Monday, December 22, 2008

Strong names and Signing

What is a strong name?

A strong name is a .NET assembly name combined with its version number and other information to uniquely identify the assembly. This allows multiple versions of the same assembly to peacefully co-exist in the global assembly cache, where shared assemblies are typically stored.

A strong name consists of five parts:

  1. Simple Name - Usually the name of the file (without the extension) that contains the assembly
  2. Public Key - RSA cryptographic public key that helps verify the assembly’s authenticity
  3. Version - Four-part version number, in the form of Major.Minor.Build.Revision
  4. Culture - Target audience for the assembly, such as “neutral” (default audience), “en-us” (English - United States) or “fr” (France) etc.
  5. Processor Architecture - Defines the assembly’s format, such as MSIL (intermediate language) or x86 (binary for Intel x86 processors)

An example strong name is “Mini-Launcher, Version=0.3.612.24542, Culture=neutral, PublicKeyToken=ffa52ed9739048b4, ProcessorArchitecture=MSIL”.

Why use strong names?

Strong names are required to store shared assemblies in the global assembly cache (GAC). This is because the GAC allows multiple versions of the same assembly to reside on your system simultaneously, so that each application can find and use its own version of your assembly. This helps avoid DLL Hell, where applications that may be compiled to different versions of your assembly could potentially break because they are all forced to use the same version of your assembly.

Another reason to use strong names is to make it difficult for hackers to spoof your assembly, in other words, replace or inject your assembly with a virus or malicious code.

What is a strong name key file?

A strong name key file has a .snk extension and contains a unique public-private key pair. You use the strong name key file to digitally sign your assembly (see below). Note that this type of file is not secure, as the private key in a .snk file can be easily compromised.

For added protection, Visual Studio can encrypt a strong name key file, which produces a file with the .pfx (Personal Information eXchange) extension. The .pfx file is more secure because whenever someone attempts to use the encrypted key, she will be prompted for the password.

How do I create a strong name key file for a .NET assembly?


Reference : http://www.csharp411.com/net-assembly-faq-part-3-strong-names-and-signing/

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)