Re: COM Interface Security
From: Klaus H. Probst (usenet001_at_simulplex.net)
Date: 01/19/05
- In reply to: Joseph Geretz: "COM Interface Security"
Date: Tue, 18 Jan 2005 23:56:23 -0700
Joseph,

Are you using COM+? If you are, you can set the call authentication level
for calls to the COM+ application to "packet privacy" and that will encrypt
the wire protocol used by the marshaler.

If you're not using COM+ and the call is local (i.e., not over RPC or a pipe)
then I don't think you need to worry about interception very much - I'd
worry about spoofing instead. Since your interface is public and the progid
is well-known, it's probably not difficult to create a stub that looks like
your encryption DLL and offer it up to the client making the call.

I've never seen something that intercepts straight COM calls, but I assume
it's possible given that the PSDK ships (or used to) with an app that will
hook standard API calls (depends.exe does something similar). It's probably
not trivial, but I doubt it's impossible.

--
Klaus H. Probst, MVP
http://www.simulplex.net/

"Joseph Geretz" <jgeretz@nospam.com> wrote in message
news:u%23u4PiZ$EHA.3372@TK2MSFTNGP10.phx.gbl...
> How easy or difficult is it to intercept data values passing between a
> client and server via a public COM interface? I've built an encryption
> component (using the VB Blowfish sample) as a public class in our utility
> library. As with all encryption, the secrecy of the key must be protected.
> The key is generated dynamically at run time via an internal algorithm. It
> would take reverse assembly to discover the key. I'm not worried about
> reverse assembly. If someone can reverse-assemble our code then the game is
> over in any case.
>
> I am wondering though about how we submit our private key when we first
> instantiate and initialize the cryptor class. (Anyone can instantiate this
> class, but unless they know the key, they won't be able to decrypt our
> protected ciphertext.) Can information passing through a COM interface be
> easily intercepted or would it take a skill at the level of reverse-assembly
> in order to do this?
>
> Thanks for your advice.
>
> Joseph Geretz
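
A defender-side check for the two points raised in the reply above, added here as an example that is not part of the original thread: it lists COM+ applications whose call authentication level is below packet privacy, and shows which DLL a ProgID actually resolves to so a spoofed registration stands out. The ProgID `Contoso.Cryptor` and both function names are hypothetical; the script assumes an in-process (DLL) server and Windows PowerShell run with rights to read the COM+ catalog.

```powershell
# Added example; 'Contoso.Cryptor' and the function names are hypothetical.
$PacketPrivacy = 6   # COMAdminAuthenticationPrivacy, shown as "Packet Privacy"

function Get-WeakComPlusApplication {
    # COM+ applications whose call authentication level does not encrypt
    # marshaled calls (0 means "default", so it is reported as well).
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()
    foreach ($app in $apps) {
        $level = [int]$app.Value('Authentication')
        if ($level -lt $PacketPrivacy) {
            [pscustomobject]@{ Application = $app.Name; AuthenticationLevel = $level }
        }
    }
}

function Get-ComServerBinding {
    param([Parameter(Mandatory)][string]$ProgId)
    # HKEY_CLASSES_ROOT is the merged view of the per-machine and per-user
    # class registrations, so this is what a client in this session will load.
    $root  = 'Registry::HKEY_CLASSES_ROOT'
    $clsid = (Get-ItemProperty -LiteralPath "$root\$ProgId\CLSID").'(default)'
    $raw   = (Get-ItemProperty -LiteralPath "$root\CLSID\$clsid\InprocServer32").'(default)'
    $path  = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
    $sig   = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        ProgId          = $ProgId
        Clsid           = $clsid
        ServerPath      = $path
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        # A per-user key shadows the machine-wide registration without
        # needing administrator rights, so flag its presence.
        PerUserOverride = Test-Path -LiteralPath "HKCU:\Software\Classes\CLSID\$clsid"
    }
}

Get-WeakComPlusApplication
Get-ComServerBinding -ProgId 'Contoso.Cryptor'
```

Compare `ServerPath` and `Signer` against the values expected for the deployed component; a per-user override or an unexpected path is worth investigating before the client passes a key to the object.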