Click here to Skip to main content
Click here to Skip to main content
Search within:



 
Comments & Discussions (68)

Building Security Awareness in .NET Assemblies : Part 3 - Learn to break Strong Name .NET Assemblies

By , 31 Oct 2004
 

Disclaimer

NeCoders shall not be held responsible for any cases of software/files being hacked due to the information provided in this article.

General Overview

Welcome back to part 3 of the Building Security Awareness in .Net Assemblies series. In this article, I will share with you the possibility of breaking Strong Named .Net Assemblies. Make sure you have already read through part 1 and 2 before continuing on.

Questions pertaining to Strong Name

I do believe many others have the same doubts as I do on whether Strong Name keys could really protect the assembly from being tampered. I would like to share my doubts with you in this article.

Questions:

  1. Question : Is Strong Name key secure?
    • Answer : Yes, Strong Name key uses RSA 1024 bit encryption.
  2. Question : Is Strong Name key breakable?
    • Answer : If you have enough computing power, time and knowledge on how to break RSA, the answer is yes.
  3. Question : Can Strong Name key be removed from .NET assemblies?
    • Answer : Yes, it can be removed very easily if you know how.

The Demonstration Test machine specifications :

  • Windows XP Professional Edition SP 1 1

  • Intel Pentium 4 2.6GHz

  • 256MB DDR-RAM

  • Visual Studio .Net 2003 Professional Edition

  • Microsoft .Net Framework 1.1
  1. Download the executable files that come with this article.
  2. Open your Visual Studio .Net 2003 command prompt.
  3. Make sure you are inside the CrackingIL/bin/debug directory.
  4. Type “ildasm CrackingIL.exe /out=CrackingIL.il”.

  1. You must be wondering, why we are repeating what we had done in part 1 and part 2 of the series. If you notice, the way to break Strong Name keys is by manipulating the Intermediate Language. But the problem is in part 2, we did modify the Intermediate Language and at the end when we tried to convert it back to an assembly, we will receive an error. I will explain in detail on which part of the Intermediate Language that you should modified to remove the Strong Name key.
  2. Open up the CrackingIL.il with a text editor. I use notepad.

  1. Take a look at the red boxes. From what I understand, each assemblies like System.Windows.Forms, System and mscorlib contains their own public key token and version number.
  2. Now, does our assembly contain a public key? The answer is yes. Before showing it to you, I will first show you 2 screenshots; one without Strong Name key and one with Strong Name key attached.

Without Strong Name :

With Strong Name :

  1. You will notice that the difference on both sides is that the Strong Name key assembly contains a public key. In order to tamper a Strong Named .Net Assembly, just remove that highlighted section. It will look like this.

  1. Now do some modifications to the existing Intermediate Language. You have to remove the registry checking so it will not prompt you for serial number or license. Look for this code.

  1. Then remove the lines of code from IL_0000 to IL_0075. You should have an output like this.

  1. Now just edit some text to prove that you have hijacked that Strong Named key .Net Assembly. Find the code with the phrase “Welcome to NeCoders” and replace it to “You are being hijacked, Strong Names are useless here”.

Change above to:

  1. Open your Visual Studio .Net 2003 command prompt, and type “ilasm CrackingIL.il”.

  1. Try to run CrackingIL.exe. You will see this.

  1. Congratulations! You had managed to manipulate .Net assemblies with Strong Name key attached to it.

Conclusion

Again, I hope you find this series of the article to be interesting. There will be more articles under this series, in terms of breaking and securing the .Net assemblies. Do check out article 4 when it is available as it will explaining the many theories in .NET security. This in return should provide you with a better understanding in this topic.

References

None

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

 Chua Wen Ching
Software Developer
Malaysia Malaysia
Member
I am Chua Wen Ching and it is great to be part of CodeProject network Smile | :)

Article Top
 
Sign Up to vote   Poor Excellent
Add a reason or comment to your vote: x
Votes of 3 or less require a comment

Comments and Discussions

 
You must Sign In to use this message board.
Search this forum  
    Spacing  Noise  Layout  Per page   
View All ThreadsFirst Prev Next
GeneralStrong namesmemberHugo Hallman9 Nov '04 - 11:37 
Strong names are used to prove who wrote an assembly, and not to protect it. If you modify an assembly, you can't make it look like it was someone else who wrote it. Therefore, when you load any strong name asembly, you can be shure who wrote it. Even after deployment.
Sign In·Permalink
GeneralRe: Strong namesmemberchuawenching9 Nov '04 - 12:16 
Hi Hugo Hallman,
 
Point taken. Thanks.
 
Cheers.
 
Regards,
Chua Wen Ching
Visit us at http://www.necoders.com
Sign In·Permalink
GeneralRe: Missunderstanding to strong namessussAnonymous11 Nov '04 - 1:30 
Yes, this is correct statement. Microsoft created strong names to prove identity. Also this article makes mistakes in security concept. Strong names are related to .NET security infrastructure which can be partly seen in .NET Configuration wizard in Runtime security.
Here is important to understand security policies and code groups.
When you define your own code group where application will belong according to its strong name then it will get runtime permissions (maybe some higher ones because otherwise it will get the default ones from default code groups according to its origin - there can be other scenarios like when using GAC, third party assemblies etc).
 
This scenario is similar like when you would create app with strong key and you would leave doors open. Then when you loose your key then you can still pass through the door. But if the door are locked and require a key then when you remove the strong name from app you can't pass (doors = code groups).
 
So you can throw all your keys out like you can do it just droping them from your pocket. But then you'll not get at home, to your car simply anywhere where authorization is required.
 
