ASP.NET 2.0 Security Questions and Answers - Strong Naming and Signing

From SecurityGuidanceShare

Contents 1 How do I strong-name an ASP.NET application assembly? 2 How do I delay sign an ASP.NET application assembly? 3 When should I use .pfx files? 4 When should I pre-compile my ASP.NET application? 5 How do I pre-compile my ASP.NET application? 6 How do I strong name an ASP.NET application? 7 How do I Sign .Net assemblies with Authenticode signature?

[edit] How do I strong-name an ASP.NET application assembly?

You can create strong name keys and strong name the assembly using Visual Studio 2005. In the project properties of the assembly, select the Signing pane. By checking the "Sign the assembly" checkbox, you instruct the compiler to sign the assembly with the key file specified. Strong naming .NET assembly guarantees name uniqueness, protects the version lineage and provides strong integrity check. Note: Strong names do not imply a level of trust like that provided, by a digital signature and supporting certificate. Here is how you strong name a .Net assembly.

• Configure the assembly for strong naming
  • In the Solution Explorer select the .NET assembly project and right click
  • On the popup menu select Properties
  • It will open the Project Designer page; on it select the Signing tab.
  • On the Signing tab select the Sign the assembly check box.
• Create / Select existing strong name key for signing - You can either select an existing or create a new password protected (.pfx) or plain (.snk) strong name key
• For creating new strong name key
  • In the Choose a strong name key file: drop down box select <New…>
  • In the Create Strong Name key dialog enter the Key file name
  • Select Protect my key file with a password check box for creating the .pfx file, else keep it unselected for creating plain strong name key file (.snk)
  • If you have selected to protect the file, enter password in Enter password and Confirm password text boxes and then click Ok
• For selecting existing strong name key
  • In the Choose a strong name key file: drop down box select <Browse…>
  • In the file selection dialog box browse to the strong name key (either .pfx or .snk)
  • Select the key file, in case of .pfx it will prompt for password, enter the correct password and click ok on ImportPFXKeyDlg dialog box.

• Sign the assembly - Now you just need to build the assembly, the complier will build a strong named assembly using the strong name key configured.

[edit] How do I delay sign an ASP.NET application assembly?

You can delay sign the assembly by using Visual Studio 2005 and a public key extracted from an existing strong name key. In the project properties of the assembly, select the Signing pane. By checking the "Sign the assembly" and "Delay sign only" checkbox, you instruct the compiler to delay sign the assembly with the public key file specified. Delay signing your assemblies during application development means the public key being placed in the assembly. This allows the public to be available as evidence to code access security policy, but the assembly is not signed. From a security perspective, delay signing has two main advantages:

• The private key used to sign the assembly and create its digital signature is held securely in a central location. The key is only accessible by a few trusted personnel. As a result, the chance of the private key being compromised is significantly reduced.
• A single public key, which can be used to represent the development organization or publisher of the software, is used by all members of the development team, instead of each developer using his or her own public, private key pair.

Here is how you delay sign a .NET assembly

• Extract public key from a strong name key for delay signing.
  • Use Sn.exe utility for extracting public key from the .pfx or .snk key pair file for delay signing. Here is the command for the same; test.pfx is the key pair file

Sn –p c:\test.pfx   c:\testpublickkey.snk

• Configure the assembly for delay signing
  • In the Solution Explorer select the .NET assembly project and right click
  • On the popup menu select Properties, it will open the Project Designer page;
  • On it select the Signing tab and select the Sign the assembly and Delay sign only check boxes.
• Select public key for delay signing
  • In the Choose a strong name key file: drop down box select <Browse…>
  • In the file selection dialog box browse to the public key (.snk) and click Ok
• Delay sign the assembly - Now you just need to build the assembly, the complier will build a strong named assembly signed using the public key configured.
• Final signing of the assembly - At the time of final release use following command and resign the assembly

Sn –R <assemblyName> C:\test.pfx 

Important: Note that a delay signed project will not run and cannot be debugged. You can, however, use the Strong Name Tool (Sn.exe) with the -Vr option to skip verification during development.

[edit] When should I use .pfx files?

You should always prefer to use .pfx file when strong naming your application, unless using an existing strong name key pair file (.snk).

The .pfx files are more secure as it is protected by password, so whenever another user tries to use the file, that user will be prompted for the password. Also the other advantage of a .pfx file is that you can add it to a certificate container.

[edit] When should I pre-compile my ASP.NET application?

You should consider pre-compiling your application,

• If you want to deploy your ASP.NET application without copying any of the original source code to the production server. This includes the code and markup in aspx, ascx, and master files. This especially true with shared hosted environment where your source code might be vulnerable.
• If you want to identify compile-time bugs before users see a site, for better user experience.
• If you want to strong name your ASP.NET application, so that it can work seamlessly with strong name assemblies.
• Additionally pre-compilation gives a faster response time for users, since pages do not have to be compiled the first time they are requested. This is particularly useful on large sites that are updated frequently.

