C# Friend Libraries Security

Hey,

I was researching Friend Libraries as part of a Library Security project for college.
I noticed that one would have to specify the public key when trying to Friend a Strong Named library.
I tested it and all of it worked fine. I tried swapping the DLL into a different project with a similar name; there also it seemed to work as expected, i.e. it fails to expose internal methods to the malicious project.

But what I would like to understand is the inner functionality of how libraries validate the identity of the application or project referring to it. Is it checking for hashes of the application to find it, or how is it approaching this issue?

I would also like to learn the level of security this approach offers. If someone were to change the public key mentioned in the library by decompiling it and building it again, will the attacker be able to call functions from a malicious project?

Thanks & Regards,
Karthik Hebbar

These forums are dedicated to .NET Foundation issues and not .NET library / runtime / framework issues.

You’ll find better help at stackoverflow.com.

That being said, strong naming is not a security feature, so there’s no attack. Strong naming an assembly gives it a strong name that includes the public key. If the public key changes, then the name changes and it’s no longer the same assembly name.
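
An added illustration of the point in the reply above (not part of the original thread, and not the compiler's or runtime's actual code): a simplified C# model that treats friend matching as a comparison of simple name plus full public key, and derives the public key token from the key. The assembly names and key bytes are constructed samples, and `IsFriend` and `Token` are hypothetical helper names.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

static class FriendCheck
{
    // Public key token: the last 8 bytes of SHA-1(public key), in reverse order.
    public static string Token(byte[] publicKey)
    {
        using var sha1 = SHA1.Create();
        byte[] hash = sha1.ComputeHash(publicKey);
        byte[] token = hash.Skip(hash.Length - 8).Reverse().ToArray();
        return Convert.ToHexString(token).ToLowerInvariant();
    }

    // Simplified model (an assumption, not the real implementation): the caller is a
    // friend only if its simple name and its full public key both equal the values
    // written in the InternalsVisibleTo declaration. No hash of the caller's code is used.
    public static bool IsFriend(string declaration, string callerName, byte[] callerKey)
    {
        string[] parts = declaration.Split(',', StringSplitOptions.TrimEntries);
        string declaredName = parts[0];
        string declaredKey = parts.Skip(1)
            .Where(p => p.StartsWith("PublicKey=", StringComparison.OrdinalIgnoreCase))
            .Select(p => p.Substring("PublicKey=".Length))
            .FirstOrDefault() ?? "";
        return string.Equals(declaredName, callerName, StringComparison.OrdinalIgnoreCase)
            && string.Equals(declaredKey, Convert.ToHexString(callerKey),
                             StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        // Constructed sample keys; real strong-name public key blobs are far longer.
        byte[] ownerKey = { 0x00, 0x24, 0x00, 0x00, 0x04, 0x80, 0xAA, 0x01 };
        byte[] otherKey = { 0x00, 0x24, 0x00, 0x00, 0x04, 0x80, 0xBB, 0x02 };
        string declaration = "Contoso.Tests, PublicKey=" + Convert.ToHexString(ownerKey);

        Console.WriteLine(IsFriend(declaration, "Contoso.Tests", ownerKey)); // same name, same key
        Console.WriteLine(IsFriend(declaration, "Contoso.Tests", otherKey)); // same name, different key
        Console.WriteLine(IsFriend(declaration, "Other.Tests", ownerKey));   // different name, same key
        // A different key also yields a different token, hence a different strong name.
        Console.WriteLine($"{Token(ownerKey)} vs {Token(otherKey)}");
    }
}
```

For real assemblies, `AssemblyName.GetAssemblyName(path).GetPublicKey()` returns the key bytes to pass in place of the sample arrays.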
