Answer updated for .NET Framework 4 and greater:
The machineKey element, which is used for encryption, decryption, and validation of forms-authentication data and view-state data, uses AES as the default decryption algorithm, with a minimum key length of 128 bits.
It also uses HMACSHA256 as the default for validation, which is HMAC over SHA-256. An HMAC prevents a length extension attack, which is a way for an attacker to append data to the value that has the hash over it in such a way that the hash still validates.
There are no known practical attacks against AES-128 (unlike 192 and 256, which can suffer from a related-key attack), and SHA-256 is nowhere near being broken, although there is an academic attack against its sister SHA-1 that questions its collision resistance. Collision resistance doesn't really matter when authenticating token values; however, it is theoretically one step towards breaking preimage resistance. Therefore, you can rest assured you are secure against attacks with AES-128 and HMAC SHA-256.
However, as with any encryption or hash algorithm, it will all boil down to how secure your key is. The AutoGenerate and IsolateApps settings will be fine; however, if you set your own, make sure that they are generated by a cryptographically secure pseudo-random number generator (CSPRNG) and are 128 bits in length. Anything less than that means you could be compromised by a brute force attack (in theory). 128 bits means that even using every computer in the world in a distributed brute-force attack on your key would never complete in your lifetime. Of course, attackers may try and get round this by grabbing your key some other way. Keep it secure.
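The checks described above can be run against a web.config before deployment. The following is an added example, not part of the original answer: the function names are hypothetical, the sample config is constructed, and missing attributes are assumed to take the defaults the answer names (HMACSHA256, AES, AutoGenerate).

```python
import secrets
import string
import xml.etree.ElementTree as ET

MIN_KEY_BITS = 128                      # minimum the answer gives
OK_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}
OK_DECRYPTION = {"AES", "AUTO"}         # "Auto" selects the framework default

def new_key(bits=MIN_KEY_BITS):
    """Hex key from the OS CSPRNG, for a hand-set validationKey/decryptionKey."""
    return secrets.token_hex(bits // 8).upper()

def check_key(name, value):
    """Return a list of findings for one key attribute."""
    if value.split(",")[0].strip().lower() == "autogenerate":
        return []                       # framework generates the key itself
    if not value or any(c not in string.hexdigits for c in value):
        return [f"{name}: not a hex string"]
    bits = len(value) * 4               # one hex digit carries 4 bits
    if bits < MIN_KEY_BITS:
        return [f"{name}: {bits} bits, below {MIN_KEY_BITS}"]
    return []

def audit_machine_key(config_xml):
    """Findings for the first <machineKey> element in a web.config document."""
    mk = ET.fromstring(config_xml).find(".//machineKey")
    if mk is None:
        return []                       # element absent: defaults apply
    findings = []
    validation = mk.get("validation", "HMACSHA256")
    decryption = mk.get("decryption", "AES")
    if validation.upper() not in OK_VALIDATION:
        findings.append(f"validation: {validation} is not an HMAC-SHA2 setting")
    if decryption.upper() not in OK_DECRYPTION:
        findings.append(f"decryption: {decryption} is not AES")
    for attr in ("validationKey", "decryptionKey"):
        findings += check_key(attr, mk.get(attr, "AutoGenerate,IsolateApps"))
    return findings

# Constructed sample: 64-bit keys and SHA1 validation, all values made up.
WEAK = """<configuration><system.web>
  <machineKey validation="SHA1" decryption="3DES"
              validationKey="0123456789ABCDEF" decryptionKey="0011223344556677"/>
</system.web></configuration>"""

if __name__ == "__main__":
    for finding in audit_machine_key(WEAK):
        print("WEAK:", finding)
    print("replacement decryptionKey:", new_key())
```

The length check cannot tell whether a hand-set key came from a CSPRNG, so keys that pass it still need to have been produced by something like `new_key()` rather than typed or derived from a password.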