You can trust me, I’m digitally signed!

Co-Founder and Lead Software Engineer Reliable Energy Analytics LLC

Inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software and SAGScore™...

  • Member since 2018
  • 1,475 items added with 627,225 views
  • Apr 29, 2021
  • 1151 views

There is a broadly adopted notion that digitally signed software objects are more trustworthy than those which are not signed. There is an element of truth to this concept, but be careful: this belief can produce a false sense of security that may not be warranted, leading to the installation of a “digitally signed” software object that can cause serious damage to your digital ecosystem, and to your finances as you try to recover from a cybercrime-induced disruption to “life as usual”.

I’m going to describe an actual case that I recently encountered with a software installation package provided by one of the four-letter-acronym U.S. government agencies that we all look to as experts for cyber security guidance. I won’t mention the name, but suffice it to say – if they can get bitten by this situation then we’re all at risk! For this article, I’ll refer to the government entity that is using these risky practices in their software supply chain as ZZZZ.

A few days ago, I downloaded a software package from ZZZZ’s website, let’s call this software TRUSTME.

I ALWAYS perform a software supply chain risk assessment using SAG-PM™ before I attempt to install any software package. I want to know if there is any risk before I install software in my digital ecosystem; I can’t afford to pay the ransom. The introspection step in SAG-PM™ determines the Licensor Name and other information about the software and produces an SPDX SBOM of all the information that can be extracted from the TRUSTME installation package. Sure enough, ZZZZ is listed as the Licensor Name, along with details about the product name, TRUSTME, and its version number, 0.0.0 (also fabricated for this article). The process continues into the “verify digital signature” step of the SAG-PM™ risk assessment process. HALT, what is this? The party that signed the TRUSTME software from ZZZZ is identified in the digital signature’s certificates as someone other than ZZZZ; let’s call the signing party “Trusty”. SAG-PM™ reports a dire warning about this ZZZZ-Trusty risky situation: “---->WARNING: Unable to match digital signature with Product Licensor Name in File Properties: VERY HIGH RISK”

I reached out to ZZZZ several times and have received no response. I wanted to explain that this is a “red flag” situation within the SCRM vendor community and that ZZZZ may want to take steps to address the matter. Still no response from ZZZZ, and it’s been a few days. I tried going through another colleague in government to nudge ZZZZ to respond; still no response. I’ve stopped trying to contact ZZZZ.

Then I thought: can anybody sign ZZZZ’s TRUSTME software and have it pass the “valid signature test” that a product like signtool performs? So, I tried to sign the TRUSTME software with my own signing key – guess what, IT WORKED! The ZZZZ software remained intact with all of the original information provided by ZZZZ; however, now the signer is reported as me. This means that anyone can sign ZZZZ’s TRUSTME software and it will be reported as valid by signtool. The signature check only confirms that the signature is cryptographically sound and chains to a trusted root; it says nothing about whether the signer is the party that actually produced the software.

The big missing piece of the puzzle is an assertion by ZZZZ that the TRUSTME software was signed with a digital certificate owned by ZZZZ (one that matches the Licensor Name embedded in the file); this would allow parties to verify that the party that licensed a software package, ZZZZ, is indeed the party that signed the TRUSTME software, using a digital certificate issued to ZZZZ by a trustworthy Certificate Authority. Any time a party wants to check a digitally signed software package, MAKE SURE the digital certificate’s Owner Name matches the Name of the Product Licensor embedded in the software, in order to avoid becoming a victim of cyber-crime. Don’t just blindly trust that everything is OK when you see a successful result from a digital signature validation, as shown below:

----> :Successfully verified: TRUSTME Software

----> :Number of files successfully Verified: 1

----> :Number of warnings: 0

----> :Number of errors: 0

Never trust software, always verify and report!

Discussions

Richard Brooks on Apr 30, 2021

NOTE: I have reported this situation to NERC as it does impact their implementation guidelines for CIP-010-3 R1, Part 1.6, which states:

Some methods may complete both the verification of the identity of the software source and the verification of the integrity of the software obtained from the software source. Validation of digitally signed software is an example of a method that accomplishes both obligations required in CIP-010-3 Requirement 1, Part 1.6.

This article clearly shows that this "guidance" will not properly verify the identity of the software source. 

Eric Byres on May 4, 2021

Hi Dick

Great article - you have exposed a big issue with software signing, namely that the certificate has no value unless you can validate the quality of the company that signed it.

It is like a TSA agent at the airport accepting a passport as valid only for the simple reason that it is a passport. Of course, the TSA doesn't do that - their staff checks where the passport was issued from and don't consider a passport issued by say, Atlantis, equivalent to one issued by the United States.

That said, demanding that the digital certificate’s Owner Name matches the Name of the Product Licensor embedded in the software can generate a lot of false positives. The reason is that companies acquire companies and the software doesn't keep up. For example, Rockwell Automation Inc often signs software licenced by Allen Bradley. 

Keep up the good work.

Regards,
Eric

Richard Brooks on May 4, 2021

Thanks, Eric. This situation is further proof that software supply chain solutions, based on SBOM, are critically important to detecting risky software. You may be wondering, was I able to install the "fake signed sw"; yes, without a warning - everything looked normal, valid signature, valid installation, even though the software was provided by another party, unrelated to the signer.

With regard to your concern about false positives, you are correct sir, that is why SAG-PM(TM) requires vendors to identify their signing keys, in addition to their legal names in the SAGPM Vendor Database:

X509SKID: Subject Key Identifier from the X.509 certificate that is used by the Vendor to sign objects (i.e. programs and SBOMs)

PGPFingerprint: Identifier for the PGP key that is used by the Vendor to sign objects (i.e. programs and SBOMs)

Good point.
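As an added illustration (my own code, not the article's and not part of SAG-PM), here is a Windows PowerShell check that applies both ideas discussed above: the article's rule that the signer's name must match the publisher recorded in the file's properties, and the refinement from this exchange of registering a vendor's signing keys by Subject Key Identifier so that a legitimate signer such as an acquiring company is not flagged as a false positive. Get-AuthenticodeSignature, the VersionInfo.CompanyName property and the X.509 SKID extension are real Windows/.NET APIs; the file path, vendor names and SKID values are constructed placeholders.

```powershell
# Added example, not part of the article or of SAG-PM: a Windows PowerShell check
# that goes beyond "signature valid" and asks WHO signed the file.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows, and a PE file
# (exe/dll) whose version resource carries a CompanyName. The vendor table and
# SKID values at the bottom are constructed placeholders.

function ConvertTo-NormalizedName {
    # Lower-case, strip punctuation and common legal suffixes so that
    # "Rockwell Automation, Inc." and "ROCKWELL AUTOMATION" compare equal.
    param([string]$Name)
    if ([string]::IsNullOrWhiteSpace($Name)) { return '' }
    $n = $Name.ToLowerInvariant() -replace '[^a-z0-9 ]', ' '
    $n = $n -replace '\b(inc|incorporated|llc|ltd|limited|corp|corporation|co|gmbh)\b', ' '
    return ($n -replace '\s+', ' ').Trim()
}

function Get-CertificateSkid {
    # Returns the Subject Key Identifier (OID 2.5.29.14) of a certificate as
    # upper-case hex with no separators, or $null if the extension is absent.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' } | Select-Object -First 1
    if ($null -eq $ext) { return $null }
    $skid = New-Object System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension($ext, $false)
    return ($skid.SubjectKeyIdentifier -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-SignerMatchesPublisher {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Vendor legal name -> list of SKIDs that vendor is known to sign with.
        [hashtable]$VendorTable = @{}
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $r = [ordered]@{ Path = $Path; Status = "$($sig.Status)"; Signer = $null; Skid = $null; Publisher = $null; Verdict = $null }

    # Step 1: the usual check. Anything other than Valid is rejected outright.
    if ($sig.Status -ne 'Valid') {
        $r.Verdict = "REJECT: signature status is $($sig.Status)"
        return [pscustomobject]$r
    }

    # Step 2: who signed it, and who does the file itself say published it?
    $cert = $sig.SignerCertificate
    $r.Signer    = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $r.Skid      = Get-CertificateSkid -Cert $cert
    $r.Publisher = (Get-Item -LiteralPath $Path).VersionInfo.CompanyName

    if ([string]::IsNullOrWhiteSpace($r.Publisher)) {
        $r.Verdict = 'WARNING: file carries no CompanyName; signer identity cannot be cross-checked'
        return [pscustomobject]$r
    }

    # Step 3a: publisher is registered -> the signing key itself must be one on file.
    $known = @{}
    foreach ($k in $VendorTable.Keys) {
        $known[(ConvertTo-NormalizedName $k)] = @($VendorTable[$k] | ForEach-Object { ($_ -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() })
    }
    $pub = ConvertTo-NormalizedName $r.Publisher
    if ($known.ContainsKey($pub)) {
        if ($r.Skid -and ($known[$pub] -contains $r.Skid)) {
            $r.Verdict = 'ACCEPT: signing key is registered for this publisher'
        } else {
            $r.Verdict = 'VERY HIGH RISK: signing key is not one registered for this publisher'
        }
        return [pscustomobject]$r
    }

    # Step 3b: no registration -> fall back to comparing names, as the article recommends.
    if ((ConvertTo-NormalizedName $r.Signer) -eq $pub) {
        $r.Verdict = 'ACCEPT: signer name matches publisher name (no key registration on file)'
    } else {
        $r.Verdict = 'VERY HIGH RISK: signer does not match publisher named in file properties'
    }
    return [pscustomobject]$r
}

# Usage (path, names and SKIDs are constructed for this example):
$vendors = @{
    'Rockwell Automation, Inc.' = @('00112233445566778899AABBCCDDEEFF00112233')  # placeholder SKID
    'Allen-Bradley'             = @('00112233445566778899AABBCCDDEEFF00112233')  # same key may sign both names
}
Test-SignerMatchesPublisher -Path 'C:\Downloads\TRUSTME-setup.exe' -VendorTable $vendors | Format-List
```

The order of the three steps matters: a file that fails the cryptographic check never reaches the identity comparison, a registered publisher is judged by its key rather than by a name string (so a re-signed file with the right name but the wrong key is still rejected), and only unregistered publishers fall back to the weaker name match. Installer formats without a version resource (MSI, for example) return the WARNING verdict rather than a silent pass, because a missing publisher name is itself something the reviewer should see.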

Richard Brooks on May 19, 2021

[UPDATE 5/19/2021]

I met with NERC legal on 5/18/2021 to discuss and describe the flaw in NERC's ERO guidelines to verify the identity of a software source using digital signatures (CIP-010-3 R1, Part 1.6, 1.6.1). Will let you know NERC's response, when it's received.

https://www.linkedin.com/posts/richard-dick-brooks-8078241_you-can-trust-me-im-digitally-signed-activity-6800874876035981312-WTXn


Matt Chester on May 19, 2021

Thanks Dick-- keep the updates coming!
