Re: StrongNameIdentityPermission

---

• From: "Henning Krause [MVP]" <newsgroups.remove@xxxxxxxxxxxxxxxxx>
• Date: Mon, 27 Mar 2006 18:04:55 +0200

---

You cannot effectively stop fully trusted code from doing that.

In the worst case, an attacker could decompile, modify an recompile your
assemblies and any protection whatsoever would be gone for good.

Greetings,
Henning Krause

"SteveR" <SteveR@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:715209C0-9676-4BAF-B459-20D49798287F@xxxxxxxxxxxxxxxx

I thought that was where I was going wrong. So my next question is how can
I
stop a fully trusted app using my class library unless the strong name
matches my criteria?
--
Steve


"Dominick Baier [DevelopMentor]" wrote:

IdentityPermissions are only enforced in partial trust - they are not
effective
when the caller is fully trusted.

quoting
http://blogs.msdn.com/eugene_bobukh/archive/2005/05/06/415217.aspx

"The bottom line is, Identity permissions Demands could not [and should
not]
be used as measure of Security protection against highly privileged code.
The best they provide in Full Trust is an illusion of protection, what
can
be even worse than no protection at all."
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

I'm trying to protect my class library by using the following code

StrongNameIdentityPermission(SecurityAction.Demand, PublicKey =
"...")]

To test if this is working I wrote another application with a
different public key. When I try to call the function it still works.
Why is it allowed to call the function?

.

---

• References:
  • Re: StrongNameIdentityPermission
    • From: Dominick Baier [DevelopMentor]

• Prev by Date: Re: StrongNameIdentityPermission
• Next by Date: Re: Best way to provide security when need a WindowsIdentity
• Previous by thread: Re: StrongNameIdentityPermission
• Next by thread: Re: StrongNameIdentityPermission
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: What NSA? ... > 3DES was originally intended for protection of transfer ... > for certain banks, see e.g. ... http://www.garlic.com/~lynn/2003m.html#50 public key vs passwd authentication? ... (sci.crypt) Re: Elliptic Curve Cryptography algorithm for key exchange ... AES can be compromised through the weaker security ... >> your public key cryptography. ... this would mean the large key sizes required to match AES ... > protection with easily crackable pswd-derived AES keys!! ... (microsoft.public.platformsdk.security) Re: Securing hashing algorithm ... > still not get 100% protection. ... > knows public key. ... none of this matters if your code is plain .net as hacker can ... >> We are building applications here and have hashing algorithms to secure ... (microsoft.public.dotnet.languages.csharp) Re: Protection against software crack ... > application etc with the CPU's public key. ... > would encrypt their software with, and then you could use the relevant ... A better solution, and one proposed by TCPA IIRC, is the typical chained ... Basically, with CPU-based TCPA, the software protection ... (comp.lang.pascal.delphi.misc) Re: StrongNameIdentityPermission ... to do than decompiling my code modifying it etc. So how can I ensure ... your assemblies and any protection whatsoever would be gone for good. ... stop a fully trusted app using my class library unless the strong ... different public key. ... (microsoft.public.dotnet.framework.aspnet.security)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.dotnet.framework.aspnet.security  > 2006-03