
According to what I understand from the ViewState method in ASP.NET, when the server generates the ViewState with MAC enabled, it will send it to the client with the MAC computed from the ViewState message appended at the end of the ViewState. Then, the client will post back this ViewState with the MAC. The server will check the MAC it has received against the MAC it stored when it first sent it. If it matches, the integrity is confirmed.

However, I read this article : https://msdn.microsoft.com/en-us/magazine/ff797918.aspx

It explains that a secret key is also added to the message and the MAC is computed from the message and the secret key.

I don't see any reason for having a secret key. Can you then explain to me why it is used?

Xander
Duke Nukem

1 Answer

As you stated, the purpose of the MAC is to ensure the integrity of the viewstate data, that is, to ensure that it hasn't been manipulated by the client. If there were no secret key, this would not be possible. If, say, a non-keyed hash function were used (take plain SHA-256, for example), anybody would be able to compute the hash. This is very valuable when you want anybody to be able to compute the hash, say, to check the integrity of a downloaded file, but deadly if you want to identify whether a client has modified some data, since "anybody" includes "the client", and so a client could simply modify the viewstate, compute the new hash, send them both back to the server, and the server would get a modified viewstate with a hash that matches perfectly.

The secret key prevents this. The key ensures that only the server, the holder of the secret key, will be able to correctly compute the MAC for any given viewstate. So, even if the attacker modifies the viewstate, he will not be able to correctly compute a new MAC, and validation will fail, letting the server know that something is wrong and the request should be rejected.

Xander
  • It should be noted that setting the secret key to a unique, secure random value per session, can be a form of CSRF protection for .NET postbacks. This value should be regenerated upon login and logout. – SilverlightFox Sep 29 '16 at 13:46
  • I understand your point, but this is not the default functioning of ViewState with MAC that I understood. In fact, there is no need of secret key if the server has stored the MAC of the ViewState when he first sent it. He just has to check the MAC sent with the PostBack, with the MAC he has stored. – Duke Nukem Sep 29 '16 at 15:38
  • 1
    You misunderstand...The server doesn't keep a copy of the MAC. In fact, the request containing the viewstate and MAC may not even go back to the same server that created them. This is the indeed the reason the MAC exists. – Xander Sep 29 '16 at 15:41
  • Thanks for your answer, I understand now. Can you tell me if that secret key is present by default when ViewState MAC is enabled? – Duke Nukem Sep 29 '16 at 15:46
  • @DukeNukem Yes, it is, it's based on the machineKey node in machine.config, or overridden in web.config. – Xander Sep 29 '16 at 17:19
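The contrast the answer draws, as an added example that is not part of the original post or of ASP.NET itself: a toy "ViewState" carrying either a plain SHA-256 tag or an HMAC-SHA256 tag, and a client that edits the state and recomputes the hash. The payload format, the field names and the random key standing in for the machineKey are all constructed for the demonstration; real ViewState serialisation is not modelled.

```python
import base64
import hashlib
import hmac
import secrets

TAG_LEN = 32  # SHA-256 and HMAC-SHA256 both produce 32-byte tags


def unkeyed_tag(state: bytes) -> bytes:
    # The design the answer argues against: a public hash anyone, including the client, can recompute.
    return hashlib.sha256(state).digest()


def keyed_tag(key: bytes, state: bytes) -> bytes:
    # MAC-enabled model: HMAC over the state under the server's secret. Any server that holds
    # the same key can validate, so nothing has to be stored per request (see the comments above).
    return hmac.new(key, state, hashlib.sha256).digest()


def pack(state: bytes, tag: bytes) -> str:
    # Tag appended after the state, as the question describes, then base64 for transport.
    return base64.b64encode(state + tag).decode()


def unpack(blob: str) -> tuple:
    raw = base64.b64decode(blob)
    return raw[:-TAG_LEN], raw[-TAG_LEN:]


def server_accepts_unkeyed(blob: str) -> bool:
    state, tag = unpack(blob)
    return hmac.compare_digest(tag, unkeyed_tag(state))


def server_accepts_keyed(key: bytes, blob: str) -> bool:
    state, tag = unpack(blob)
    return hmac.compare_digest(tag, keyed_tag(key, state))


def client_modifies(blob: str, new_state: bytes) -> str:
    # The client swaps in new state and recomputes the tag with the only function it knows: the public hash.
    return pack(new_state, unkeyed_tag(new_state))


def demo() -> dict:
    key = secrets.token_bytes(32)        # constructed stand-in for the machineKey validationKey
    original = b"page=1;sort=name"       # constructed ViewState-like payload
    modified = b"page=1;sort=date"
    unkeyed_blob = pack(original, unkeyed_tag(original))
    keyed_blob = pack(original, keyed_tag(key, original))
    return {
        "unkeyed_genuine_accepted": server_accepts_unkeyed(unkeyed_blob),
        "unkeyed_tampered_accepted": server_accepts_unkeyed(client_modifies(unkeyed_blob, modified)),
        "keyed_genuine_accepted": server_accepts_keyed(key, keyed_blob),
        "keyed_tampered_accepted": server_accepts_keyed(key, client_modifies(keyed_blob, modified)),
    }
```

Running `demo()` shows the unkeyed server accepting the tampered payload while the keyed server rejects it, which is exactly the gap the secret key closes.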