Cracking the code to build trust in business applications
John Grimm, Senior Director, Thales e-Security
Establishing trust in an increasingly connected and virtualised world is something businesses strive to achieve as they increasingly depend on digital services to complete daily tasks. Cloud-based platforms and mobile computing have certainly proven popular with businesses in improving efficiency and driving down operational costs. However, the more these technologies are used, along with the arrival of the ‘app store economy’, the more business logic resides and is executed on insecure devices. This has created a challenge for anyone developing code that will run in distributed locations as they need to ensure that their software has the ability and proper protections to run in environments which they can have little control over.
In light of this challenge, Facebook announced that from October 2015, application developers will be required to move from SHA-1 to a more secure type of hashing algorithm, SHA-2, in support of digital signatures for their apps. This is definitely the right move, especially when SHA-1 has been considered too weak for proper security measures for a while, and thus makes computers vulnerable to potential hash collision attacks. But as application developers move in this direction, it is important that they do not lose sight of, or overlook the value of, signing keys when developing code.
Read the signs
Although signing keys don’t encrypt data (like encryption keys do), signing key security is the backbone of code signing technology. It is an essential tool to verify the source of software and is essential in providing proof that it has not been intercepted or altered since its publication.
Digital signatures go beyond electronic versions of traditional signatures by invoking cryptographic techniques to dramatically increase security and transparency. However, simply requiring code to be signed does not ensure security. An essential element of increasing the assurance level of a code signing process is strong protection of the private signing key. If a code signing key is lost or stolen, an attacker may be able to sign a malicious upgrade that either steals valuable and sensitive information or renders numerous devices inoperable. Furthermore, if a private key becomes known to anyone besides the authorised individual, they will be able to create digital signatures that will be seen as ‘valid’ when verified using the associated public key. It will even appear to come from the organisation identified in the associated digital certificate.
Navigating through the threat landscape
Today, businesses are faced with navigating their way through an ever more challenging threat landscape as the levels of malware continue to rise and the types of attack evolve. Business applications running on host servers are increasingly vulnerable to advanced persistent threats (APTs), introduced through malware, as well as insider attacks and hacking.
APTs are an issue for businesses as attackers can change application code or device firmware while acting in a way so as to avoid timely detection. The threats are significant and don’t necessarily involve just corporate data theft, but extend to malware on critical national infrastructure such as a flight computer in a plane, smart grids or even traffic lights. This makes the loss of a code signing key potentially catastrophic.
Such threats are putting more pressure on security professionals to increase the security assurance level of their code signing practices. Application code is an appealing target for attackers, as it opens the doors to a company’s high value data. Given that application-level attacks can be extremely hard to detect, organisations are at risk of finding themselves in the grip of long-term breaches and high volumes of data theft.
Overcoming the challenges
Despite the acknowledged threat of lost or stolen code signing keys, businesses have to deal with a number of factors that can make them challenging to protect.
The first is that signing keys are typically held on developer workstations, where developers optimize their environment for code writing and not system security. However, this is risky practise with attackers at large.
In addition, the need for centralised code signing approval processes can be challenging for large software organisations, where the volume and distribution of software build stations requires shared resources.
The solution to these key management headaches is to protect keys in a dedicated key management device called a Hardware Security Module (HSM). As well as providing a dedicated, certified environment to protect private digital signing keys, HSMs perform the code signing operations and provide three aspects of protection to ensure that the process remains effective:
- Simplification of the key backup to ensure the keys don’t get lost
- Provision of independently certified life cycle protection against accidental or malicious key theft
- Customisable controls over code signing procedures including dual control and multifactor authentication against unauthorised use of the code signing keys.
Although hardware-based security may sound like an odd choice to solving software and cloud-based vulnerabilities, it’s important to remember that all virtualised workloads are deployed on a hardware platform at one point in time. Dedicated hardware protection is a time honoured best practice.
Security threats are evolving in line with new technologies and this is leaving us open to ‘gaps’ or vulnerabilities that you can be sure attackers will be quick to exploit. It has never been so important for us to be able to trust the infrastructure that supports our reliance on automation. Code signing processes, private code signing keys, and digital certificates are of critical importance in a digital world. Organisations need to protect their systems and the people that implement and control them in order to not only guard their software, but also their brand reputation.
