Best Practices for Building Trust in Cyberspace

In an increasingly hostile and volatile cyber landscape, trust is a vital yet sometimes elusive component of business. Establishing trust is easier said than done, and it’s not getting any easier.

Mobile computing and the explosion of cloud-based services have significantly impacted business efficiency, driving down operational costs and creating unprecedented growth opportunity. However, these technologies – along with the arrival of the app store economy and the deployment of intelligent connected devices – are increasing the proportion of business logic that resides and executes on insecure devices. Given this landscape, anyone developing code that will run in distributed locations needs to help ensure the integrity of their software as it runs in environments over which they have minimal control.

Facebook (News - Alert) recognizes this ongoing difficulty and recently announced that as of October 1, 2015, it will require application developers to move to a more secure type of hashing algorithm in support of digital signatures for their apps – using SHA-2 rather than SHA-1. SHA-2 is a newer, stronger hash algorithm, and far less prone to collision attacks than the 20-year-old SHA-1.  Facebook production engineer Adam Gross has described this change as “part of a broader shift in how browsers and websites encrypt traffic to protect the contents of online communications.”

It’s important to remember the value of signing keys in this context. Although they don’t encrypt data (like encryption keys do), signing key security is the backbone of code signing technology. They’re an essential tool to verify the source of software, prove it has not been tampered with since it was published, and verify the identity of the publisher. This latter point is particularly important – today’s major operating systems all present warning dialogs to users prior to installing software, highlighting the lack of information about the publisher if the software is unsigned. Over time, user awareness of the risks of installing software from unknown, or untrusted, publishers has significantly increased, contributing to the likelihood of users abandoning the installation process on these grounds.

Signing Keys

How do electronic and digital signatures compare? Digital signatures forge ahead of electronic versions of traditional signatures by invoking cryptographic techniques to dramatically increase security and transparency, both of which are critical in establishing trust and legal validity. However, merely requiring that code be signed does not by itself ensure security.

Strong protection of the private signing key is a critical and fundamental element of increasing the assurance level of a code signing process. If a code signing key is lost, the recovery process to publishing any further software upgrades for existing smart devices can be hampered. If a key is stolen, or the signature is performed using a weak algorithm, an attacker may be able to sign a malicious upgrade that either steals sensitive data or renders potentially millions of devices inoperable.

If the private key becomes known to anyone besides the authorized entity, just as with any public key infrastructure (PKI) based technology, that individual can create digital signatures that will be seen as “valid” when verified using the associated public key and will appear to come from the organization identified in the associated digital certificate. Private key compromise was one of the cornerstones of the infamous Stuxnet attack five years ago.

APTs and Stolen Keys

The occurrence of malware has risen significantly in recent years. Business applications running on host servers are increasingly vulnerable to advanced persistent threats (APTs), introduced through malware, as well as insider attacks and hacking.

APTs are so thorny because malicious actors can change application code or device firmware (that’s what makes them "advanced") without being noticed (that’s what makes them "persistent"). The threats are significant and don't necessarily involve just corporate data theft but extend to malware on critical national infrastructure such as a flight computer in a plane, smart grids or even traffic lights. This becomes an even greater concern in light of the rising number of Internet-connected devices that are now routinely updated over the Internet. From smartphones to TVs, game machines to routers and industrial control equipment, upgrades can be anything from a new operating system to a new application or application plug in. The rise of the “app store” has further increased the range and number of applications that are downloaded over the Internet, with end users giving little thought to the author’s credentials. Against this backdrop, the potential impact of losing control of a code signing key could be catastrophic.

APTs employ stolen private keys associated with valid digital certificates. This threat is putting many software-producing organizations, online service providers and enterprise IT organizations under pressure to increase the security assurance level of their code signing process as well as expand the scope of software being signed to include scripts, plug-ins, libraries and other tools. These requirements can be driven by multiple factors, but all tie back to reducing the risk of malicious software alteration, and the potential for associated reputation damage and revenue loss.

Because application code provides targeted access to high-value data, it is a particularly attractive target for attackers. Even if your data is encrypted in your storage environment, it will eventually be used by—and potentially exposed at—an application, at the point of use. What’s more, high-value applications are easy to identify – it is not hard for an attacker to work out that the billing system accesses account information for current, active users and could provide laser-like access to this valuable data.

