.NET Security - Clearing up Some of the Confusion

Posted Tue, Feb 24 2009 10:43 PM by amarsan
Several of us at SRT have formed a study group to better learn the .NET framework. Our eventual goal is to take the MCTS 70-536 certification exam. One area of .NET that has caused us some confusion is Code Access Security (CAS). This is my attempt to sort out two of the concepts associated with CAS that have been rattling around in my brain.

Signatures and Certificates

What does it mean to sign an assembly? It means giving the assembly a strong name. When an assembly is strong-named, a hash of the assembly is computed, the hash is encrypted with the publisher's private key, and the encrypted hash together with the public key is stored in the assembly as part of the assembly signature. When the CLR later loads the assembly, it decrypts the stored hash with the public key, computes a fresh hash of the assembly, and checks that the two hashes match. If they do, we can assume the assembly has not been tampered with. If the public key is bundled with information about who is issuing it, plus verification from a third party certifying that the key really belongs to that person or organization, the result is called a public key certificate. The confusing part is that an assembly containing a public key certificate is said to be digitally signed. In CAS, I can set up a code group that looks for Publisher Evidence, that is, the digital signature on an assembly, and grants certain permissions based on the value of that signature.

Strong Name Hash and Hash Evidence

I'm not the first person to wonder about the difference between these two. See this blog post for a nice technical discussion. As I described in the section above, the strong name for an assembly contains an encrypted hash; that is the strong name hash. It differs from a general hash of the assembly because a general hash is computed over every single bit of the assembly, whereas the strong name hash skips certain parts of the assembly. In CAS, I can set up a code group that looks for Hash Evidence in order to grant certain permissions to an assembly. Hash evidence is a general hash computed over the assembly, not the strong name hash. The catch with hash evidence is that every time I recompile an assembly, it gets a different hash value. Therefore, hash evidence is primarily useful for granting permissions to one specific build of an assembly.
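To make the two kinds of evidence concrete, here is an added C# example (not code from the original post) that loads an assembly, prints its Hash evidence and its StrongName evidence, and then evaluates the two membership conditions a code group would use against that evidence. It assumes the .NET Framework's System.Security.Policy types (they are not available in .NET Core) and takes the assembly path as an assumed command-line argument, defaulting to the program itself.

```csharp
using System;
using System.Collections;
using System.Reflection;
using System.Security.Cryptography;
using System.Security.Policy;

class EvidenceDemo
{
    // Walk the host evidence the CLR attached at load time and return the
    // first item of the requested type (works on .NET Framework 2.0 and later).
    static T FindHostEvidence<T>(Evidence ev) where T : class
    {
        IEnumerator e = ev.GetHostEnumerator();
        while (e.MoveNext())
        {
            T hit = e.Current as T;
            if (hit != null) return hit;
        }
        return null;
    }

    static string Hex(byte[] bytes) { return BitConverter.ToString(bytes).Replace("-", ""); }

    static void Main(string[] args)
    {
        // Assumed usage: EvidenceDemo.exe <path-to-assembly>
        string path = args.Length > 0 ? args[0] : typeof(EvidenceDemo).Assembly.Location;
        Evidence ev = Assembly.LoadFrom(path).Evidence;

        // Hash evidence is a digest over every byte of the file, so it changes on each rebuild.
        Hash hashEv = FindHostEvidence<Hash>(ev);
        byte[] sha256 = hashEv.GenerateHash(SHA256.Create());
        Console.WriteLine("Hash evidence (SHA-256): " + Hex(sha256));

        // A code group keyed on hash evidence therefore matches this exact build only.
        var hashCond = new HashMembershipCondition(SHA256.Create(), sha256);
        Console.WriteLine("HashMembershipCondition matches this build: " + hashCond.Check(ev));

        // StrongName evidence carries the public key blob, name and version from the signature.
        StrongName snEv = FindHostEvidence<StrongName>(ev);
        if (snEv == null)
        {
            Console.WriteLine("No StrongName evidence: the assembly is not strong-named.");
            return;
        }
        Console.WriteLine("StrongName evidence: " + snEv.Name + " v" + snEv.Version);
        Console.WriteLine("  public key blob: " + snEv.PublicKey);

        // Null name and version mean "any", so this condition keeps matching after a
        // rebuild as long as the assembly is signed with the same key pair.
        var snCond = new StrongNameMembershipCondition(snEv.PublicKey, null, null);
        Console.WriteLine("StrongNameMembershipCondition matches: " + snCond.Check(ev));
    }
}
```

Rebuild the target assembly and run the program again: the SHA-256 line changes and the hash condition (built from the old digest) would stop matching, while the public key blob and the strong-name condition are unchanged.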