471,612 Members | 2,506 Online
Bytes | Software Development & Data Engineering Community
Post +

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 471,612 software developers and data experts.

Securing assembly question

Hi,

My main application is calling a couple of dll assembly that we made. I
want to secure those dll assembly so they can't be used by a third party.

I did a couple of test with
[assembly: AssemblyKeyFile(@"..\..\myKey.snk")] on both side, caller and
dll assembly, but does not succeed to secure the assembly. (myKey.snk is
gnerated with 'sn -k myKey.snk')

and I've read this article
http://www.morganskinner.com/Article...ityPermission/
and in this case we paste the key in the code of the dll assembly like this:
[StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="00240000048000009400000006020000" +

"..." +
"1c6056092c2ac48a8b27c53631f7d5b6")]

But what happen when this key has to change in 50 dlls, can it be taken
from a file?

So I would liks to know what is the best way to secure the dll assembly?

Thanks
Marty
Nov 25 '05 #1
3 1329
"Marty" <xm******@hotmail.com> wrote in message
news:TMHhf.170020$Io.44557@clgrps13...
Hi,

My main application is calling a couple of dll assembly that we made. I
want to secure those dll assembly so they can't be used by a third party.
StrongNameIdentityPermission verifications are quite trivial to bypass by
code with certain "high privilege" CAS permissions. In addition, all code
running with unrestricted CAS permissions (aka "full trust") automatically
passes demands for any identity permission in v. 2.0. Given this, you might
want to consider using some alternate mechanism (e.g.: licensing) for
limiting the callers into your assemblies.

I did a couple of test with
[assembly: AssemblyKeyFile(@"..\..\myKey.snk")] on both side, caller and
dll assembly, but does not succeed to secure the assembly. (myKey.snk is
gnerated with 'sn -k myKey.snk')
Exactly what were you hoping that simply signing the assembly would
accomplish with respect to "securing the assembly"?
and I've read this article
http://www.morganskinner.com/Article...ityPermission/
and in this case we paste the key in the code of the dll assembly like
this:
[StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="00240000048000009400000006020000" +
"..." +
"1c6056092c2ac48a8b27c53631f7d5b6")]

But what happen when this key has to change in 50 dlls, can it be taken
from a file?
Yes. The value can be supplied via a constant, and that constant can be
defined in a file linked into your project.


So I would liks to know what is the best way to secure the dll assembly?

Thanks
Marty

Nov 28 '05 #2
Hi Nicole,

Thank you for your reply, this is pretty interesting.

Your suggestions about the "Licensing" is interesting and I've found an
article about it: http://windowsforms.net/articles/Licensing.aspx

Do you have other great articles about it?

I can see that licensing must be aplied to each class and forms. is
there a way to apply licensing to a whole project, such as a dll project?

Regards,
Marty

Nicole Calinoiu wrote:
"Marty" <xm******@hotmail.com> wrote in message
news:TMHhf.170020$Io.44557@clgrps13...
Hi,

My main application is calling a couple of dll assembly that we made. I
want to secure those dll assembly so they can't be used by a third party.

StrongNameIdentityPermission verifications are quite trivial to bypass by
code with certain "high privilege" CAS permissions. In addition, all code
running with unrestricted CAS permissions (aka "full trust") automatically
passes demands for any identity permission in v. 2.0. Given this, you might
want to consider using some alternate mechanism (e.g.: licensing) for
limiting the callers into your assemblies.
I did a couple of test with
[assembly: AssemblyKeyFile(@"..\..\myKey.snk")] on both side, caller and
dll assembly, but does not succeed to secure the assembly. (myKey.snk is
gnerated with 'sn -k myKey.snk')

Exactly what were you hoping that simply signing the assembly would
accomplish with respect to "securing the assembly"?

and I've read this article
http://www.morganskinner.com/Article...ityPermission/
and in this case we paste the key in the code of the dll assembly like
this:
[StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="00240000048000009400000006020000" +
"..." +
"1c6056092c2ac48a8b27c53631f7d5b6")]

But what happen when this key has to change in 50 dlls, can it be taken
from a file?

Yes. The value can be supplied via a constant, and that constant can be
defined in a file linked into your project.
So I would liks to know what is the best way to secure the dll assembly?

Thanks
Marty


Nov 30 '05 #3
"Marty" <xm******@hotmail.com> wrote in message
news:hMjjf.132948$y_1.35447@edtnps89...
Hi Nicole,

Thank you for your reply, this is pretty interesting.

Your suggestions about the "Licensing" is interesting and I've found an
article about it: http://windowsforms.net/articles/Licensing.aspx

Do you have other great articles about it?
The one you mentioned is probably the most complete introduction I've seen.
Unfortunately, the MSDN documentation isn't likely to be much help until
you've understood the underlying mechanism and can put the specifics into
context.

I can see that licensing must be aplied to each class and forms. is there
a way to apply licensing to a whole project, such as a dll project?
AFAIK, not directly. However, you could use a post-compiler like XC#
(http://www.resolvecorp.com) to map a custom assembly-level attribute into
member-level code.

Regards,
Marty

Nicole Calinoiu wrote:
"Marty" <xm******@hotmail.com> wrote in message
news:TMHhf.170020$Io.44557@clgrps13...
Hi,

My main application is calling a couple of dll assembly that we made. I
want to secure those dll assembly so they can't be used by a third party.

StrongNameIdentityPermission verifications are quite trivial to bypass by
code with certain "high privilege" CAS permissions. In addition, all
code running with unrestricted CAS permissions (aka "full trust")
automatically passes demands for any identity permission in v. 2.0.
Given this, you might want to consider using some alternate mechanism
(e.g.: licensing) for limiting the callers into your assemblies.
I did a couple of test with
[assembly: AssemblyKeyFile(@"..\..\myKey.snk")] on both side, caller and
dll assembly, but does not succeed to secure the assembly. (myKey.snk is
gnerated with 'sn -k myKey.snk')

Exactly what were you hoping that simply signing the assembly would
accomplish with respect to "securing the assembly"?

and I've read this article
http://www.morganskinner.com/Article...ityPermission/
and in this case we paste the key in the code of the dll assembly like
this:
[StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="00240000048000009400000006020000" +
"..." +
"1c6056092c2ac48a8b27c53631f7d5b6")]

But what happen when this key has to change in 50 dlls, can it be taken
from a file?

Yes. The value can be supplied via a constant, and that constant can be
defined in a file linked into your project.
So I would liks to know what is the best way to secure the dll assembly?

Thanks
Marty



Nov 30 '05 #4

This discussion thread is closed

Replies have been disabled for this discussion.

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.