
C# Application Security 2


moongirl129

I'm a C# developer who has only ever had to write applications that will be released to one or two people in a controlled environment. I may be about to start work on an app that needs to be as secure as possible so that people can't steal / copy it.

I am looking for information on all security aspects that I should consider and as much info as possible as this is an area that I don't know much about.

Many Thanks,

Emily
 
authentication and authorization are the 2 biggest concerns I can think of.

.net makes it fairly simple to secure apps with different types of authentication mechanisms. The easiest is using Windows authentication which reads from the Windows security model. Your other option is to create a database of usernames/encrypted passwords and authenticate against that.

You can encrypt database connection strings within an app/web.config file. If you don't store the connection string in the config file the windows registry is the next secure option. I've only stored the connection string in the web.config file. (web app specific).

There is also assembly signing which "validates" the compiled assembly. I haven't worked with these directly.

You can also add attributes to your classes that validate who/what can access public properties/functions within a DLL. This helps deter users from incorporating your assemblies (be it DAL or BLL modules) into an alternate system which could cause harm. I have never worked with these attributes. I read an article a few months back which touched on this subject.

Depending on the scale of the project and the sensitivity of the data, most developers opt for basic user authentication/authorization. The only time I hear about strongly signed DLLs and controlled DLL access is enterprise level applications within a technically advanced company.

Jason Meckley
Programmer
Specialty Bakers, Inc.
 
Hi Jason, Thanks for all the useful info, but you've only just touched on what I need to know. I know about protecting classes etc, but what I need to know is about resources for learning about strongly signed DLLs, and software licensing as I may shortly be involved in developing a piece of software which will need to be licensed. Can you point me in the right direction for further information on this?

Thanks!
 
licensing, I don't know anything about.

For strongly signed DLLs I would google "strong sign assembly" or "public private key assembly". VS uses the Strong Name Tool (sn.exe) for signing assemblies. I would start there.

Jason Meckley
Programmer
Specialty Bakers, Inc.
 
I'm planning on releasing some licensed software as well. Licensing is all up to you. One copy per server, per user, per processor, etc.

If you want to make the user register for a key or not is up to you as well. The bad thing about keys in .NET is that they can be easily cracked. .NET isn't compiled to machine code, so anyone can view your source. The only way that I could see around it is if you also implemented a web service that validates the keys, that way the keys are not hard coded into the application. But then you have to deal with things like how often do you want to check that the key is valid, what if they don't have internet connection, etc.

You could use obfuscation to make the code a little harder to read, but there is no way to completely hide anything in it.

As for strong naming, it depends on what version of Visual Studio you are using. If VS 2003, then open the Visual Studio 2003 Command Prompt and run "sn.exe -k c:\whateverlocation\KeyName.snk". Then in the AssemblyInfo.cs file add "[assembly: AssemblyKeyFile("..\\..\\KeyName.snk")]"

If you are using VS 2005, then just go to Project > Properties > Signing. Check the Sign the Assembly box and choose <New...>. Remember to add it to the Assembly file.

You may have already known all that and were looking for something more in depth, but that's about all I've learned about the two since trying to create my own product. If you come across any more (or better) information, let me know.

Thanks!


Ron Wheeler
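
What a strong name gives a caller to check, as an added example that is not part of the original thread or any poster's code: the public key token is derived from the key that sn.exe generated, so code can pin the token of an assembly it depends on. `StrongNamePin` and the pinned value are assumptions chosen for illustration.

```csharp
using System;
using System.Reflection;
using System.Security.Cryptography;

static class StrongNamePin   // hypothetical helper, not a framework type
{
    // The public key token is the last 8 bytes of the SHA-1 hash of the
    // assembly's full public key, written in reverse order.
    public static byte[] DeriveToken(byte[] publicKey)
    {
        using (SHA1 sha1 = SHA1.Create())
        {
            byte[] hash = sha1.ComputeHash(publicKey);
            byte[] token = new byte[8];
            for (int i = 0; i < 8; i++)
                token[i] = hash[hash.Length - 1 - i];
            return token;
        }
    }

    static string Hex(byte[] bytes)
    {
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
    }

    // True only if the assembly carries a public key whose derived token
    // equals the token pinned by the caller.
    public static bool HasToken(Assembly asm, string pinnedTokenHex)
    {
        byte[] key = asm.GetName().GetPublicKey();
        if (key == null || key.Length == 0)
            return false;                       // assembly is not strong-named
        return string.Equals(Hex(DeriveToken(key)), pinnedTokenHex,
                             StringComparison.OrdinalIgnoreCase);
    }
}

static class Program
{
    static void Main()
    {
        // Assumption: b77a5c561934e089 is the token of .NET Framework's mscorlib;
        // other runtimes ship their core library under a different key.
        const string pinned = "b77a5c561934e089";
        Assembly core = typeof(object).Assembly;
        Console.WriteLine("{0}: pinned token matches = {1}",
            core.GetName().Name, StrongNamePin.HasToken(core, pinned));

        // An assembly built without a key file has no public key and never matches.
        Assembly self = Assembly.GetExecutingAssembly();
        Console.WriteLine("{0}: pinned token matches = {1}",
            self.GetName().Name, StrongNamePin.HasToken(self, pinned));
    }
}
```

A strong name establishes identity only; Microsoft's documentation advises against relying on it for security. The check itself also ships as IL, so it can be read and patched out like any other code in the assembly.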
 
I think you had also mentioned protection against their stealing your code.

Under .net, there is limited protection against this, mainly using a tool called an obfuscator, which uses tricks like renaming your nice meaningful variable names to A, B, C, etc. in an attempt to make reverse engineering more difficult.

While this is a good first step, I think most of your protection ought to come from your license agreement that you have them sign before taking delivery. Work with your lawyer to get the language right, but basically it should say something awful like: "Steal this code and we kill your dog" (1)

Chip H.

(1) Just kidding, of course. Besides, cats rule. :)


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
 
ninjadeathmonkey and chiph - thanks a million this is EXACTLY what I was looking for!! (Oh and Chip, I agree, cats do rule ;) )

However, all of this has got me wondering - if it's so hard to protect your .NET code from being stolen then do people really use it to build 'public' software? Or is there another language / development environment which people normally use to develop this type of thing?
 
People do use it to build public software. However, those who are deeply concerned about people stealing their source will typically use C/C++/VB/etc. Anything that will compile down to machine code. However, these can be disassembled as well, just not as easily. That's why there are hacks for virtually every product on the market. Don't let that deter you though. People will still buy your product if it is good and there is a demand.



Ron Wheeler
 
I was reading a piece by Eric Sink about software licensing where he suggests that you are inclined to lose more legitimate customers by annoying them than you gain by preventing the crooks who will not buy your software anyway. See section 4 of:
If you do decide to have a licence system take a look at these:

 
Correct me if I'm wrong, but doesn't just deploying your app as an .EXE or .DLL solve your question, i.e. other people viewing your code? One cannot view code from these types of assemblies?

Did I totally miss your question?
 
star for Aptitude: that article needs to be read.

most software protection algorithms are the equivalent of the "keep out" sign on a ten year-old's door. it's a part of growing up as a programmer that you see them for what they are.


mr s. <;)

 
Correct me if I'm wrong, but doesn't just deploying your app as an .EXE or .DLL solve your question, i.e. other people viewing your code? One cannot view code from these types of assemblies?

You have obviously never come across Lutz Roeder's .Net Reflector.
 