Method-level Protection
When you select a .NET assembly for protection, Sentinel LDK Envelope automatically determines the Protection type that will provide the best protection for your program, depending on whether you are protecting an executable or a DLL. The Protection type determines the methods that are available for individual protection.
NOTE It is recommended that you do not change the automatic Protection type settings.
This section describes how you select individual methods and the behavior of different method types, in addition to the parameters you can select for the methods.
Selecting .NET Methods for Protection
The .NET assembly is displayed in the Protection Details screen, in the Methods selected for protection list. The list displays class constructors and methods, in a tree layout that mimics the structure of the .NET assembly.
Items in the list are identified by icons that indicate the method type, and by the class or method name. Method signatures are displayed as a tool tips.
When the check box to the left of a method is selected, that method is selected for Sentinel LDK Envelope protection.
NOTE
>Selecting or clearing the check box of a higher-level item does not affect nested items. For example, if you clear the check box of a class constructor, methods nested under it remain selected.
>When a method name is grayed-out, it cannot be selected for protection.
>If the Protection type is Only Windows shell, you cannot protect individual methods in that .NET assembly.
>An assembly cannot be protected when the check boxes for all items in the list have been cleared.
Method-specific Features and Parameters in .NET Assemblies
You can use Sentinel LDK Envelope to define separate Feature IDs for individual methods in your .NET assembly. This enables you to:
>Make use of the separate encryption key inherent in each Feature to provide enhanced security for individual methods
>Determine how often the protected application logs into an individual method
At run-time, the protected application searches for all relevant Feature IDs in the Sentinel protection key.
You can determine how often the protected application logs into each Feature ID in the Sentinel protection key and performs decryption using that Feature ID by specifying the Frequency for specific methods.
NOTE
>You can only specify the Feature ID and Frequency for methods that have been selected for protection.
>If the Protection type is Only Win32 shell or Only Windows x64 shell, you cannot specify a Feature ID or Frequency for individual methods.
>You can select multiple methods and specify the same Feature ID and Frequency for all selected items.
The available Frequency options are described in the following table:
Frequency Type | Description |
---|---|
Once per program (Default) | A check is performed the first time a method using the Feature ID indicated for that method is called, regardless of the number of methods that share the same Feature ID across the program. |
Once per class instance |
A check is performed when the method is run, once for each Feature ID within the same class. If the same Feature ID is also assigned to the class constructor, the check is performed the first time the .ctor method is run. If the same Feature ID is used in other classes, the check is performed separately for each class. NOTE The Once per class instance frequency is available only for Instance methods. |
Every time | A check is performed every time the method is called. |
Recommendations:
>Use the Once per Application default setting. The Once per Instance and Every time settings may slow the performance of your program.
>If an execution-based license is being defined, use the Every time setting only for the method that determines licensing, as the counter is decremented every time the method is called.
If you choose to assign separate Feature IDs for individual methods, you must ensure that your application code can only call the Feature IDs for those methods for which a valid license has been installed in a Sentinel protection key.
If methods that do not have a valid license in a Sentinel protection key are called, it will cause Sentinel LDK Envelope to generate an error loop that can only be stopped by installing a valid license.
An API is provided as part of the Sentinel LDK installation that enables you to ensure that the error loop does not occur. The .NET Envelope Runtime API is located in:
%ProgramFiles(x86)%\Thales\Sentinel LDK\Samples\
Envelope\EnvelopeRuntime.NET
For information on using this API, see .NET_Envelope_Runtime_API.html in the above location.