[cryptography] How are expired code-signing certs revoked?

Jon Callas jon at callas.org
Wed Dec 7 11:31:23 EST 2011


There are many things about code signing that I don't think I understand.

I think that code-signing is a good thing, and that all things being equal, code-signing is a good thing, and that code should be signed.

However, there seems to strange, mystical beliefs about it.

As an example, there's the notion that if you have signed code and you revoke the signing key (whatever revoke means, and whatever a key is) then the software will automagically stop working, as if there's some sort of quantum entanglement between the bits of the code and the bits of the key, and invalidating the key therefore invalidates the code.

This seems to me to be daft -- I don't see how this *could* work in a general case against an attacker who doesn't want that code to stop working (and that attacker could be either a malware writer or the owner of the computer). I can see plenty of special cases where it works, but it is fundamentally not reliable and a security system that wants to stop malware or whatever by revoking keys is even less reliable because we now have three or four parties (malware writer, machine owner, certifier, anti-virus maker).

It also seems to me that discussions on this list hit this situation from two strange directions. One is the general sneering at the daft belief. The other is continuing to discuss it. I don't care who is using it (even effectively); we're all smart enough to know both that DRM cannot work, and yet there are users of it that are happy with it. Whatever.

Slightly tangential to this is a discussion of expiration of signing keys. In reality, they don't expire. Unless you you make a device that can be permanently broken by setting the clock forward (which is certainly possible, merely not desirable), then expiry can be hacked around. The rough edge of what happens to code that expires while it is executing generalizes out to a set of other problems that just show that in fact, you can't really expire a code signing key any more than you can revoke it -- that is to say there are many edge conditions in which it works and many of these are useful to some people and some circumstances, but in the general case, it doesn't and cannot work.

But that doesn't mean that code signing is a bad thing. On the contrary, code signing is very useful because you can use the key, the signature, or the hash as a way to detect malware and form a blacklist, as well as detect software that should be whitelisted.

Simply stated, an anti-malware scanner can detect (and remove) a specific piece of malware by the simple technique of comparing its signature to a blacklist. It can compare a single object's hash to a list of hashes and that only requires the scanner to hash the code object; this catches the simple case of malware that is merely re-signed with a new key. It also permits it to do more complex operations than a simple hash (like hashing pieces, or hash at different times) to identify a piece of malware. It can also use the key to detect whole classes of malware (or good-ware).

Code signing is good because it gives the anti-malware people a set of tools that augment what they have with some easy, fast, effective ways to categorize software as known goods or known bads. 

But that's it -- you don't get the spooky action at a distance aspects that some people think you can do with revocation. You get something close, if you feed the blacklist/whitelist information to whatever the code-scanner is. Nonetheless, this answers how you deal with signed malware (once it's known to be malware, you stop it via signature), or bogus 512-bit signing keys (just declare anything signed by such to either be treated as malware or as unsigned).

So am I missing something? I feel like I'm confused about this discussion because *of* *course* you can't revoke a key and have that magically transmit to software. Perhaps some people believe that daft notion and have built systems that assume that this is true. So what? Maybe it works for them. The places where it doesn't work aren't even interesting. Perhaps observing when this daft notion meets the real world is helpful as an object lesson. Perhaps it works for *them* but not *us*.

But really, I think that code signing is a great thing, it's just being done wrong because some people seem to think that spooky action at a distance works with bits.

	Jon




More information about the cryptography mailing list