How Security Pros Can Stay Ahead in the Ever-Changing Digital World


How can we put our trust in inherently untrusted environments? This is the question that businesses repeatedly ask themselves as they navigate a digital world that is increasingly connected, distributed and virtualized.

The rise of cloud-based services and mobile computing has had an extraordinary impact on business efficiency, driving down operational costs and creating unprecedented growth opportunities. As we officially reach 1.5 billion apps on the market, we are clearly living in an ‘app store economy’, increasing the proportion of business logic executed on insecure devices. This has created a challenge for anyone developing code that will run in distributed locations, to ensure that the software they create has the ability and protection to run in an environment they have little control over.

In reaction to this increasing challenge, Facebook has announced that from October 2015 application developers will be required to move to a more secure type of hashing algorithm, SHA-2, in support of digital signatures for their apps. This change is a major development for application developers, so as they start introducing the SHA-2 algorithm, it is crucial they remember the importance of signing keys in their development process.

Why is Digital Signing so Important?

Signing key security is an essential part of code signing technology. Key signing proves the source of software, the identity of its publisher, and acts as evidence that it has not been tampered with since its publication.

A major difference between digital signatures and their non-electronic counterparts is that digital signatures go further: they invoke cryptographic techniques to increase security and transparency, which is essential to establish trust and legal validity. However, developers cannot rely on the fact that code is signed to ensure that it is secure.

Strong protection of the private signing key is an indispensable part of the code signing process. If a code signing key is lost, it could be impossible to publish any further upgrades, creating business disruptions and user dissatisfaction. Attackers can take advantage of a weak or stolen algorithm and maliciously sign an upgrade that either steals sensitive data or has the potential to render many devices inoperable. In addition, if someone other than the authorized individual discovers a private key, they can create digital signatures that appear valid when verified using the associated public key.
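The properties described above can be reproduced with the OpenSSL command line. This is an added example, not code from the article; the file names, the throwaway RSA key and the sample payloads are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway key and constructed payloads, all inside a temp directory.
set -u
WORK=$(mktemp -d)

# sign_file PRIVKEY FILE OUT: sign the SHA-256 digest of FILE with PRIVKEY.
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_sig PUBKEY SIG FILE: exit 0 only if SIG is a valid signature over FILE.
verify_sig() {
    openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# Publisher side: generate a key pair and sign a release.
setup_demo() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/publisher.key" 2>/dev/null
    openssl pkey -in "$WORK/publisher.key" -pubout -out "$WORK/publisher.pub"
    printf 'release 1.0 payload\n' > "$WORK/app.bin"
    sign_file "$WORK/publisher.key" "$WORK/app.bin" "$WORK/app.sig"
}

demo() {
    setup_demo
    pub="$WORK/publisher.pub"

    verify_sig "$pub" "$WORK/app.sig" "$WORK/app.bin" \
        && echo "genuine release: signature valid"

    # One byte changed after publication: the same signature no longer verifies.
    printf 'release 1.0 payl0ad\n' > "$WORK/tampered.bin"
    verify_sig "$pub" "$WORK/app.sig" "$WORK/tampered.bin" \
        || echo "tampered release: signature rejected"

    # A copy of the private key that has left the publisher's control signs
    # different content. Verification against the public key still succeeds,
    # because the check proves possession of the key, not who holds it.
    cp "$WORK/publisher.key" "$WORK/copied.key"
    printf 'unauthorized update\n' > "$WORK/update.bin"
    sign_file "$WORK/copied.key" "$WORK/update.bin" "$WORK/update.sig"
    verify_sig "$pub" "$WORK/update.sig" "$WORK/update.bin" \
        && echo "update signed with copied key: signature valid"
}

demo
```

The third case is why verification alone cannot compensate for a key that is stored where it can be copied.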

What has Changed in the Threat Landscape?

Rising levels of malware are making many business applications running on host servers increasingly vulnerable to advanced persistent threats (APTs). Security professionals must continue to consider the threats of malware alongside other threats such as hacking and insider attacks.

APTs are a significant issue for businesses. If an attacker is able to change application code without it being noticed, the threats can progress into far bigger problems. Malware can impact many technologies we rely on daily, such as traffic lights and smartphones. The extent to which malware can impact our lives has created unprecedented pressure on security professionals to increase the security assurance level of their software.

This is also combined with the need to expand the scope of software being signed to other tools such as scripts and plug-ins. Application code is extremely valuable for attackers as it can be a gateway to the most integral and prized data. Businesses need to remember that even if they encrypt all their data in their storage environment, at one point it will be exposed for use by an application.

How Can a Team Protect its Keys?

Signing keys can present an underappreciated challenge to overcome. Signing keys are often held on developer workstations, where the focus is development efficiency as opposed to system security. This convenience makes sense from an internal perspective, but attackers are aware of this and are now taking advantage of it. A centralized code signing process is a solution for this, but this can be considered a challenge for medium to large software organizations because often the volume and distribution of software build stations warrant shared services and resources. Consequently, for a centralized code signing solution to be successful, key management is essential.

For key management to be done effectively, a dedicated key management device, a Hardware Security Module (HSM), needs to be introduced. HSMs protect the process and ensure it remains effective in 3 ways:

  1. Simplifying the key backup process to prevent keys from getting lost
  2. Provision of independently certified life cycle protection against accidental or malicious key theft
  3. Control that can be customized according to each code signing process, which includes dual control and multifactor authentication against unauthorized use of the code signing keys.

In short, hardware has become the foundation of trust in a turbulent environment, and consequently acts as a pillar in a security team’s overall application security strategy.

Our society has placed trust in automation to make our daily lives more efficient, but our reliance on automation also means we are relying on the infrastructure that allows automation to happen. Threats have evolved in line with the new technologies that we are enjoying, creating weak points that attackers can take advantage of. Security teams need to embrace security measures such as code signing processes, private code signing keys and digital certificates to protect not only their company information but also their reputation.


About the Author

John Grimm has over 25 years of experience in the information security field, starting as a systems and firmware engineer building secure cryptographic key distribution systems for government applications, and progressing through product management, solution development, and marketing leadership roles. He received his bachelor's degree in electrical engineering from Worcester Polytechnic Institute in Worcester, Mass., and is a member of Tau Beta Pi, the engineering honor society.
