I have created an app that creates a signed XML file.
Microsoft has some straight forward examples it was not that difficult to implement but much is hidden/ encapsulated in the libraries below
System.Security.Cryptography
System.Xml,
System.Security.Cryptography.Xml
I now need to export the public key and put it (the public key) in a second application so it can verify that the signed XML document is genuine.
My second application can then enable/disable various program features based on the contents of the signed XML file.
Microsoft goes on about not exporting the contents of the key container but that is exactly what I think I need to do because in my mind I need to accomplish a couple of things.
One as mentioned above I need to export the public key and then import it into a key container that resides in the application that uses the signed XML file.
Secondly I think I need to export both private and public keys in order to back them up.
Since my application will be distributed with the public key I need to back up the public, the private key and the hashing algorithm in a safe location.
Microsoft goes on about not exporting keys to clear text but I am uneasy/and don't know how to back up the key container and I'm unsure how to look at the thing and know what I want to store is actually in there when I try to view the key container in the debugger it seems to go on forever (some sections appear to repeat recursively??)
Can anyone offer advice on how to export/import RSA keys to a key container and an approach to backing up mykeys or contaner?.
Open the Microsoft Management Console (mmc.exe), navigate to File -> Add/Remove Snap-in
This dialog will pop up
On the Available snap-ins pick "Certificates"; click Add and choose to add My user account, then click Add again and choose Computer account.
Click OK. Now you find any certificates you'll need and functions to import/export them - both private (if available and exportable), and public.
Related
we have created an application like adobe reader to read a special encrypted document file format which does recognize only by our application.
what we want to do is to let user buy the application using his/her account from a website & after that we'll let him/her download that document using this program and start reading it.
here is our concerns:
1) document files should not be read in another user computer which means if user1 gives the raw downloaded file to user2 which has our application in his/her own computer the second user must not be able to read that file
2) after users download their files, they can just read those file offline (not constantly be online to be able to read)
3) this security must not break down easily because these document data are vital & the user information & application must not be hacked and cracked !
4) maybe later we want to have our android/IOS version so the solution must be cross platform
5) solution like providing login mechanism for each document won't work because users are able to give the copy of their own files together with their username & password to other users.
6) file encrypting mechanism must not break down by crackers so that they just decrypt the document & post the free version all around the internet
Do you have any programming method, security mechanism or suggestion ?
You could use public-key (or asymmetric) cryptography. You encrypt the document with the public key of the user. Then only people with access to the private key (ideally: only the user) can decrypt it.
However if the user has access to his own key (and he should), nothing can keep the user from decrypting the document and sharing it with others (or sharing his private key with others).
In the end: if a user, or the program needs access to the unencrypted product and the user has no interest in keeping the document secure, confidentiality can and - if the product is interesting enough - will be broken.
This is the problem with .NET it's easily reversed, because of the executables having a lot of meta data stored and that it does not compile to native (asm), but to IL. Your best bet would be to use an obfuscator and something like .NET Seal (However if I am correct it requires the users to be on the net) http://forum.elitevs.net/
Again you want to go cross platform and for C# to do that you'll have to use something like Mono:
http://www.mono-project.com/Main_Page
Although that would require the end user to also have mono.
Now to answer your "points".
1) Make each file and application share some sort of encryption that is unique to each file and application, making sure that the file only matches for the application one user have ex.
User X downloads the application.
User Y downloads the application.
Both downloads are unique with some sort of encryption algorithm or encryption key.
User X downloads Document A.
Document A will be sharing the same algorithm / key as User X's application which makes it unique to him only.
User X gives Document A to User Y.
As User Y's application does not share the same algorithm / key as User X then the Document is not readable.
2) I will referre to what I said first in my answer.
3) I will referre to what I said first in my answer.
4) I will referre to what I said first in my answer. However I want to point out that it's not entirely a bad idea, but it's something that should be taken into consideration if C# really is the language of choice for this.
5) I will reffere to answer #1 here.
