Paul Farry

Reputation: 4768

Using the Public Key of Signed Assembly as a Security Measure

I am writing a security measure with an application I'm writing where I have a securityDLL that is included and signed with an SNK. If this assembly is present, I check the Byte array that is returned when getting its Public Key, and compare that to my application.

Is this adequate security to ensure that someone hasn't modified my assembly or provided their own DLL in the correct location that would return the Public Key?

I've looked at what the obfuscators do and they resign my assembly, but are they actually using the SNK or are they reading the internals of the assembly and re-using that?

Upvotes: 1

Views: 340

Answers (2)

adrianbanks

Reputation: 82944

If you keep the .snk file used to sign the assembly safe, then nobody should be able to make a new security dll with the same public key.

Signing an assembly with a strong name requires a cryptographic key pair. The private key of this pair is used to sign the assembly. If someone was to modify the security assembly, it would require re-signing, which would require the original snk file. If a different snk file was used, the assembly would have a different public key.

If you were to add a reference to the security.dll, the runtime would ensure that the correct assembly was used when loading it. If an assembly was found with the same name and version but a different strong name, you would get an error because the framework would class this as a different assembly from the one originally referenced.

Have a look at the MSDN docs for more info.

Upvotes: 3
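
The check described in the question, combined with the strong-name signature verification this answer relies on, as an added example (not code from the question or from either answer). It assumes .NET Framework on Windows, where `mscoree.dll` exports `StrongNameSignatureVerificationEx`; the class name, method name and the `SecurityDLL.dll` path are hypothetical.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Runtime.InteropServices;

static class SecurityAssemblyCheck
{
    // Native strong-name verification (assumption: .NET Framework, Windows).
    [DllImport("mscoree.dll", CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.U1)]
    static extern bool StrongNameSignatureVerificationEx(
        string wszFilePath,
        [MarshalAs(UnmanagedType.U1)] bool fForceVerification,
        [MarshalAs(UnmanagedType.U1)] ref bool pfWasVerified);

    public static bool IsTrustedSecurityAssembly(string path)
    {
        // Public key from this application's own manifest (it must be strong-named).
        byte[] expected = Assembly.GetExecutingAssembly().GetName().GetPublicKey();
        if (expected == null || expected.Length == 0)
            return false;

        byte[] actual;
        try
        {
            // Reads the identity from the file's manifest without loading the assembly.
            actual = AssemblyName.GetAssemblyName(path).GetPublicKey();
        }
        catch (FileNotFoundException) { return false; }
        catch (BadImageFormatException) { return false; } // not a managed assembly

        if (actual == null || !actual.SequenceEqual(expected))
            return false;

        // The key bytes are only manifest metadata. Force verification of the
        // signature over the file contents, ignoring any skip-verification setting.
        bool wasVerified = false;
        bool ok = StrongNameSignatureVerificationEx(path, true, ref wasVerified);
        return ok && wasVerified;
    }

    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : "SecurityDLL.dll"; // hypothetical name
        Console.WriteLine(IsTrustedSecurityAssembly(path) ? "trusted" : "rejected");
    }
}
```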

womp

Reputation: 116977

All assemblies signed with the same SNK will have the same public key, so no, this is not a security measure in any capacity. Remember that strongly naming an assembly is not for security, it's for versioning and ensuring uniqueness.

Upvotes: 2
