Deployment / Security / Strong Names

[Jimski]

Hi all,

I am creating an assembly that will access a database to return record
details.

I need to deploy it to a 3rd Party and they will then be able to use
the assembly in their code to access the methods contained within the
assembly. As this assembly will effectively access the database then I
need to provide some security to stop unwanted access.

I am confused. If I deploy this assembly with a strong name and a
public key what will stop another user copying the assembly and
accessing it themselves using say reflection? I am slightly unsure what
I will need to provide the 3rd party with to allow them access to the
assembly and what I will need to do with the assembly to stop "anybody"
accessing it?

Could somebody please offer some advice please?


Thanks in advance
Jimski

 

[Bruce Wood]

Strong naming and the GAC give you some assurances, but not all of the
ones you're after, so I think you'll need more than just a strong name.

First of all, a strong name helps out with versioning, so if you're
deploying to a third party then you should definitely use strong
naming. That way if you release v2.0 of your code and the third party's
application depends upon v1.0, it won't break the contract, at least.
(The data is a whole other question, of course.)

The second thing that a strong name gives you is assurance that nobody
else can hack your code, alter it, and pass it off as your oroginal
DLL. Insert a trojan, for example.

However, it's still a DLL, and anyone can call it. I'm sure that there
are schemes for preventing unauthorized access. (Have to unlock the DLL
with a password, or some other such thing?) I've never tried doing it,
though, so someone else will have to comment on best practices.

Have you tried asking in / looking in microsoft.public.dotnet.security?