webfarm + machinekey + crypto/hashing



Hi, we have had an application live in production for 6 months. It
uses crypto/hashing in the following ways:

1- membership provider default password hash

2- membership provider security answer

3- viewstate mac (unknowingly)

4- byte[] encryptedBytes = ProtectedData.Protect(encodedBytes,
       EncryptionEntropy, DataProtectionScope.LocalMachine);

We want to move systems and put them in a webfarm.

We do NOT have machinekey defined in the web.config. Can someone tell
me: are we hosed in all these cases? If we add a machine or move
machines, will we be able to hash passwords using the same salt, hash
answers using the same salt, and decrypt the data we have encrypted
using #4? What machinekey was used for these by default if we
didn't specify one? Is hashing OK, but not encryption?

It seems like we can log in on the new system, so somehow the hashing
must be portable....

thanks
Joel