[edit] How do I pre-compile my ASP.NET application?

You can pre-compile your ASP.NET application using the aspnet_compiler.exe utility or Publishing web site option in Visual Studio 2005. In both cases you will have to create a strong name key pair file using Strong Name (Sn.exe) utility. Note: You can not use the password protected strong name key pair file (.pfx) Pre-compiling your ASP.NET helps you deploy your application in production server without the original source code, identifies compile time bugs, allows you to strong name your ASP.NET application, and gives faster response time for users for first time request.

Using Visual Studio 2005

• In the Build option from the tool menu select Publish http://localhost/....
• On the Publish Web Site dialog box, enter the Target Location where you want the deployable precompiled site to be copied
• Here you can choose the "Allow this precompiled site to be updateable" check box if required, please see the note for details.
• On the Publish Web Site dialog box, click Ok button.

This will pre-compile the ASP.NET application and you can XCopy the complete folder from the target location and deploy it on your production server. Note: With updateable pre-compilation the ASPX, ASCX, ASHX, and MASTER files are copied to the target directory, you can deploy these files to the server and modify them. The ASP.NET runtime will dynamically parse and compile these files. All of the source code for code-behind files and in the App_Code folder will be compiled into assemblies and will not need to be re-deployed.

Using aspnet_compiler.exe command line utility

• Open Visual Studio 2005 command Prompt
• Run the following command, specifying applications virtual path and target directory.

aspnet_compiler -v /<<ASP.NET Application Virtual path>> <<Target Directory Path>> 

• For updateable pre-compilation include the -u switch in the command as follows

aspnet_compiler -v /<<ASP.NET Application Virtual path>> <<Target Directory Path>> -u

This will pre-compile the ASP.NET application and you can XCopy the complete folder from the target location and deploy it on your production server.

• Also look at Visual Studio Web Deployment Projects - http://msdn.microsoft.com/asp.net/reference/infrastructure/wdp/default.aspx

[edit] How do I strong name an ASP.NET application?

You can strong name an ASP.NET application by pre-compiling the application and signing it with a strong name key. You can pre-compile and strong name ASP.NET application using either Visual Studio .NET 2005 or aspnet_compiler.exe, a command line utility. In both cases you will have to create a strong name key pair file using Strong Name (Sn.exe) utility. Note: You can not use the password protected strong name key pair file (.pfx) Strong naming .NET Application provides strong integrity check and can be used with strong named assemblies without needing the strong name assembly to have APTCA attribute on them.

Using Visual Studio 2005

• In the Build option from the tool menu select Publish http://localhost/....
• On the Publish Web Site dialog box, enter the Target Location where you want the deployable precompiled site to be copied
• Select the Enable strong naming on precompiled assembly checkbox
• Select the "Use a key file generated with Strong Name tool" or "Use a Key Container" radio button depending upon where your strong name key pair is stored.
• If you choose "Use a key file generated with Strong Name tool" enter the "Key file location" and click Ok

This will pre-compile the ASP.NET application and strong name it, you can XCopy the complete folder from the target location and deploy it on your production server.

Using aspnet_compiler.exe command line utility

• Open Visual Studio 2005 command Prompt
• Run the following command, specifying applications virtual path, target directory and strong name key pair file.

aspnet_compiler -v /<<ASP.NET Application Virtual path>> <<Target Directory Path>> -keyfile C:\test.snk

This will pre-compile the ASP.NET application and strong name it, you can XCopy the complete folder from the target location and deploy it on your production server.

[edit] How do I Sign .Net assemblies with Authenticode signature?

Use File Signing Tool (Signcode.exe) available with .Net Framework Tools. The File Signing tool signs a portable executable (PE) file (.dll or .exe file) with an Authenticode digital signature. You can sign either an assembly or an individual file contained in a multifile assembly. If you are distributing an assembly, you should sign the assembly rather than the individual files. Strong naming an assembly the private key used to sign the assembly is a unique for each organization, it does not provide the same level of non-repudiation that digital certificates provide. For example, there is no way to look up the developer's identity based solely on an assembly's public key. Hence it’s important to strong name and assembly and signs the .Net assemblies with Authenticode signatures. Here are is how you sign the assemblies with Authenticode signature. Using Visual Studio command prompt run following command from following location C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Deployment\Vspkgs

>signcode /spc myCertificate.spc /v myKey.pvk myAssembly

To sign with a software publisher certificate (SPC) file, you must specify the ""-spc"" and ""-v"" options if your private key is in a PVK file. If your private key is in a registry key container, you must specify the ""-spc"" and ""-k"" options. You can obtain a valid SPC from a Certification Authority such as VeriSign or Thawte