Hi Richard Blewett, regarding the CAS post earlier on!

Hi there,

Sorry for the late reply. I was busy attending Microsoft Teched 2004 Malaysia.

Oh, I didn't know you can set off the security in CAS.

Sigh!

on install you could have an encrypted value accessible somewhere that said
what kind of version it was
--> Do you think you can elaborate more on this? You mean during deployment
of my dll to another machine, and check the version? So if I do this, no more
CAS attributes anymore in my code?

I am interested to know more.

I thought CAS is everything to my solution, now sad... had to re-think!

Thanks.
--
Regards,
Chua Wen Ching :)
Nov 16 '05 #1
Oh ya 1 more thing to confirm, with what you replied earlier.

Are you sure caspol can switch off this:

Master.dll (a different master.dll for different clients that need different
requirements) which communicates with a dongle (some security mechanism here)
--> communicates --> MyFramework.dll (which has CAS on each method)

example:

[some mechanism, that if you use this assembly with the right GUID]
public void FuncA();

If the master.dll is found to be a different version or GUID, then it will reject
this function.

Can caspol remove this? Or does it remove the security policy set on the
.NET assemblies?

I need to double confirm with you.
Nov 16 '05 #2
If

[some mechanism, that if you use this assembly with the right GUID]

means a custom CAS permission, then yes, caspol -S off will disable the check.

If it means you perform some check in code that is not CAS-based, then no, it will not.

Regards

Richard Blewett - DevelopMentor

http://staff.develop.com/richardb/weblog


---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.760 / Virus Database: 509 - Release Date: 10/09/2004

[microsoft.public.dotnet.languages.csharp]
Nov 16 '05 #3
OK, here's a mechanism using public/private key encryption:

Give people a licence number when they purchase the library that encodes whether the version is academic or professional.

Have your code look for the existence of a value in the registry that has been encrypted with your private key. If the value does not exist or, upon decryption with the public key (which you put in your code), the value is incorrect, limit the code to the 3 functions. If it is correct, enable all 10 functions.

Have an activation application where they are allowed to activate the library. This calls a web service which has access to your private key, passing the license number. If the installation is for a professional version, the web service returns the encrypted value, which gets stored in the registry.

It's not foolproof; it's still possible to crack the app by decompiling, removing the registry check and recompiling, so strong naming etc. will be another line of defence ...but that can be removed with enough time and know-how.

Essentially you have to make it more expensive to crack than the difference in buying the professional version in the first place.

The last issue is that it means the professional version won't work fully unless the user has access to the internet - for business applications this is not generally an issue, but it depends on your application and customers.

Regards

Richard Blewett - DevelopMentor

http://staff.develop.com/richardb/weblog

Nov 16 '05 #4
Hi Richard again,

I just want to confirm.

1)

[some mechanism, that if you use this assembly with the right GUID]
means a custom CAS permission, then yes caspol -S off will disable the check.
if it means you perform some check in code that is not CAS based then no it
will not
--> perform some check in the code, you mean using my custom-made
attributes, and the caspol tool will not work anymore? Is it wise to write my
custom security attributes?

2)

Have your code look for the existence of a value in the registry that has
been encrypted with your private key. If the value does not exist or, upon
decryption with the public key (which you put in your code) the value is
incorrect, limit the code to the 3 functions. If it is correct enable all 10
functions.
--> Doesn't this, after all, have to use CAS? If not, how do I disable all
the 7 functions if the value is incorrect? Can't caspol disable the security
set within the .dll?

3)

Have an activation application where they are allowed to activate the
library. This calls a web service which has access to your private key,
passing the license number. If the installation is for a professional version
the web service returns the encrypted value which gets stored in the registry.
--> Rather than use the internet, why can't I use a dongle? You know, the USB
device that you can plug into the computer to check the validity of the dll
license. No need for the internet at all!

4)

It's not foolproof, it's still possible to crack the app by decompiling,
removing the registry check and recompiling, so strong naming etc will be
another line of defence ...but that can be removed with enough time and
know-how.
--> Yes, I heard of this way, but using strong names can prevent it. But
you say strong names can be removed. Can you teach me how?

5)

Do you have an email or MSN on which I can contact you?

*I am planning to write an article on this CAS, from what I learn and use
for my work. It will be useful for people in future.

Thanks again.

Regards,
Chua Wen Ching

Nov 16 '05 #5
1) I mean you have code like:

    if (!professionalEnabled)
        throw new LicensingException("You need to pay more money");

CAS has no concept of this and so turning it off would not stop the check working. Of course the crucial thing is how you determine whether professionalEnabled is set to true or not - which brings me to my next point.

2)

    internal class LicenseChecker
    {
        // the readonly means that it can't be set via reflection
        public static readonly bool ProfessionalEnabled;

        static LicenseChecker()
        {
            // check the registry for an encrypted value
            // Decrypt with the public key
            string regValue = null; // placeholder: assign the decrypted registry value here

            if (regValue == "pro") // check the decrypted value
            {
                ProfessionalEnabled = true;
            }
        }

        public void ProfessionalOnlyFunction()
        {
            if (!LicenseChecker.ProfessionalEnabled)
                throw new LicensingException("You need to pay more money"); // same custom exception as in 1)

            // ...
        }
    }

3) Yes, I guess a dongle would work, but the more you give people the pieces of the security infrastructure, the easier it is for them to work out a way round - whatever algorithms, etc. are necessary to make your checks work are available to the client who has enough time and expertise. If that code is on another machine that you control, they can't examine the algorithms. If you don't want someone to reverse engineer your code, the only thing you can do is not give them your code at the end of the day.

4) Say you have a strong named assembly Foo.dll. Hack it with a Binary Editor. Now run

    sn -Vr foo.dll

You've now switched off verification checking (the process by which the assembly loader checks to see whether an assembly has been tampered with) for that assembly on this machine.

5) richardb AT NOSPAM develop DOT com

Regards

Richard Blewett - DevelopMentor

http://staff.develop.com/richardb/weblog

Nov 16 '05 #6
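
The licence check sketched in replies #4 and #6, written out as an added example that is not code from the thread. It uses an RSA signature, which is the standard form of "encrypted with your private key, checked with the public key"; the token format, class names, licence numbers and the in-memory string standing in for the registry value are all assumptions, and the key pair is generated on the spot only so the demo runs.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Vendor side: runs only on the activation web service, which holds the private key.
static class ActivationService
{
    // Returns "payload.signature" (both base64); payload is "edition|licenceNumber".
    public static string Issue(RSA privateKey, string edition, string licenceNumber)
    {
        byte[] payload = Encoding.UTF8.GetBytes(edition + "|" + licenceNumber);
        byte[] sig = privateKey.SignData(payload, HashAlgorithmName.SHA256,
                                         RSASignaturePadding.Pkcs1);
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(sig);
    }
}

// Client side: ships inside the library; only the public key is embedded.
static class LicenceVerifier
{
    // True only if the stored value is well formed, the signature verifies, and the
    // signed payload names the professional edition for this licence number.
    public static bool IsProfessional(RSAParameters publicKey, string token, string licenceNumber)
    {
        if (string.IsNullOrEmpty(token)) return false;   // value missing: stay on the limited set
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;

        byte[] payload, sig;
        try
        {
            payload = Convert.FromBase64String(parts[0]);
            sig = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException) { return false; }        // truncated or edited value

        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            if (!rsa.VerifyData(payload, sig, HashAlgorithmName.SHA256,
                                RSASignaturePadding.Pkcs1))
                return false;
        }
        // Interpret the payload only after its signature has been verified.
        return Encoding.UTF8.GetString(payload) == "pro|" + licenceNumber;
    }
}

static class Demo
{
    static void Main()
    {
        using (RSA vendorKey = RSA.Create(2048))          // constructed key pair for the demo
        {
            RSAParameters pub = vendorKey.ExportParameters(false);
            string lic = "LIC-0001";                      // constructed licence number
            // Stands in for the value the activation step writes to the registry.
            string stored = ActivationService.Issue(vendorKey, "pro", lic);

            // Correctly issued value.
            Console.WriteLine(LicenceVerifier.IsProfessional(pub, stored, lic));
            // No value stored at all.
            Console.WriteLine(LicenceVerifier.IsProfessional(pub, null, lic));
            // Payload edited after issue, original signature kept: must be rejected.
            string edited = Convert.ToBase64String(Encoding.UTF8.GetBytes("pro|LIC-9999"))
                            + "." + stored.Split('.')[1];
            Console.WriteLine(LicenceVerifier.IsProfessional(pub, edited, "LIC-9999"));
        }
    }
}
```

In the library, the result of `IsProfessional` would set a flag like `ProfessionalEnabled` in reply #6; as reply #4 notes, the check can still be removed from a decompiled assembly, so it raises the cost of tampering rather than preventing it.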
