CA-Issued Certificates: Grade A Value for Today’s Publishers
November 12, 2013
SOURCE: CA Security Council
We all want to have some idea of where the food comes from that we put into our body. Whether we shop at a local farmer’s market or a large chain store, we choose our food because we trust those who are providing it. And now, with digital information ranking so high on our list of assets to protect, the thought of trusting an obscure website with our credit card details seems as unthinkable as picking up a piece of gum we find on the street and popping it into our mouth. Fortunately, the Internet has developed a system of security that is analogous to FDA food inspections – digital code signing.
The Basics of Code Signing
Because software code – like the applications we use every day – makes changes to our computers, it’s important to know where the code is coming from. After all, as we constantly see on the news, malicious code can cause a tremendous amount of damage, from stealing financial information to physically disabling machines. To overcome this risk, software providers can digitally sign their product to certify that it is safe. Most software installations on today’s operating systems require a certificate before installation can take place.
Publishers can choose to sign their own certificates. But to the user, this is the equivalent of a man selling meat pies on the street promising that they are real beef – we have no one’s word to take but his. A far better approach is to rely on a certificate authority (CA), a third party that signs the code in conjunction with the publisher to further certify that it is safe.
To obtain a certificate from a CA, the publisher creates a pair of cryptographic keys, known as a public-private key pair; the public key becomes part of the certificate, while the private key stays with the publisher. The publisher provides the public key to the CA, which verifies the publisher’s identity. The CA then signs the certificate, binding the publisher’s identity to that public key. The publisher then signs its code with the private key, and the software is ready for distribution.
Creating Peace of Mind for the User
When a user installs a new program or piece of code, the system attempts to verify the authenticity of the certificate provided in the software. This involves comparing the public key in the code bundle with the signature information, and verifying that the certificate was issued by a trusted CA. If it can verify that the certificate is valid, the installation can continue.
If there is a discrepancy, however, the user is provided with a warning or the code is rejected outright, depending on the specifics of the security. The warning, typically a pop-up dialog box, will give the user the name of the file and the publisher, and the user can then decide whether or not to proceed. They will make that decision based on factors such as whether they are actually intending to install new software or code, and whether they recognize the name of the publisher.
Certificates issued by a publicly trusted CA provide an additional layer of security in that they can be revoked should a certificate be compromised. Certificates can also be set to expire; in this case, a procedure called time-stamping keeps the publisher from having to obtain a new certificate, re-sign released software and disturb the user. A signature that carries a trusted timestamp remains valid after the certificate expires, provided the certificate was valid at the time the code was signed.
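As an added illustration of the issuance and verification steps described above (example code, not from the original article or from the CASC): the Go program below models the CA issuing a code-signing certificate, the publisher signing a code bundle with the matching private key, and the installer checking that the certificate chains to a trusted root, is valid for code signing and matches the signature. The verification-time parameter stands in for a trusted timestamp; the CA name, publisher name, Ed25519 keys and validity dates are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var notBefore = time.Date(2013, 1, 1, 0, 0, 0, 0, time.UTC) // constructed validity window
var notAfter = notBefore.AddDate(1, 0, 0)                    // for the publisher's certificate
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue is the CA side: a self-signed root, then a code-signing certificate binding the publisher's
// name to the publisher's public key, signed with the CA's private key (names are constructed).
func issue() (*x509.CertPool, *x509.Certificate, ed25519.PrivateKey) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	pubPub, pubPriv, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caPriv)
	must(err)
	caCert, _ := x509.ParseCertificate(caDER) // freshly created DER; parse cannot fail
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Publisher Inc."},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, pubPub, caPriv)
	must(err)
	leaf, _ := x509.ParseCertificate(leafDER)
	roots := x509.NewCertPool() // the installer's set of trusted CAs
	roots.AddCert(caCert)
	return roots, leaf, pubPriv
}

// signCode is the publisher side: sign the code bundle with the private key behind the certificate.
func signCode(code []byte, key ed25519.PrivateKey) []byte { return ed25519.Sign(key, code) }

// verifyCode is the installer side: the certificate must chain to a trusted root and be valid for
// code signing at `at` (the trusted timestamp, or the current time when there is none), and the
// signature must match the code. Any discrepancy yields false.
func verifyCode(code, sig []byte, leaf *x509.Certificate, roots *x509.CertPool, at time.Time) bool {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return false
	}
	pub, ok := leaf.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, code, sig)
}
```

Verifying at the signing time (the timestamp) succeeds even though the same check at a date past the certificate's expiry fails, which is the behaviour time-stamping preserves for released software.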
Best Practices for Code Signing
Just as there are occasional incidents of improper oversight in our food supply, the certificate issuance process is not foolproof. But it is far more effective than simply trusting our computers and private information to an unknown software publisher. Publishers who choose to utilize a CA show a higher level of trustworthiness and a greater degree of commitment to their customers. It’s important, therefore, for publishers to protect their certificates and the associated keys. The following best practices will help you ensure that you provide signatures that the installer can trust.
- Utilize hardware that provides cryptographic protection for keys. A good industry standard to follow is to use FIPS 140 Level 2-certified products or better. This hardware ensures that cryptographic keys cannot be exported to software that is at risk of attack.
- Take advantage of time-stamping for your certificates. This gives you greater control, allowing you to revoke the certificate in case of a security issue, and set expiration dates.
- When releasing test versions of products, use completely different certificates than those that will be used with publicly released products.
- Carefully track all code signing activities, creating documentation that can be used to respond to security incidents and for internal auditing activities. Also, implement strong authentication processes for all code that is submitted for signature.
- Because code signing verifies that the code is from the stated publisher, and not that the code itself is free of security issues, you should protect all code as you would an individual system. Use antivirus software to ensure the validity of all code, and exercise caution if your product incorporates code from outside sources.
- Use multiple certificates for your products. This approach distributes risk in case of the compromise of any one certificate. The compromised certificate can be revoked and a new one issued in its place. Also ensure that keys and certificates are changed regularly to further reduce security risks.
Security is top of mind for today’s consumers and businesses, especially when they are installing new software or other executables on their systems. Certificates issued by trusted CAs help reassure users that they can trust the publisher, and that their system will remain safe. Take advantage of certificate authorities, the publicly trusted entities that help verify the authenticity of your products. By working with CAs and doing your part to protect your keys and certificates, your customers will come to trust your products – until they are as trusted as a dinner cooked by their mother.
Bruce Morton is on the steering committee of the Certificate Authority Security Council (CASC), an advocacy group of global certificate authorities committed to best practices that advance trusted SSL deployment and CA operations as well as the security of the Internet in general.