verifying the authentity of an assembly producer with strong naming?

Re: verifying the authentity of an assembly producer with strong naming?


"Reinhold Schalk" <ReiSchalk@gmx. de> wrote in message
news:%23LWrcOul DHA.2404@TK2MSF TNGP12.phx.gbl. ..[color=blue]
> Hello,
> somewhere i've read that using strong names does assure two things:
> 1. Assure that the content of the assembly is not modified (that's ok in[/color]
my[color=blue]
> opinion)
> 2. Assure that the assembly is really from the "fabricator " (?)
>
> If these two point are correct (i'm not sure), i have a problem with point
> 2.
> To assure the authentity of the fabricator, the public key (which is a[/color]
part[color=blue]
> of the manifest) has to be checked against a certificate.
> Is this really done? If yes, who does this? And what about the SN.EXE
> Tool - it's possible to generate a lot of keypairs (for testing).
> Certainly in a PKI a company would have a public - private key pair an[/color]
would[color=blue]
> probably use delayed signing.
> But how can a client computer really check, whether the installed assembly
> is really from this company (checking the public key).
> I'm a little bit confused.[/color]

Well, basically, an assembly that is linked against a signed assembly has a
reference to the public key token of the signed assembly(its part of the
full type name), so it can verify that that assembly is, indeed, the
assembly that it is supposed to link to. It also wouldn't be impossible for
a tool\class to be written that can check against a published key on the
producers server. You could, for example, have a loader class that will only
load assemblies signed with a set of keys that are under administrative
control, or you can apply permissions based on public key.

The verification can be circumvented, of course, completly removing all
signing from all assemblies is one way, possibly resigning them. Signed code
basically allows untampered with code to verify that the called assembly
hasn't been tampered with as well as allowing endusers a way to verify that
they have an assembly that was signed with a specific companys private key.
There isn't much more of a benifit than that, that I can think of anyway.

I don't understand what the questino about SN is, could you clarify it a
bit?[color=blue]
>
> Perhaps someone can help me.
> Thank in advance.
> Reinhold
>
>[/color]

Re: verifying the authentity of an assembly producer with strong naming?

Hello Daniel,
thanks for your reply.
Yes, indeed i do also think, that the primary benefit of strong named
assembly from the endusers point of view is, to know exactly that the
assembly is untampered (not modified).
And if i have understood everthing right, there is no way of "automatica lly"
checking the public key against a certificate, that means really verifying
that the assembly is really from a specific company (Company X delivers a
strong named assembly and says it's from them (does contain their public
key)).
You are right - perhaps one could write a custom loader class who does this
verification, but that's not the way one would like to go...

Concerning SN-Tool i do not have a question. I have justed mentioned it, if
there would have been a way to verifiy the public key, how would this be
accomplished using the public key generated from SN.EXE.

Again thanks for your reply
Reinhold

"Daniel O'Connell" <onyxkirx@--NOSPAM--comcast.net> schrieb im Newsbeitrag
news:HdNkb.6002 75$cF.264585@rw crnsc53...[color=blue]
>
> "Reinhold Schalk" <ReiSchalk@gmx. de> wrote in message
> news:%23LWrcOul DHA.2404@TK2MSF TNGP12.phx.gbl. ..[color=green]
> > Hello,
> > somewhere i've read that using strong names does assure two things:
> > 1. Assure that the content of the assembly is not modified (that's ok in[/color]
> my[color=green]
> > opinion)
> > 2. Assure that the assembly is really from the "fabricator " (?)
> >
> > If these two point are correct (i'm not sure), i have a problem with[/color][/color]
point[color=blue][color=green]
> > 2.
> > To assure the authentity of the fabricator, the public key (which is a[/color]
> part[color=green]
> > of the manifest) has to be checked against a certificate.
> > Is this really done? If yes, who does this? And what about the SN.EXE
> > Tool - it's possible to generate a lot of keypairs (for testing).
> > Certainly in a PKI a company would have a public - private key pair an[/color]
> would[color=green]
> > probably use delayed signing.
> > But how can a client computer really check, whether the installed[/color][/color]
assembly[color=blue][color=green]
> > is really from this company (checking the public key).
> > I'm a little bit confused.[/color]
>
> Well, basically, an assembly that is linked against a signed assembly has[/color]
a[color=blue]
> reference to the public key token of the signed assembly(its part of the
> full type name), so it can verify that that assembly is, indeed, the
> assembly that it is supposed to link to. It also wouldn't be impossible[/color]
for[color=blue]
> a tool\class to be written that can check against a published key on the
> producers server. You could, for example, have a loader class that will[/color]
only[color=blue]
> load assemblies signed with a set of keys that are under administrative
> control, or you can apply permissions based on public key.
>
> The verification can be circumvented, of course, completly removing all
> signing from all assemblies is one way, possibly resigning them. Signed[/color]
code[color=blue]
> basically allows untampered with code to verify that the called assembly
> hasn't been tampered with as well as allowing endusers a way to verify[/color]
that[color=blue]
> they have an assembly that was signed with a specific companys private[/color]
key.[color=blue]
> There isn't much more of a benifit than that, that I can think of anyway.
>
> I don't understand what the questino about SN is, could you clarify it a
> bit?[color=green]
> >
> > Perhaps someone can help me.
> > Thank in advance.
> > Reinhold
> >
> >[/color]
>
>[/color]

Re: verifying the authentity of an assembly producer with strong naming?


