Best IT Recipes

Can strong assembly naming be used to verify the author of an assembly?

I read the related article on MSDN, Strong-Named Assemblies and the related stack overflow question, Build validation for a strong name .

  • To what extent can a strong named assembly be verified to avoid fake?
  • Can I use a strong name to verify the author of the assembly?

The first question arises after reading the CSharp411 .NET Assembly FAQ - Part 3 - Strong Names and Signatures , which mentions this, among other problems with using strong names:

Unable to stop full replacement. . Strong names cannot stop a hacker from deleting a strong signature, maliciously modifying your assembly, re-signing it with your key, and then transferring your assembly like yours. "

The second question is to find the differences between strong names and other signing schemes, for example, Authenticode . The same MSDN article mentions early conditions:

"Please note, however, that strong names alone do not imply such a level of trust as is provided, for example, by a digital signature and a confirmation certificate."

Am I trying to use a strong name for much more than it was created? Was a strong name created just to avoid name conflicts or the new "GAC DLL Hell" type?

+19
security assemblies strongname
Dec 15 '08 at 18:17
source share
4 answers

When you sign an assembly with a strong name based on the private key you create, this has the following advantages:

  • A strong name ensures that the assembly identifier is unique by adding a public key token and digital signature to the assembly.
  • A strong name can be mapped to a public key to prove that the assembly comes from the publisher with this public key and only with this publisher.
  • A strong name provides reliable integrity checking. Passing the .NET Framework security checks ensures that the contents of the assembly have not been modified since the last assembly.

Can I use a strong name to verify the author of the assembly?

Yes, as discussed above, a strong name can verify the author of the assembly last . But he does not check the original author. If an attacker replaces your strong build name, all you can verify is that you were not the last author of the assembly. If he removes the strong name, then no author check can be performed at all.

To what extent can a strong named assembly be verified to avoid fake?

The following C # code verifies that the attacker did not fake the public key token that was written to your assembly when you used the strong name. He does not avoid fakes, but can detect some types of fakes. The method below takes an array of bytes containing the public key token, and compares it with the actual build token. Note that in order for this method to be effective, your selection obfuscator must encrypt the string containing your public key token, and only decrypt it on the fly as it is used. And also keep in mind that you need FullTrust permission for this code to work, because it uses reflection under the hood.

// Check that public key token matches what expected. private static bool IsPublicTokenOkay_Check(byte [] tokenExpected) { // Retrieve token from current assembly byte [] tokenCurrent = Assembly.GetExecutingAssembly().GetName().GetPublicKeyToken(); // Check that lengths match if (tokenExpected.Length == tokenCurrent.Length) { // Check that token contents match for (int i = 0; i < tokenCurrent.Length; i++) if (tokenExpected[i] != tokenCurrent[i]) return false; } else { return false; } return true; }

While you are running a version of the .NET Framework prior to .NET 3.5 SP1, you can also force the strong name signature to be verified if the strong name was deleted by an attacker or the strong name verification was disabled in the registry. The following code demonstrates a call in the static method of another class called NativeMethods. This will check.

 // Check that this assembly has a strong name. private bool IsStrongNameValid_Check() { byte wasVerified = Convert.ToByte(false); byte forceVerification = Convert.ToByte(true); string assemblyName = AppDomain.CurrentDomain.BaseDirectory + AppDomain.CurrentDomain.FriendlyName; return NativeMethods.CheckSignature(assemblyName, forceVerification, ref wasVerified); }

Actual signature verification is done using P / Invoke, as shown below. Using the StrongNameSignatureVerificationEx API is pretty tricky - for a decent explanation, see this blog post .

 // P/Invoke to check various security settings // Using byte for arguments rather than bool, // because bool won't work on 64-bit Windows! [DllImport("mscoree.dll", CharSet=CharSet.Unicode)] private static extern bool StrongNameSignatureVerificationEx(string wszFilePath, byte fForceVerification, ref byte pfWasVerified); // Private constructor because this type has no non-static members private NativeMethods() { } public static bool CheckSignature(string assemblyName, byte forceVerification, ref byte wasVerified) { return StrongNameSignatureVerificationEx(assemblyName, forceVerification, ref wasVerified ); }

Please note that this will not work by default for applications using .NET 3.5 SP1 or higher, which has the function to disable this function for your application by adding a parameter to its configuration file. But, of course, any attacker with read and write access to this configuration file can reverse your decision.

+21
Dec 15 '08 at 19:40
source share

Authenticode relies on a third-party certificate authority to verify the certificate. Strong naming conventions act as a self-signed certificate and can be considered as such. It uses standard digital signatures, but the problem is really checking the author’s public key of the assembly. If you receive it separately through a trusted channel from the author, and you trust this channel, then yes, you can verify it in the same way as a self-signed certificate.

As long as you are sure that the secret key of a strong name is kept secure by the author and you know the public author’s key, you can make sure that it is not tampered with (to the extent that you can verify that the digital signature is not tampered with ) By the way, do not get me wrong: the quote is completely correct, and an attacker can easily resign or delete an existing signature. However, the resulting assembly will have ** another * digital signature that can be verified on the original (if you have a public key).

In this case, it is similar to a self-signed certificate. If you can somehow verify the author’s public key, you can check the credentials. However, unlike Authenticode, which relies on a certification authority, there is no simple, systematically defined way to distribute a public key.

+12
Dec 15 '08 at 18:27
source share

I think that strong names are useful for version control and can be used to configure trust levels to protect the Change : access code , but you cannot use them to verify the assembly by someone who is trusted or specific. See the comment from @RoadWarrior and @RoadWarrior for this question.

Strongly naming your assembly does not protect it from unauthorized access.
Edit: See comments from @RoadWarrior and @divo. If your application checks the original secret key from the author of the assembly and forcibly checks the name is correct, my statement is incorrect. If, however, the attacker has access to all the assemblies in your application and / or you use the syntax code authentication provided for free, but I agree with what I said.

This can be undermined by a specific attacker .

I read a discussion some time ago about strong names and security, which made me believe that for the assemblies we produce, authentication was a better guarantee for our customers that the assembly was obtained from a reliable source.

+1
Dec 15 '08 at 18:40
source share

I believe that there is a way to use a strong name for the purpose of "Trust". I understand that Microsoft recommends only a strong name so that the contents of the assembly are not changed, and suggests using "Authenticode" for authentication.

But if the downloader application (the application that downloads these assemblies / programs) supports an encrypted list of “assemblies” that it can download; whether the problem of "trust" will solve?

For example, can a package loader maintain the assembly name with public keys and load the assembly / program through the fully qualified name of the assembly?

0
Jul 22 '16 at 18:27
source share


More articles:


All Articles