Page 325 - StudyBook.pdf
P. 325

Communication Security: Web Based Services • Chapter 5  309

                    As with any process that depends on trust, code signing has its positive and
                 negative aspects.The following sections discuss these issues and show how the pro-
                 cess of code signing works.

                 Understanding Code Signing

                 Digital certificates are assigned through CAs.A CA is a vendor that associates a
                 public key with the person applying for the certificate. One of the largest organiza-
                 tions to provide such code signing certificates is VeriSign (www.verisign.com).An
                 Authenticode certificate is used for software publishing and timestamp services. It
                 can be attached to the file a programmer is distributing and allows users to identify
                 that it is a valid, unadulterated file.
                    Digital certificates can be applied to a number of different file types. For
                 example, using such tools as Microsoft Visual Studio’s CryptoAPI tools and VeriSign
                 code signing certificates, developers can sign such files as the following:

                      ■  .EXE An executable program

                      ■  .CAB Cabinet files commonly used for the installation and setup of
                         applications; contain numerous files that are compressed in the cabinet file

                      ■  .CAT Digital thumbprints used to guarantee the integrity of files
                      ■  .OCX  ActiveX controls

                      ■  .DLL  Dynamic link library files, containing executable functions
                      ■  .STL Contains a certificate trust list

                    When a person downloads a file with a digital certificate, the status of that cer-
                 tificate is checked through the CA. If the certificate is not valid, the user will be
                 warned. If it is found to be valid, a message will appear stating that the file has a
                 valid certificate.The message will contain additional information and will show to
                 whom the certificate belongs.When the user agrees to install the software, it will
                 begin the installation.

                 The Benefits of Code Signing

                 Digital signatures can be used to guarantee the integrity of files and that the
                 package being installed is authentic and unmodified.This signature is attached to
                 the file being downloaded, and identifies who is distributing the files and shows
                 that they have not been modified since being created.The certificate helps to keep
                 malicious users from impersonating someone else.




                                                                              www.syngress.com
   320   321   322   323   324   325   326   327   328   329   330