I’m creating custom registration forms for Forms Based Authentication for a SharePoint 2010 site, and storing passwords as ‘Encrypted’ in the aspnet_Membership database table.
My setting in web.config shows that the ‘decryption’ parameter is “AES”. My boss is asking that I look to use AES256, as it’s more secure, but I’m having trouble working out how to do this. I’ve been Googling and “stackoverflow-ing”, but so far I’ve not been able to find that one post that either explains what I need to do, or where to look for good information.
My questions, I think, are:
- is “AES256” a valid value for the “decryption” parameter of ?
- if not, is simply generating a longer “decryptionkey” all that’s required to make AES stonger? i.e. if I make my decryption key 64 characters long, would that constitute AES256?
- if I’m totally off base with my current thinking, can anyone put me on track, or explain (or link to an explanation of) how to update my web.config to use AES256 rather than the default AES?
Just in case anyone wants to say “You should use Hashed”.. been there, discussed that, decision made to use Encrypted. Just thought I’d get that out of the way 🙂
No, you can only use “AES” as the decryption parameter for the AES algorithm.
Yes, if you generate one that is 256 bits (64 bytes) long, you effectively have AES256. In reality, you could generate one that is 512 bits long, too. The longer this value is, the stronger the encryption.
No need. You seem to be understanding it.
Now, in .NET 4.0, they’ve enhanced this a bit, allowing SHA256 to be used for validation as well. See MSDN’s documentation (archive.org snapshot) for details.