Securing Application Deployment with Obfuscation and Code Signing: How to Create 3 Layers of Protection for .NET Release Build

Booklet for developers and security professionals on how to implement code obfuscation, .NET strong name signing, and Authenticode code signing in order to protect applications deployment. The guide contains detailed description of different code signing implementation options from basic software to sophisticated hardware solution.

Topics include: reasons to implement code obfuscation and signing, obfuscation and strong name signing dependencies, description of Authenticode signing process, singing certificates and certificate authorities, signing certificate private key storage: hardware vs. software, three ways to implement code signing, and more (Article: ~4,460 words).

Table of Contents includes:

1. Introduction
   Several Reasons to Implement Code Obfuscation and Signing
   Additional Benefits of Strong Name Signing
   Additional Benefits of Authenticode Signing
2. Code Obfuscation and Strong Name Signing
   Code Obfuscation Tools
   Obfuscation Project and Strong Name Signing
   Obfuscation and Strong Name Signing from Command Line
3. Authenticode Code Signing
   Code Signing
   Digital Signatures
   How Code Signing Works
   Authenticode
   Code Signing Certificate
   X.509 Standard
   Obtaining Code Signing Certificate
   Signing Certificate Pricing
   Code Signing Certificate Storage: Hardware vs. Software
   Time Stamping
   Certificate Validity (Expiration Date)
4. Implementing Authenticode Signing
   Code Signing Process à la Microsoft
   Code Signing Implementation Options: Advantages, Disadvantages, Costs
   Option 1: "Full Hardware"
   Option 2: "Basic Software"
   Option 3: "Combined Software/Hardware"
5. Tips on Implementing "Combined Software/Hardware" Option
   Requirements to Signing Application
6. Tips on Implementing "Basic Software" Option
   Installing Code Signing Certificate on Signing Server
   SignTool
   Installing SignTool
   Using SignTool
7. Testing
   Testing Obfuscation
   Testing Strong Name Signatures
   Testing Authenticode Signatures
8. Resources
   Tools and Products
   Authenticode Certificates Offered by Public Certificate Authorities
   Online Authenticode Timestamping Services
   Standards
   Articles
   Books
   About the Author

Slava Gomzin, CISSP, ECSP, Security+ has more than 15 years of professional experience in software development and application security. He is Security Architect at Retalix USA.

Dettagli