I am using HMACSHA256 for message authentication in a web-farm environment.
Within the web-farm each machine has the same machine key, so the ViewState will work across machines, however, I need to do HMAC message authentication which will work across machines, so I figured that since all machines use the same machine key, there should be a way to derive a key from that to use as the HMAC key.
I notice that as of .NET 4.0 there is the MachineKey class, however, I am stuck with using .NET 3.5, and this is unavailable to me.
Is there a way to get some sort key that is the same on all machines without generating my own, for use in an ASP.NET 3.5 environment?
I don't actually need the machine key itself, just the validation key that is derived from the machine key (or equivalent).
You can read the machine key from the web.config. This link shows how to do so: http://aspnetresources.com/blog/how_to_read_auto_generated_machinekey
Keep in mind, that the author of the article reads the generated machine key - so you have to do some changes in the code.
I just read the article a little bit more and saw, that it uses reflection, which isn't neccessary, if you store the machine key inside the web.config. Essentially it breaks down to this line:
MachineKeySection section = (MachineKeySection)
ConfigurationManager.GetSection ("system.web/machineKey");