Code Signing Digital IDs(SM) for Microsoft Authenticode(TM) Technology
Realizing the Possibilities of Internet Software Distribution
What is Authenticode?
When customers buy software in a store, the source of that software is obvious.
Customers can tell who published the software, and they can see whether the
package has been opened. These factors enable customers to make decisions about
what software to purchase and how much to "trust" those products.
When customers download software from the Internet,
the most they see is a message warning them about the dangers of
using the software. The Internet lacks the subtle information
provided by packaging, shelf space, shrink wrap, and the like.
Without an assurance of the software's integrity, and without
knowing who published the software, it's difficult for customers to
know how much to trust software. It's difficult to make the choice
of downloading the software from the Internet.
The solution
to these issues is Microsoft's Authenticode coupled with Digital
IDs from VeriSign, Microsoft's preferred provider of digital
certificate services. Authenticode, through the use of digital
signatures, enables software developers to include information about
themselves and their code with their programs.
When customers download software signed with Authenticode and verified by
VeriSign, they can be assured of:
- Content Source: The software really comes from the
publisher who signed it.
- Content Integrity: The software has not been altered or
corrupted since it was signed.
Users benefit from this
software accountability because they know who published the software
and that the code hasn't been tampered with. In the extreme case
that software performs unacceptable or malicious activity on their
computers, users can also pursue recourse against the publisher.
This accountability and potential recourse serve as a strong
deterrent to the distribution of harmful code.
Developers and
Webmasters benefit from Authenticode because it puts trust in their
name and makes their products harder to falsify. By signing code,
developers build a trusted relationship with users, who then learn
to confidently download signed software from that publisher or Web
site. With Microsoft Authenticode, developers can create exciting
Web pages using signed ActiveX™ controls, signed Java™ applets, or
other signed executables. And users can make educated decisions
about what software to download, knowing who published the software
and that it hasn’t been tampered with.
Who Needs a Code Signing ID?
Any publisher who plans to distribute code or content over the Internet or over
corporate extranets risks impersonation and tampering. VeriSign Code Signing
IDs for Authenticode Technology protect against these hazards. Authenticode is
currently used to sign 32-bit .exe files (PE files), .cab files, .ocx files,
and .class files. In particular, if you are distributing active content (such
as ActiveX controls) for use with such Microsoft end user applications as
Internet Explorer, Exchange, Outlook, or Outlook Express, you will want to sign
code using Authenticode.
VeriSign offers a Class 3 Digital ID designed for Commercial Software
Publishers. These are companies and other organizations that publish software.
This class of Digital ID provides greater assurance about the identity of a
publishing organization and is designed to represent the level of assurance
provided today by retail channels for software.
What does Authenticode Look Like to Consumers?
Microsoft client applications, such as Internet Explorer, Exchange, Outlook,
and Outlook Express, come with security features which incorporate
Authenticode. These applications are often used to obtain other pieces of
software. In a component model such as ActiveX or Java this happens
frequently, often without the end user being aware of it. For example, when a
user visits a Web page that uses executable files to provide animation or
sound, code is often downloaded to the end user's machine to achieve the
effects. While this may provide substantial value, users risk downloading
viruses or code from a disreputable publisher.
If an end user of one of these
applications encounters an unsigned component distributed via
the Internet, the following will occur:
- If the application's security settings are set on "High," the
client application will not permit the unsigned code to load.
- If the application's security settings are set on "Medium,"
the client application will display a warning like this screen:
By contrast, if a user encounters a signed applet
or other code, the client application will display a screen like the
following:
Through Authenticode, the user is informed:
- Of the true identity of the publisher (in this case Microsoft
Corporation).
- Of a place to find out more about the control (in this example
MSN Versioning Control).
- That the authenticity of the above information is provided by
VeriSign.
Users can choose to trust all subsequent
downloads of software from the same publisher. They can also choose
to trust all software published by Commercial Publishers (see
above) that have been certified by VeriSign.
Simply by
clicking the "More Info" button, users can inspect the certificate
and verify its validity:
Technical Overview (Optional Reading)
What is a Digital ID?
A Digital ID (also known as a digital certificate) is a form of electronic
credentials for the Internet. Similar to a driver's license, employee ID card,
or business license, a Digital ID is issued by a trusted third party to
establish the identity of the ID holder. The third party who issues
certificates is known as a Certification Authority (CA).
Digital ID technology is based on the theory of public key cryptography. In
public key cryptography systems, every entity has two complementary keys, a
public key and a private key, which work only as a matched pair. Public keys
are widely distributed to users, while private keys are kept safe and used
only by their owner. Any code digitally signed with the publisher's private
key can only be successfully verified using the complementary public key.
Another way to look at this is that code successfully verified using the
publisher's public key (which is sent along with the digital signature) can
only have been digitally signed using the publisher's private key (thus
authenticating the source of the code), and has not been tampered with. For
more information on public keys and private keys, please see Introduction to
Public Key Cryptography.
The
purpose of a Digital ID is to reliably link a public/private key
pair with its owner. When a CA such as VeriSign issues Digital IDs,
it verifies that the owner is not claiming a false identity. Just as
when a government issues you a passport it is officially vouching
for the fact that you are who you say you are, when a CA issues you
a digital certificate it is putting its name behind the statement
that you are the rightful owner of your public/private key pair.
Certification Authorities
Certification Authorities, such as VeriSign, are organizations that issue
digital certificates to applicants whose identity they are willing to vouch
for. Each certificate is linked to the certificate of the CA that signed it.
As the Internet's leading Certification Authority,
VeriSign has the following responsibilities:
- Publishing the criteria for granting, revoking, and managing
certificates.
- Granting certificates to applicants who meet the published
criteria.
- Managing certificates (for example, enrolling, renewing, and
revoking them).
- Storing VeriSign's root keys in an exceptionally secure
manner.
- Verifying evidence submitted by applicants.
- Providing tools for enrollment.
- Accepting the liability associated with these
responsibilities.
- Time stamping digital signatures.
How does Authenticode work with VeriSign Digital IDs?
Authenticode relies on industry standard cryptography techniques such as X.509
v3 certificates and PKCS #7 and #10 signature standards. These are well-proven
cryptography protocols, which ensure a robust implementation of code signing
technology. Developers can use the WinVerifyTrust API, upon which Authenticode
is based, to verify signed code in their own Win32 applications.
Authenticode
uses digital signature technology to assure users of the origin and
integrity of software. In digital signatures, the private key
generates the signature, and the corresponding public key validates
it. To save time, the Authenticode protocols use a cryptographic
digest, which is a one-way hash of the document.
The process is outlined below:
- Publisher obtains a Code Signing Digital ID from VeriSign.
- Publisher creates code.
- Using the SIGNCODE.EXE utility, the publisher:
  - Creates a hash of the code, using an algorithm such as MD5 or SHA.
  - Encrypts the hash using his/her private key.
  - Creates a package containing the code, the encrypted hash, and the
    publisher's certificate.
- The end user encounters the package.
- The end user's Microsoft browser examines the publisher's Digital ID. Using
  the VeriSign root Public Key, which is already embedded in
  Authenticode-enabled applications, the end user browser verifies the
  authenticity of the Code Signing Digital ID (which is itself signed by the
  VeriSign root Private Key).
- Using the publisher's public key contained within the publisher's Digital
  ID, the end user browser decrypts the signed hash.
- The end user browser runs the code through the same hashing algorithm as
  the publisher, creating a new hash.
- The end user browser compares the two hashes. If they are identical, the
  browser messages that the content has been verified by VeriSign, and the
  end user has confidence that the code was signed by the publisher
  identified in the Digital ID, and that the code hasn't been altered since
  it was signed.
The entire process is seamless and transparent to end users, who see only a
message that the content was signed by its publisher and verified by VeriSign.
Timestamping
Because key pairs are based on mathematical relationships which can
theoretically be "cracked" with a great deal of time and effort, it is a
well-established security principle that digital certificates should expire.
Your VeriSign Digital ID will expire one year after it is issued. However,
most software is intended to have a lifetime of longer than one year. To
avoid having to re-sign software every time your certificate expires,
VeriSign and Microsoft introduced a timestamping service. Now, when you sign
code, a hash of your code will be sent to VeriSign to be timestamped. As a
result, when your code is downloaded, clients will be able to distinguish
between:
- Code signed with an expired certificate, which should NOT be trusted, and
- Code signed with a certificate which was valid at the time the code was
  signed, but which has subsequently expired. This code SHOULD be trusted.
This means that you will not need to worry about re-signing code when your
Digital ID expires. VeriSign is the only certification authority offering the
time stamping service. This service is free to all VeriSign Commercial and
Individual Code Signing ID customers.
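The signing and verification sequence from the previous section, together with the timestamp rule above, modelled as an added Python example (not VeriSign's or Microsoft's code): textbook RSA over fixed Mersenne primes stands in for the real X.509/PKCS #7 machinery, and every key, name and date is constructed for illustration.

```python
import hashlib
import json
E = 65537  # RSA public exponent

def make_keypair(p, q):  # textbook RSA from two primes -> (public, private)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data):  # one-way hash of the content, as an integer
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):  # "encrypt" the hash with the private key (raw RSA, no padding)
    n, d = priv
    return pow(digest(data), d, n)

def verify(pub, data, sig):  # recover the hash with the public key, compare to a fresh one
    n, e = pub
    return pow(sig, e, n) == digest(data)

# Constructed keys (assumption): a root pair standing in for the VeriSign root and a
# publisher pair. Known Mersenne primes keep the toy self-contained; not secure parameters.
ROOT_PUB, ROOT_PRIV = make_keypair(2**1279 - 1, 2**127 - 1)
PUB_PUB, PUB_PRIV = make_keypair(2**521 - 1, 2**607 - 1)

def cert_bytes(body):
    return json.dumps(body, sort_keys=True).encode()

def issue_cert(subject, pub, not_before, not_after):  # root binds name, key and validity
    body = {"subject": subject, "n": pub[0], "e": pub[1],
            "not_before": not_before, "not_after": not_after}
    return {"body": body, "ca_sig": sign(ROOT_PRIV, cert_bytes(body))}

def signcode(code, cert, priv, timestamp=None):
    # Package = code + signed hash + publisher certificate (+ optional timestamp date)
    return {"code": code, "sig": sign(priv, code), "cert": cert, "timestamp": timestamp}

def chktrust(pkg, today):
    """Client-side checks in the page's order; dates are ISO strings (constructed)."""
    cert, body = pkg["cert"], pkg["cert"]["body"]
    # 1. Is the publisher's certificate signed by the embedded root public key?
    if not verify(ROOT_PUB, cert_bytes(body), cert["ca_sig"]):
        return "untrusted: certificate not issued by root"
    # 2. Was the certificate valid when the code was signed? With a timestamp an
    #    expired certificate still counts, provided it was valid at signing time.
    when = pkg["timestamp"] or today
    if not (body["not_before"] <= when <= body["not_after"]):
        return "untrusted: certificate expired"
    # 3. Does the signed hash match a fresh hash of the delivered code?
    if not verify((body["n"], body["e"]), pkg["code"], pkg["sig"]):
        return "untrusted: code altered since signing"
    return "verified: " + body["subject"]
```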
The Six Steps to Signing Code
Signing Code is an easy six-step process. By following the instructions below,
you will be signing code in no time.
Step 1: Make Sure that you Are Running the Correct Versions of all Tools
These include:
- Internet Explorer 4.0 or later
- Internet Client SDK
These tools are all available free of charge at:
http://digitalid.verisign.com/developer/ms_pick.htm
Step 2: Apply for a Code Signing ID for Authenticode from VeriSign
Go to http://digitalid.verisign.com/developer/ms_pick.htm for instructions on
obtaining a Code Signing Digital ID.
In
the process of applying for a Code Signing ID, your browser will
generate a private key. You should store this private key (called
MyPrivateKey.pvk) on a floppy disk which is stored in a safe deposit
box or other secure location. Please make a back-up copy of this
private key, as you will need this key to sign code. This key is
never sent to VeriSign, so if you lose this private key, you will be
unable to sign code. If this key is lost or stolen, please contact
VeriSign immediately.
Step 3: Pick up your Digital ID
Once you have completed the application process, VeriSign will take a number
of steps to verify your identity. For commercial publishers, VeriSign does a
considerable amount of background checking. As a result, it will take
approximately 3-5 days to verify your information and issue a Digital ID.
At the end of this
process, VeriSign will send you an e-mail containing a PIN (Personal
Identification Number). Follow the instructions in this e-mail to
pick up your Digital ID. Save your Digital ID as a file (e.g.
MyCredentials.spc).
Please note that you must use the same
machine to apply for and obtain your Digital ID. You can then use
the private key and Digital ID to sign files on a different
machine.
Step 4: Prepare your Files to be Signed
If you are building any PE file (.exe, .ocx, .dll or other), you need not do
anything special. For cab files, you need to add the following entry to your
.ddf file before creating the cab file:
Set ReservePerCabinetSize=6144
Step 5: Sign your Files
You can now sign your .exe, .cab, .ocx, or .dll file. To sign, you will use
the SIGNCODE.EXE utility included in the ActiveX SDK. You will also need your
Digital ID file (generally called MyCredentials.spc) and the diskette
containing your private key (MyPrivateKey.pvk).
Signcode should be used from the MS-DOS prompt. Here is an example of how to
sign:
C:\>ActiveX\INETSDK\ signcode -prog myfilename -name displayname -info http://www.mycompany.com -spc mycredentials.spc -pvk a:myprivatekey.pvk -timeStamper http://timestamp.verisign.com/scripts/timstamp.dll
In the above command:
- myfilename is the name of the file that needs to be signed.
- displayname is the description of the file that will show up in the
  certificate.
- http://www.mycompany.com is a URL where the user can find more information
  about the file being downloaded.
- mycredentials.spc is the Digital ID file that was obtained in Step 3.
- myprivatekey.pvk is the private key generated during Step 2, which is
  securely stored on a diskette.
- http://timestamp.verisign.com/scripts/timstamp.dll is the URL for
  VeriSign's timestamping service. Please note that "timstamp.dll" does not
  contain the letter "e".
Step 6: Test Your Signature
The Microsoft SDK contains a utility called chktrust.exe. This may be used to
check your signature before distributing your file.
To test a signed .exe, .dll or .ocx file, run:
chktrust filename
To test a signed cab file, run:
chktrust -c cabfilename.cab
If your signing process was OK, this will bring up a certificate.
Congratulations, you have just digitally signed your file. When this file is
downloaded from a Web site by Internet Explorer, it will display the same
certificate to the user. If the file is tampered with in any way after it has
been signed, the user will be notified and given the option of refusing
installation.
Conclusion
Microsoft and VeriSign are committed to making the Internet a secure and
viable platform for commerce and the distribution of content. With
Authenticode and VeriSign's Code Signing Digital IDs, your code will be as
safe and trustworthy to your customers as it would be if you shrink-wrapped it
and sold it off a store shelf.
For more
information on Code Signing IDs for Microsoft Authenticode,
including pricing, availability, and Frequently Asked Questions,
please visit www.verisign.com/developers
For more
information on Authenticode, ActiveX, or other Microsoft Security
technologies, please visit www.microsoft.com/security/default.asp
© 2002 VeriSign, Inc. All rights reserved.