Lesson 1: Signing Assemblies with Strong Names in .NET

Generating QR in .NET Lesson 1: Signing Assemblies with Strong Names

7-21

4. Add a reference to the strong-named assembly C:\Key\Contoso.dll by following these steps: a. Click the Project menu, and then click Add Reference. b. In the Add Reference dialog box, click the Browse button, select C:\Assembly \Contoso.dll, and then click Open. c. Click OK to return to Visual Studio .NET. 5. Add two text boxes, a label, and a button to the form. Users will use the text boxes to enter two integers. When the button is clicked, the two integers will be passed to the Contoso.Math.Add method, and the result will be displayed in the label. Figure 7-3 shows what your form should look like.

Figure 7-3

6. Add a method to the button that passes the values in the two text boxes as integers to the Contoso.Math.Add method, and that displays the results using the label. Though the names you use for variables will vary, your code should resemble the following:

private void addButton_Click(object sender, System.EventArgs e) {

int int1 = int.Parse(int1Textbox.Text);

int int2 = int.Parse(int2Textbox.Text);

int result = Contoso.Math.Add(int1, int2);

resultsLabel.Text = result.ToString();

} Private Sub addButton_Click(ByVal sender As Object, ByVal e As System.EventArgs) Dim int1 As Integer = Integer.Parse(int1Textbox.Text) Dim int2 As Integer = Integer.Parse(int2Textbox.Text) Dim result As Integer = Contoso.Math.Add(int1, int2) resultsLabel.Text = result.ToString End Sub

7-22

7

7. Build, run, and test your application to verify that it works correctly. Afterward, close the Calculator application and Visual Studio .NET. 8. Use Visual Studio .NET to open the Contoso project you created in Exercise 2. Modify the project by performing the following steps: a. Comment out the AssemblyKeyFile attribute. b. Change the + operator in the Add method to a -, to demonstrate how an attacker could maliciously modify an assembly. c. Rebuild the assembly. 9. Use Windows Explorer to copy the new, unsigned Contoso.dll file to the directory you used to build the Calculator project. You should overwrite the existing Contoso.dll file, which has a strong name. 10. Re-run Calculator by double-clicking the executable file in Windows Explorer. Click the Add button. An unhandled exception appears, as shown in Figure 7-4.

Figure 7-4 The runtime verifies the signature of strong-named assemblies against the signature that was present when the assembly was originally referenced.

1. Why did the runtime throw an exception 2. How does throwing an exception prevent an attacker from replacing an assembly with one that contains malicious content 3. You ve protected the components that are being called by the main application. How can you ensure that the individual components can never be called by an application that hasn t been signed

7-23

Strong names are reliable assembly identifiers that uniquely identify an assembly. They can be used to reduce the risk of an attacker replacing your software with malicious code. The Strong Name tool (Sn.exe) is a command-line tool and your primary tool for creating and managing strong name keys and for signing assemblies. The process of signing an assembly includes three steps: a. Generate a key file. b. Add strong name attributes to the assembly s source code. c. Build the assembly. Delayed signing is a two-part strong name signing process that separates the public and private strong name keys, enabling enterprises to centralize assembly signing and restrict the distribution of private keys. The fewer people who have access to a private key, the lower the risk of the key being abused. To use strong name assemblies with code access security, add the StrongNameIdentityPermission class either declaratively or imperatively. You can use code access security to limit callers to those assemblies with strong names, specific public keys, and specific version numbers.

7-24