Authenticode signing with keys on smart cards

"Al_spectrum" <Al_spect***@discussions.microsoft.com> wrote in message news:650971A5-DFC4-4F16-B0D0-23ACDF7525A6@microsoft.com:

Hello,

not exactly a security issue...

We Authenticode-sign our drivers and other binaries and the signing system is currently set up in a "manual" way. That is, the signing key is on a dedicated, stand-alone and securely stored laptop, and every time we have to sign a binary, someone with access to the signing laptop has to copy the binary manually to the laptop, sign it, and copy it back. This has become a problem, as the manual signing step complicates, and sometimes delays, the software release process.

So, we want to automate the signing and are now planning to keep our signing keys on smart cards. As this seems non-trivial, to my surprise, I'm looking for advice.

In particular, I'd appreciate any info or pointers concerning:
- is SignTool still the right utility for Authenticode signing with smart cards?
- smart card types supported by SignTool (or any other MS signing tool supporting smart cards)
- examples of SignTool command line for signing with smart cards
- any known problems and limitations in the smart card support by the MS signing tools (platforms, versions, etc.).

Thank you.


I use smart cards for this exact purpose and it works fine. The actual usage is totally transparent. Your signtool command line stays the same. Essentially, if the smart card is inserted, then the cert+priv key is "available" to the machine. Someone will need to type in the PIN when prompted, but you won't see any other major changes.

I like the Gemalto .NET smart cards for this purpose. Note that part of the transparency I see may be because their cards work with default CSPs. I'm not sure if you'll have slightly different experiences with other vendors. I got a starter kit from them which included a set of 25 and have been able to use their web-based smart card management site to copy cert+priv key onto their cards, importing from P12 format to do the provisioning work.

To make this really, really secure, you need to actually change the admin PIN of the cards from the default of 0000, or else the cards are fairly hackable if stolen. I haven't quite made it over this hurdle yet as I'm uncertain what card management toolset you need to accomplish that.

Hope that helps!

--
Joe Kaplan - MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net


"Al_spectrum" <Alspect***@discussions.microsoft.com> wrote in message news:3C9CAB2A-2398-444D-84CC-5946582429ED@microsoft.com:

Joe,

thanks for responding, would appreciate it if you find time for a few further comments.

> I use smart cards for this exact purpose and it works fine. The actual
> usage is totally transparent. Your signtool command line stays the same.

I don't think it's possible in our case. When we sign now, we simply use "/ac" to specify the Authenticode certificate as a file. When signing with a key on a smart card, one probably has to use "/csp" and "/kc" to specify the signing key? Or, do you use "/a"? Could you show me the SignTool command line that you use when signing with smart cards? (Of course, replacing your actual paths and names with placeholders.)

> Essentially, if the smart card is inserted, then the cert+priv key is
> "available" to the machine. Someone will need to type in the PIN when
> prompted, but you won't see any other major changes.

Can't one use "/p" to specify the PIN? The need to always specify the PIN manually would seriously hurt the idea of signing automation.

> I like the Gemalto .NET smart cards for this purpose. Note that part of the
> transparency I see may be because their cards work with default CSPs.

Do you mean your private key and certificate are on a smart card, but you don't have to specify them for SignTool?

> I got a starter kit from them which included a set of 25 and have been able
> to use their web-based smart card management site to copy cert+priv key onto
> their cards importing from P12 format to do the provisioning work.

You copied the private keys through their smart card management site? I perhaps misunderstand you, or this doesn't sound right from the security point of view...

Thanks and regards.


My signtool command line looks just like this (from inside a batch file):

signtool.exe sign /n MyCertSubjectName /t http://timestamp.verisign.com/scripts/timstamp.dll /v %1

Here, you can see that I'm only specifying the certificate subject name. That certificate is actually on the smart card (with the private key), but since Gemalto's cards work with the built-in CSPs, you don't have to specify anything special to have it find the cert. It just works, basically. I specify a timestamp service to ensure that we use that consistently, but everything else is default.

I have the intermediate CA cert for the code signing cert installed in the local machine intermediate store, so that gets included in the signed data by default as a result. Again, you don't need to specify this. You could have that in a separate file, but it isn't really needed.

I don't know if you can use /p to specify the PIN. I doubt it, but you could try. One thing to consider is that by doing this, you are undermining some of the aspects of the smart card's security, because if the PIN is recorded somewhere in plain text, stealing the smart card effectively steals the private key. You aren't as "two factor" as you were when someone had to "know" the PIN and enter it on demand. As such, you might want to reconsider whether you really want smart cards or not for your application.

In reference to the Gemalto cards and their website, I just mean that they have a web-based tool that allows you to perform operations on a smart card such as setting the PIN and importing a certificate from a P12 file onto the card. You'll need some mechanism to handle these things. The web-based tool is easy to deal with. This all works via an ActiveX control that you install separately.

I hope that helps

--
Joe Kaplan - MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
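The following PowerShell script is an added example, not code from the thread or from either poster. It turns Joe's one-line batch command into a release-step that (a) checks that the card-resident certificate is actually present before calling signtool, (b) selects it by thumbprint rather than by subject name so a second certificate with the same subject cannot be picked by mistake, (c) keeps PIN entry interactive, in line with Joe's two-factor caveat (signtool's /p switch is the password for a PFX file, not a card PIN), and (d) verifies the result both with signtool verify and with the built-in Get-AuthenticodeSignature cmdlet. The thumbprint and timestamp URL are placeholders; the signtool options used (/sha1, /fd, /tr, /td, /v, verify /pa) are standard ones from current Windows SDK versions, not the older /t form in Joe's line.

```powershell
# Added example (not from the thread): unattended Authenticode signing with a
# smart-card-resident key, PIN left to the card's CSP prompt, result verified.
# Assumptions: signtool.exe is on PATH; the card's CSP/minidriver publishes the
# signing certificate into Cert:\CurrentUser\My while the card is inserted.
param(
    [Parameter(Mandatory = $true)][string]$File,
    # Placeholder thumbprint: replace with the card certificate's SHA-1 thumbprint.
    [string]$Thumbprint = "0000000000000000000000000000000000000000",
    # Placeholder RFC 3161 timestamp service URL.
    [string]$TimestampUrl = "http://timestamp.example.invalid/rfc3161"
)

$ErrorActionPreference = "Stop"

# 1. Card presence check: the certificate (with a reachable private key) is only
#    in the store while the card is inserted, so fail early instead of letting
#    signtool fall back to some other certificate.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "Certificate $Thumbprint not in CurrentUser\My; is the smart card inserted?"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate found but its private key is not reachable; check the card's CSP."
}

# 2. Sign. /sha1 pins the exact certificate; /fd and /td request SHA-256 digests;
#    /tr uses an RFC 3161 timestamp so the signature outlives the certificate.
#    No PIN is passed on the command line: the CSP prompts for it, which is the
#    second factor Joe describes. Caching the PIN anywhere removes that factor.
& signtool.exe sign /sha1 $Thumbprint /fd sha256 /tr $TimestampUrl /td sha256 /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# 3. Verify against the default Authenticode policy before the binary ships.
& signtool.exe verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit code $LASTEXITCODE)" }

# 4. Independent check: the signature must be Valid and made by the card's
#    certificate, not by any other code-signing certificate on the machine.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne "Valid" -or $sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
    throw "Unexpected signature: status $($sig.Status), signer $($sig.SignerCertificate.Thumbprint)"
}
Write-Host "Signed and verified $File with certificate $Thumbprint"
```

Usage: `.\Sign-WithCard.ps1 -File .\mydriver.sys -Thumbprint <card cert thumbprint> -TimestampUrl <TSA URL>`. Because step 2 relies on the CSP's PIN dialog, the script has to run in an interactive session (or be driven by an operator who is present); that is the trade-off the thread discusses, and any tooling that supplies the PIN unattended should be treated as reducing the card to a single-factor key store, with the card's admin PIN changed from its default as Joe notes.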