Access Secured Code Signing (ASCS)
Sign code files with a FIPS/CC certified cryptographic hardware that secures the encryption keys and integrates with a smart access management system for code signing certificates.
Comsign is a eIDAS QTSP (Qualified Trust Service Provider)
eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market.
The Efficiency of Code Signing
The efficiency of code signing as a software authentication mechanism depends on the security of the signature process using a private encryption keys used by the software developers.
A series of malicious attacks committed by malware signed with legitimate authorizations, shows that there were organizations that didn’t act in sufficient care and didn’t store the encryption keys as required (by FIPS or CC certified cryptographic devices like an HSM for example).
Like other PKI based technologies, the system integrity relies on Certificate Authorities (CAs) that secure their private keys from unauthorized access.
Reliable Identification Through a Certificate Authority (CA)
The public key which is used to authenticate the code signing needs to be trackable by a trusted root certificate based on secured public key.
A certificate authority provides a trusted root certificate, and is capable to chain other certificates to the trusted root. If a user relies on known certificates, it can be assumed that the user can rely on the legitimacy of a code that was signed by a key that was generated by the same known certificate. Operating systems and other frames include trusted root for agreed factors. It is acceptable that enterprises implement an internal private certificate authority, which provides the same features such as publicly known certificates, yet it is only reliable within the organization, therefore it is recommended to rely on known international certificates.
Time stamp allows to extend the signed code’s validity beyond the certificate’s expiration date. In case that a certificate needs to be revoked, a specific date and time will become a part of the CRL list. In such a case, the time stamp assist to determine whether the code was signed before or after the certificate was revoked.
Code Signing Process
Code signing process uses a PKI infrastructure which contains a public key and a private key to create a digital signature.
A code signing certificate is a certificate that contains special fields and special options to generate the code signing.
Integrated development environments, automatically activates the code signing tool as part of the code writing process. After initial settings, the code signing is simple and conducted automatically.
In most development environments, the code signing is generated through an API process (Comsign enables a web service for the process).
Description of Access Process to the Code Signing Certificates
The organization defines which users have access to the code signing certificate and who can sign the code using that specific certificate.
In addition to “whom”, the organization also defines the authentication method that is required to activate the code signing process (such as 2FA using an OTP). Only after the authorized user is properly authenticated, the request is approved and the code signing certificate can be activated.
In order to increase security and efficient access management, the request to activate the code signing certificate consists of two parts:
- Initial request from an authorized user through the organizationally defined authentication method which turns to our Strong Authentication Gateway
- Only after the initial request was authorized, the gateway turns directly to the cryptographic device and conducts the code signing in practice
System Abilities and Advantages
- A centralized authorization management and control capability for all users who are allowed to conduct code signing
- Ability to add a significant security layer – 2FA / MFA
- A code development process that is fully secured from end to end
- Code signing on cab, cos, exe, dll and more in MS Authenticode format
- Sealing the code file from tampering or malicious damaging attempts
- Code signing with a trusted certificate recognized by the operating systems
- Configurable access control according to organizational policies (passcode, OTP, biometric authentication, certificates and more)
- Detailed event log with specifications of each request – who made the request, when, regarding what etc.
Among Our Clients
Government offices, educational institutions, finance and insurance, and other various companies and industries such as: energy, high-tech, communications, real-estate, pharmaceutical, flight and tourism, security, service providers, automobile and more.