Monday 19 December 2011

Why DLLs Should be Signed




Ever been on a project where you were asked to create a Strong Name for a DLL, you created a Strong Name for one project, and the solution then started giving you weird compilation errors? I have been there many times. When facing those issues, some questions crossed my mind.

·        What is a Strong Name?
·        What is the significance of a Strong Name?
·        Why do we need a Strong Name? Do all DLLs need Strong Names?
·        What actually happens when a Strong Name is created?
·        How is a Strong Name used in a real-world scenario?

Basics before Deep Dive

Before the deep dive, let us brush up on the following basics:
1.      Assembly
2.      Encryption
3.      Hashing
4.      Digital Signatures

Assembly 

An assembly is a compiled code library used for deployment, security and versioning. EXE and DLL files are different types of assembly. An assembly's identity consists of its Name, Culture, Version and Public key token.

Encryption

Encryption is the process of converting information into an unreadable form using an algorithm; the unreadable information can only be converted back to a readable form using a special piece of information called a key.

There are two types:
a)     Symmetric Cryptography
b)     Asymmetric Cryptography
Let us concentrate only on asymmetric cryptography, since symmetric cryptography is straightforward.

Asymmetric cryptography provides a very secure mechanism for encrypting and decrypting data, due to its use of a pair of keys called the private and public keys.


The private key is held by one entity and securely locked down. It should never be passed to another entity. The public key is the opposite; you can give the public key to anyone who requests it.


Let us consider an analogy. Gates and Steve want to communicate with each other, and they choose the asymmetric way. Gates sends an open box with an automatic numeric padlock. The padlock closes automatically, but it needs a key to open.

Open Box = Public Key
Numeric padlock key = Private Key


The open box is the public key, which everyone can know about. Steve places the message in the box and closes the automatic numeric padlock. The key that is used to open the box is the private key.

Hashing

What if the data is changed after it is placed in the box (even the box along with its contents)? To guard against changes to the data before or after encryption, we use a process called hashing. A cryptographic hash function takes a block of data of arbitrary size and returns a fixed-size block of binary data known as the hash value. If you change the original block of data in any way, the calculated hash value changes. If a single bit is changed in the original data, at least fifty percent of the calculated hash value’s bits change. If the data has not changed and you calculate the hash value over and over, the hash value will be the same. If you copy the data and calculate its hash value, it will be the same.

Digital Signatures

A digital signature proves that a message hasn’t been modified and proves the identity of its author.

Combination of Asymmetric encryption and Hashing

This is a combination of two topics already covered in this post: asymmetric encryption using the private key, and hashing. A digital signature is created by calculating a hash of the data and then encrypting the hash with a private asymmetric encryption key.

The deep dive is over, guys; let’s go back to the surface and discuss what we are really here for.

What is Strong Name?

A Strong Name is a technology used to uniquely identify assemblies. It consists of the Name, Version Number, Culture, Public key token and Digital signature.

What is the Significance of a Strong Name?

A Strong Name serves two purposes:

1.      Versioning  
2.      Authentication.

Versioning solves the problem called “DLL Hell”. Since a Strong Name uniquely identifies an assembly, DLLs with the same name can exist in the same folder (the GAC) with different version numbers.
Authentication is the process by which we assure ourselves of the origin of the code. Signing the assembly solves this.


Why do we need a Strong Name? Do all DLLs need Strong Names?

As discussed, a Strong Name serves the purposes of versioning and authentication. When a shared or public assembly is signed with a Strong Name, it can be published in the GAC (Global Assembly Cache). Anyone who uses our assembly can be sure that they are using the correct version and an assembly that has not been modified by external sources.

Strong Name signing is only for shared or public assemblies. We don’t need to sign an assembly with a Strong Name if we are only using it in our own executables.

What actually happens when a Strong Name is created? How is it used in a real-world scenario?

Let’s separate the creation of a Strong Name from its use. When you add a strong name to a library, the compiler creates a hash over most of the assembly. The hash is encrypted with the publisher's private key to form the strong name signature. The strong name signature and the public key are then placed in the assembly.

When you tell the compiler that you will use a strong-named assembly, the compiler stores the full name of the signed assembly in the assembly it is creating. This is the reason why two DLLs with the same name can exist in the GAC folder. The full name includes the public key, and because this is large, the runtime uses part of the hash of the public key, called the public key token.









When .NET loads the referenced assembly, it verifies that the assembly has the specified public key; it can do this by extracting the public key and hashing it to obtain the public key token. It also needs to verify the public key, and it can do this by generating the hash of the referenced assembly. The strong name signature is this hash encrypted with the private key, so only the correct public key can decrypt it.

Thus the runtime extracts the strong name signature and decrypts it with the public key; if the result does not agree with the hash it generated, the runtime will not load the assembly.
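
The sign-then-verify flow described above, as an added example that is not code from the original post or from the .NET runtime. It is a simplified model: the assembly is a dictionary rather than a PE file, the signature is textbook RSA without padding, and the keys, the names (MathLib, make_reference, load) and the sample body are constructed for illustration. The public key token is derived as the last 8 bytes of the SHA-1 hash of the public key, byte-reversed.

```python
import hashlib

def make_key(p, q, e=65537):
    """Textbook RSA key from two primes: returns (n, e, d)."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

# Constructed toy keys built from Mersenne primes; trivially factorable, illustration only.
PUBLISHER = make_key(2**107 - 1, 2**127 - 1)
SOMEONE_ELSE = make_key(2**89 - 1, 2**127 - 1)

def key_blob(key):
    n, e, _ = key                      # the private exponent d is never exported
    return n.to_bytes(32, "big") + e.to_bytes(4, "big")

def public_key_token(blob):
    # Last 8 bytes of SHA-1(public key), byte-reversed, shown as 16 hex digits.
    return hashlib.sha1(blob).digest()[-8:][::-1].hex()

def body_hash(body):
    # 160-bit SHA-1 value; both toy moduli are larger, so no reduction is needed.
    return int.from_bytes(hashlib.sha1(body).digest(), "big")

def sign_assembly(name, version, body, key):
    n, _, d = key
    return {"name": name, "version": version, "body": body,
            "public_key": key_blob(key),
            "signature": pow(body_hash(body), d, n)}  # hash "encrypted" with the private key

def make_reference(asm):
    # What the compiler records in the referencing assembly: the name with the token.
    return asm["name"], asm["version"], public_key_token(asm["public_key"])

def load(reference, asm):
    name, version, token = reference
    if (asm["name"], asm["version"]) != (name, version):
        return "name/version mismatch"
    if public_key_token(asm["public_key"]) != token:
        return "public key token mismatch"
    n = int.from_bytes(asm["public_key"][:32], "big")
    e = int.from_bytes(asm["public_key"][32:], "big")
    if pow(asm["signature"], e, n) != body_hash(asm["body"]):
        return "signature mismatch"
    return "loaded"

def demo():
    genuine = sign_assembly("MathLib", "1.0.0.0", b"IL: add two numbers", PUBLISHER)
    ref = make_reference(genuine)
    patched = dict(genuine, body=b"IL: add two numbers, plus extra code")
    resigned = sign_assembly("MathLib", "1.0.0.0", patched["body"], SOMEONE_ELSE)
    return [load(ref, genuine), load(ref, patched), load(ref, resigned)]
```

The two rejections come from different checks: a modified body no longer matches the decrypted signature, while a copy re-signed with another key fails earlier because its public key hashes to a different token than the one stored in the reference.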

We have now had a close look at the DLL signing process, basics included. I hope this will be helpful even for people who are new to encryption.




       



