0

I have a need to verify the integrity of a settings file. The file is an xml document. I understand you can use readily-available functions as discussed in this stackoverflow post. I am having trouble understanding how to protect the signing key however. If I sign an xml file to act as an integrity check on it's contents the user can easily disassemble my executable and get the key and/or the way the key is generated. What methods are available for me to easily protect the key? Key containers seem to be one option but I don't see how they protect the key and/or the method used to generate said key.

Thank you!

Community
  • 1
  • 1
David W
  • 487
  • 2
  • 5
  • 12
  • We do protect config files this way at our company. We do this to make sure that nobody can eas change the config files. We do however sign the config files at another department and try to keep config files and write access to executables separate. If you don't do this all you can achieve is putting up a bit of a hurdle for the attacker to jump over. – Maarten Bodewes Jul 05 '12 at 17:17

1 Answers1

0

When you load the key into a container you can specify that it is non-exportable. This will help protect it, but you will still need to store the file somewhere anyway, in case, for example, you get a new computer.

By the way, I did mention that marking it as non-exportable will help protect it, not guarantee its protection. It is still possible to extract a non-exportable key.

The only sure-fire method is to also ensure nobody has physical access to the computer. Physical access means you can do anything.

What this means in your case is the private key must be in a secure place as it is your digital signature. The public key to verify the signature is loaded into your program. It doesn't matter if your code is decompiled and the public key is extracted, as all it can be used for is to verify something was signed by your private key.

If somebody is going to the trouble to decompile your code to circumvent verification of the settings file, they will just change your code to skip the verification.

Michael
  • 8,891
  • 3
  • 29
  • 42
  • Yes, that's what I was thinking. My problem is I will be signing the configuration file when it's used. So if a user decides to add some setting he didn't have before, the program re-signs the file. I understand that you can't prevent them from doing that. It doesn't really open an attack vector, I just want to make sure the user is loading the settings he's expecting. – David W Jul 05 '12 at 23:43
  • So in that case why not hash the file rather than signing it? – Michael Jul 06 '12 at 00:31
  • Signing just seemed logical. I suppose I could store a hash of the file in a setting. It would be just as effective. I guess I just went to signing automatically after I somehow convinced myself hashing wasn't good enough. – David W Jul 06 '12 at 01:11