What exactly are Delay signing and strong names in .net?

I have seen in many articles that delay signing and strong naming an assembly prevents it from being hijacked.

What does that mean?

The only thing that I know is that without a strong name you cannot install an assembly in the GAC. So suppose I have an assembly without a strong name: can it be hijacked?

Someone please clarify my doubt.

Deviprasad Das asked Dec 06 '11 01:12



1 Answer

There is plenty of information about this on MSDN; for example: Strong Naming, and Delay Signing

To summarize the basic idea:

Strong naming is a way of stamping your assembly with a simple identification mark that can be used later to validate that it has not been modified since it was deployed. The strong name is basically a hash of the assembly's name, version, and a "strong-name key" unique to the developer. References to strong-named assemblies go through stricter validation than references to non-strongly-named ones; in particular, strong-named references must match version numbers, and the strong name hash must match.

This helps avoid two common sources of potential security vulnerabilities in your programs:

  1. A malicious user replaces an assembly in your program with a different assembly with the same file name, but which contains malicious code, and convinces your program to load and execute it.
  2. A malicious user replaces an assembly in your program with a different version of the same assembly, but which has known bugs that have since been fixed.

The strong name process will reject both of these actions because the strong name data will not match. This is why assemblies in the GAC must be strong named: they are used so ubiquitously that they would otherwise make major targets for this kind of hijacking.

Note, however, that strong names do absolutely nothing to verify the identity of the publisher. Anyone can publish a strongly-named assembly claiming to be Microsoft and there's nothing in the strong name to refute that assertion. Verifying identity is the job of Authenticode digital signatures, which are different from strong naming. The two are often used together, but they are orthogonal concepts.

Delay signing is a technique for signing assemblies outside of the build process. The idea here is that your company might have policies that don't allow the strong name keys to be available at build time (perhaps they are kept offline, or secured behind a password). A delay-signed assembly is marked with a blank strong-name key: it basically reserves space for the key to be added later, by an authorized user. In the meantime, a partial strong-name key is included -- just enough information for other assemblies to make a strong reference, but not enough to detect changes or modifications.

Michael Edenfield answered Nov 10 '22 13:11
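The delay-signing workflow the answer describes, written out as the .NET Framework SDK commands (sn.exe and csc.exe) a signing authority and a developer would run; this is an added example, not code from the question or answer, and it assumes a single source file `Hello.cs` and placeholder key file names.

```powershell
# Added example: delay-signing round trip with the .NET Framework SDK tools.
# Assumes Hello.cs exists and sn.exe / csc.exe are on PATH; file names are placeholders.

# 1. Signing authority: generate the key pair once, keep the private half offline,
#    and hand developers only the public key.
sn -k Company.snk                 # full key pair (private + public)
sn -p Company.snk Company.pub     # extract just the public key for developers

# 2. Developer: compile against the public key only and reserve space for the signature.
#    Equivalent to [assembly: AssemblyDelaySign(true)] and
#    [assembly: AssemblyKeyFile("Company.pub")] in source.
csc /target:library /keyfile:Company.pub /delaysign+ /out:Hello.dll Hello.cs

# The assembly now carries a public key token, so other assemblies can take a strong
# reference to it, but it has no valid signature yet.
sn -T Hello.dll                   # shows the public key token
sn -v Hello.dll                   # fails: reported as delay-signed, not verified

# 3. Developer machine only: let the loader skip verification for this one token so the
#    unsigned build can be tested. This weakens integrity checks on that machine, so
#    scope it to the single token and remove the entry when finished.
$token = (sn -T Hello.dll | Select-String -Pattern '[0-9a-f]{16}').Matches[0].Value
sn -Vr "*,$token"
# ... develop and test ...
sn -Vu "*,$token"

# 4. Signing authority: complete the signature with the private key, then verify.
sn -R Hello.dll Company.snk
sn -v Hello.dll                   # succeeds: assembly is valid
```

Strong-name verification at load time is a .NET Framework feature; .NET Core and later do not validate the signature, so the tamper-detection described in the answer only applies on the Framework runtime.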