Digital certificates are a landmark in security history. Since their introduction, vendors and users have taken advantage of encrypted communication in secure email exchanges, file and disk cryptography, and secure logon to local and online systems. Lawmakers have taken decisive steps to promote their application and regulate their use. Despite their effectiveness, however, certificates still appear cryptic and cumbersome to many.
With this presentation, we offer an overview of certificate fundamentals and their role in software protection, licensing and security. Through certificates, ISVs and intelligent device manufacturers can implement software authenticity checks and enforce user authentication, thus ensuring software integrity and access rights management.
Whether you are dealing with a computer-based or an embedded system application, certificates have reshaped the whole software security sphere.
Wibu-Systems technology is certificate-ready for straightforward integration: the smart card chips embedded in our devices, as well as the security functions included in our software protection tools, simplify the use of certificates.
This is your chance to become certificate savvy and embark on a new journey towards a smarter use of certificates.
Watch the webinar:
https://youtu.be/tIhPs3WsCVo
Certificates for Authenticity, Authentification or both
1. Certificates for Authenticity, Authentification or both?
Wolfgang Voelker | Director Product Management
wolfgang.voelker@wibu.com
Ruediger Kuegler | Security Expert
ruediger.kuegler@wibu.com
Certificates
07.08.2015 Certificates for authenticity, authentification or both? 1
3. Sending a Signed Message
(Diagram) Sender: Data → Calculate Hash → Calculate Signature with the Private Key → send Data + Signature.
Recipient: Data + Signature → Calculate Hash → Verify Signature with the Public Key → Yes / No.
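The exchange in the diagram written out as an added Go example; this is not code from the presentation or from Wibu-Systems. The slide names no algorithm, so ECDSA on P-256 with SHA-256 is an assumption, as is the constructed sample license text; the functions Sign, Verify and Demo are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is what travels from sender to recipient: the data itself plus the
// signature over its hash (the "Data + Signature" box on the slide).
type SignedMessage struct {
	Data      []byte
	Signature []byte
}

// Sign is the sender's side: hash the data, then sign the hash with the private key.
// ECDSA over P-256 with SHA-256 is an assumed choice; the slide names no algorithm.
func Sign(priv *ecdsa.PrivateKey, data []byte) (SignedMessage, error) {
	digest := sha256.Sum256(data)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Data: data, Signature: sig}, nil
}

// Verify is the recipient's side: recompute the hash over the received data and check
// the signature with the sender's public key. This is the slide's Yes / No decision.
func Verify(pub *ecdsa.PublicKey, msg SignedMessage) bool {
	digest := sha256.Sum256(msg.Data)
	return ecdsa.VerifyASN1(pub, digest[:], msg.Signature)
}

// Demo runs the exchange once. It returns whether the unmodified message verifies
// (expected: true) and whether a copy altered in transit verifies (expected: false).
func Demo() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed sample payload; a license file or firmware image would do as well.
	msg, err := Sign(priv, []byte("license: product=Demo, serial=1, valid-until=2015-12-31"))
	if err != nil {
		return false, false, err
	}
	genuine := Verify(&priv.PublicKey, msg)

	// The attacker changes the data but cannot produce a matching signature without
	// the private key, so the recipient's hash no longer matches the signed one.
	altered := SignedMessage{Data: append([]byte(nil), msg.Data...), Signature: msg.Signature}
	altered.Data[len(altered.Data)-1] = '9' // valid-until=2015-12-39
	tampered := Verify(&priv.PublicKey, altered)
	return genuine, tampered, nil
}

func main() {
	genuine, tampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine message verifies: %v\naltered message verifies: %v\n", genuine, tampered)
}
```

Note what the signature does and does not give the recipient: it proves the data was not changed after signing and that the signer held the private key, but not who that signer is. Binding the public key to an identity is exactly what the certificate in the following slides adds.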
6. A Certificate
Confirms the owner of a public key
Identity:
Person
Company
IT system (e.g. server)
Signed by issuer
Attributes
Certificate
Issued for:
Common name (CN): Wolfgang Voelker
Company (O): WIBU-SYSTEMS AG
Business unit (OU): WOPS
Serial number: 1be10001000220613…
Public key: 0x15, 0x3c, 0xd0, 0x26, 0xd6, 0x71,
0xfa, 0xae, 0x20, 0xa6, 0x15, 0x58,
0xea, 0x3d, 0xdd, 0x36, 0x89, …
Issued by:
Common name (CN): Root
Company (O): WIBU-SYSTEMS AG
..
Valid until: 31.12.2015
7. The next Challenge!
How do I know that the certificate is genuine?
8. The next Solution
The certificate is signed by the issuer.
(Validation through the public key of the issuer)
10. The final Solution
I already know a root certificate from a certification authority.
(Root Certificate / Certificate Authority)
11. Examples of Root Certificates
12. Certificate Hierarchy
(Diagram) Root Certificate (CN: Root)
→ Intermediate certificates signed by the root: CN: Inter 1, CN: Inter 2, CN: Inter 3
→ End-entity certificates signed by an intermediate: CN: Wolfgang, CN: Daniel, CN: Marc, CN: Christian, CN: Ruediger, CN: Stefan
13. Self-signed Certificates
Self-signed
No root certificate
Usually not accepted
Users have to trust the certificate manually
Certificate
Issued for:
Common name (CN): Ruediger Kuegler
Company (O): WIBU-SYSTEMS AG
Business unit (OU): Professional Services
Serial number: 1be10001000220613…
Public key: 0x15, 0x3c, 0xd0, 0x26, 0xd6, 0x71,
0xfa, 0xae, 0x20, 0xa6, 0x15, 0x58,
0xea, 0x3d, 0xdd, 0x36, 0x89, …
Issued by:
Common Name (CN): Ruediger Kuegler
Company (O): WIBU-SYSTEMS AG
..
Valid until: 31.12.2015
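Slides 12 and 13 in running code, added here as an example; this is not code from the presentation or from Wibu-Systems. A hierarchy Root → Inter 2 → Wolfgang is built with Go's crypto/x509 and verified against a trust store that holds only the root, then contrasted with a self-signed certificate for Ruediger, which is rejected until the user adds it to the trust store by hand. The common names follow the slides; key type, validity period, serial numbers, the organization name and the function names Issue, VerifyChain and Demo are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Entity is a certificate together with the private key it belongs to.
type Entity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err) // key generation and DER encoding only fail on programming errors
	}
}

// Issue creates a certificate for cn. With parent == nil it is self-signed (the root CA, or
// the self-signed leaf of slide 13); otherwise it is signed with the parent's key (slide 8).
func Issue(cn string, serial int64, isCA bool, parent *Entity) *Entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"WIBU-SYSTEMS AG"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA { // only a CA may sign other certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	issuer, signer := tmpl, key // self-signed: issuer and subject are the same
	if parent != nil {
		issuer, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &Entity{Cert: cert, Key: key}
}

// VerifyChain answers slide 10: is there a path from leaf, via the intermediates the peer
// sent along, to a root the verifier already trusts? Validity dates are checked as well.
func VerifyChain(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) error {
	opts := x509.VerifyOptions{
		Roots:         x509.NewCertPool(),
		Intermediates: x509.NewCertPool(),
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // the default would demand serverAuth
	}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// Demo builds Root -> Inter 2 -> Wolfgang plus a self-signed certificate for Ruediger and
// returns nil only if every case behaves as the slides describe.
func Demo() error {
	root := Issue("Root", 1, true, nil)
	inter := Issue("Inter 2", 2, true, root)
	leaf := Issue("Wolfgang", 3, false, inter)
	self := Issue("Ruediger Kuegler", 4, false, nil)
	roots := []*x509.Certificate{root.Cert}
	var unknown x509.UnknownAuthorityError
	// Chain: verifies when the intermediate is supplied, "unknown authority" when it is not.
	if err := VerifyChain(leaf.Cert, roots, []*x509.Certificate{inter.Cert}); err != nil {
		return fmt.Errorf("chain should verify: %w", err)
	}
	if err := VerifyChain(leaf.Cert, roots, nil); !errors.As(err, &unknown) {
		return fmt.Errorf("missing intermediate should give unknown authority, got %v", err)
	}
	// Self-signed: no path to Root; accepted only once the user trusts it manually.
	if err := VerifyChain(self.Cert, roots, nil); !errors.As(err, &unknown) {
		return fmt.Errorf("self-signed should be rejected, got %v", err)
	}
	if err := VerifyChain(self.Cert, []*x509.Certificate{self.Cert}, nil); err != nil {
		return fmt.Errorf("manually trusted self-signed should verify: %w", err)
	}
	return nil
}

func main() {
	check(Demo())
	fmt.Println("chain and self-signed checks behaved as expected")
}
```

Two details matter in practice: the verifier only ever holds the root, so the peer has to send the intermediate along, and the KeyUsages option is set to "any" only because this demo models no particular application; a real TLS client or server would leave the default (serverAuth) or require clientAuth and would also pass the expected DNS name.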
14. Blacklists
CRL (Certificate Revocation List)
Lists the certificates the issuer has revoked before their expiry date; the list itself is signed by the issuer
Online enquiry possible via the Online Certificate Status Protocol (OCSP)
A verifier that skips the revocation check keeps accepting a certificate whose private key is known to be compromised until the certificate expires
18. Server Certificate
(Diagram) Server: Server Private Key + Certificate (CN: wibu.com). Client: Root Certificate (CN: Root). Connection: https.
Client verifies the identity of the server
19. Server Certificate – Secure Connection
23. Client Certificate
(Diagram) Server: Server Private Key + Certificate (CN: wibu.com) + Root Certificate (CN: Wibu Root) of the CA that issued the client certificates. Client: Client Private Key + Certificate (CN: user) + Root Certificate (CN: Root) of the CA that issued the server certificate. Connection: https.
Client verifies the identity of the server
Server verifies the identity of the client
24. Server Configuration for Client Certificates
SSLEngine on
SSLCertificateKeyFile "c:/cert/my_private_key.pem"
SSLCertificateFile "c:/cert/the_cert_I_got_from_verisign.crt"
SSLCACertificateFile "c:/cert/my_own_ca_root_cert.crt"
SSLVerifyClient require
SSLVerifyDepth 10
SSLRequire %{SSL_CLIENT_S_DN_CN} eq "user@domain.de"
SSLOptions +StdEnvVars
25. … Server Configuration for the Client Certificate
SSLCACertificateFile "c:/cert/my_own_ca_root_cert.crt"
Certificate Authority (CA) for client certificates: only client certificates that chain up to this CA pass the verification
SSLVerifyClient require
Client certificate required (the TLS handshake fails without a valid one)
SSLRequire %{SSL_CLIENT_S_DN_CN} eq "user@domain.de"
Example of a validation on the subject's common name; in Apache 2.4 SSLRequire is deprecated in favour of Require expr %{SSL_CLIENT_S_DN_CN} == "user@domain.de"
SSLOptions +StdEnvVars
Transmission of the certificate fields as environment variables to PHP / the application
26. Issuance of a Client Certificate (recommended)
Client:
Generate the key pair
Generate the Certificate Signing Request (CSR)
Send the CSR to a CA
CA / Server:
Generate a certificate
Send the certificate to the client
Client:
Import the certificate
27. Creation of a Client Certificate (easy)
CA / Server:
Generate the key pair
Generate the certificate
Export the private key
Send certificate + private key to the client
Client:
Import the certificate
Import the private key
Caveat: in this variant the private key exists on the CA and travels over the network, so the CA, the transport and anyone who obtains the exported file can impersonate the client
28. Certificate / Private Key Storage
29. Saving Private Keys
File on the file system (PEM file with key)
Certificate Storage
PKCS#11
Microsoft CSP (Crypto Service Provider)
Physical medium
On a disk
In a token
30. PKCS#11 / Microsoft CSP
(Diagram) The CmDongle is reached through two standard interfaces: PKCS#11 (used e.g. by Firefox and OpenVPN) and Microsoft CSP (used e.g. by Internet Explorer and Outlook); "My Application" uses one of the same interfaces.
31. Example with a Token: CSSI Middleware
37. Started Application (with invalid signature)
38. Is the application still running?
The scary answer: YES
39. Summary
Microsoft Windows starts any application
Without signature
With valid signature
With invalid signature
(Unless an application control policy such as AppLocker is enforced, the Windows loader does not reject an executable whose Authenticode signature is missing or broken; the signature only influences warnings such as the UAC and SmartScreen prompts)
Built-in operating-system tools are therefore not suitable for copy / integrity protection
41. Software Check
Signature validation
Valid / Invalid?
Who has signed?
When was the application signed?
Reaction in case of invalid signature
Exit (hiding the calls?)
"Wrong calculation" !?
42. Started Application (with Authenticode check via API)
45. The Vulnerability
A well-known and documented Windows API (WinVerifyTrust in WINTRUST.DLL) verifies the signature !?
Attacks:
Patching WINTRUST.DLL
Hooking the function with standard tools
Overwriting the function in the DLL at runtime from the patched application
47. Started Application (Patched + Code Inject)
48. Conclusion: Authenticode
Certificates provide security only if the validation occurs in a trusted environment
Authenticode = protects the user from viruses
Authenticode ≠ protection against piracy
50. Protection Suite
Wibu-Systems Protection Suite
(Table; the per-cell "Used" marks are not preserved in this transcript)
Platform | CodeMeter variant | Tool
PC (Windows, Linux, OS X) | CodeMeter Runtime | AxProtector, IxProtector
.NET | CodeMeter Runtime | AxProtector .NET
Java SE / Java EE | CodeMeter Runtime | AxProtector Java
Embedded Operating System | CodeMeter Embedded | AxProtector CmE, ExProtector
Feature rows: Automatic Protection (IP Protection), Anti-Debug Methods, Individual Encryption of Functions, Integrity Protection (Tamper Protection), Authenticity of Software (Secure Loader / Authenticity)
51. Functions of Protection Suite
Software authenticity (Secure Load)
Prevention of the execution of non-validated software
Integrity Protection (Tamper Protection)
Detection of changes (in memory!) and reaction
Automatic Protection (IP Protection)
Protection against reverse engineering and piracy
Anti-Debug Methods
Individual Encryption of Functions
Encryption at method level
52. AxProtector
(Diagram) Compiled Application: Header, Code Section, Data Section, Resource Section
→ AxProtector (signs with the vendor's Private Key)
→ Protected Application: Header, AxEngine (Security Engine + Public Key), Encrypted Code Section, Encrypted Data Section, Encrypted Resource Section, Signature
53. Self-Check
(Diagram) The AxEngine (Security Engine + Public Key) inside the executable calculates the hash of the executable and checks the signature (hash, public key, signature): Yes → continue, No → error
54. Check of another Module
(Diagram) Executable and Dynamic Link Library each carry an AxEngine (Security Engine + Public Key) and a signature, so each can check the other:
exe - exe
exe - dll
dll - dll
dll - exe
56. ExProtector
ExProtector = protection of executable files on embedded operating systems
Integration of the AxEngine as ExEngine in the loader of the operating system / boot loader
Use of signatures and certificates
Rights management: who may sign the applications?
57. Usage of certificates within CodeMeter
58. Secure Firmware Update
There is a Wibu root certificate
There are production certificates, derived from the root certificate
Each CmDongle gets the public root key during production
Firmware update is signed with a production certificate
Old firmware checks the update (signature and certificate chain up to the root) before it applies the new firmware to the CmDongle
59. CodeMeter Universal Firm Code
Licenses are signed by the vendor
Licenses consist of a certificate and an encrypted part
The license certificate can contain an authorization for license transfer
In case of a transfer, the original certificate is passed along and a new certificate is generated by the issuing CmContainer
With CodeMeter, everything is done transparently in the background
60. Germany: +49-721-931720
USA: +1-425-7756900
China: +86-21-55661790
http://www.wibu.com
info@wibu.com
Thank you for your attention