All geek questions in one place

Security and licensed class library technology

I asked a question about build security, and someone told me a few things:

You can use licensing technology when creating an instance of the library. What I did in the past is to include the public key as a resource in the dll, and then look for the license xml document with a cryptographic signature signed with my private key. As I continue to keep track of my private key, it’s pretty hard to win.

After reading this, I have a few questions:

  • How to call my licensing technology when developing a class library?
  • How to add a public key as a resource for assembly?
  • How to search for an xml license document with a cryptographic signature signed with my private key, and where and when to search?

It would be better if someone please help me sort out the details in order to implement the above security. Thank you very much.

0
source share
1 answer

“Licensing technology” is basically the methods that he outlines in detail in the rest of the paragraph. A “license” is nothing more than a confirmation of permission for an actor (the user himself or another code executed on their behalf) to use your code. This does not have to be a universal standard, such as an SSL certificate. You just need to know this, and it’s hard to fake others.

As for resources, this is just something inherent in .Net. in VS Solution Explorer go to the project with which you want to access your limited DLL. The first item in its expanded content will be the Properties folder; under this you should find the Resources.resx element. Open it, and you will get a graphical interface that allows you to reference strings, images, text files, etc., which can be compiled or saved along with the DLL when building the solution. Here you must specify a string that is an encrypted known value. Probably the safest encryption string would be the strong name or GUID of the assembly, because then you could compare what you decrypt with the caller’s collection information, preventing someone from getting the encrypted string from one of your libraries and use it in them. In your limited DLL, you can use the same function to store the decryption key, which you will use to decode the string provided when the DLL is called.

There are many resources for tutorials on using RSA encryption (the encryption method suggested here) in .NET. There is an RsaCryptoServiceProvider that will perform encryption / decryption, generate keys, etc .; all you have to do is reset it. Something that can be confusing is that in algorithms with an asymmetric key, such as RSA, data is usually encrypted using the "public" key and decrypted using the "private" key. This is because asymmetric keys are usually used over public communication channels, and you need to provide the remote side with a key that they can use to record messages that will then be decoded. However, in this case, your limited DLL must decrypt the data that needs to be compared, and therefore a fixed "private key" is required for this. This makes the decryption key "publicly available" to anyone who has a .NET Reflector or some similar disassembler. However, if you, the developer, are the only ones who can provide encrypted strings for DLLs that are allowed access to your DLL, then you can keep the encryption key secret.

+3
source

Source: https://habr.com/ru/post/1336504/

More articles:


All Articles