So this article makes no sense.
 
Some more samples on this topic will come in my freebook on http://www.skilldrive.com/DOTNETinSamplesdoc.zip
 
Regards,
Jan
Sign In·Permalink
GeneralRe: Missunderstanding to strong namesmemberchuawenching11 Nov '04 - 15:05 
Hi Jan,
 
Thanks for the explanations. I will look into your examples.
 
Cheers.
 
Regards,
Chua Wen Ching
Visit us at http://www.necoders.com
Sign In·Permalink
GeneralRe: Missunderstanding to strong namesmemberJanSeda11 Nov '04 - 15:42 
Hi!
 
You're welcome to contact me. I'm specialized on security topics in Microsoft and we can discuss it (some topics are covered in my ebooks or articles). But thank you for your articles, maybe you could be contacted by some our MS guys to be an MVP Wink | ;)
 
Regards and wish you many success.
 
Jan
www.skilldrive.com
Sign In·Permalink
GeneralRe: Missunderstanding to strong namesmemberchuawenching11 Nov '04 - 15:53 
Thanks Jan. I hope to be a MVP one day for sure.
 
But anyway I wrote these articles for my interest in this field. Smile | :)
 
Cheers.
 
Regards,
Chua Wen Ching
Visit us at http://www.necoders.com
Sign In·Permalink
GeneralRe: Strong namesmemberKurt H11 Nov '04 - 9:58 
This is incorrect. Strong names are not used to prove publisher identity, thats what Publisher Certificates and signcode is used for. SN is to provide a globally unique name so that it may be stored in the GAC without conflicting with other assemblies that may have the same friendly names. It is not used to protect an assembly from tampering or to prove publisher identity.
Sign In·Permalink
GeneralRe: Strong namesmemberHugo Hallman11 Nov '04 - 10:10 
Well, it's right that strong names are indeed required to put assemblies in the gac, and the term "strong name" certainly indicates it too. But a strong name does indeed prove the author, given of course that you can somehow verify the public key with which the "publc key token" or fingerprint if you wish. It does prove that the assembly is signed with a certain private key. Thanks for correcting me.
Sign In·Permalink
GeneralRe: Strong namesmemberKurt H11 Nov '04 - 10:52 
In some sence you can ensure that only the person with the private key can generate an assembly with the same identity. If the calling assembly validates the strong name identity of the assembly this hack will fail. For example the .NET runtime itself will check the strong name evaluate security policies, if this assembly was explicitly granted full trust (assuming it is not granted by default, which by default all assemblies on run from local machine are given full trust) then the hacked assembly will no longer have full trust. This hack essentially only works when strong name identity is not required.
 
Although SN proves only a person with the private key can modify the assembly without changing its identity (as identity was changed here) it still is not proof of publisher identity. For example if someone aquires the private key we can no longer guarentee a specific person or organization has created it. Authenticode however is different by utilizing a trust network and timestamping services if a private key is ever stolen it is revoked. The timestamp also included in the signed data can gaurentee the assembly was signed before or after the key was stolen. This is not possible with SN which has no trust network. SN was designed for assembly identity. If publisher identity is important use Authenticode, as SN cannot make the same gaurentees.
 
For more information on the differences in intent see Authenticode and Strong Names see:
http://msdn.microsoft.com/library/en-us/secmod/html/secmod80.asp
Sign In·Permalink
GeneralRe: Strong namesmemberchuawenching11 Nov '04 - 15:10 
Hi Kurt,

Cool. Thanks a lot. I really learn a lot from the reviews here. Lasly, I will make sure i won't repeat these mistakes in article 4 onwards.
 
Cheers.
 
Regards,
Chua Wen Ching
Visit us at http://www.necoders.com
Sign In·Permalink
Last Visit: 31 Dec '99 - 18:00     Last Update: 24 May '13 - 14:18Refresh1

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

About Article
Building Security Awareness in .NET Assemblies : Part 3 of 3
Type Article
Licence 
First Posted 31 Oct 2004
Views 195,168
Downloads 998
Bookmarked 89 times

, +
Top News

Old Japanese Man Creates Amazing Art Using Excel (Wait, Excel?)

Get the Insider News free each morning.
Related Videos
C# .NET Programming - 0908 break And continue
Visual C# 2012: Breaking Changes
Building Security Awareness in .NET Assemblies : Part 2 - Learn to protect your .NET assemblies from being tampered
Strong Names Explained
Assemblies: locating, binding and deploying
Demystifying the .NET Global Assembly Cache
Removing Strong-Signing from Assemblies at File Level (byte patching)
Building Security Awareness in .NET Assemblies : Part 1 - Learn to break a .NET Assembly
C# and the .NET Platform - Chapter 6
Understanding .NET Code Access Security
Code Access Security (CAS) and Design Patterns
Software Copy Protection for .Net Applications - a Tutorial
All About Assemblies
Using MSI or a Strong name to store .NET apps on a network server (Part 2)
How to Protect your Code from Prying Eyes and Theft
Assembly Manipulation and C# / VB.NET Code Injection
Building .NET Coverage Tool
Copy DLL from GAC
MONO: an alternative for the .NET framework
Making Log4Net Work with the .NET Client Profile
.Net Framework Infrastructure
A simple plug-in engine using Reflection
Permalink | Advertise | Privacy | Mobile
Web01 | 2.6.130523.1 | Last Updated 1 Nov 2004
Article Copyright 2004 by Chua Wen Ching
Everything else Copyright © CodeProject, 1999-2013
Terms of Use
Layout: fixed | fluid