I have an MVC app using .NET 4.5.2. In this app, I set the MachineKey as follows:
<machineKey compatibilityMode="Framework45" validationKey="25E5749C117E4072E721DA0B8A88B052AAA821CA1D1638C10F0DBF528C19D296134A996B5FA934E1032C9BA9FBDC45EF8806153D683EF4F6C833E7BF6639C513" decryptionKey="DC7ACBAD80BC8EDBD1429F102CEC1C210604DA6C3E6421A4" validation="SHA1" decryption="AES" />
I then run my GetMachineKey code (which has a dependency on ReflectionMagic to keep the reflection code simple when accessing Internal properties):
public static Tuple<string, string> GetKeys()
{
var mksType = typeof(MachineKeySection);
var getAppConfigMethod = mksType.GetMethod("GetApplicationConfig", BindingFlags.NonPublic | BindingFlags.Static);
var boxedMachineKeySection = getAppConfigMethod.Invoke(null, null);
var machineKeySection = boxedMachineKeySection as MachineKeySection;
var dynKeySection = machineKeySection.AsDynamic();
var encryptionKeyBytes = (byte[])dynKeySection.DecryptionKeyInternal;
var encryptionKeyString = string.Concat(encryptionKeyBytes.Select(b => b.ToString("X2")));
var validationKeyBytes = (byte[])dynKeySection.ValidationKeyInternal;
var validationKeyString = string.Concat(validationKeyBytes.Select(b => b.ToString("X2")));
return new Tuple<string, string>(encryptionKeyString, validationKeyString);
}
Upon running that code, I successfully retrieve both my ValidationKey and my DecryptionKey. Great! Perfect! Exactly what I want in that scenario!
Next, I set my MachineKey as such:
<machineKey compatibilityMode="Framework45" validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" decryption="AES" />
Now when I run my code, again I retrieve my keys, I notice that every time I have a new key generated, the first four octets are identical in both the Validation Key as is in the Decryption Key. I have deployed this application on 12 different servers now and the pattern is the same (not the same bytes on all servers but the first four octets always match on both keys for the same server). For example, in one instance, my keys both begin like this:
Validation Key: B298BA4E463CB2934329...
Decryption Key: B298BA4E0505BF0A9424...
Why do the "random" keys both have identical bytes at the beginning? Or alternatively, am I reading these keys correctly?
P.S. I know these keys are meant to be hard to get to and are very important for security reasons and I shouldn't usually be doing this. I am attempting to create a tech training demo/presentation talking about load-balancing and showing why managing your MachineKeys correctly is important. I would never do something like this with production code but it's nice to see these things when going through load-balancers to see the variables of the equation being changed for presentation purposes. So please do not lecture me about how I shouldn't do this. Yes, I know.
P.P.S. If you come across this post, you probably shouldn't use my code. It's a bad idea!
From the documentation:
"The IsolateApps modifier specifies that ASP.NET generates a unique encrypted key for each application using the application ID of each application"
Thus, it looks like IsolateApps is a safeguard to prevent identical keys being used by different apps that are sourcing the same machinekey config file.
In practice, the first four bytes are related to the hashcode of your appName (since you are specifying IsolateApps) while the rest are coming from RandomNumberGenerator.GetBytes. See here and here in the code.
As suggested by the code, if you had ",IsolateByAppId", the next 4 bytes would be the same.
If you remove these "Isolate" flags, you'll probably get all random bytes.