Securing assembly question

Marty

Hi,

My main application is calling a couple of dll assemblies that we made. I
want to secure those dll assemblies so they can't be used by a third party.

I did a couple of tests with
[assembly: AssemblyKeyFile(@"..\..\myKey.snk")] on both sides, caller and
dll assembly, but did not succeed in securing the assembly. (myKey.snk is
generated with 'sn -k myKey.snk')

and I've read this article
http://www.morganskinner.com/Articles/StrongNameIdentityPermission/
and in this case we paste the key in the code of the dll assembly like this:
[StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="00240000048000009400000006020000" +
"..." +
"1c6056092c2ac48a8b27c53631f7d5b6")]

But what happens when this key has to change in 50 dlls, can it be taken
from a file?

So I would like to know what is the best way to secure the dll assembly?

Thanks
Marty
 
Nicole Calinoiu

Marty said:
> Hi,
>
> My main application is calling a couple of dll assemblies that we made. I
> want to secure those dll assemblies so they can't be used by a third party.

StrongNameIdentityPermission verifications are quite trivial to bypass by
code with certain "high privilege" CAS permissions. In addition, all code
running with unrestricted CAS permissions (aka "full trust") automatically
passes demands for any identity permission in v. 2.0. Given this, you might
want to consider using some alternate mechanism (e.g.: licensing) for
limiting the callers into your assemblies.

> I did a couple of tests with
> [assembly: AssemblyKeyFile(@"..\..\myKey.snk")] on both sides, caller and
> dll assembly, but did not succeed in securing the assembly. (myKey.snk is
> generated with 'sn -k myKey.snk')

Exactly what were you hoping that simply signing the assembly would
accomplish with respect to "securing the assembly"?

> and I've read this article
> http://www.morganskinner.com/Articles/StrongNameIdentityPermission/
> and in this case we paste the key in the code of the dll assembly like
> this:
> [StrongNameIdentityPermission ( SecurityAction.Demand ,
> PublicKey="00240000048000009400000006020000" +
> "..." +
> "1c6056092c2ac48a8b27c53631f7d5b6")]
>
> But what happens when this key has to change in 50 dlls, can it be taken
> from a file?

Yes. The value can be supplied via a constant, and that constant can be
defined in a file linked into your project.
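
The arrangement described in the reply above, as an added example that is not part of the original thread: one source file holds the key as a constant, and every DLL project compiles that same file as a linked item. It targets .NET Framework; the namespaces, class names and file path are hypothetical, and the key string is a placeholder, not a real key.

```csharp
using System.Security.Permissions;

// ---- Part 1: Shared\CallerIdentity.cs (hypothetical path) -------------------
// Kept once on disk and added to each DLL project as a linked file, e.g.:
//   <Compile Include="..\Shared\CallerIdentity.cs">
//     <Link>CallerIdentity.cs</Link>
//   </Compile>
namespace Acme.Shared
{
    internal static class CallerIdentity
    {
        // Attribute arguments must be compile-time constants, so this has to be
        // a const string, not a value read from a file at run time.
        // Placeholder: replace with the hex public key of the calling
        // application's key pair (the page's own value is elided, so none is
        // reproduced here).
        internal const string PublicKey = "PUBLIC-KEY-HEX-PLACEHOLDER";
    }
}

// ---- Part 2: any class in any of the DLLs -----------------------------------
namespace Acme.Billing
{
    // The demand references the shared constant instead of a pasted literal.
    // As the reply above notes, fully trusted callers pass identity demands
    // automatically in v. 2.0, so this is not a barrier against such code.
    [StrongNameIdentityPermission(SecurityAction.Demand,
        PublicKey = Acme.Shared.CallerIdentity.PublicKey)]
    public class InvoiceCalculator
    {
        public decimal Total(decimal net, decimal taxRate)
        {
            return net + net * taxRate;
        }
    }
}
```

The constant is copied into each assembly when it is compiled, so a key change means editing one file and then rebuilding every DLL that links it.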
 
Marty

Hi Nicole,

Thank you for your reply, this is pretty interesting.

Your suggestion about "Licensing" is interesting and I've found an
article about it: http://windowsforms.net/articles/Licensing.aspx

Do you have other great articles about it?

I can see that licensing must be applied to each class and form. Is
there a way to apply licensing to a whole project, such as a dll project?

Regards,
Marty

 
Nicole Calinoiu

Marty said:
> Hi Nicole,
>
> Thank you for your reply, this is pretty interesting.
>
> Your suggestion about "Licensing" is interesting and I've found an
> article about it: http://windowsforms.net/articles/Licensing.aspx
>
> Do you have other great articles about it?

The one you mentioned is probably the most complete introduction I've seen.
Unfortunately, the MSDN documentation isn't likely to be much help until
you've understood the underlying mechanism and can put the specifics into
context.

> I can see that licensing must be applied to each class and form. Is there
> a way to apply licensing to a whole project, such as a dll project?

AFAIK, not directly. However, you could use a post-compiler like XC#
(http://www.resolvecorp.com) to map a custom assembly-level attribute into
member-level code.


 
