What is Code Signing?
Just as you want to be certain when you log into your bank account that you’ve given your password to the bank and not a man-in-the-middle attack, it’s best to be sure that the programs and updates you download are safe to install. To do that, we use the same public key infrastructure (PKI) used in HTTPS. When it’s used to verify a program, though, it’s called code signing.
Code signing is a method of putting a digital signature on a program, file, software update, or executable, to verify its authenticity and integrity. Like the wax seal of old, it guarantees to the recipient who the author is, and that it hasn’t been opened and tampered with. Developers, programmers, and software engineers use code signing to prove, for instance, that your Windows 10 update actually came from Microsoft, and not a hacker who’s trying to invade your computer.
If you’ve ever seen that little popup that comes up when you try to run a program you’ve downloaded, the one that lists who the publisher is and asks “Are you sure you want to run this?” then you’ve seen code signing in action. That dialogue box is telling you that it really is a software patch for your Mac OS from Apple Inc., and that it’s still in the same condition it was when they signed it.
How Does Code Signing Work?
To understand how code signing is done, there are a couple terms you need to know.
Public Key Encryption
Encryption is any time encode a message to protect it from unwanted viewers. Usually this is done by passing it through a mathematical function (called a “key”) to change values, and decoding the message depends on having the key that returns the values back to their original state, allowing the message to be read.
In public key encryption (or asymmetric encryption), the key that encodes the message and the one that decodes it are different (hence asymmetrical). It’s called public key, because one key is made widely available (the “public key”) while the other is kept private (the “private key”) to ensure the security of the message. This kind of encryption relies on private keys being kept safe and away from those who would intercept or adulterate messages.
Whether the public key is used to encode or decode the message depends on the nature of the transmission. If you want everyone reading it, but you don’t want anyone tampering with the message, you encode with the private and decode with the public key. If you want everyone to be able to send a message, but don’t want them intercepted by the wrong person, you encode with the public, but decode with the private key.
Hash functions are a method of cryptography that isn’t designed to be reversible. Rather than encoding with a key and using a key to decode, hash functions are meant to be one-way, using a mathematical function which changes the values in a way that can’t be undone. The most common analogy is that of mixing paint. For example, you can mix blue (the original values) with yellow (the hash function) to get green (the new values), and you’ll get green every time you mix them, but there’s no way to separate the two colors and recover the blue.
Hash functions are used whenever you need a set value, and don’t need to read the information a second time. Login passwords are the most common example: websites often hash them for storage, so that if there’s ever a breach, all the hacker has stolen is a bunch of gibberish values. Meanwhile, when you log into the website, it hashes your password again and compares it to the stored hash value. If what you entered matches what they have on file, they let you in. They don’t need to read the password, they just need the value.
Code Signing Certificates
Now back to code signing. When a developer is ready to “sign” their work to prove its authorship and such, they take all the code they wrote, and they hash it. The value that spits out is then encoded using a private key (usually obtained from a trustworthy Certificate Authority), along with a message proving who encoded it (proving the authorship). It’s then added to the software to be shipped out. This constitutes a code signing certificate.
When a user downloads the software, they use the public key to first verify the identity of the developer by reading the message in the certificate. Once the authorship is verified, the public key is used to decode the hash. Then, the software is hashed again, and the new value is compared to the decoded one. If the user’s hash value and the developer’s hash value match, then the software hasn’t been corrupted or tampered with during transmission. The user is then alerted that the software is as the developer last left it, and (if the developer is to be trusted) it’s safe to install.
Where is Code Signing Used?
Code signing is used any place a developer wants a user to be sure of the source of a piece of software. This includes:
• Windows applications and software patches
• Apple software
• Microsoft Office VBA objects and macros
• .jar files
• .air or .airi files
• Essentially any executable
Be aware that, because of the distributed nature of Linux development, code signing is often not used for Linux-based software, meaning that software will come unsigned, and your computer will (if it gives any notice) will tell you it’s from an “unknown developer,” or something along those lines.
What Are Its Strengths?
Code signing does a couple of very important things. It ensures the identity of the developer (the authorship), meaning a random hacker can’t pass off some malware as being a software patch from Microsoft or Apple. It also double-checks the software to ensure that it hasn’t degraded, become corrupted, or been tampered with. Comparing the user-generated hash against the developer-generated value ensures that the code looks the same now as it did when the certificate was signed.
If a developer is using a private key it acquired from a certificate authority (CA), then code signing also extends the trust of the CA to the developer, meaning a relatively unknown software company can still be reasonably trusted by the public.
What Are Its Weaknesses?
The biggest downsides to code signing come when the system isn’t used properly. First, certificates are only good if the private key (the one used to encode the certificate) are kept safe. If unscrupulous individuals gain access to the private key, they can potentially encode their own messages and software as if they were the developer, and the public key will verify the identity, with leaves the user with no way of guaranteeing it was really from the developer. To this end, these keys are usually stored in Hardware Security Modules (HSM).
Second, any hacker or developer with malicious intent can obtain a private key from a CA, if they really want to. What deters most of them is that they have to register with the CA to obtain one, which makes the crime easier to pin on them if they distribute malicious code. Potentially, though, a developer with a valid certificate could distribute harmful code to the public.
Lastly, code signing is really only as good as a user’s judgement. If a user is willing to accept and install software of unverified integrity or identity, code signing is useless. Like the warning label on a bottle of bleach, it’s only effective if the user heeds the cautions listed there.
All-in-all, though, when used properly, code signing is an effective security measure that protects users from malicious software and code.
For more information on code signing and how to keep your systems safe from hackers, check out our risk assessment tool or contact Venafi today.