Re: Strong names - are these cryptographic??

From: Daniel Fisher(lennybacon) (info_at_(removethis)lennybacon.com)
Date: 09/28/04


Date: Tue, 28 Sep 2004 11:42:32 +0200

Hi Sholto

1. You can always create a strong name assembly without a VeriSignID.
Use Sn.exe
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpgrfStrongNameUtilitySNexe.asp

2. You can sign an assembly with a VeriSignID by using SignCode.exe
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpgrfFileSigningToolSigncodeexe.asp

Michael Willers posted this yesterday:

... strong name guarantees referral integrity by providing a unique name.
That's why versioning works with a strong name only. In addition it
guarantees code integrity. It uses public key encryption to create a digital
signature that contains a hash of the assembly. At load time the CLR creates
a hash again and "extracts" the hash embedded in the signature by using the
public key. It then compares both hashes and if they are not equal the
assembly has been tampered with. In this case the CLR will not load it and as
a result no code gets executed. So in order to modify the assembly you need
to have the private key.
This is how a strong name provides code integrity. But where did the
assembly come from? There is no proven identity. And this is where
certificates come into play. They bind a public key to an identity.
So the decision is up to you: If you know the issuer of the assembly
personally and trust him there is no need for a certificate. If not, then
certificates are the way to go....

For more, visit his blog: http://staff.newtelligence.net/michaelw/

-- 
Daniel Fisher(lennybacon)
 MCP C# ASP.NET
Blog: http://www.lennybacon.com/ 
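
A check that follows from the explanation quoted above, as an added example that is not part of the original post: verify the strong-name signature with Sn.exe, then compare the public key token with a value obtained from the publisher out of band, because a valid signature alone does not say who holds the key. The function names, `MyLib.dll` and the placeholder token are hypothetical; `sn.exe` is assumed to be on PATH and to return a nonzero exit code on failure.

```powershell
# Added example, not from the original post.
# Assumes sn.exe (.NET Framework SDK) is on PATH, e.g. in a Developer Command Prompt.

function Get-StrongNameToken {
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).Path
    $name = [System.Reflection.AssemblyName]::GetAssemblyName($full)
    $key  = $name.GetPublicKey()
    if (-not $key) { return $null }          # assembly carries no public key: not strong-named

    # The token shown in an assembly's display name is the last 8 bytes of the
    # SHA-1 hash of the public key blob, in reverse order.
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try     { $hash = $sha1.ComputeHash($key) }
    finally { $sha1.Dispose() }
    $hex = -join ($hash[-1..-8] | ForEach-Object { $_.ToString('x2') })
    return $hex
}

function Test-StrongName {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$PinnedToken   # obtained out of band from the publisher
    )

    # Step 1, integrity: sn -vf re-hashes the file and checks the embedded
    # signature against the embedded public key (-q suppresses success output).
    & sn.exe -q -vf $Path | Out-Null
    if ($LASTEXITCODE -ne 0) {               # assumption: nonzero exit code means failure
        Write-Warning "Strong-name signature missing or invalid: $Path"
        return $false
    }

    # Step 2, origin: a valid signature only proves the file matches the key
    # embedded in it. Compare that key's token with the one you expect.
    $actual = Get-StrongNameToken -Path $Path
    if ($actual -ne $PinnedToken.ToLowerInvariant()) {
        Write-Warning "Unexpected public key token '$actual' in $Path"
        return $false
    }
    return $true
}

# Usage (hypothetical file name and placeholder token):
# Test-StrongName -Path .\MyLib.dll -PinnedToken '<expected-16-hex-digit-token>'
```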

