Hi Richard Blewett, regarding the CAS post earlier on!

Hi there,

Sorry for the late reply. I was busy attending Microsoft Teched 2004 Malaysia.

Oh, I didn't know you can set off the security in CAS.

Sigh!

on install you could have an encrypted value accessible somewhere that said
what kind of version it was
--> Do you think you can elaborate more on this? You mean during deployment
of my dll to another machine, and check the version? So if I do this, no more
CAS attributes anymore in my codes?

I am interested to know more.

I thought CAS is everything to my solution, now sad... had to re-think!

Thanks.
--
Regards,
Chua Wen Ching :)
Nov 16 '05 #1
Oh ya 1 more thing to confirm, with what you replied earlier.

Are you sure caspol can switch off this:

Master.dll (different master.dll for different clients that needs different
requirements) which communicates with a dongle (some security mechanism here)
--> communicates --> MyFramework.dll (which had CAS in each methods)

example:

[some mechanism, that if you use this assembly with the right GUID]
public void FuncA();

If the master.dll was found to a different version or GUID, then will reject
this function.

Caspol can remove this? Or it removes off the security policy set on the
.NET assemblies?

I need to double confirm with you.
Nov 16 '05 #2
If

[some mechanism, that if you use this assembly with the right GUID]

means a custom CAS permission, then yes, caspol -S off will disable the check.

If it means you perform some check in code that is not CAS based, then no, it will not.

Regards

Richard Blewett - DevelopMentor

http://staff.develop.com/richardb/weblog

Nov 16 '05 #3
OK, here's a mechanism using public/private key encryption:

Give people a licence number when they purchase the library that encodes whether the version is academic or professional.

Have your code look for the existence of a value in the registry that has been encrypted with your private key. If the value does not exist or, upon decryption with the public key (which you put in your code), the value is incorrect, limit the code to the 3 functions. If it is correct, enable all 10 functions.

Have an activation application where they are allowed to activate the library. This calls a web service which has access to your private key, passing the license number. If the installation is for a professional version, the web service returns the encrypted value, which gets stored in the registry.

It's not foolproof; it's still possible to crack the app by decompiling, removing the registry check and recompiling, so strong naming etc. will be another line of defence ...but that can be removed with enough time and know-how.

Essentially you have to make it more expensive to crack than the difference in buying the professional version in the first place.

The last issue is that it means the professional version won't work fully unless the user has access to the internet - for business applications this is not generally an issue, but it depends on your application and customers.

Regards

Richard Blewett - DevelopMentor

http://staff.develop.com/richardb/weblog

Nov 16 '05 #4
Hi Richard again,

I just want to confirm.

1)

[some mechanism, that if you use this assembly with the right GUID]
means a custom CAS permission, then yes caspol -S off will disable the check.
if it means you perform some check in code that is not CAS based then no it
will not
--> perform some check in the code, you mean using my custom made
attributes, and caspol tool will not work anymore? Is it wise to write my
custom security attributes?

2)

Have your code look for the existence of a value in the registry that has
been encrypted with your private key. If the value does not exist or, upon
decryption with the public key (which you put in your code) the value is
incorrect, limit the code to the 3 functions. If it is correct enable all 10
functions.
--> Doesn't this, after all, have to use CAS? If not, how do I disable all
the 7 functions if the value is incorrect! Can't caspol disable the security
set within the .dll?

3)

Have an activation application where they are allowed to activate the
library. This calls a web service which has access to your private key,
passing the license number. If the installation is for a professional version
the web service returns the encrypted value which gets stored in the registry.
--> Rather than use internet, why can't I use dongle? You know the USB
device that you can plug into the computer to check the validity of the dll
license. No need internet at all!

4)

It's not foolproof, it's still possible to crack the app by decompiling,
removing the registry check and recompiling, so strong naming etc will be
another line of defence ...but that can be removed with enough time and know
how.
--> Yes I heard of this way, but by using strong names can prevent it. But
you say strong names can be removed. Can you teach me how?

5)

Do you have an email or msn which I can contact you?

*I am planning to write an article on this CAS, from what I learn and use
for my work. Will be useful for people in future.

Thanks again.

Regards,
Chua Wen Ching
Nov 16 '05 #5
1) I mean you have code like:

    if (!professionalEnabled)
        throw new LicensingException("You need to pay more money");

CAS has no concept of this and so turning it off would not stop the check working. Of course the crucial thing is how do you determine whether the professionalEnabled is set to true or not - which brings me to my next point.

2)

    internal class LicenseChecker
    {
        // the readonly means that it can't be set via reflection
        public static readonly bool ProfessionalEnabled;

        static LicenseChecker()
        {
            // check the registry for an encrypted value
            // Decrypt with the public key
            string regValue = null; // decrypted value from the two steps above (not shown in the post)

            if (regValue == "pro") // check the decrypted value
            {
                ProfessionalEnabled = true;
            }
        }

        public void ProfessionalOnlyFunction()
        {
            if (!LicenseChecker.ProfessionalEnabled)
                throw new LicenseException();

            // ...
        }
    }

3) Yes, I guess a dongle would work, but while you give people the pieces of the security infrastructure, the easier it is for them to work out a way round - whatever algorithms, etc. are necessary to make your checks work are available to the client who has enough time and expertise. If that code is on another machine that you control, they can't examine the algorithms. If you don't want someone to reverse engineer your code, the only thing you can do is not give them your code at the end of the day.

4) Say you have a strong named assembly Foo.dll. Hack it with a Binary Editor. Now run

sn -Vr foo.dll

You've now switched off verification checking (the process by which the assembly loader checks to see whether an assembly has been tampered with) for that assembly on this machine.

5) richardb AT NOSPAM develop DOT com

Regards

Richard Blewett - DevelopMentor

http://staff.develop.com/richardb/weblog

Nov 16 '05 #6
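
The licence check described in replies #4 and #6, written out as an added example (not code from the thread or from any poster). What the thread calls "encrypted with your private key" is implemented here as an RSA signature over the licence payload, verified with the public key shipped in the library; the token format, all type and method names, and the sample licence numbers are assumptions, the registry read is replaced by a string argument, and modern .NET (6 or later) is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; every name here is hypothetical.
enum Edition { Academic, Professional }

static class LicenseVerifier
{
    // Assumed token format: base64(payload) + "." + base64(signature),
    // where payload = "edition=<academic|pro>;license=<number>".
    public static Edition Check(string storedToken, RSAParameters vendorPublicKey, string licenseNumber)
    {
        // Fail closed: a missing or malformed value yields the limited edition.
        if (string.IsNullOrEmpty(storedToken)) return Edition.Academic;
        string[] parts = storedToken.Split('.');
        if (parts.Length != 2) return Edition.Academic;

        byte[] payload, signature;
        try
        {
            payload = Convert.FromBase64String(parts[0]);
            signature = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException) { return Edition.Academic; }

        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(vendorPublicKey);
            // Verify before parsing, so unsigned bytes are never interpreted.
            if (!rsa.VerifyData(payload, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pss))
                return Edition.Academic;
        }

        // Bind the token to this customer's licence number, not just to "pro".
        string expected = "edition=pro;license=" + licenseNumber;
        return Encoding.UTF8.GetString(payload) == expected ? Edition.Professional : Edition.Academic;
    }
}

static class Demo
{
    // Stands in for the activation web service, the only holder of the private key.
    static string Issue(RSA vendorKey, string edition, string licenseNumber)
    {
        byte[] payload = Encoding.UTF8.GetBytes("edition=" + edition + ";license=" + licenseNumber);
        byte[] sig = vendorKey.SignData(payload, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(sig);
    }

    static void Main()
    {
        using (RSA vendorKey = RSA.Create(2048))      // constructed demo key pair
        {
            RSAParameters publicKey = vendorKey.ExportParameters(false);
            string lic = "DEMO-0001";                   // constructed licence number

            string pro = Issue(vendorKey, "pro", lic);
            string academic = Issue(vendorKey, "academic", lic);
            // Edited stored value: "pro" payload paired with the academic signature.
            string edited = Convert.ToBase64String(Encoding.UTF8.GetBytes("edition=pro;license=" + lic))
                            + "." + academic.Split('.')[1];

            Console.WriteLine("valid pro token:        " + LicenseVerifier.Check(pro, publicKey, lic));
            Console.WriteLine("valid academic token:   " + LicenseVerifier.Check(academic, publicKey, lic));
            Console.WriteLine("edited payload:         " + LicenseVerifier.Check(edited, publicKey, lic));
            Console.WriteLine("value missing:          " + LicenseVerifier.Check(null, publicKey, lic));
            Console.WriteLine("other licence number:   " + LicenseVerifier.Check(pro, publicKey, "DEMO-0002"));
        }
    }
}
```

The signature only stops the stored value from being forged or edited; as reply #4 says, the check itself still lives in code the customer holds.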
