Erick Asto Oblitas

Reputation: 1409

How to configure machineKey in Custom Membership to use MD5 for ASP.MVC 4 (net 4.5)?

I'm implementing a CustomMembership Provider, and the first part works: login, register, etc. (I chose the validationKey and decryptionKey for now from http://msdn.microsoft.com/en-us/library/vstudio/w8h3skw9(v=vs.100).aspx).

My Web.Config:

<system.web>
    <machineKey validationKey="32E35872597989D14CC1D5D9F5B1E94238D0EE32CF10AA2D2059533DF6035F4F" decryptionKey="B179091DBB2389B996A526DE8BCD7ACFDBCAB04EF1D085481C61496F693DF5F4"/>
    <membership defaultProvider="CustomMembershipProvider">
      <providers>
        <clear />
        <add name="CustomMembershipProvider" type="CustomMembership.CustomMembership.CustomMembershipProvider" connectionStringName="TestMembershipEntities" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" passwordFormat="Encrypted" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="CustomRoleProvider">
      <providers>
        ...

Now I need to use MD5.

Does the method EncryptPassword choose the right algorithm if I set the validation attribute in MachineKey?

private string EncodePassword(string password)
{
    string encodedPassword = password;
    switch (PasswordFormat)
    {
        case MembershipPasswordFormat.Clear:
            break;
        case MembershipPasswordFormat.Encrypted:
            // EncryptPassword is the MembershipProvider base-class method
            byte[] encryptedPass = EncryptPassword(Encoding.Unicode.GetBytes(password));
            encodedPassword = Convert.ToBase64String(encryptedPass);
            break;
        case MembershipPasswordFormat.Hashed:
            // keyed with the hex validationKey read from <machineKey>
            HMACSHA1 hash = new HMACSHA1();
            hash.Key = HexToByte(machineKey.ValidationKey);
            encodedPassword = Convert.ToBase64String(hash.ComputeHash(Encoding.Unicode.GetBytes(password)));
            break;
        default:
            throw new ProviderException("Unsupported password format.");
    }
    return encodedPassword;
}

Changing MachineKey

<machineKey validationKey="32E35872597989D14CC1D5D9F5B1E94238D0EE32CF10AA2D2059533DF6035F4F" decryptionKey="B179091DBB2389B996A526DE8BCD7ACFDBCAB04EF1D085481C61496F693DF5F4" 
validation="MD5"  decryption="Auto" />

If I do that, I get the following error in @Html.AntiForgeryToken():

**ConfigurationErrorsException was unhandled...**
When using <machineKey compatibilityMode="Framework45" /> or the MachineKey.Protect and MachineKey.Unprotect APIs,
the 'validation' attribute must be one of these values: SHA1, HMACSHA256, HMACSHA384, HMACSHA512, or alg:[KeyedHashAlgorithm].

Do I need to write custom code to encrypt/decrypt with MD5 in the MembershipPasswordFormat.Encrypted case, or what do I need to do? Thanks.

Upvotes: 1

Views: 11767
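An added example (not the asker's provider code, nor anything from the answers below) that makes the Hashed branch follow the machineKey validation attribute and only accepts the keyed-hash values the Framework45 error message lists. It assumes the provider already holds the MachineKeySection it read in Initialize(), as the question's snippet does; the HexToByte helper is my own reconstruction of the one the question calls.

```csharp
using System;
using System.Configuration.Provider;
using System.Security.Cryptography;
using System.Text;
using System.Web.Configuration;

// Added example: keyed password hashing driven by <machineKey validation="...">.
public static class PasswordHasher
{
    // Decode the hex validationKey string from Web.config into raw key bytes.
    // (Assumed reconstruction of the question's HexToByte helper.)
    public static byte[] HexToByte(string hex)
    {
        if (hex.Length % 2 != 0) throw new ArgumentException("odd-length hex string", "hex");
        var bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(hex.Substring(i * 2, 2), 16);
        return bytes;
    }

    // Pick the keyed hash that matches the machineKey 'validation' attribute, so the
    // Hashed branch follows Web.config instead of hard-coding HMACSHA1. Only the
    // values accepted under compatibilityMode="Framework45" are mapped; MD5 (and the
    // cipher names TripleDES/AES) are rejected up front with a provider error.
    public static KeyedHashAlgorithm CreateValidationHmac(MachineKeySection machineKey)
    {
        byte[] key = HexToByte(machineKey.ValidationKey);
        switch (machineKey.Validation)
        {
            case MachineKeyValidation.SHA1:       return new HMACSHA1(key);
            case MachineKeyValidation.HMACSHA256: return new HMACSHA256(key);
            case MachineKeyValidation.HMACSHA384: return new HMACSHA384(key);
            case MachineKeyValidation.HMACSHA512: return new HMACSHA512(key);
            default:
                throw new ProviderException(
                    "machineKey validation=" + machineKey.Validation +
                    " is not a keyed hash usable under Framework45; use SHA1, HMACSHA256, HMACSHA384 or HMACSHA512.");
        }
    }

    // Same encoding as the question's Hashed case (UTF-16 bytes, Base64 output),
    // but with the algorithm chosen from configuration.
    public static string HashPassword(MachineKeySection machineKey, string password)
    {
        using (KeyedHashAlgorithm hmac = CreateValidationHmac(machineKey))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.Unicode.GetBytes(password)));
    }
}
```

Stored hashes are tied to the algorithm in effect when they were written, so changing the validation attribute later means existing users must be re-hashed on their next successful login.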

Answers (3)

Tommy

Reputation: 39817

Update your machine key tag to add the following (MSDN):

<machineKey compatibilityMode="Framework20SP1".... />

Note: the lowercase "c" in compatibilityMode

But seriously, MD5 is a very weak algorithm and if at all possible, get away from using it and use a more secure encryption scheme. This is one of the reasons it has been removed as a valid encryption algorithm in the newer .NET frameworks.

Upvotes: 0

Sri1514

Reputation: 21

This blog explains much better:

Opting in or out of the 4.5 code paths

As you might imagine, such drastic changes to the crypto pipeline come at the expense of compatibility. And since .NET 4.5 is an in-place update to .NET 4, we cannot enable these new behaviors by default, otherwise we run the unacceptable risk of breaking existing applications.

To opt in to the new ASP.NET 4.5 behaviors, all that need be done is to set the following in Web.config:

<machineKey compatibilityMode="Framework45" />

Alternatively, you can set the following switch, which is what the ASP.NET 4.5 project templates do:

The above switch is responsible for a slew of runtime behavioral changes, but that is a blog post for another day. The important bit here is that setting the target framework to 4.5 in the element automatically implies a default setting of Framework45 for the compatibility mode unless the machine key compatibility mode has been explicitly specified.

ASP.NET has historically supported sharing forms authentication tickets between different versions of the framework. This allows tickets to be generated by an application running ASP.NET 2.0 and validated by an application running ASP.NET 4, for example. If you are writing an application targeting ASP.NET 4.5 (you have set ) and you need to share tickets with applications running earlier versions of ASP.NET, you must set the following in the 4.5 project's Web.config:

The value Framework20SP1 is the default machine key compatibility mode for all ASP.NET versions. This has the effect of using the legacy crypto code paths, even if .NET 4.5 is installed on the machine. An existing ASP.NET 4 application that happens to be running on a machine with 4.5 installed will not get the new behaviors automatically since neither nor would be present in that application's Web.config. If, however, you have made a new application targeting 4.5 (and as such it has those config settings) and need to maintain forms authentication ticket compatibility with existing applications, you can set Framework20SP1 to be interoperable with earlier versions of ASP.NET

http://blogs.msdn.com/b/webdev/archive/2012/10/23/cryptographic-improvements-in-asp-net-4-5-pt-2.aspx

Upvotes: 2

AdamantineWolverine

Reputation: 2181

Try:

<machineKey compatibilityMode="Framework20SP2".... 

NOTE: that's a lowercase "c" in compatibilityMode.

The possible values for the compatibilityMode property are: Framework20SP1, Framework20SP2, Framework45

See: http://msdn.microsoft.com/en-us/library/system.web.configuration.machinekeysection.compatibilitymode(v=vs.110).aspx

Upvotes: 1
