The Role of Publisher Certificates
•        Strong names provide an assembly a unique identity in the .NET universe; however, they do not identify the literal publisher of the assembly (e.g. Microsoft Corporation, Intertech Training, Bob's Software Shop, etc.).
•        The .NET platform supports the use of publisher certificates for this purpose.
•        Companies obtain a digital Software Publisher Certificate (SPC) from companies such as VeriSign.
•        Strong names and publisher certificates both provide a way to digitally sign an assembly.
•        Understand that both approaches are equally valid and may be used together in the same assembly.
•        Ponder the following differences between the approaches.
Intriguing Question                                                      | Assembly Strong Name                                  | Publisher Certificate
Does this approach uniquely identify the assembly itself?                | Yes                                                   | No
Does this approach uniquely identify the company the assembly came from? | Possibly; depends on how the company handles its keys | Yes
Can this approach be versioned?                                          | Yes                                                   | No
Does this prevent roundtrip engineering?                                 | Yes                                                   | Yes
Does this approach require direct user interaction to run the assembly?  | No                                                    | Yes (think of downloading signed controls from the Web)
Can this data be used as 'evidence' to CAS?                              | Yes                                                   | Yes
Does this approach take into consideration type names / implementation?  | Yes                                                   | No
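The two identities the table contrasts can be read back from a shipped assembly; the following C# console program is an added example, not code from the Intertech courseware, and it assumes Windows (where Authenticode certificate extraction is supported) and a hypothetical default path of MyAssembly.dll.

```csharp
using System;
using System.Reflection;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the courseware: prints both identities for one assembly.
static class AssemblyIdentityReport
{
    // Strong-name identity: name, version, culture, public key token. This identifies
    // the assembly itself, not the company. (.NET Core/.NET 5+ no longer validate the
    // strong-name signature at load time; the .NET Framework runtime does.)
    static void ReportStrongName(string path)
    {
        AssemblyName name = AssemblyName.GetAssemblyName(path);
        byte[] token = name.GetPublicKeyToken();
        Console.WriteLine("Assembly   : " + name.FullName);
        Console.WriteLine("Version    : " + name.Version);
        Console.WriteLine("Strong name: " + (token != null && token.Length > 0
            ? BitConverter.ToString(token) : "none (not strong-named)"));
    }
    // Publisher identity: the Authenticode (SPC) certificate embedded in the PE file.
    // CreateFromSignedFile only extracts the certificate; it does NOT verify that the
    // signature covers this file. Use WinVerifyTrust or signtool verify for that.
    static void ReportPublisher(string path)
    {
        try
        {
            var cert = new X509Certificate2(X509Certificate.CreateFromSignedFile(path));
            Console.WriteLine("Publisher  : " + cert.GetNameInfo(X509NameType.SimpleName, false));
            Console.WriteLine("Issuer     : " + cert.Issuer);
            Console.WriteLine("Thumbprint : " + cert.Thumbprint);
            using (var chain = new X509Chain())
            {
                chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
                Console.WriteLine("Chains to trusted root: " + chain.Build(cert));
            }
        }
        catch (CryptographicException)
        {
            Console.WriteLine("Publisher  : none (no Authenticode signature found)");
        }
    }
    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : "MyAssembly.dll"; // hypothetical default
        ReportStrongName(path);
        ReportPublisher(path);
    }
}
```

An unsigned or strong-name-only assembly shows a public key token but no publisher, which is exactly the gap in the table's second row that a publisher certificate is meant to close.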
The Role of Obfuscation
•        Strong names do prevent evil-doers from modifying your assemblies using your unique identity and can be used to restrict who can interact with the contained types.
•        However, tools such as ildasm.exe can still be used to view the underlying CIL code (which is very human readable).
•        Worse yet (from a security point of view), tools such as reflector.exe allow you to view the internal composition of an application in C# code, VB code, etc.
•        This is problematic if your assembly falls into the hands of competitors, given that they can easily steal proprietary business logic and algorithms.
•        Although evil-doers can always decompile a .NET assembly using tools such as ildasm.exe, obfuscation makes the resulting CIL code completely unreadable.
•        Understand that the obfuscated assembly executes identically.
•        It may, however, run slightly slower, depending on the obfuscation techniques you make use of.
•        Obfuscation can be achieved using any number of techniques. For example:
    •        Member renaming: for example, naming all non-public members using extremely long random values.
    •        Encryption: encrypting all string literals within the assembly.
    •        Flow control obfuscation: injecting a number of complex (and unnecessary) method calls.

•        Visual Studio ships with a trial version of a commercial product named Dotfuscator:
    •        This trial edition only has a few features enabled.
    •        The full product can be purchased from www.preemptive.com.
•        We will not be covering the details of using Dotfuscator in this course.
•        However, if you need to keep the internals of your assembly safe from prying eyes, using such a tool is necessary.
•        Any assembly shipped outside your company walls which contains sensitive information should absolutely be obfuscated.
Publisher Certificates and Obfuscation
Copyright (c) 2008.  Intertech, Inc. All Rights Reserved.  This information is to be used exclusively as an
online learning aid.  Any attempts to copy, reproduce, or use for training is strictly prohibited.