Basato sulla prima risposta di questo link :
This cookie is encrypted and signed with the DPAPI key that is associated with the IIS application pool.
Per le tue informazioni :
DPAPI provides an essential data protection capability that ensures
the confidentiality of protected data while allowing recovery of the
underlying data in the event of lost or changed passwords. The
password-based protection provided by DPAPI is excellent for a number
of reasons.
- It uses proven cryptographic routines, such as the strong Triple-DES algorithm in CBC mode, the strong SHA-1 algorithm, and the PBKDF2 password-based key derivation routine.
- It uses proven cryptographic constructs to protect data. All critical data is cryptographically integrity protected, and secret data is wrapped by using standard methods.
- It uses large secret sizes to greatly reduce the possibility of brute-force attacks to compromise the secrets.
- It uses PBKDF2 with 4000 iterations to increase the work factor of an adversary trying to compromise the password.
- It sanity checks MasterKey expiration dates.
- It protects all required network communication with Domain Controllers by using mutually authenticated and privacy protected RPC channels.
- It minimizes the risk of exposing any secrets, by never writing them to disk and minimizing their exposure in swappable RAM.
- It requires Administrator privileges to make any modifications to the DPAPI parameters in the registry.
- It uses Windows File Protection to help protect all critical DLLs from online changes even by processes with Administrator privileges.
Ora, per l'ordine tra Autenticazione e Crittografia, riguardante questa documentazione , WIF sembra prima criptare, quindi autenticare .