Secure ASP.NET ViewState

During an appearance on the .NET Rocks podcast last week, a question was raised about securely sending information through ASP.NET ViewState.  I responded to the question by indicating that the typical security concern for web content is not to trust any content submitted from the web, including ViewState.  After that podcast was published, several of my colleagues corrected me: in ASP.NET 4.5 the encryption of ViewState received a significant rewrite that addressed this issue and effectively makes ViewState very secure.

Encrypted and MAC’d

In older versions of ASP.NET, there was an option to “EnableViewStateMac” that would allow you to configure whether ViewState was protected against tampering with a Message Authentication Code (MAC – true setting).  As a secondary configuration option, ViewState was encrypted if the “ViewStateEncryptionMode” was set to true.  Beginning with ASP.NET 4.5.2, this configuration is ignored and all requests are both encrypted and protected with a Message Authentication Code.  Security advisory KB2905247, which was sent to all Windows machines on a patch Tuesday in September 2014, set ASP.NET to ignore the EnableViewStateMac setting and use the ASP.NET 4.5.2 encryption settings in all versions of ASP.NET going back to ASP.NET 1.1.  Troy Hunt has a magnificent blog post describing how ViewState MAC works if you are interested in the details.

Improved Encryption Pipeline

With the ASP.NET 4 release, you could replace the symmetric encryption and message authentication algorithms used by the cryptographic pipeline within ASP.NET request processing.  You could change the algorithm by setting a decryption and validation attribute on the machineKey element in the machine.config file.  More details on this configuration can be found in the MSDN documentation.

You can force your Windows web server to use the updated ASP.NET 4.5 encryption capabilities by applying a compatibilityMode attribute to the machineKey element in machine.config like this:

<machineKey compatibilityMode="Framework45" />

Alternatively, you can apply a targetFramework attribute to the httpRuntime element in web.config, as the updated ASP.NET project templates do:

<httpRuntime targetFramework="4.5" />

More information about the updates to ASP.NET Encryption and ViewState are available online.