ASP.net ViewState encryption and decryption
I heard that the .NET framework will encrypt the ViewState using SHA1 or some other algorithm. So if I know the SHA1 encryption and decryption algorithm, can I tamper with a ViewState? I mean, if a malicious user studies the SHA1 encryption algorithm, understands that algorithm and develops a decryption algorithm, will it open the road to ViewState tampering? Or do SHA1 or other algorithms use any random tricks for encryption and decryption?

Encryption implies a key. Said key is kept on the server, and (barring other, much bigger, security issues) the client never sees it. Without knowing that key, you aren't even going to be able to view encrypted viewstate, much less change it.
Even without encryption, the server can be told to generate a hash of the viewstate and a key that only the server knows. Without knowing that key, you can still read the viewstate, but you won't be able to edit it without a whole lot of effort.
Now, it's possible that whatever encryption or hashing algorithm the framework uses could be broken enough to make tampering easy. But if it were, you'd hear about it pretty quickly -- as that same algorithm will be used in dozens of other places (there are a few well-known, well-tested algorithms that just about everyone uses).
Short version: If you care about preventing tampering, the stuff built into ASP.net will work pretty well if configured properly.
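
Added example (not part of the original answer): a simplified Python model of the keyed hash described above, showing that knowing the algorithm is SHA-1 does not help without the server's key. The field layout (state followed by an HMAC-SHA1 tag, base64-encoded), the function names, the sample state and the key are assumptions for illustration, not ASP.NET's actual serialization format.

```python
import base64
import hashlib
import hmac
import os

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for SHA-1


def protect(state: bytes, key: bytes) -> str:
    """Server side: append HMAC-SHA1(key, state), then base64-encode."""
    tag = hmac.new(key, state, hashlib.sha1).digest()
    return base64.b64encode(state + tag).decode("ascii")


def verify(field: str, key: bytes) -> bytes:
    """Server side: return the state if the tag matches, else raise ValueError."""
    raw = base64.b64decode(field, validate=True)
    if len(raw) < MAC_LEN:
        raise ValueError("field too short to contain a MAC")
    state, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, state, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("MAC validation failed")
    return state


def read_without_key(field: str) -> bytes:
    """Client side: an unencrypted state is readable by anyone."""
    return base64.b64decode(field)[:-MAC_LEN]


def resign_with_plain_sha1(new_state: bytes) -> str:
    """Client side: knows the hash is SHA-1 but has no key, so the tag is wrong."""
    tag = hashlib.sha1(new_state).digest()
    return base64.b64encode(new_state + tag).decode("ascii")


def is_accepted(field: str, key: bytes) -> bool:
    """True if the server would accept this field."""
    try:
        verify(field, key)
        return True
    except ValueError:
        return False


SERVER_KEY = os.urandom(64)               # constructed key; never leaves the server
ORIGINAL = b"role=user;cart_total=100"    # constructed sample state
FIELD = protect(ORIGINAL, SERVER_KEY)
```

The server accepts `FIELD` unchanged, while an edited state re-tagged with unkeyed SHA-1, or a single flipped bit, fails `verify`. The state itself stays readable, which is why encryption is a separate setting from the MAC.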