6) I will reffere to answer #1 here.
If you are going to allow the user to download the file, then there is going to be no way to 100% secure it. The reason is, there must be a way to decrypt it so that the user can read it. This decryption process must occur on the user's machine, since the program to read it will have to decrypt it and open it on their machine.
Once the program to decrypt it is running on the user's machine, he can reverse engineer it and hack it (assuming he's clever enough).
That being said, there are many way to make it difficult to crack your decryption. Now if you take away the ability to read offline, you have more control. A hacker cannot run a disassembler or decompiler on your remote server.
Hope this info helps
Good day, is there any option how to create a box, which cannot be seen from Windows? I would like to insert some files into this box. These files should be accessible only through my application, not from Windows. Thank you in advance.
How many files and how do you need to access them? If they are only for reading and you don't have too many, you always have the option to store them as a resource in your project. Have a look at this link on MSDN on how to store various file types directly inside your assembly.
NOTE: If you are planning on storing passwords or security-sensitive data, you shouldn't use this approach.
Another alternative would be to store you files inside a database. If you were to use something such as SQLite (here is the .Net data provider), Windows would have access to the database file, but not to the files contained within the database (which could be encrypted). Depending on your data, you'd have to store the file information as a binary large object (blob). See here for an example of how to do this.
It depends on the layer of abstraction you want. All files created by an application are at some level accessible by windows, however, you can mask the content of these files (i.e. encrypt them).
Generally speaking, you could still store the files in a folder, and apply encryption. Here's the msdn article on the point. The other issue is where do you store the key used for encryption.
A simple solution is to hard-code the key in some variable. However, if the assembly is decompiled, the key will become apparent. On the other hand, if you want the user that created the files to begin with, to be the only one to access the files, then you can use the Data Protection API.
If your question is how to the hide the box then you can set the "Visible" attribute to false no matter what control you are using for this "box".
if your box does not include a lot of files or not large file, you can try save it in a compress file like .zip and add a password for it. also add the hidden attribute on that box.
I am working for a big integration platform using Biztalk 2010 and VS2008 SSIS packages. Each interface is stored in one team project (TFS2010). On the root of the team project each interface is created with its unique name and underneath a default basic branch plan structure has been created (with Main, Dev, Release + branches when applicable, see TFS branching guideance from ALM rangers).
The issue is that each interface needs a strong name key because we want to be SCA compliant as far as possible and signing is part of the checks.
I don't want each interface to have its own strong name key, but only one strong name key for all the interfaces.
What is the best practice to handle this kind of reusable strong name key handling ?
The best practice I've found so far is this:
Create a new key file (e.g. MyProject.snk) through the VS command line, using sn.exe -k MyProject.snk - you should create the key file in the same folder as your solution.
Right click on the first project in the solution and select 'Add existing item...'
Browse to the key file you've created - do not press add - press the little dropdown icon next to it and select add as link
The key file will now be added as a link to the project - go to the project properties and your key file will now be selectable in the Signing tab.
Copy and paste the linked key file into all the other projects (this just copies the link) and select it to be the signing key for each them in turn.
This way you have the same key associated to each project, and if you ever need to replace the key, you just have to change it in one place.
Edit: Sorry - just noticed that you're actually talking about multiple solutions - I would probably still take the same sort of approach, but have the key file under source control in a centralised location. VS should be able handle this and recognise that the key file is in your workspace at a different location.
create the key with sn tool or from vs adding it to your root directory,
then every time you make a project strong named - refer to the same key file.
What's the smartest way to prevent a textfile (e.g. xml) from being edited by a user?
I need to make sure that the file in which I store the usernames and there privileges for the desktop application can't be simply edited.
Maybe I can generate a certificate of the file and the desktop applications checks this?
I'm using C# in a WinForms app.
You could use File system permissions to prevent editing.
You could use encryption to make editing difficult
You could get a hash value for the file to detect editing.
