Red Gate forums :: View topic - Merging vs Embedding: which one is more secure ?
SmartAssembly 5 forum

clement_911
Posted: Wed Dec 22, 2010 10:01 am

Hi.

I'm building a Silverlight app and evaluating SmartAssembly.

I was wondering what the recommended method is to maximize security between Merging and Embedding?

Also, why is it not possible to do both?

Is there a way to obfuscate all non-public members of a dependency? Therefore all assemblies would be obfuscated without the need to merge.

Thanks

clement_911
Posted: Wed Dec 22, 2010 10:05 am

A couple of extra things.

I tried the Embedding functionality with encryption + compression and the resulting XAP actually got bigger!?

Also, I'm assuming the decryption key is stored somewhere, so I'm wondering how secure the encryption is.

The product looks great so far though....

Cheers.

ShortAngry
Posted: Thu Dec 23, 2010 11:06 am

Did you check out the following couple of links?

http://www.red-gate.com/supportcenter/Content?p=SmartAssembly&c=SmartAssembly/help/5.5/SA_MergingDependencies.htm&toc=SmartAssembly/help/5.5/toc121047.htm

http://www.red-gate.com/supportcenter/Content?p=SmartAssembly&c=SmartAssembly/help/5.5/SA_EmbeddingDependencies.htm&toc=SmartAssembly/help/5.5/toc121047.htm

They give a bit more information about these functions. As for using it with Silverlight, it can be a bit of a pain. If in doubt, you should get in touch with support@red-gate directly.

clement_911
Posted: Thu Dec 23, 2010 11:52 am

Yes, I did check those, but they do not answer my questions above.

Brian Donahue
Posted: Thu Dec 23, 2010 2:36 pm

Why is it not possible to do both merging and embedding? These are two different approaches to doing the same thing, which is to prevent you from having to ship the dependent DLLs. Doing both would not make sense.

The XAP could be bigger as a result because, to work around one of the strange issues in Silverlight, an additional manifest has to be added to the XAP. And if I'm not mistaken, the BAML resources are already compressed before SA gets hold of them?

I don't think the encryption key for strings and resources is stored in the assembly. Even if it was, I don't believe I would tell you where it is. :)

clement_911
Posted: Thu Dec 23, 2010 9:16 pm

I'm thinking 2 protections would be stronger than 1.
I see, so compression does not make so much sense in the case of Silverlight, where XAPs are already zip files.

Brian Donahue
Posted: Fri Dec 24, 2010 10:30 am

Merging and embedding aren't protecting features really, unless you count merging and obfuscating, or embedding and encryption, which protect code in combination.

I had a bit of a discussion round the office and have discovered there is one circumstance where you would want to merge and embed, and that has to do with assemblies that provide interfaces for remoting, because remoting will still try to bind the assembly even if it's been merged. Sorry, I find this difficult to explain. But there may be a genuine use case for it.

All times are GMT + 1 Hour