Tuesday, August 23, 2011

Code Signing Certificate Explained In-Depth

Code signing is a mechanism by which publishers of software and active content use a certificate-based digital signature to prove their identity to the users of that code, so that users can decide whether to install it based on whether they trust the publisher. Code signing is often touted as a major security feature, but it is important to understand both what it does and what it does not do. In this article we look at how code signing works and where it fits into your organization’s security plan.

What is Code Signing?

It would be great if users could know, before they install software programs and active content (such as ActiveX controls), whether the code is trustworthy – but how do you determine that? One way is to verify the identity of its author or publisher. If it is distributed by a company you know and trust, you may want to allow it. If it is distributed by a company that is questionable or that you have never heard of – or worse, if it is distributed anonymously – you probably want to think twice before installing it.
Code signing tells you the origin of the code and stops an attacker from distributing software in someone else’s name (for example, putting a malicious program on a Web site for download and claiming it is a free tool from Microsoft). Besides identifying the publisher, the signature protects the code against tampering: if the code is changed after signing, the signature no longer verifies. Code signing therefore provides two security protections:

· Authentication of the author, publisher or distributor of the code
· Integrity of the code itself

Neither protection says anything about whether the code is safe to run; a valid signature from a publisher you do not trust is worth nothing, and a valid signature from a publisher you do trust still only tells you who wrote the code, not what it does.

How Code Signing Works

Code signing is based on a digital signature, which in turn is based on a digital certificate issued by a trusted third party (a certification authority, or CA) that has verified the identity of the software or content publisher. For example, Verisign and Thawte issue code signing digital IDs to software developers. When a developer enrolls for a digital ID, he is required to submit documentary proof of identity. A public/private key pair is generated when the certificate is requested. The private key stays on the requester’s computer and is never sent to the CA; only the public key is submitted to the CA with the certificate request. The private key must not be shared with anyone, because whoever holds it can sign code in the publisher’s name.

After the certificate is issued, the developer uses the private key associated with that public key to sign his code. The certificate travels with the signed code, so when users download it they receive a copy of the certificate identifying the author/publisher. The Web browser or operating system verifies the digital signature and checks that the certificate chains to a CA it trusts, and the user then knows that the code did indeed come from that particular developer.

Here is exactly what happens when a developer signs the code:

1. The code is put through a one-way hash function. This creates a “digest” of fixed length.
2. The digest is signed with the developer’s private key (for RSA this is commonly described as “encrypting” the digest with the private key).
3. The signed digest is combined with the developer’s certificate and an identifier of the hash algorithm used to create a signature block (for Microsoft Authenticode, a PKCS#7 SignedData structure).
4. The signature block is inserted into the portable executable (PE) file.

What happens at the other end (on the computer that downloads the signed code)? Here’s the process:

1. The certificate embedded in the signature block is examined: the verifier checks that it chains to a CA the system trusts, is within its validity period and is authorized for code signing, and takes the developer’s public key from it.
2. The signed digest is recovered from the signature with that public key.
3. The same hash algorithm that was used to create the digest is run on the code again, to create a second digest.
4. The second digest is compared to the original.

If the two digests match, you know that the signature was made with the private key matching the public key in the certificate, and that the code has not been changed since it was signed. Whether that key really belongs to the named publisher is only as good as the CA’s identity verification and the trust your system places in that CA, which is why a signature from a certificate that does not chain to a trusted root must be rejected even if the digests match.

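The signing and verification steps above, as an added example that is not part of the original article (Go, standard library only). It substitutes a self-signed certificate for the CA-issued one, keeps the signature block as a plain struct rather than a PKCS#7 structure inside a PE file, and uses constructed sample bytes in place of an executable; the publisher name “Example Software Ltd” is invented. Beyond the happy path it shows the two failures a verifier must catch: code modified after signing, and a signature from a publisher whose certificate does not chain to a trusted CA even though it claims the same company name.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedImage: code plus a simplified stand-in for Authenticode's PKCS#7 SignedData block.
type SignedImage struct {
	Code      []byte
	CertDER   []byte      // signer's certificate, carrying the public key
	HashAlg   crypto.Hash // which one-way hash produced the digest
	Signature []byte      // digest signed with the publisher's private key
}

// check aborts the demonstration on errors that only a broken setup can cause.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issueCodeSigningCert generates the publisher's key pair and a self-signed certificate
// with the Code Signing EKU (a real CA would sign it). The private key never leaves here.
func issueCodeSigningCert(publisher string) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: publisher, Organization: []string{publisher}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it is its own trust anchor here
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// signCode: (1) hash the code, (2) sign the digest with the private key,
// (3) assemble certificate + hash algorithm + signature, (4) attach it.
func signCode(code []byte, cert *x509.Certificate, key *rsa.PrivateKey) *SignedImage {
	digest := sha256.Sum256(code)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	check(err)
	return &SignedImage{Code: code, CertDER: cert.Raw, HashAlg: crypto.SHA256, Signature: sig}
}

// verifyCode: the public key comes from the embedded certificate, which counts only if it
// chains to a trusted root and may sign code; then the digest is recomputed and checked.
func verifyCode(img *SignedImage, trusted *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(img.CertDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("publisher certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || img.HashAlg != crypto.SHA256 { // never accept a weaker hash named by the block itself
		return "", fmt.Errorf("unsupported key type or hash algorithm")
	}
	digest := sha256.Sum256(img.Code)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], img.Signature); err != nil {
		return "", fmt.Errorf("signature invalid: code changed after signing or signed with another key")
	}
	return cert.Subject.CommonName, nil
}

// runScenarios verifies a constructed sample image three ways: signed by a trusted publisher,
// modified after signing, and signed by an unknown publisher using the same company name.
func runScenarios() (publisher string, tamperedErr, untrustedErr error) {
	code := []byte("MZ\x90\x00 constructed sample executable bytes")
	cert, key := issueCodeSigningCert("Example Software Ltd")
	trusted := x509.NewCertPool()
	trusted.AddCert(cert) // the user's machine trusts this publisher's CA
	signed := signCode(code, cert, key)
	publisher, err := verifyCode(signed, trusted)
	check(err) // the untouched image must verify
	tampered := &SignedImage{Code: append([]byte{}, code...), CertDER: signed.CertDER, HashAlg: signed.HashAlg, Signature: signed.Signature}
	tampered.Code[4] ^= 0x01 // flip one bit of the code after signing
	_, tamperedErr = verifyCode(tampered, trusted)
	rogueCert, rogueKey := issueCodeSigningCert("Example Software Ltd") // not in trusted pool
	_, untrustedErr = verifyCode(signCode(code, rogueCert, rogueKey), trusted)
	return
}
```

Call runScenarios from a main or a test; it returns the publisher name from the good signature and the two errors from the bad ones. Note the order of checks in verifyCode: the certificate is validated against the trust store and checked for the code signing usage before its public key is used for anything, and the hash algorithm named in the block is compared against an allowlist rather than trusted as-is, since an attacker controls every byte of that block.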
Certification authorities issue different classes of code signing certificates (for Microsoft and Android, for example), depending on whether the publisher is a commercial software company, an individual software developer or an end user. The certificate indicates whether it is commercial or individual. Commercial publishers must submit a Dun & Bradstreet number, Articles of Incorporation and similar documents, and sign a pledge not to distribute malicious code. They also pay considerably more ($400 for a commercial certificate from Verisign at the time of this writing). Individuals also have to sign the pledge and prove their identities, but the identity verification process is less stringent.
Source URL: http://www.windowsecurity.com/articles/Code-Signing.html