I think encrypting the file, then decrypting it will be easiest. Though users might still be able to read the contents of the file if they're smart enough. e.g. reading the plain-text from memory
The simplest way is probably to use a database with username and password authentication.
The smartest is to encrypt it so that the data is not available to them.
However, if a user truly wants access to a file on their machine, they will get it. You can make it so that they cannot read anything useful or make useful edits, but if they want to, they will be able to edit the file.
Since your aim is to store users' privileges directly in an XML file, you need a level of security beyond just preventing users from editing the file. Even if you could (hypothetically) impose some restriction at the operating system level against editing the file, any administrative user could just edit the file on a different computer and then overwrite your protected version.
Thus, you have to assume that users can edit the file. The only recourse you have is to be able to identify when they have, and ignore their edits.
The approach you suggest of creating a certificate sounds exactly right. You could either compute a hash for the entire file, or could do so on a user-by-user basis (whichever makes most sense in your context), in either case using a private or secret key to ensure that someone editing the file cannot simply recompute the hash.
IMHO you can not guarantee no one can edit it, but you can encrypt the file to secure the information.
you can not guarantee as any one can boot the machine using disk start up for example and edit the text file simply.
Personally I don't think XML is the appropriate format for storing secure information in this case. The whole point of XML, compared to binary formats, is that it is human readable/editable. Use some kind of encrypted binary format with a known hash/crc that tells you if it's been interfered with if you want total security.
You can use cryptography, but use the DPAPI built into Windows as you will also have to store the encryption key safely, which again is another hassle.
The benefit of using DPAPI is that it uses a key unique to the user or computer, and is never disclosed, even to the programmer! But if you move the file onto another user's profile or computer, it will be unreadable.
If you MUST keep that data in a XML textfile you could consider digitally signing it by your application every time it is modified and checking the digital signature when you read the file.
More details on how to sign XML file and how to verify signature.
But I think it's better to just keep that kind of data in different formats - database, encrypted file, application properties...
I am trying to secure an application to only run from a specific USB disk.
I have code to get the serial number from the device, but the only way I can make this work the way I want to is to manually code the serial number into the binary.
Is there a way I could make a stub application that would modify the existing binary to insert the serial number into it after it's compiled?
I've seen this done in C++ in the past, but that was a long time ago and I cant quite remember how we did it back then.
Storing it in the assembly is a bad idea. Here is what I would do (and have done similar in the past):
Be sure you are signing your assemblies.
Create an XML document that contains your licensing data - in your case the serial number of the USB device.
Utilize the SignedXml library in .NET (implements XMLDSIG) to sign the licensing XML document that contains the serial number. You will use the same private key that is used to sign the assembly.
When your app starts up, it verifies that the signature of the XML file is valid using the public key that it was signed with (and is embedded in the assembly).
Obviously you don't ship your private key, so if the app needs to generate the XML config file itself (rather than it be a file you ship to the user) you will need to implement a web service.
I don't know, but that hasn't stopped me from answering before.
Maybe figure out where you want to store the SN in the executable (it should be only one place, right?) and just treat the executable as a giant binary blob, and use the stub program to insert it where it needs to go?
Perhaps you want to get a separate USB license key like these ones:
http://www.bhphotovideo.com/c/buy/USB-License-Keys/ci/12454/N/4294550039
???
Why would anybody want to save anything inside an executable. If you're planning to sign the executable for distribution changing the executable in some way would break the signing and saving something in binary to the executable won't prevent someone from taking the value out the executable.
Best thing you can do is store the serial number to a file, registry, or other place then encrypt the value so it can't be modified without breaking it. I use a library that ships with License Vault from a fairly new company called SpearmanTech. You can use their library to store encrypted values to the .NET machine.config file in an encrypted form so it can't be tampered with. This way you can pull the information from the .config file when your application starts.
Are you writing a .NET application in C++ or native C++ well either way you should be able to communicate with the .NET framework so this solution would work.
I would check out their product at http://www.spearmantech.com. Hope it works for you.