Re: if I encrypt key data why do I want or need SSL?



<i>How would they put junk data into my system? Are you assuming they've been able to hack in via an account?</i>

Google for "man in the middle attack"

<i>I could encrypt the entire message also, all that SSL does for me is provide encrypted access to external sources beyond the control of my security.</i>

And nothing would stop a man in the middle from discarding your message
and encrypting their own. SSL prevents this.

<i>Slammer real world impact has been relatively low threat</i>

Really? I seem to recall several major businesses were greatly
affected, and I also recall that many people's internet connections
were slower due to the connection attempts.

<i>the only way they can obtain any value is if they were able to locate my strong name DLL responsible for all security aspects, assuming they could get into the DLL and somehow decompile it (without the public/private key pair) they would then have to discover where in the DLL the call is to get the encrypted key and then also have to realize that key needs to be unencrypted.</i>

I'm sure it wouldn't be hard to discover where the DLL is. And strong
naming does squat for decompilation. It's trivial to decompile ANY .NET
assembly; even the ones MS ships. Download .NET Reflector; it can show
you source code, in your choice of 6 languages.

<i>In fact, the way my security is enforced has minimal reliance on the OS or the SQL server</i>

Which means as soon as your DLL is compromised, you're SOL. You have no
other barriers to stop an attacker.

<i>Can you provide details of how you might attack a strongly named assembly? Opening the file in binary will not be terribly helpful and you can't decompile it to any useful context, so please explain?</i>

There are plenty of examples; just google for them.

<i>Web Services use the same approach, none of my web service will do anything if they don't get a valid encrypted key as a parameter to all and any method made available by the service and any sensitive data passed to from a web service is always encrypted.</i>

For someone to send your web service they have to know the key? And
what if your web server is compromised and your assemblies replaced?
True, SSL won't help you here, but I don't think the measures you've
taken will either.
