Businesses have realized tremendous efficiency gains with the advent of cloud-based services and mobile computing, driving down operational costs and creating unprecedented growth opportunity. However, these technologies, along with the arrival of the “app store economy” and the deployment of intelligent connected devices, are increasing the proportion of business logic that resides and executes on insecure devices. Given this landscape, anyone developing code that will run in distributed locations needs to help ensure the integrity of the software as it runs in environments over which they have minimal control.
With this new reality in mind, Facebook announced in June that as of Oct.1 it will require application developers to move to a more secure hashing algorithm in support of digital signatures for their apps – using SHA-2 rather than SHA-1. SHA-2 is a newer, stronger hash algorithm that is far less prone to collision attacks than the 20-year-old SHA-1. Facebook production engineer Adam Gross describes this change as “part of a broader shift in how browsers and websites encrypt traffic to protect the contents of online communications.”
This is an important and needed change, but we must not forget the value of signing keys. Although they don’t encrypt data, like encryption keys do, signing key security is the backbone of code signing technology – an essential tool to verify the source of software, prove it has not been tampered with since it was published and verify the identity of the publisher. This latter point is particularly important, as today’s major operating systems all present warning dialogs to users prior to installing software, highlighting the lack of information about the publisher if the software is unsigned. Over time, user awareness of the risks of installing software from unknown or untrusted publishers has significantly increased, contributing to the likelihood of users abandoning the installation process on these grounds.
Securing signatures
By invoking cryptographic techniques, digital signatures surpass electronic versions of traditional signatures to dramatically increase security and transparency, both of which are critical in establishing trust and legal validity. However, merely requiring code to be signed does not ensure security.
Strong protection of the private signing key is a critical and fundamental element of increasing the assurance level of a code-signing process. If a code-signing key is lost, the recovery process to publishing any further software upgrades for existing smart devices can be hampered. If a key is stolen, or the signature is performed using a weak algorithm, an attacker may be able to sign a malicious upgrade that either steals sensitive data or renders potentially millions of devices inoperable.
As is the case with any technology based on public-key infrastructure, if the private key becomes known to anyone besides the authorized entity, that individual can create digital signatures that will be seen as “valid” when verified using the associated public key and will appear to come from the organization identified in the associated digital certificate. Private-key compromise was one of the cornerstones of the infamous Stuxnet attack five years ago.
Advanced persistent threats
Threat vectors have changed significantly in the last several years, exemplified in the rise in malware. Business applications running on host servers are increasingly vulnerable to advanced persistent threats, introduced through malware, as well as insider attacks and hacking.
APTs are so problematic because attackers can change application code or device firmware (that’s what makes them “advanced”) without being noticed (that’s what makes them “persistent”). The threats are significant and don’t necessarily involve just corporate data theft, but they extend to malware on critical national infrastructure such as a flight computer in a plane, smart grids or even traffic lights. This becomes an even greater concern in light of the rising number of devices that are now routinely updated over the Internet. From smartphones to TVs, game machines to routers and industrial control equipment, upgrades can be anything from a new operating system to a new application or application plug-in. The rise of the “app store” has further increased the range and number of applications that are downloaded over the Internet, with end users giving little thought to the author’s credentials. Against this backdrop, the potential impact of losing control of a code- signing key could be catastrophic.
APTs employ stolen private keys associated with valid digital certificates. This threat is putting many software-producing organizations, online service providers and enterprise IT organizations under pressure to increase the security assurance level of their code signing process as well as expand the scope of software being signed to include scripts, plug-ins, libraries and other tools. These requirements can be driven by multiple factors, but they all tie back to reducing the risk of malicious software alteration, and the potential for associated reputation damage and revenue loss.
Because it provides targeted access to high-value data, application code is a particularly attractive target for attackers. Even if your data is encrypted in your storage environment, it will eventually be used by – and potentially exposed at – an application, at the point of use. In addition, high-value applications are easy to identify – it is not hard for an attacker to work out that the billing system accesses account information for current, active users and could provide laser-like access to this valuable data.
The tricky thing here is to detect application-level attacks. They can be extremely hard to see because they are often capable of covering their own tracks, turning off detection mechanisms and faking audit log entries. From an organization’s perspective, the inability to detect attacks quickly can lead to long-term breaches and high volumes of data theft.
What makes signing keys so vulnerable
Understanding that lost or stolen code-signing keys present a real security problem is an important first step. However, there are a number of factors that can make them challenging to protect. One factor is that signing keys are typically held on developer workstations. Most developers are much more focused on writing code than on system security, and attackers are wise to that.
