21322

class library security & license technology

Question:

I asked a question regarding assembly security and someone told me few things:

<blockquote>

You could invoke a licensing technology when the library was to be instantiated. What I've done in the past is include a public key as a resource to the dll, and then look for a license xml document with a cryptographic signature signed with my private key. As long as I keep close track of my private key, it's pretty difficult to defeat.

</blockquote>

After reading this I have some questions:

<ol><li>How to invoke my licensing technology when I'm developing a class library?</li> <li>How to add a public key as a resource to the assembly?</li> <li>How to look for a license xml document with a cryptographic signature signed with my private key and from where & when to look?</li> </ol>

It will be better if anyone please help me to understand the things in detail to implement the above security. Thanks a lot.

Answer1:

"Licensing technology" is basically the methods he goes into more detail about in the rest of the paragraph. A "license" is little more than proof of permission for an actor (either the user themselves, or other code being run on their behalf) to use your code. It doesn't have to be some universal standard like an SSL certificate. It just needs to be known to you, and difficult to fake by others.

As for resources, this is just something inherent in .Net. in VS Solution Explorer, go to the project you want to be able to access your restricted DLL from. The first item in its expanded contents will be a Properties folder; under that you should find an item Resources.resx. Open it up and you'll get a GUI that will allow you to reference strings, images, plain text files, etc. which can be compiled into or kept alongside the DLL when the solution is built. This is where you'd specify a string that is some encrypted, known value. Probably the most secure string to encrypt would be the strong name or GUID of the assembly, because then you could compare what you decrypt with the assembly information of the caller, preventing someone from getting the encrypted string out of one of your libraries and using it in theirs. In your restricted DLL, you can use the same feature to store the decryption key you will use to decode the string provided by calling DLLs.

There are numerous resources available for tutorials on how to use RSA encryption (the encryption method inferred here) in .NET. There is an RsaCryptoServiceProvider that will perform encryption/decryption, generate keys, etc; all you have to do is drop it in. Something that may be confusing is that in asymmetric-key algorithms like RSA, data is usually encrypted using the "public" key and decrypted using the "private" key. This is because assymmetric keys are usually used over public communication channels, and you need to give the remote party a key they can use to write messages that you will then decode. However, in this case, your restricted DLL must decrypt the data it needs to compare, and so it needs a fixed "private key". This makes the decryption key "public" to anyone with .NET Reflector or some similar disassembler. However, if you, the developer, are the only one that can provide encrypted strings to DLLs that are authorized to access your DLL, then you can keep the encryption key secret.

Recommend

  • Get type from class name in Scala
  • Performance and static method versus public method
  • can we post on multiple user's Facebook wall at same time
  • How can I test TCP socket status in Perl?
  • Sphinx: Linking to Embedded Binary Files (PDFs)
  • awk or sed CSV file manipulation
  • Raise Session_OnStart event from custom ASP.NET SessionStateProvider class
  • How can I check the type of the next element?
  • Parallelizing random forests
  • Entity Framework Core: Include many-to-many related objects in WebAPI
  • Java : Simple XML not parsing the xml. Gives Exception
  • In Akka, is ActorContext thread safe?
  • Lua: Line breaks in strings
  • Python/Javascript: WYSIWYG html editor - Handle large documents fast and/or design theory
  • Regex for Specific Tag
  • How can we prepend rows to a react native list-view?
  • Retrieve IP address of device
  • cygwin cannot exec 'git-add--interactive' permission denied
  • What's the purpose of QString?
  • Django simple Captcha “No module named fields” error
  • Limiting recursion to certain level - Duplicate rows
  • Jackson Parser: ignore deserializing for type mismatch
  • How to set ini file attributes during an Inno install
  • C# - Serializing and deserializing static member
  • Spray.io: When (not) to use non-blocking route handling?
  • Bug in WPF DataGrid
  • Incrementing object id automatically JS constructor (static method and variable)
  • SVN: Merging two branches together
  • Hibernate gives error error as “Access to DialectResolutionInfo cannot be null when 'hibernate.
  • Unit Testing MVC Web Application in Visual Studio and Problem with QTAgent
  • Benchmarking RAM performance - UWP and C#
  • Acquiring multiple attributes from .xml file in c#
  • How to CLICK on IE download dialog box i.e.(Open, Save, Save As…)
  • Can Visual Studio XAML designer handle font family names with spaces as a resource?
  • Authorize attributes not working in MVC 4
  • How can I remove ASP.NET Designer.cs files?
  • Busy indicator not showing up in wpf window [duplicate]
  • Python/Django TangoWithDjango Models and Databases
  • java string with new operator and a literal
  • Net Present Value in Excel for Grouped Recurring CF