class, visit the following Microsoft website:
http://msdn.microsoft.com/en-us/library/system.web.security.machinekey.aspx
For more information about how to use application settings (appSettings), click the following article numbers to view the articles in the Microsoft Knowledge Base:
815786 (http://support.microsoft.com/kb/815786/) How to store and retrieve custom information from an application configuration file by using Visual C#
313405 (http://support.microsoft.com/kb/313405/) How to store and retrieve custom information from an application configuration file by using Visual Basic .NET or Visual Basic 2005
For more information about ASP.NET configuration, click the following article number to view the article in the Microsoft Knowledge Base:
307626 (http://support.microsoft.com/kb/307626/) INFO: ASP.NET Configuration Overview

APPLIES TO
  • Microsoft .NET Framework 4
  • Microsoft .NET Framework 3.5 Service Pack 1
  • Microsoft .NET Framework 3.5
  • Microsoft .NET Framework 2.0 Service Pack 2
  • Microsoft .NET Framework 2.0 Service Pack 1 (x86)
Keywords: kbexpertiseinter kbhowto kbsecurity kbsurveynew KB2425938