"Reinhold Schalk" <ReiSchalk@gmx. de> wrote in message
news:u3%23UAsul DHA.1800@TK2MSF TNGP10.phx.gbl. ..[color=blue]
> Hello Daniel,
> thanks for your reply.
> Yes, indeed i do also think, that the primary benefit of strong named
> assembly from the endusers point of view is, to know exactly that the
> assembly is untampered (not modified).
> And if i have understood everthing right, there is no way of[/color]
"automatica lly"[color=blue]
> checking the public key against a certificate, that means really verifying
> that the assembly is really from a specific company (Company X delivers a
> strong named assembly and says it's from them (does contain their public
> key)).
> You are right - perhaps one could write a custom loader class who does[/color]
this[color=blue]
> verification, but that's not the way one would like to go...
>
> Concerning SN-Tool i do not have a question. I have justed mentioned it,[/color]
if[color=blue]
> there would have been a way to verifiy the public key, how would this be
> accomplished using the public key generated from SN.EXE.
>[/color]

Well, you could publish the public key and write a tool that does the
verification, I'm kind of surprised that sn doesn't have a parameter
(atleast that I can find) that will verify an assembly against a given
public key, asit stands you'd basically need to dump the signed key and the
public key from a keypair\public key file and manually compare them...that
is kind of strange.

basically, use sn -p myKey.snk mypublicKey.snk or whatever file names you'd
use, then distribute mypublicKey.snk in a manner that end users could get at
it to verify that the assembly is properly signed.

But, this is pretty much the end of my knowledge. Hopefully someone who is
more knowledgable about the inner workings of signing will reply with more
information.
[color=blue]
> Again thanks for your reply
> Reinhold
>
> "Daniel O'Connell" <onyxkirx@--NOSPAM--comcast.net> schrieb im Newsbeitrag
> news:HdNkb.6002 75$cF.264585@rw crnsc53...[color=green]
> >
> > "Reinhold Schalk" <ReiSchalk@gmx. de> wrote in message
> > news:%23LWrcOul DHA.2404@TK2MSF TNGP12.phx.gbl. ..[color=darkred]
> > > Hello,
> > > somewhere i've read that using strong names does assure two things:
> > > 1. Assure that the content of the assembly is not modified (that's ok[/color][/color][/color]
in[color=blue][color=green]
> > my[color=darkred]
> > > opinion)
> > > 2. Assure that the assembly is really from the "fabricator " (?)
> > >
> > > If these two point are correct (i'm not sure), i have a problem with[/color][/color]
> point[color=green][color=darkred]
> > > 2.
> > > To assure the authentity of the fabricator, the public key (which is a[/color]
> > part[color=darkred]
> > > of the manifest) has to be checked against a certificate.
> > > Is this really done? If yes, who does this? And what about the SN.EXE
> > > Tool - it's possible to generate a lot of keypairs (for testing).
> > > Certainly in a PKI a company would have a public - private key pair an[/color]
> > would[color=darkred]
> > > probably use delayed signing.
> > > But how can a client computer really check, whether the installed[/color][/color]
> assembly[color=green][color=darkred]
> > > is really from this company (checking the public key).
> > > I'm a little bit confused.[/color]
> >
> > Well, basically, an assembly that is linked against a signed assembly[/color][/color]
has[color=blue]
> a[color=green]
> > reference to the public key token of the signed assembly(its part of the
> > full type name), so it can verify that that assembly is, indeed, the
> > assembly that it is supposed to link to. It also wouldn't be impossible[/color]
> for[color=green]
> > a tool\class to be written that can check against a published key on the
> > producers server. You could, for example, have a loader class that will[/color]
> only[color=green]
> > load assemblies signed with a set of keys that are under administrative
> > control, or you can apply permissions based on public key.
> >
> > The verification can be circumvented, of course, completly removing all
> > signing from all assemblies is one way, possibly resigning them. Signed[/color]
> code[color=green]
> > basically allows untampered with code to verify that the called assembly
> > hasn't been tampered with as well as allowing endusers a way to verify[/color]
> that[color=green]
> > they have an assembly that was signed with a specific companys private[/color]
> key.[color=green]
> > There isn't much more of a benifit than that, that I can think of[/color][/color]
anyway.[color=blue][color=green]
> >
> > I don't understand what the questino about SN is, could you clarify it a
> > bit?[color=darkred]
> > >
> > > Perhaps someone can help me.
> > > Thank in advance.
> > > Reinhold
> > >
> > >[/color]
> >
> >[/color]
>
>[/color]

Re: verifying the authentity of an assembly producer with strong naming?

The public key is enough to indicate that the assembly is really from the
"fabricator ", but it does not at all indicate who the fabricator is.
Basically it is imply there the assist in generating a unique name for each
assembly, and to prevent impersonation. If you want to establish identity
or trust relationships with the fabricator, you would have to rely on
classic signing methods like Authenticode.

As far as validating the public key, it is quite easy. "sn.exe -vf
assembly.dll" Will validate the signature. I'm not good with crypto stuff,
but it's using simple public-private key encryption such that anybody with
the public key can decrypt, but only those with the private key can encrypt.
Thus everybody can validate the signature, but only the fabricator can
create the signature. And just like PGP, you still need some other means of
establishing who the "fabricator " really is.

--
--Grant
This posting is provided "AS IS" with no warranties, and confers no rights.