4

We ship a .NET application with an associated configuration file. Our consultants create the configuration file during installation. We'd like to make it hard for the client to tamper with the configuration file.

What avenues do we have?

At the moment, I'm thinking about signing the configuration file with our private key and verifying it against the public key when the application starts. I'd then hide the public key in the EXE somewhere.

How might I go about doing this? Are there better ways to do this?

Note: I'm aware that this will not prevent a determined attacker. We're looking at closing off some of the easiest routes and moving the effort required into deliberate, rather than negligent, infringement.

Roger Lipscombe
  • Your signature approach will work quite well, we use it all the time. Your client might patch your .exe or .dll to substitute another key, but I guess you don't give any warranties on binary-patched executables ;-) – Eugen Rieck Jan 24 '12 at 15:58
  • @EugenRieck: are there good ways to "hide" the public key in the EXE, or should I just embed it as a resource? – Roger Lipscombe Jan 24 '12 at 16:08
  • We never "hide" it, just have it as a hardcoded byte[] - 2048 bit public keys are not that easy to factor. – Eugen Rieck Jan 24 '12 at 16:14
  • For now, I'm just embedding the public key as a base64-encoded string. We might obfuscate that a little in future. – Roger Lipscombe Jan 24 '12 at 16:55
  • You really don't need to obfuscate it! Repeating the signing process will necessitate binary patching this way or another. – Eugen Rieck Jan 24 '12 at 16:58

2 Answers

6

This doesn't make any sense. You are shipping a configuration file. It's used for configuring the application. But you don't want it to be changed? So then it can't be used to configure the application. So, then why even bother with a configuration file? Why not just embed it as a resource in the application itself?

What am I missing?

Edit, to respond to your new information:

Use XMLDSIG. Sign the app.config. Verify the signature.

jason
  • +1 Embed in a resource file - that's a good suggestion. Wish I had thought of that. – David Hoerster Jan 24 '12 at 16:01
  • Our consultant configures it during installation. It's not a shrink-wrap application. Updated question. – Roger Lipscombe Jan 24 '12 at 16:06
  • Then use `XMLDSIG`. You can sign with this: http://msdn.microsoft.com/en-us/library/ms229745.aspx. You can provide a tool to the consultant after he is done configuring the application. You can verify signatures with this: http://msdn.microsoft.com/en-us/library/ms229950.aspx. Note that, as usual, you have a key handling problem. – jason Jan 24 '12 at 16:22
  • Fails with "Unrecognised configuration section Signature" :-( – Roger Lipscombe Jan 24 '12 at 16:45
  • You need to use `System.Configuration.IgnoreSectionHandler` to force the configuration engine to ignore the `Signature` section. Sorry, I don't have time for a full-fledged example, but if you Google it, I'm sure you can find an example of using this. The syntax would be something like `
    `. Let me know if you need more detail. I might be able to come back later and fill in some things.
    – jason Jan 24 '12 at 16:49
  • Found something: http://www.beefycode.com/post/Managing-AppConfig-Integrity-using-Xml-Digital-Signatures.aspx. – Roger Lipscombe Jan 24 '12 at 16:52
  • Done. I'll mark this as accepted; I don't know if you'll want to come back and tidy it up a bit for future generations... – Roger Lipscombe Jan 24 '12 at 16:54
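
The sign-then-verify flow discussed in this answer, as an added example that is not code from the thread or from the linked MSDN samples. The class name `ConfigSignature`, the `LicensedSeats` setting and the throwaway key are constructed for illustration; the SHA-256 constants assume .NET Framework 4.6.2 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class ConfigSignature   // hypothetical helper name
{
    // Consultant-side tool: append an enveloped XMLDSIG signature over the whole document.
    public static void Sign(XmlDocument doc, RSA privateKey)
    {
        var signedXml = new SignedXml(doc) { SigningKey = privateKey };
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
        var reference = new Reference("") { DigestMethod = SignedXml.XmlDsigSHA256Url };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
    }

    // Application startup: verify only against the key compiled into the EXE.
    public static bool Verify(XmlDocument doc, RSA pinnedPublicKey)
    {
        XmlNodeList sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1) return false;               // unsigned, or ambiguous
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigs[0]);
        // Require exactly one reference and that it covers the whole document (URI "").
        if (signedXml.SignedInfo.References.Count != 1) return false;
        if (((Reference)signedXml.SignedInfo.References[0]).Uri != "") return false;
        // Pass the key explicitly: the parameterless overload trusts KeyInfo from the file.
        return signedXml.CheckSignature(pinnedPublicKey);
    }

    static void Main()
    {
        // Constructed demo key; the shipped application would hold the public half only.
        using (var key = new RSACryptoServiceProvider(2048))
        {
            var doc = new XmlDocument { PreserveWhitespace = true };
            doc.LoadXml("<configuration><appSettings><add key=\"LicensedSeats\" value=\"5\" /></appSettings></configuration>");
            Sign(doc, key);
            Console.WriteLine("untouched: " + Verify(doc, key));
            // Simulated edit made after signing.
            ((XmlElement)doc.SelectSingleNode("//add")).SetAttribute("value", "500");
            Console.WriteLine("tampered:  " + Verify(doc, key));
        }
    }
}
```

When the signed file is the application's own app.config, the `Signature` element also has to be declared so the configuration engine ignores it, as the comment above about `System.Configuration.IgnoreSectionHandler` describes.
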
0

You can encrypt sections of your configuration file with the aspnet_regiis command line utility. It uses the DPAPI by default (I believe) but it can also support other encryption algorithms. So you can use this to encrypt your connection string or app setting sections of your file (or any other sections).

David Hoerster
  • OK. I don't want it encrypted. I want it signed. DPAPI uses machine-/user-keys, which means that we can't sign it here and ship it to the customer. How might I use it without this limitation? – Roger Lipscombe Jan 24 '12 at 16:07
  • I'm not sure how you install the application, but since aspnet_regiis is a command line utility, you can just script its execution during install. The .NET Framework comes with two `ProtectedConfigurationProviders` - one for RSA, one for DPAPI. But you can implement your own, too, depending on your needs. http://msdn.microsoft.com/en-us/library/system.configuration.protectedconfigurationprovider.aspx Not sure if that's what you're looking for or not. – David Hoerster Jan 24 '12 at 16:15