Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Designing a Code Signining System

from [Saqib Ali] Network Security [Permanent Link]
Subject: Re: Designing a Code Signining System
Date: Tue, 21 Jun 2005 06:51:14 -0700 
Hi Mike,

Thanks for the feedback.

The web based ("Hi-Tech") solution can be exploited by a Trojan within your 
organization. It can pretend to be a valid request from inside the 
organization and acquire a key. The Trojan can then use this key anywhere it 
wants.


The way I have designed this, the the subject (user or malware) making
the signing request will never get to see the PVK. The reconstructed
key will be only temporarily available on the build signing system.


a) User produces a binary from a sanctioned build system based on checked-in 
sources. The build system signs the binary using its private key. (key set 1).
b) As part of the release, the build system asks an authentication system to 
officially sign the binary and submits the binary from step 1. The 
authentication system unsigns the submitted binary (using the build system's 
public key), then signs it using a private key. (key set 2).


I am not seeing any additional security with this solution. Same
effect can be achieved by using certificates to authenticate users to
High-Tech solution that I proposed.

-- 
In Peace,
Saqib Ali
http://www.xml-dev.com
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Should login pages be protected by SSL?, Andrew van der Stock
Next by Date:  Re: Should login pages be protected by SSL? (and comment to moderator), Amir Herzberg
Previous by Thread:  Re: Designing a Code Signining System, mike
Next by Thread:  SOAP Debugger - a simple, generic SOAP client, Chuck
Indexes:  [Date] [Thread] [Top] [All Lists]