As you’re probably aware (and if you aren’t, you should be!), computer viruses, Trojan horses, and other assorted malicious code-nastiness pose a major security threat to networked systems. On a constantly changing and growing global network the size of the Internet, it’s simply impossible to keep viruses and their brethren at bay. The truth is, infected code of one form or another runs rampant in many systems, and code safety is a major concern for developers and for users of Internet applications (including ActiveX controls).
For example, it’s possible that a perfectly harmless-looking ActiveX control, executable file, or code from unknown sites or authors could wipe out a user’s entire system before he knew what hit him! Worse yet, perfectly harmless code created by one programmer could be tampered with and altered by some other, malicious programmer after its release, possibly wreaking havoc on the systems of users who download and execute the altered code!
There are two basic ways to address the Internet security issue:
- Sandboxing. This term refers to restricting an application to a certain set of APIs, excluding those that would enable file I/O and other potentially dangerous function groups that could alter or destroy data on a user’s system. This security method assumes that you trust the application won’t do any harm, and that you trust the source of the application to not act maliciously.
- Shrinkwrapping. This security method uses specially encrypted digital signatures. A shrinkwrapped product verifies signed code with a private-key/public-key verification scheme. Before any signed code is allowed to execute on a user’s machine, its digital signature is verified. This verification process ensures that the code hasn’t been tampered with since the code was signed, and it also ensures that the code is from a known, authenticated source.
Digital Code Signing
Digital code signatures are used to verify code authenticity and also to identify and provide details about the publisher of the code. Digital signatures are an industry standard supported by many Web browsers. Such browsers enable a user to choose whether to download and execute code of unknown or suspicious origin.
For the most up-to-date information about digital code signing, an industry standard, access the Web site for the World Wide Web Consortium (W3C) at this URL:
Signed Code and Code Certificates
As an independent software vendor (ISV) who wants to use the benefits of digital code signatures in your applications, you must obtain a certificate from a certificate authority (CA), a third-party company known and trusted by the industry. After a CA verifies that you comply with W3C policies, the CA issues you a digital certificate file for use in code signing. The certificate file contains important information, including the name of the software publisher, your public encryption key, the name of the CA’s certificate, and more.
Public and Private Encryption Keys
You create the public and private key pair yourself, for use in encrypting the digital signature block that verifies your code’s authenticity. The public key goes into your certificate, while the private key remains your little secret. The CA checks the public key to ensure that it’s unique.
You need special tools to sign your code, and these are available in the ActiveX Development Kit, available from Microsoft on CD-ROM and online at the following URL:
Fully debugged, release-ready code is run through a hash function that produces a fixed-length code digest. You then encrypt this digest with your private key and combine it with your certificate file. The result is linked back into your executable file. Presto! Your digitally signed masterpiece is ready for distribution over the Internet. The tools used for code signing are listed in Table 16.1 and are available in the ActiveX SDK.
Table 16.1. Code-signing tools in the ActiveX SDK

| Tool | Description |
| --- | --- |
| MAKECERT.EXE | A tool that creates a fake certificate for development purposes. |
| CERT2SPC.EXE | The tool used to build a signature block from your certificate. |
| SIGNCODE.EXE | A tool that links the signature block into your executable. |
| CHKTRUST.EXE | A tool that verifies that code has been successfully signed. |
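The hash, sign, link and verify flow described above, mapped onto the roles of the tools in Table 16.1, as an added Go example; it is not code from the book or from the ActiveX SDK. It assumes a constructed file layout (the code followed by the certificate, the signature, two length fields and a marker, not the real Authenticode format), a self-signed test certificate standing in for the one a CA would issue, SHA-256 digests with RSA PKCS#1 v1.5 signatures, and the hypothetical names makeCert, signCode, checkTrust and runDemo. It shows what the CHKTRUST step establishes, namely who signed the file and that it has not changed since signing, by verifying a signed file and then a copy with one bit flipped.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"fmt"
	"math/big"
	"time"
)

// Constructed block layout (not the real Authenticode format): code||cert||sig||u32 certLen||u32 sigLen||magic
const magic = "SIGBLK01"

// makeCert stands in for MAKECERT.EXE: a self-signed test certificate naming the publisher (a CA issues the real one).
func makeCert(publisher string, key *rsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: publisher},
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// signCode stands in for SIGNCODE.EXE: hash the release build, sign the digest, link certificate and signature in.
func signCode(code, certDER []byte, key *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(code) // fixed-length digest of the whole executable
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	var lens [8]byte
	binary.LittleEndian.PutUint32(lens[:4], uint32(len(certDER)))
	binary.LittleEndian.PutUint32(lens[4:], uint32(len(sig)))
	out := append(append(append([]byte{}, code...), certDER...), sig...)
	return append(append(out, lens[:]...), magic...), nil
}

// checkTrust stands in for CHKTRUST.EXE: require a certificate from a trusted CA, then rehash the code and verify.
func checkTrust(signed []byte, roots *x509.CertPool) (string, error) {
	trailer := 8 + len(magic)
	if len(signed) < trailer || string(signed[len(signed)-len(magic):]) != magic {
		return "", fmt.Errorf("no signature block")
	}
	meta := signed[len(signed)-trailer:]
	certLen, sigLen := int(binary.LittleEndian.Uint32(meta)), int(binary.LittleEndian.Uint32(meta[4:]))
	codeEnd := len(signed) - trailer - certLen - sigLen
	if codeEnd < 0 {
		return "", fmt.Errorf("truncated signature block")
	}
	code, certDER, sig := signed[:codeEnd], signed[codeEnd:codeEnd+certLen], signed[codeEnd+certLen:codeEnd+certLen+sigLen]
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", fmt.Errorf("publisher certificate not trusted: %w", err)
	}
	// CheckSignature recomputes SHA-256 over the code and verifies it with the certificate's public key.
	if cert.CheckSignature(x509.SHA256WithRSA, code, sig) != nil {
		return "", fmt.Errorf("code was altered after it was signed")
	}
	return cert.Subject.CommonName, nil
}

func check(err error) { // aborts the demo on a setup error
	if err != nil {
		panic(err)
	}
}

// runDemo signs a constructed stand-in for an executable and returns the publisher
// name verification reports plus the error reported for a copy with one bit flipped.
func runDemo() (publisher string, tamperErr error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	certDER, err := makeCert("Example ISV (constructed)", key)
	check(err)
	cert, err := x509.ParseCertificate(certDER)
	check(err)
	roots := x509.NewCertPool() // the issuers this user's browser trusts
	roots.AddCert(cert)
	code := []byte("MZ constructed stand-in for an ActiveX control's bytes")
	signed, err := signCode(code, certDER, key)
	check(err)
	publisher, err = checkTrust(signed, roots)
	check(err)
	signed[10] ^= 0x01 // one bit changed inside the code after signing
	_, tamperErr = checkTrust(signed, roots)
	return publisher, tamperErr
}

func main() {
	fmt.Println(runDemo())
}
```

Running it prints the verified publisher name for the untouched file and the "altered after it was signed" error for the bit-flipped copy. Two design points carry over to real code signing: the verifier recomputes the digest from the bytes it actually received rather than trusting a digest stored in the file, and the publisher's identity rests entirely on the CA pool, so a certificate not chained to a trusted CA is rejected before the signature is even examined.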
As you’ve seen, code signing is a robust system for creating trustworthy code. Users can rest assured that signed code is safe to download and execute. The nagging question in your mind at this point is probably, “How much does a certificate cost?” Good question!
Microsoft estimates that commercial software publishers will pay around $400 U.S. dollars for the initial certificate and around $300 for an annual renewal. Certificates for individual software publishers will ring in at about $20.