It can be very difficult to detect application-level attacks because they are often capable of covering their own tracks, turning off detection mechanisms and faking audit log entries. From an organization’s perspective, inability to quickly detect attacks can lead to long-term breaches and high volumes of data theft.

Key Challenges

Though it is understood that lost or stolen code signing keys present a real threat, there are a number of factors than can make them challenging to protect. The first is that signing keys are typically held on developer workstations. Most developers are much more focused on writing code than system security, and attackers are wise to this.

In the case of medium to large software organizations, the need for centralized code signing approval processes can be particularly challenging because the volume and distribution of software build stations warrants shared services and resources (who will therefore require a shared signing resource to accommodate signing requests from multiple platforms).

It is also worth mentioning that most of the research on application security focuses on the early stages of the app development lifecycle – making sure that developers create secure code with no natural flaws, followed by code analysis, to ensure that the design process has remained secure. In the wake of the increase in malware-based attacks, we should be looking beyond code creation, to guarantee secure code execution. How can we ensure that the app is not at risk of corruption, or vulnerable to ‘eavesdropping’ or modification by rogue applications?

Managing Keys

A best practice for managing keys is to protect them in a dedicated key management device called a hardware security module (HSM). HSMs provided a dedicated, certified environment used to protect private digital signing keys, and to perform the code signing operations. Three important strands of protection that HSMs offer to ensure that the process remains effective are as follows – firstly, simplification of key backup and archival to ensure that the keys can never be lost. Secondly, provision of independently certified lifecycle protection against accidental or malicious key theft from generation all the way through to destruction. And finally, enforcement of customizable controls over code signing procedures including dual-control, multi-factor authentication and other methods to protect against unauthorized use of the code signing keys.

In a wide-open sea of untrusted processes, hardware provides a tried and tested anchor of trust. It contributes significantly to an overall application security strategy. Additionally, some HSMs even offer the ability to execute security-sensitive application code within the safe confines of the HSM – allowing users to move that code off of traditional application servers and construct a new and stronger layer of defense for it.

It’s important to remember that all virtualized workloads are deployed on a hardware platform, in a physical location, at one point in time. It’s all very well that the content of the HSMs is safe and sound, but the applications that “talk” to the HSMs via APIs are clearly under increasing threat.

The cryptocurrency Bitcoin provides us with an example. The protocol for signing Bitcoin transactions involves multiple stages. Even if the signatures are performed in an HSM, the temporary and transitory “secrets” that make up the signature can be exposed to attackers if they are processed on host servers before being passed on to the HSM.

The Benefit of Time Stamping

To further augment the security of a code signing system, organizations can use digital or electronic time stamping technology. It provides an additional means to validate precisely when code was signed via an embedded trusted time stamp – creating an auditable pathway to a trusted source of time. This is integral to an organization’s ability to enforce non-repudiation for electronic signing, to verify data and application integrity, and to ensure long-term auditability of electronic records. While software-only time-stamping solutions are vulnerable to threats such as computer clock tampering, high-assurance hardware-based time stamping appliances increase the trustworthiness of the solution, thereby increasing business confidence in its integrity.

When organizations can increase their confidence in the verifiability of digital records and the accuracy of electronic time stamps, they can also increase their level of automation, reducing the cost of processes that today rely on paper-based signatures and dates.  But with that increased process automation, it is vital that we are able to trust the infrastructure that sits underneath those processes – and that’s a challenge as mobility and interconnectivity multiply at a remarkable rate.

Looking Ahead

Attack methods are tracking right along with technology innovations, and cyber criminals seek to exploit new “gaps” and vulnerabilities in new service and delivery models – as the types of possible threats grow, they become increasingly difficult to discover and manage, and their economic impact keeps rising. Just recently, we have seen a fresh wave of headlines regarding an attack, dubbed Duqu 2.0, against Russian security firm Kaspersky Lab (News - Alert) using digital credentials stolen from Foxconn, one of the world’s top electronics makers.

As attack methods become more advanced, it’s vital that organizations use code signing processes, private code signing keys and digital certificates if they are serious about safeguarding their own and their customers’ data.

John Grimm has over 25 years of experience in the information security field, starting as a systems and firmware engineer building secure cryptographic key distribution systems for government applications, and progressing through product management, solution development, and marketing leadership roles. He received his bachelor's degree in electrical engineering from Worcester Polytechnic Institute in Worcester, Mass., and is a member of Tau Beta Pi, the engineering honor society.