News

Microsoft-Required Digital Cert Code Signing Requirements

• By Jeffrey Schwartz
• 12/09/2016

Microsoft this week announced it will require online cert authorities to implement certain requirements for verification of Windows-based executables and scripts.

The move is being made in hopes of making it much more difficult to distribute malware. The new requirements apply to code signing, the process of applying digital signatures to executables and scripts to verify an author's identity and validate that the code hasn't changed and isn't malicious. Following two years of discussions, the Certificate Authority Security Council (CASC), a group that includes the top seven CAs, this week said they have agreed on the code-signing requirements for Windows-based systems.

The new requirements will apply to Windows 7 and above, which introduced the dynamic root store update program enabling the removal of roots easily from the root store. CASC officials said standardizing code signing has become essential in verifying that software installed in an OS is authentic.

Code or executables won't run in Windows and most browsers if their certificates are unsigned, as user authentication is required first for them to execute. However, more sophisticated rogue actors have issued seemingly legitimate certificates. Because CAs had no code-signing standards, a rogue signature only needed to get by once for the malicious code to spread. The new CASC requirements, which the CAs and Microsoft will implement Feb. 1, aims to block such attempts to distribute malicious code with invalid signatures. CASC officials said Microsoft will be the first to institute the new guidelines, with other key players expected to follow in the near future.

"The main aim was to encourage better [digital] key protection, make sure there was a standard for validating identity information within digital certificates and to make sure there is a very prompt and streamlined process for revoking certificates if they are found to be used with malware. And then implement brand new standards for time-stamping services so that you can time-stamp your code and it will work on a longer period," Jeremy Rowley, VP of business development at DigiCert and a member of the CASC, said. "What we came up with is something everyone is happy with. It looks like it will accomplish those advantages." Rowley said all of the members of CASC are supportive of the new code-signing requirements, including the top CAs, which in addition to his company include Comodo, Entrust, GlobalSign, GoDaddy, Symantec and Trustwave. "The entire CA community and industry have bought into this," he said.

"Since it's being added to Microsoft's policy and part of their root distribution policy, it ends up being a mandatory item for any CAs working with that policy to follow the guidelines," added Bruce Morton, another CASC member and a director at Entrust Certificate Services. "In other words you didn't have a choice."

Morton added that this will extend beyond just Windows and Microsoft's browsers. "We did write the policy so it could work with non-Microsoft root policies with the expectation that other browser providers or other software vendors who rely on code-signing certificates would eventually want to use it," he said.

Having spent the entire week at the Live! 360 conference in Orlando, I asked some security experts attending TechMentor sessions about the new rules. MVP Sami Laiho, CEO of Adminize, who last week disclosed a Windows in-place upgrade security flaw, said the move is important.

"It's very big, because before this the whole certificate issuing industry has been the biggest cause of lacking trust," Laiho said. "We've had these issuers but we've had no restrictions on who the issuers can be or how they operate. This will increase security on the technical side. The whole issue of this is the whole concept of finally having some sort of a certification for those partners."

Dale Meredith, an ethical hacking author for Pluralsight, was among a few who wondered if the move will make it harder for legitimate users such as students, researchers and startups. Nevertheless, Meredith agreed with Laiho that it should improve security. "It will definitely make it harder for attackers," he said. "If it's done right it will protect users and companies from malicious attacks."

CASC spelled out three of the key guidelines, which include:

• Stronger protection for private keys: The best practice will be to use a FIPS 140-2 Level 2 HSM or equivalent. Studies show that code signing attacks are split evenly between issuing to bad publishers and issuing to good publishers that unknowingly allow their keys to be compromised. That enables an attacker to sign malware stating it was published by a legitimate company. Therefore, companies must either store keys in hardware they keep on premises, or store them in the new secure cloud-based code signing cloud-based service.
• Certificate revocation: Most likely, a revocation will be requested by a malware researcher or an application software supplier like Microsoft if they discover users of their software may be installing suspect code or malware. After a CA receives a request, it must either revoke the certificate within two days, or alert the requestor that it has launched an investigation. 
• Improved code signatures time-stamping: CAs must now provide a time-stamping authority (TSA) and specify the requirements for the TSA and the time-stamping certificates. Application software suppliers are encouraged to allow code signatures to stay valid for the length of the period of the time-stamp certificate. The standard allows for 135-month time-stamping certificates.

The CASC published a technical white paper that describes the new best practices, which is available for download here.