Starting June 1, 2023, the Certificate Authority/Browser (CA/B) Forum will require that code signing certificate keys be stored on a hardware security module or token that’s certified as Federal Information Processing Standards (FIPS) 140-2 Level 2, Common Criteria EAL 4+, or equivalent. This represents a major shift in the way that Organization Validation (OV) certificates are requested and used.
But it’s no surprise that the CA/B Forum would take measures to tighten security for code signing keys. There have been several high-profile attacks in recent years that have misused code signing keys. Perhaps the most notorious was the ASUS attack, where someone left code signing keys on their web update server. Attackers broke into that server, found the keys, and used them to sign software updates that contained malware. Over a million ASUS customers were infected by this attack.
But this is certainly not a new problem. Code signing certificates have long been lucrative targets for cyber criminals. Kevin Bocek, VP of security strategy and threat intelligence at Venafi warns, “With stolen code signing certificates, it’s nearly impossible for organizations to detect malicious software. Any cybercriminal can use them to sign malware, ransomware, and even launch kinetic attacks that are blindly trusted.”
Stronger controls for code signing keys
The Code Signing Working Group of the CA/Browser Forum took this challenge to heart and launched a lengthy process which ended with the passing of a ballot to strengthen the requirements surrounding private keys used for code signing—but in a way that aims to reduce the burden on those complying with them.
“The CA MUST obtain a contractual representation from the Subscriber that the Subscriber will use one of the following options to generate and protect their Code Signing Certificate Private Keys in a Hardware Crypto Module with a unit design form factor certified as conforming to at least FIPS 140-2 Level 2 or Common Criteria EAL 4+”
What does this mean for your organization?
The new requirements specify how to create, store, install, renew, and reissue the private keys that correspond to organization validation (OV) code signing certificates. The new process for OV code signing certificates is similar to the process for obtaining extended validation (EV) code signing certificates. For years, keys used with EV code signing certificates have had to be protected in Hardware Security Modules (HSMs) or in signing services that use HSMs to secure user keys.
In most cases, CAs will ship a compliant hardware-encrypted USB drive to the organization as part of the code signing product purchase. But that is likely to involve additional cost. To be FIPS compliant, these USB drives (or tokens) must include hardware and software features that perform the cryptographic operations in a way designed to keep the key secure. However, this can still leave a USB key floating around your enterprise with no traceability, and no audit or control beyond a password.
Alternatively, you may choose to use a Hardware Security Module to secure the code signing keys. But this still involves extra steps: you’ll have to have your HSM certified, and you’ll need to connect your systems to your organization’s HSM before you can use the certificate to sign code. This allows you to access your private key for signing while it remains securely stored on the device.
But there is an even easier way to meet the new CA/B Forum requirements for code signing keys. Use a secure code signing process to simplify access to the HSM. For example, with Venafi CodeSign Protect, the solution talks directly to the HSM without any need for the user to know any details about the HSM or how to access it. This makes the entire process much easier for the end users and much more secure for your organization. You get the best of both worlds—centralized, secure key storage and, at the same time, reduced burden on development teams who can easily integrate the process with the tools they already use.
By automating code signing workflows and ensuring your keys never leave secure, encrypted storage, CodeSign Protect helps you maintain visibility into your enterprise’s code signing operations without slowing down developers or violating new CA/B Forum requirements for code signing key storage.
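The property described above, a key that signs but never leaves its storage, comes down to exposing a signing operation rather than the key itself. The following Go program is an added example written for this article; it is not Venafi's code and not part of CodeSign Protect. It models a signing service as a `KeyVault` (a hypothetical name) that holds a `crypto.Signer`, checks which user is allowed to sign, and records every attempt in an audit trail, which is exactly the traceability and control a loose USB token lacks. The in-memory P-256 key generated by `NewSoftwareSigner` is a stand-in for demonstration: a hardware-backed signer (for example one produced by a PKCS#11 library) implements the same `crypto.Signer` interface, so the rest of the code would run unchanged against an HSM. The installer bytes are constructed sample input.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// AuditEntry records who asked to sign which artifact digest, and whether
// the request was allowed. This is the trail a signing service can keep and
// a bare USB token cannot.
type AuditEntry struct {
	When    time.Time
	User    string
	Digest  string
	Allowed bool
}

// KeyVault (hypothetical name) stands in for a hardware module or signing
// service. It holds a crypto.Signer and only ever hands out signatures and
// the public key; the private key material is never returned to callers.
type KeyVault struct {
	signer  crypto.Signer
	allowed map[string]bool
	audit   []AuditEntry
}

// NewKeyVault wraps a signer and the list of users permitted to sign with it.
func NewKeyVault(signer crypto.Signer, allowedUsers []string) *KeyVault {
	v := &KeyVault{signer: signer, allowed: map[string]bool{}}
	for _, u := range allowedUsers {
		v.allowed[u] = true
	}
	return v
}

// Sign hashes the artifact, checks that the caller is authorised, appends an
// audit entry either way, and signs the digest inside the vault.
func (v *KeyVault) Sign(user string, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	ok := v.allowed[user]
	v.audit = append(v.audit, AuditEntry{
		When: time.Now(), User: user, Digest: hex.EncodeToString(digest[:]), Allowed: ok,
	})
	if !ok {
		return nil, errors.New("user is not authorised to sign with this key")
	}
	// The signer performs the private-key operation; with an HSM-backed
	// signer this call crosses into the device and only the signature comes back.
	return v.signer.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// PublicKey returns only the public half, which is all a verifier needs.
func (v *KeyVault) PublicKey() crypto.PublicKey { return v.signer.Public() }

// Audit returns a copy of the recorded entries.
func (v *KeyVault) Audit() []AuditEntry { return append([]AuditEntry(nil), v.audit...) }

// Verify checks a signature over an artifact using the public key alone,
// as an installer or package manager would.
func Verify(pub crypto.PublicKey, artifact, sig []byte) bool {
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(artifact)
	return ecdsa.VerifyASN1(ecPub, digest[:], sig)
}

// NewSoftwareSigner generates an in-memory P-256 key. This is the one piece
// that a real deployment replaces with a hardware-backed crypto.Signer.
func NewSoftwareSigner() (crypto.Signer, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func main() {
	signer, err := NewSoftwareSigner()
	if err != nil {
		panic(err)
	}
	vault := NewKeyVault(signer, []string{"release-bot"})
	artifact := []byte("constructed sample installer bytes") // constructed input

	sig, err := vault.Sign("release-bot", artifact)
	fmt.Println("release-bot signed:", err == nil, "verifies:", Verify(vault.PublicKey(), artifact, sig))

	_, err = vault.Sign("intern", artifact)
	fmt.Println("intern signing attempt:", err)

	for _, e := range vault.Audit() {
		fmt.Printf("%s user=%s digest=%s... allowed=%v\n", e.When.Format(time.RFC3339), e.User, e.Digest[:12], e.Allowed)
	}
}
```

Callers that only hold a `*KeyVault` cannot extract the key, and every signing request, allowed or refused, is visible in the audit trail; that is the separation the CA/B Forum requirement is pushing toward, and a PKCS#11-backed `crypto.Signer` slots into `NewKeyVault` without touching the signing or verification code.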
See how your organization can benefit from a solution like CodeSign Protect. There is still time to get it operational before the new requirements hit.