For medium to large software organizations, the need for centralized code-signing approval processes can be particularly challenging because the volume and distribution of software build stations warrants shared services and resources, which will therefore require a shared signing resource to accommodate signing requests from multiple platforms.
Additionally, most application security research focuses on the early stages of the app development life cycle – making sure that developers create secure code with no natural flaws, followed by code analysis, to ensure that the design process has remained secure. In the wake of the increase in malware-based attacks, we should be looking beyond code creation to guarantee secure code execution. How can we ensure that the app is not at risk of corruption or vulnerable to “eavesdropping” or modification by rogue applications?
Using hardware to protect software
A best practice for key management is to protect keys in a dedicated key management device called a hardware security module. HSMs provide a dedicated, certified environment used to protect private digital signing keys and to perform the code-signing operations. Three important strands of protection that HSMs offer to ensure that the process remains effective are as follows: Firstly, simplification of key backup and archival to ensure that the keys can never be lost; secondly, provision of independently certified life cycle protection against accidental or malicious key theft from generation all the way through to destruction; and finally, enforcement of customizable controls over code-signing procedures including dual control, multifactor authentication and other methods to protect against unauthorized use of the code-signing keys.
Hardware acts as a trust anchor in an untrustworthy environment, contributing significantly to an overall application security strategy. Additionally, some HSMs even offer the ability to execute security-sensitive application code within the safe confines of the HSM – allowing users to move that code off of traditional application servers and construct a new and stronger layer of defense for it.
It may seem anachronistic to use a hardware-based solution to protect against software and cloud-based vulnerabilities, but it’s important to remember that all virtualized workloads are deployed on a hardware platform, in a physical location at one point in time. It’s all very well that the content of the HSMs is safe and sound, but the applications that “talk” to the HSMs via APIs are clearly under increasing threat.
An example of this threat comes from Bitcoin. Signing Bitcoin transactions involves multiple stages. Even if the signatures are performed in an HSM, the temporary and transitory “secrets” that make up the signature can be exposed to attackers if they are processed on host servers before being passed on to the HSM.
Time to tighten security
To further augment the security of a code-signing system, organizations can use digital or electronic time-stamping technology. This provides an additional means to validate precisely when code was signed via an embedded trusted time stamp – creating an auditable pathway to a trusted source of time. This is integral to an organization’s ability to enforce nonrepudiation for electronic signing, to verify data and application integrity, and to ensure long-term auditability of electronic records. While software-only time-stamping solutions are vulnerable to threats such as computer clock tampering, high-assurance hardware-based time stamping appliances increase the trustworthiness of the solution, thereby increasing business confidence in its integrity.
As digital records become more easily verified and electronic time stamps become more accurate, organizations can also increase their level of automation, reducing the cost of processes that today rely on paper-based signatures and dates. But with that increased process automation, it is vital that we are able to trust the infrastructure that sits underneath those processes – and that’s a challenge as mobility and interconnectivity multiply at a remarkable rate.
New technologies have spawned new security threats, as attackers are always on the lookout for new “gaps” and vulnerabilities in new service and delivery models. As the types of possible threats grow, they become increasingly difficult to discover and manage, and their economic impact keeps rising. Just recently, we have seen a fresh wave of headlines regarding an attack, dubbed Duqu 2.0, against Russian security firm Kaspersky Lab using digital credentials stolen from Foxconn, one of the world’s top electronics makers.
As the world transitions to a digital universe, security requirements skyrocket in tandem with security threats. Creating trust in inherently untrusted environments is the issue that businesses face time and time again, as they navigate a world that is increasingly connected, distributed and virtualized. Private code-signing keys, digital certificates and code-signing processes are vital to an organization’s ability to safeguard their software from cybercriminals.
John Grimm is a senior director with Thales E-Security. He has over 25 years of experience in the information security field, starting as a systems and firmware engineer building secure cryptographic key distribution systems for government applications, and progressing through product management, solution development, and marketing leadership roles. He received his bachelor’s degree in electrical engineering from Worcester Polytechnic Institute in Worcester, Mass., and is a member of Tau Beta Pi, the engineering honor society.
Editor’s Note: In an attempt to broaden our interaction with our readers we have created this Reader Forum for those with something meaningful to say to the wireless industry. We want to keep this as open as possible, but we maintain some editorial control to keep it free of commercials or attacks. Please send along submissions for this section to our editors at: dmeyer@rcrwireless.com.