ola.theander
Dear subscribers,

I have a question related to strong naming (signing) of assemblies to
avoid tampering. The reason for this question is that I'd like to
investigate the means to protect sensitive data in an application.

For starters, one thing that I don't fully understand: is there
anything that prevents a malicious user from tampering with the assembly
and in the same process replacing the signature with a new signature,
thus making the hash fit the tampered version of the assembly?

Assume for instance that the application has a public key stored in
the assembly to unpack an encrypted license key that validates the use
of the application. If a malicious user can replace the public key in
the assembly with their own public key, he/she can use their own private
key to create a valid license key. Is this operation prevented by
signing?

Is there any alternative storage for this type of protected data, i.e.
data that's not supposed to be tampered with by the user?

Kind regards, Ola Theander
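
The scenario in the question, as an added example that is not part of the original post: a simplified model of a file that carries its own public key and signature, checked once against the embedded key only and once against a key fingerprint the verifier holds outside the file. `SignedBlob`, `VerifySelfContained` and `VerifyPinned` are hypothetical names, the layout is not the CLR strong-name format, and it assumes .NET 5 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Simplified model of a signed file: content + embedded public key + signature.
// Hypothetical type for illustration; NOT the CLR strong-name layout.
record SignedBlob(byte[] Content, byte[] PublicKey, byte[] Signature);

static class Demo
{
    static SignedBlob Sign(byte[] content, RSA key) =>
        new(content, key.ExportSubjectPublicKeyInfo(),
            key.SignData(content, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));

    // Check 1: trusts whatever public key is embedded in the blob itself.
    // This only proves that content, key and signature are mutually consistent.
    static bool VerifySelfContained(SignedBlob b)
    {
        using var rsa = RSA.Create();
        rsa.ImportSubjectPublicKeyInfo(b.PublicKey, out _);
        return rsa.VerifyData(b.Content, b.Signature,
                              HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // Check 2: also requires the embedded key to match a fingerprint that the
    // verifier stores outside the blob (the "pin").
    static bool VerifyPinned(SignedBlob b, byte[] pinnedFingerprint) =>
        CryptographicOperations.FixedTimeEquals(SHA256.HashData(b.PublicKey), pinnedFingerprint)
        && VerifySelfContained(b);

    static void Main()
    {
        using var publisher = RSA.Create(2048);
        using var other = RSA.Create(2048);   // constructed second key pair

        var original = Sign(Encoding.UTF8.GetBytes("original content"), publisher);
        byte[] pin = SHA256.HashData(original.PublicKey);

        // Content changed, original key and signature left in place.
        var patched = original with { Content = Encoding.UTF8.GetBytes("modified content") };
        // Content changed and re-signed with a different key, whose public half is embedded.
        var resigned = Sign(Encoding.UTF8.GetBytes("modified content"), other);

        foreach (var (name, blob) in new[] { ("original", original), ("patched", patched), ("resigned", resigned) })
            Console.WriteLine($"{name,-9} self={VerifySelfContained(blob)} pinned={VerifyPinned(blob, pin)}");
    }
}
```

The self-contained check rejects the patched blob but accepts the re-signed one; only the pinned check rejects both, and it is only as trustworthy as the place the pin is stored.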