Re: Verifying a Signed Executable before running it on a remote machine.
From: Johnny Sandaire (webzest_at_comcast.net)
Date: 05/08/04
- Previous message: Allie: "How could my program support enterprise CA?"
- In reply to: Michel Gallant: "Re: Verifying a Signed Executable before running it on a remote machine."
- Next in thread: Michel Gallant: "Re: Verifying a Signed Executable before running it on a remote machine."
- Reply: Michel Gallant: "Re: Verifying a Signed Executable before running it on a remote machine."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 8 May 2004 06:07:53 -0700
Mitch,
You make some very interesting analogies and I understand your
reasoning. Please allow me to define the scenario that I am
attempting to address:
I downloaded your GuitarTuner.exe and right-clicked on it and selected
properties. Then, I clicked on the Digital Signatures Tab. In the
Signatures List window, I see the information of the Signer and the
Certificate's Time Stamp. Clicking on that line of information allows
me to click on Details and verify the Digital Signature Information.
At the very top of the Digital Signature Details property dialog I see
the Digital Signature Information, which states that "This digital
signature is OK".
However, if I had hacked a certificate generator and entered your name
and properly entered the Issued By information to generate a bogus
certificate to then use to sign code, I would then see a "Red X" in
the details area with the following information: "A certificate chain
processed correctly, but terminated in a root certificate which is not
trusted by the trust provider."
Hence, even though this particular certificate may be valid, it is not
trusted by my trust provider chain. I would then want to reject this
exe and not execute it locally.
Here then are my questions: Is there a way to verify the actual root
CA?
For Example, if Microsoft were to be its own Root CA and issued
Certificates to its developers to sign their local code, how would
Microsoft verify if an EXE came from within and allow the executable
to run locally?
Currently, the example code that I used from the outset of this thread
checked the Time Stamp, the Issuer and Signer, but not the Root CA,
which to me is the key to this "Trust Chain" concept. I would like to
be able to either compare the signed code certificate with an embedded
certificate of the calling process, or be able to pull out the signed
code certificate's Root CA and verify it against a list or one Root CA
for trust before I execute it locally.
Am I spitting into the wind, or can this be done?
Thank you for your assistance and best regards,
Johnny
"Michel Gallant" <neutron@istar.ca> wrote in message news:<OlcRwmHNEHA.2676@TK2MSFTNGP12.phx.gbl>...
> And finally, to show that the "trust-buck" stops here, consider the last sample
> (a handy simple native Win exe guitar-tuner GUI .. works on 95 - XP):
> http://www.jensign.com/JavaScience/www/guitartuner (last sample on page GuitarChords.exe).
> That exe is Authenticode signed using a commercially-issued Class 3 code signing certificate
> from Thawte. The issuing CA trusted cert (or a cross-certified relative) is almost certainly trusted
> on your system.
>
> Therefore, technically, the signature and cert (according to default Microsoft Authenticode
> infrastructure) would probably consider that signature valid, and trusted from point of view of knowing the issuing
> CA (Thawte).
>
> However, that is definitely not sufficient. The Microsoft Authenticode technology cannot protect you
> against a bad programmer (not claiming this of myself ;-) or someone malicious that actually wanted to pay
> ~ $300/year to do a master hoodwink/hack!
> You would only dare execute that authenticode-trusted-signed exe IF you knew the author (myself) and
> trusted me (which you don't).
>
> Moral: beware of social-engineered attacks based on crypto/lock-icons/digital-signature ...
>
> - Mitch Gallant
> MVP Security
> (btw, that guitar "tuner" is quite handy ;-)
>
>
> "Michel Gallant" <neutron@istar.ca> wrote in message news:%23GSAbhHNEHA.3944@tk2msftngp13.phx.gbl...
> > For example, would you consider the Authenticode signature on the executable
> > posted here to be valid: ??
> > http://www.jensign.com/JavaScience/ListAlgs
> >
> > The signature itself is certainly valid. The certificate has expired, but the signature
> > was time-stamped while the cert WAS valid so is OK from that point of view.
> > The certificate embedded in the Authenticode signature is structurally sound.
> > But it is a self-signed certificate .. I can put any information in there I choose, any
> > expiry info, and serial number and SubjectName etc...
> > Since the cert IS self-signed, any code programmatically would use the key in the cert itself
> > to verify its own signature. This works. But of course, the missing "link" in the trust chain is
> > that you wouldn't KNOW the cert itself, and shouldn't trust it, because it wasn't issued
> > by a KNOWN CA in your (hopefully strictly maintained) trusted Root authorities list.
> >
> > - Mitch
> > www.jensign.com
> >
> > "Michel Gallant" <neutron@istar.ca> wrote in message news:uHtd8bHNEHA.556@tk2msftngp13.phx.gbl...
> > > What do you mean by "valid" ??
> > > A certificate can be considered "valid" based on several criteria:
> > >
> > > - is the embedded signature correct, using the signers public key/cert?
> > > - is the signers publickey/cert TRUSTED?
> > > - is the signers certificate revoked via CRLs?
> > >
> > > What do you mean by your colleague's "unvalid" certificate?
> > > Anyone can create a certificate with ANY Issuer and CA name, but the
> > > signature you verify will not be "trustworthy" unless you trust the SIGNER'S
> > > certificate.
> > >
> > > - Mitch Gallant
> > >
> > > "Johnny Sandaire" <webzest@comcast.net> wrote in message
> > > news:15baeecf.0405071252.70c3f48a@posting.google.com...
> > > > Mitch,
> > > >
> > > > I tried this example, but it doesn't address how to verify if a
> > > > certificate is authentic, or if it is actually valid. My colleague
> > > > was able to create an unvalid certificate with the same issuer and ca
> > > > name to pass through this code's validation.
> > > >
> > > > Do you know of any other method to verify a signed software for
> > > > authenticity or whether the certificate is valid?
> > > >
> > > > Thanks,
> > > >
> > > > Johnny
> > > >
> > > > "Michel Gallant" <neutron@istar.ca> wrote in message
> news:<uxMArRXLEHA.4032@TK2MSFTNGP10.phx.gbl>...
> > > > > CryptVerifySignature is for raw CMS/PKCS #7 signatures.
> > > > >
> > > > > Signing executables with signcode.exe generates an Authenticode
> > > > > (Microsoft proprietary format) which is an extension of above PKCS #7.
> > > > >
> > > > > For code sample, see:
> > > > > http://support.microsoft.com/default.aspx?scid=kb;en-us;323809
> > > > >
> > > > > - Mitch
> > > > >
> > > > > "Johnny Sandaire" <webzest@comcast.net> wrote in message
> > > > > news:15baeecf.0404281438.52a2b1b0@posting.google.com...
> > > > > > Greetings,
> > > > > >
> > > > > > I have a project where I have to sign every Executable that I generate
> > > > > > and then check the signature's authenticity before running it on a
> > > > > > remote machine.
> > > > > >
> > > > > > I obtain a code signing certificate through my CA. Then install it on
> > > > > > my Certificate Root of my PC. Then, using SignCode.exe I use my
> > > > > > code signing certificate to digitally sign the Executable. After a
> > > > > > successful signing, if someone downloads the executable from my Web
> > > > > > site, the Warning states that the executable is signed and displays my
> > > > > > Organization etc, which lets users know that the Executable is safe
> > > > > > for them to run on their PC.
> > > > > >
> > > > > > However, I want to remotely run the same software through another
> > > > > > process, such as SMS and wanted to sign the executables that will be
> > > > > > distributed with my digital certificate and check the executable
> > > > > > before installing or running on the remote machine for authenticity.
> > > > > > If the check fails, I will not run the executable.
> > > > > >
> > > > > > Can anyone help me to successfully use C++ code to check the digital
> > > > > > signature of an executable?
> > > > > >
> > > > > > I have heard of CryptVerifySignature API, but need some example code
> > > > > > on how to use it to verify the signature.
> > > > > >
> > > > > > Thank you and best regards,
> > > > > >
> > > > > > Johnny
> > >
> > >
> >
> >
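Johnny's goal (pull the root CA out of the signed code's certificate chain and check it against one root, or a short list, before executing) and Mitch's three criteria (is the signature correct for the signer's key, is the signer's cert trusted, is it revoked) combined into one check, as an added example that is not part of this thread and not Mitch's sample code. It is PowerShell rather than the C++ CryptoAPI calls discussed above; Get-AuthenticodeSignature wraps the same WinVerifyTrust call that the Properties dialog uses, so the "red X" case surfaces as Status NotTrusted. The function names Get-CertSha256 and Test-PinnedAuthenticodeRoot, the pin value and the file path in the usage lines are placeholders of my own; it assumes Windows PowerShell 5.1 or PowerShell 7 running on Windows.

```powershell
# Added example, not code from this thread or from Mitch Gallant's samples.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows. The pin value and
# the file path at the bottom are placeholders; replace them with your own.

function Get-CertSha256 {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    # Hash the DER encoding of the whole certificate. Subject and Issuer are free
    # text that anyone can type into a home-made certificate (Johnny's colleague
    # did exactly that); the hash also covers the public key and the CA's own
    # signature, which cannot be copied without the CA's private key.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        ([System.BitConverter]::ToString($sha.ComputeHash($Cert.RawData))) -replace '-', ''
    }
    finally {
        $sha.Dispose()
    }
}

function Test-PinnedAuthenticodeRoot {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$AllowedRootSha256
    )

    # Step 1: the standard Authenticode checks. Is the PKCS#7 signature correct
    # for the PE image hash, does the signer cert chain to a root in the Trusted
    # Root store, was the timestamp inside the cert's validity period.
    # 'HashMismatch' = file modified after signing; 'NotTrusted' = the "red X"
    # case, a chain that ends in a root the trust provider does not know.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path    = $Path
            Allowed = $false
            Reason  = "Authenticode status $($sig.Status): $($sig.StatusMessage)"
        }
    }

    # Step 2: 'Valid' only says the chain ended in SOME trusted root (Thawte,
    # a commercial CA, anything in the store). Rebuild the signer's chain so we
    # can see WHICH root it ended in.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # Step 1 already applied the timestamp rule, so an expired-but-timestamped
    # signer (Mitch's ListAlgs case) must not stop the chain from building here.
    $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
    $null = $chain.Build($sig.SignerCertificate)
    try {
        $elements    = $chain.ChainElements
        $root        = $elements[$elements.Count - 1].Certificate   # last element = root
        $rootSubject = $root.Subject
        $rootHash    = Get-CertSha256 -Cert $root
    }
    finally {
        $chain.Reset()
    }

    # Step 3: the root must be one of OURS. Johnny's enterprise case is a list
    # of exactly one entry: the hash of the company's own root CA certificate.
    # A bogus self-signed root carrying an identical Issuer string hashes to a
    # different value and fails here even if someone pushed it into the store.
    $allowed = $AllowedRootSha256 -contains $rootHash
    $reason  = if ($allowed) { 'Chain ends in a pinned root' }
               else { 'Chain ends in an unpinned root; a matching Issuer name proves nothing' }
    [pscustomobject]@{
        Path        = $Path
        Allowed     = $allowed
        Signer      = $sig.SignerCertificate.Subject
        RootSubject = $rootSubject
        RootSha256  = $rootHash
        Reason      = $reason
    }
}

# Usage (placeholder pin and path): gate execution on the verdict, as Johnny's
# SMS deployment step would.
$pins    = @('0000000000000000000000000000000000000000000000000000000000000000')
$verdict = Test-PinnedAuthenticodeRoot -Path 'C:\deploy\tool.exe' -AllowedRootSha256 $pins
if ($verdict.Allowed) { Start-Process -FilePath $verdict.Path -Wait }
else                  { Write-Warning "Refusing to run $($verdict.Path): $($verdict.Reason)" }
```

To obtain the pin for your own root, run Get-CertSha256 against the root certificate object from the local store (for example `Get-CertSha256 -Cert (Get-Item Cert:\LocalMachine\Root\<thumbprint>)`) on a machine you trust, and ship the resulting string with the checking code rather than reading it from the target machine. Step 2 runs with RevocationMode NoCheck, so this block does not by itself cover Mitch's third criterion (CRLs); if the target machines can reach your CRL distribution point, set RevocationMode to 'Online' and treat any entry in $chain.ChainStatus as a failure. Note also that pinning the root only answers "was this issued under our CA"; it does not answer Mitch's social-engineering point, since anyone holding a certificate under that root can still sign bad code.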