|
Custom MD5 doesn't authenticate that the DLL is the right one, so MD5 isn't even an option.
If you have Application A that depends on DLL B:
Application A contains in the binary an MD5 sum value of, say, "12345".
DLL B in the binary has an MD5 sum value of, say, "12345".
There's nothing stopping an attacker from creating a new version of DLL B with an MD5 sum of, say, "23456", and then just using a hex editor to modify Application A to accept the MD5 hash of "23456", so nothing is achieved.
If, however, you attempt to do the same thing with strong-named Application A and DLL B, you won't be able to do it, as Application A will refuse to run when it's modified.
Strong naming has nothing remotely to do with the MD5 hash of the file, nor do they achieve the same thing.
|
|
|
|
|
Hi Matty,
In your example A is signed with information about B's signature, which builds a lovely hierarchy of signed assemblies. This is great tech.
However, if I decompile and compile A, your users would not know - would they?
It doesn't matter whether the hacked A is signed or not if the user never checks the signature of A against a publicly available source that is authentic to the user.
Don't be tricked into thinking that strong name signing is a solid automatic run-time authentication - neither is certificate signing. They both rely on the user initiating a signature verification using a "correct" public source - e.g. a public key or certificate.
Btw. I can recommend this post. He is much better with words than I am: http://blogs.msdn.com/b/ericlippert/archive/2009/09/03/what-s-the-difference-part-five-certificate-signing-vs-strong-naming.aspx
Kind Regards,
Keld Ølykke
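The two points made in the posts above, as an added example that is not code from the thread: an embedded MD5 value can be recomputed by whoever replaces the DLL, while a signature is only as good as the public key it is checked against. It uses plain RSA signatures in place of the strong-name tooling and assumes a .NET version that has RSA.Create(int); the byte strings, key pairs and class name are constructed for the demonstration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class SignedDllDemo
{
    // Hash-only check: the expected value travels with the application,
    // so whoever can replace the DLL can replace the expected value too.
    static bool HashMatches(byte[] dll, byte[] expectedMd5)
    {
        using (var md5 = MD5.Create())
            return md5.ComputeHash(dll).SequenceEqual(expectedMd5);
    }

    // Signature check: only the holder of the matching private key can
    // produce a signature that verifies under the given public key.
    static bool SignatureValid(byte[] dll, byte[] sig, RSAParameters publicKey)
    {
        using (var rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            return rsa.VerifyData(dll, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    static byte[] Sign(byte[] dll, RSA key) =>
        key.SignData(dll, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    static void Main()
    {
        byte[] original = Encoding.UTF8.GetBytes("constructed bytes of DLL B");
        byte[] swapped = Encoding.UTF8.GetBytes("constructed bytes of a replaced DLL B");
        using (var publisher = RSA.Create(2048))
        using (var other = RSA.Create(2048))
        using (var md5 = MD5.Create())
        {
            RSAParameters pinned = publisher.ExportParameters(false); // obtained from a trusted source
            RSAParameters shipped = other.ExportParameters(false);    // arrived together with the file

            Console.WriteLine("MD5, swapped DLL + patched hash:  " + HashMatches(swapped, md5.ComputeHash(swapped)));
            Console.WriteLine("Old signature over swapped DLL:   " + SignatureValid(swapped, Sign(original, publisher), pinned));
            Console.WriteLine("Re-signed, checked vs pinned key: " + SignatureValid(swapped, Sign(swapped, other), pinned));
            Console.WriteLine("Re-signed, checked vs shipped key: " + SignatureValid(swapped, Sign(swapped, other), shipped));
        }
    }
}
```

Only the checks made against the pinned key reject the replaced file; the last line is the case where the verifier takes the public key from the same place as the file.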
|
|
|
|
|
Totally agree;
The entire system hinges on validating the signature before you execute it.
My main point was more that a hand-rolled solution based only on an MD5 hash doesn't provide remotely the same features as strong signing does.
However, there are cases where run-time authentication using the strong signing is useful.
Consider the following example:
You can easily grant .NET security permissions based on a particular publisher.
I grant only assemblies published by "MattyCo" access to read/write from MattyCo's super secret drive.
If you decompile and recompile A with no or a different signature, the newly recompiled assembly they've sneakily placed on my machine isn't signed by MattyCo, can't access the drive, and no harm is done.
So I got a fair amount of benefit there using the inbuilt run-time authentication that .NET/Windows provides
(Also you obviously get none of these benefits just by using an MD5 sum..)
|
|
|
|
|
Yes, indeed I think your example is the way to use strong name authentication of assemblies as a Windows user. Whether it is easier than MD5 checks of downloaded files is another discussion.
Btw. I wonder if this possibility is used by IT staff when managing shared workstations, or what other cases could be. I know there is some identity management when running Azure apps - don't know if it is linked to strong name signing. Would make sense though.
Kind Regards,
Keld Ølykke
|
|
|
|
|
If I understand you right, you are asking whether I think MD5 hashes are great to verify that a downloaded file is authentic - e.g. like described here http://www.openoffice.org/dev_docs/using_md5sums.html. I like this tech.
However, I don't think most users are able or care to do these checks. The problem here is that the user needs to authenticate the file herself, that is, to match the publicly available hash code of the file with a calculation she has to initiate.
If you ask me whether you should use strong name signing, my answer is yes. Not because it is a very strong security, but because it is a mechanism that runs by default for most users.
Again most users will not check the publicly available hashes of the assemblies that they load, so whether they have been decompiled and compiled again by an evil person is not a question that can be answered by your users.
> Are you aware of alternatives than strong name and md5?
Not really for files. Sorry. I guess it is hard to enforce.
Between servers it is pretty common to know each others certificates / public keys. Messages are signed when sent and authenticated when received.
If you have code running at both server and client, you could add server authentication on the client side, e.g. if your code is downloading files, your code can authenticate the files against server certificates.
I think there is a gap here in the user experience that needs to be filled by a good standard and a handful of products.
Kind Regards,
Keld Ølykke
modified 30-Aug-13 6:41am.
|
|
|
|
|
Thanks for your thoughts first of all, I was hoping to see the most/more stringent argument for/against using Strong Name as opposed to md5 for "authentication" of binary.
"However, I don't think most users are able or care to do these checks. The problem here is that the user needs to authenticate the file herself, that is, to match the publicly available hash code of the file with a calculation she has to initiate."
I think as long as I publish the md5, that's the end of my responsibility, at least for the line of work that we're doing - I wouldn't go about signing all 3rd party libraries.
I do appreciate your argument however. It's informative.
dev
|
|
|
|
|
I need, for my work, (C#) projects with good unit tests. This code should have relatively good coverage. I wrote relatively, because good depends on point of view. I can write a simple project myself, but I need real-world apps.
Thanks
|
|
|
|
|
I don't know what you are talking about, but if you need Unit Testing, get a free book by Marc Clifton: Unit Testing Succinctly. What's your question?
I remain joe!
|
|
|
|
|
Links, names of projects with unit tests where the code is relatively well covered.
|
|
|
|
|
You still didn't ask a question. What do you mean by code covered? You want a sample project that includes Unit Testing, read that book. You want good code? Good code does what it is supposed to do. You want a good website? CodeProject.
I am running around as I don't know what you are looking for.
I remain joe!
|
|
|
|
|
I use NUnit for Unit Testing, and that comes with a lot of tests for NUnit. The source code for NUnit is available, and I hope their unit tests are included...
|
|
|
|
|
Skynet87 wrote: I need to my work (C#) projects with good unit tests. This code should have relative good coverage.
You want a Unittest that covers your Project good? So you have to design a Unittest that covers it. Unittests aren't automatically there, they have to be designed and written.
Best way:
- Write a concept with all Requirements
- Let Team / Person A write the Unittests for that concept
- Let Team / Person B write the Code for that concept
- Run the Unittests, while Team / Person B is coding. The Unittests should cover almost all code and the tests should work. If they don't the concept hasn't been implemented fully either by Team A or by Team B or by both.
|
|
|
|
|
I did a billing project using C# Windows Forms & MySql. But I don't know how to back up this data every week.
How many possibilities are there to backup a database? And which one is the best and how to recover the database??
|
|
|
|
|
|
Can I take a backup of a MySQL DB using Windows Forms???
|
|
|
|
|
Sure... but I'm not sure you understand exactly what you are asking. If you want to "backup" the data via WinForms you are really EXPORTING the data as a snapshot at some point in time. You can do this a million different ways and into a million different formats. So start with some SELECT * queries, a StreamWriter, and go to town. But understand that you aren't really backing up the DB. You are only copying out the data at some point in time. If you needed to recover from an export like this, you would need to write routines to import the data or save it in an importable format like CSV or XML.
BACKING up your DB means taking a copy of the on-disk files where your data lives. This includes schema information, t-logs, etc. You can recover your database from a BACKUP much like you can restore Windows to a previous point in time using System Restore. If you want to BACKUP your database, then you need a BACKUP tool that isn't part of your WinForms application. This tool would run on the server where your DB is (or another server) and take a complete backup of your database at some given interval. That would be persisted to tape or a cloud account or something safe.
|
|
|
|
|
Thank you very much for the useful information.
|
|
|
|
|
Hi,
I have the below text:
name:[jojoba],family:[naiem],Age:[23]
Now I want to get each item separately.
Something like:
Regex _regexN2 = new Regex(string.Format("([{0}]+\\d+$*[]])", _regStyle));
Match mN2 = _regexN2.Match(_textToSearch);
if (mN2.Success)
{
    // The matched text is available through the Value property.
    string value = mN2.Value;
}
How can I do that?
|
|
|
|
|
The first thing to do is: if you want multiple values, then use Regex.Matches instead of Regex.Match, or design an expression that returns multiple results.
Try this, for example:
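// Requires: using System.Text.RegularExpressions;
// Lookbehind/lookahead match the text between '[' and ']' without including the brackets.
Regex reg = new Regex(@"(?<=\[)(\w+?)(?=\])");
string input = @"name:[jojoba],family:[naiem],Age:[23]";
foreach (Match m in reg.Matches(input))
{
    Console.WriteLine(m.Value);
}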
This message is manufactured from fully recyclable noughts and ones. To recycle this message, please separate into two tidy piles, and take them to your nearest local recycling centre.
Please note that in some areas noughts are always replaced with zeros by law, and many facilities cannot recycle zeroes - in this case, please bury them in your back garden and water frequently.
|
|
|
|
|
I'd capture them in named groups:
name:\[(?'Name'[^\]]*)\],family:\[(?'Family'[^\]]*)\],Age:\[(?'Age'[^\]]*)\]
And we have a Regular Expression forum here.
|
|
|
|
|
Thanks for the solution!
string RegexGhaleb = _spliteGhaleb[p].Replace("[]", "").Replace("(", "{").Replace(")", "}");
Regex regex = new Regex(RegexGhaleb + @"\[([^\]]*)\]");
Match _mc = regex.Match(_msgSMS);
string _result = _mc.Groups[1].ToString();
if (_result != string.Empty)
{
    if (typeKar == string.Empty)
        typeKar = _drRes[0]["TableName"].ToString();
    DataRow[] _drParams = _dtAllParams.Select(string.Format(" FarsiName like '%{0}%'", _spliteGhaleb[p].Replace(":[]", "").TrimEnd(' ')));
    _ParamToSave.Add(_drParams[0]["Param"].ToString(), _result);
}
modified 26-Aug-13 15:25pm.
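A parser for the label:[value] text discussed in this thread, as an added example that is not code from any of the posts: it extracts every pair, and looks up one field by label with the label passed through Regex.Escape and a match timeout set, which matters when the text comes from outside the program. The class and method names, the 200 ms limit, the assumption that a label is followed directly by ":[", and the second sample line are choices made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

static class BracketFields
{
    // Upper bound on matching time; exceeding it throws RegexMatchTimeoutException.
    static readonly TimeSpan Limit = TimeSpan.FromMilliseconds(200);

    // Every label:[value] pair in the text. A value may be empty but cannot contain ']'.
    static Dictionary<string, string> ParseAll(string text)
    {
        var pair = new Regex(@"(?<label>[^,:\[\]]+):\[(?<value>[^\]]*)\]",
                             RegexOptions.CultureInvariant, Limit);
        var fields = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (Match m in pair.Matches(text))
            fields[m.Groups["label"].Value.Trim()] = m.Groups["value"].Value;
        return fields;
    }

    // One field by label. Regex.Escape keeps characters such as '(' or '+'
    // in the label from being read as pattern syntax.
    static bool TryGetField(string text, string label, out string value)
    {
        var one = new Regex(Regex.Escape(label) + @":\[(?<value>[^\]]*)\]",
                            RegexOptions.CultureInvariant, Limit);
        Match m = one.Match(text);
        value = m.Success ? m.Groups["value"].Value : null;
        return m.Success;
    }

    static void Main()
    {
        // The first string is the sample from the question; the second is constructed.
        string sample = "name:[jojoba],family:[naiem],Age:[23]";
        string tricky = "price(usd):[12.50],note:[]";

        foreach (var f in ParseAll(sample))
            Console.WriteLine(f.Key + " = " + f.Value);

        string price;
        if (TryGetField(tricky, "price(usd)", out price))
            Console.WriteLine("price(usd) = " + price);

        // Numeric fields are validated after extraction, not by the pattern.
        int age;
        Console.WriteLine(int.TryParse(ParseAll(sample)["age"], out age) ? "age ok" : "age invalid");
    }
}
```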
|
|
|
|
|
I'm binding checkboxlist values from the database, and from the UI I'm adding an ALL option to the checkboxlist. When the ALL option is checked, all values are selected, and on deselecting I need to uncheck all values.
The problem is I'm checking the condition id(chk.selectedvalue!="0") then some action, else select all values.
The above is working fine, but the condition !=0 will match both when deselecting the ALL option and when selecting some other option in the checkboxlist.
|
|
|
|
|
You are doing the string comparison which may result true in all cases. Use id(chk.selectedvalue != 0) instead of id(chk.selectedvalue != "0"). Or you can also try id(chk.Checked == false)
|
|
|
|
|
Change your All id to -1
Never underestimate the power of human stupidity
RAH
|
|
|
|
|
I speak and write English badly, so I am sorry.
C# 4.0 DataGridView -> " dataGridView1.Rows[0].Selected = true; "
I also want to do this with the DevExpress Grid Control.
I'd appreciate it if you can help.
Thanks in advance.

|
|
|
|