Tags: asp.net-mvc, security, ssl, web-config, machinekey

Differences between using SSL and a validation key in ASP.NET MVC applications


For each ASP.NET MVC application we use a static or dynamic key to validate user requests/responses. For example, in the web.config file we may use this to have static validation:

<machineKey validationKey="AC7308C5274D969E665AC7BED7A863582B571D97D9ED03B314952BD3DD159CDFC164E2341D44BDE8F0284FA924052817B3D7429433AABC3F53A118BB7B3F9ABB" decryptionKey="1EDB4490EC0074F7FF3099D450D5E92F1D39F577F9799D14033D1B27DB0F7A93B" validation="SHA1" decryption="AES" />

On the other hand, we have a tool named SSL (Secure Sockets Layer) to improve web app security. SSL also has a non-repudiation mechanism.

With this in mind, my question is:

What differences exist between them? And what types of jobs are related to each? Which part of the app will each one secure? In other words: can we be confident in our app by using the MVC ValidationKey instead of SSL?

The concept that baffles me is: they both have encryption/decryption.


Solution

  • The very high level answer is that they protect different things. They're complementary; secure ASP.NET applications use both of them at the same time.

    SSL is used to protect the client and the server from an untrusted third party. It provides authentication: the client knows the identity of the server he is talking to. It also provides integrity protection: the client knows the page he's getting actually came from the server instead of an attacker. And it provides confidentiality: nobody can read the credit card number the client sends to the server during checkout.

    The <machineKey> element, on the other hand, protects the server from a malicious client. Consider that your server sends me a login cookie that says "levi". What if I change the cookie contents to instead read "amir"? The <machineKey> cryptographic services allow the server to verify that when information like cookies and form fields (__VIEWSTATE, for instance) are round-tripped from server -> client -> server, the client hasn't tampered with the payload in a malicious fashion.
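The "levi" -> "amir" cookie scenario from the answer, as an added example that is not part of the original question or answer and is not ASP.NET's own machineKey code. It is a minimal stand-in: the server appends an HMAC (HMAC-SHA256 here, under a hypothetical, randomly generated validation key) to the payload before round-tripping it to the client, and refuses any payload whose MAC no longer verifies. The `peek` helper shows what a passive third party on an unencrypted connection sees: the MAC stops the client from tampering, but it does nothing to hide the payload, which is the part SSL covers. The function names, the key, and the cookie contents are all constructed for this illustration.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical stand-in for the validationKey in web.config: generated fresh
# here so the example runs offline. A real server reads the configured key.
VALIDATION_KEY = secrets.token_bytes(64)
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(payload: bytes, key: bytes = VALIDATION_KEY) -> str:
    """Server side: append MAC(key, payload) and encode, as sent in a cookie."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode("ascii")


def unprotect(token: str, key: bytes = VALIDATION_KEY) -> Optional[bytes]:
    """Server side: return the payload only if its MAC verifies, else None.

    Malformed tokens, truncated tokens, and tokens whose MAC does not match
    (edited payload or a different key) are all rejected the same way.
    """
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, binascii.Error):
        return None
    if len(raw) < MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check itself leaks nothing about the MAC.
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


def peek(token: str) -> bytes:
    """Third party on the wire: the payload is signed, not encrypted, so it is readable."""
    raw = base64.urlsafe_b64decode(token.encode("ascii"))
    return raw[:-MAC_LEN]


def tamper(token: str, old: bytes, new: bytes) -> str:
    """Malicious client: edit the cookie contents without knowing the key."""
    raw = base64.urlsafe_b64decode(token.encode("ascii"))
    # The payload precedes the MAC, so the first occurrence is in the payload.
    return base64.urlsafe_b64encode(raw.replace(old, new, 1)).decode("ascii")


if __name__ == "__main__":
    cookie = protect(b"levi")
    print("server accepts original:", unprotect(cookie))
    print("eavesdropper reads     :", peek(cookie))
    forged = tamper(cookie, b"levi", b"amir")
    print("eavesdropper reads forged:", peek(forged))
    print("server accepts forged  :", unprotect(forged))
```

Running the block shows the server accepting `b"levi"`, rejecting the forged `b"amir"` cookie with `None`, and the eavesdropper reading both payloads in the clear. Swapping in a different key (a second server in a farm that is not sharing the machineKey, for instance) also makes `unprotect` return `None`, which is the same failure mode as a tampered cookie.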