Blog

Understanding The New CAB Code-Signing Certificate Requirements

The Recent Compromise of U.S Government Outlook Accounts
What Changes Are Coming to Code-Signing Requirements?
What Does FIPS 140 Level 2, Common Criteria EAL 4+ Mean?
FIPS 140-2 Level 2
Common Criteria EAL 4+:
Who is the Certificate Authority / Browser (CAB) Forum?
Conclusion

Understanding the new CAB code-signing certificate requirements is a necessity for any cybersecurity or cybersecurity-adjacent professional.

Why? Well, let's start from the top:

The Recent Compromise of U.S Government Outlook Accounts

In a major cybersecurity incident, Chinese hackers and a stolen signing key were blamed for the compromise of U.S. government Outlook accounts, and Microsoft has now disclosed precise information about what caused the incident. After successfully compromising a corporate account belonging to a Microsoft engineer, the threat actors discovered the key amongst the data of a crash dump log containing the RAM contents of a crashed system.

It's worth asking: what did Microsoft do wrong here? How could they have avoided leaking sensitive signing keys in the future? The answer to that question appears to be that the signing of the keys should not have been in RAM in the first place. Hardware Security Modules (HSM) are specialized hardware devices designed to provide a high level of security for cryptographic operations, including the protection of cryptographic signing keys. Using an HSM, cryptographic private keys do not have to be stored on the hard drive or RAM of the system that needs to use them. Instead, they are physically segmented to highly protected systems operating in isolation.

Although Microsoft may be to blame for the leak due to lax security practices, this issue exemplifies the need for stronger security controls to protect against the leak of highly valuable private encryption keys. Recent incidents such as this one highlight the risks of depending on PKI for authentication and authorization and have prompted industry leaders to revise the issuance and installation processes for code-signing certificates.

What Changes Are Coming to Code-Signing Requirements?

The code-signing certificate policy is undergoing significant changes, particularly regarding Organization Validation (OV) code-signing certificates, Personal or Individual Validation (IV), and key generation methods. Originally planned to roll out in November 2022, these changes were postponed and came into effect on June 1st, 2023.

The most critical changes for software vendors are the new Key Storage Requirements. OV and IV code-signing certificates will now be issued and stored on specialized physical security hardware. The issuance process will resemble the procedure currently used for Extended Validation (EV) code-signing certificates.

New and reissued publicly trusted OV and individual validation (IV) code-signing certificates must be issued or stored on a list of specially-configurated secure hardware. These secure hardware options include Federal Information Processing Standards (FIPS) 140-2 Level 2, Common Criteria EAL 4+ (or equivalent) compliant devices or signing solutions, such as hardware security modules (HSMs), physical security tokens (e.g., USB devices), and key storage and signing services.

Here are the new options for meeting Key Storage Requirements:

A secure USB security key device compliant with FIPS 140-2 Level 2, Common Criteria EAL 4+ (or equivalent)
Consider utilizing a dedicated cloud-based Hardware Security Module (HSM) service, such as AWS CloudHSM or Azure Dedicated HSM that is compliant with FIPS 140-2 Level 2, Common Criteria EAL 4+ (or equivalent)
Implement an on-premises Hardware Security Module (HSM) compliant with FIPS 140-2 Level 2, Common Criteria EAL 4+ (or equivalent)

What Does FIPS 140 Level 2, Common Criteria EAL 4+ Mean?

Hardware security modules (HSMs) or other devices used for code-signing certificates must meet the security standards outlined by FIPS 140 Level 2, Common Criteria EAL 4+ to ensure the highest level of security and protection against tampering or unauthorized access. Let's explore what that means.

FIPS 140-2 Level 2

FIPS stands for Federal Information Processing Standards, and is a set of standards developed by the United States federal government for U.S. government information systems and more broadly for any organizations or entities that interact with U.S. government systems or handle sensitive government information.

In the case of the new industry standards for code-signing certificates, the FIPS set of information processing standards is being applied to all individuals or organizations seeking to obtain code-signing certificates that major OS and vendors will recognize.

FIPS 140-2: "Security Requirements for Cryptographic Modules" is a standard that addresses explicitly security requirements for cryptographic modules, including hardware security modules (HSMs) and other devices used for encryption and secure key management
Level 2: FIPS 140-2 defines four security levels (1 through 4), each with increasingly stringent security requirements. Level 2 is a moderate security level, and compliance with FIPS 140-2 Level 2 means that a cryptographic module has met specific security requirements, including tamper-evident seals, role-based authentication, and protection against unauthorized physical access

Common Criteria EAL 4+:

Common Criteria: Common Criteria is an international standard (ISO/IEC 15408) for evaluating the security of information technology products and systems. It provides a framework for specifying security requirements and conducting security evaluations
EAL 4+: This is one of the Evaluation Assurance Levels (EALs) defined by the Common Criteria. EAL 4+ represents a high level of security assurance required for critical infrastructure, essential services, and government agencies. Achieving EAL 4+ certification involves a thorough security evaluation process, including formal design analysis, vulnerability assessment, and independent testing to ensure that the product or system resists a wide range of security threats

Who is the Certificate Authority / Browser (CAB) Forum?

The Certificate Authority/Browser (CAB) Forum, also known as the CA/Browser Forum or just the CAB Forum, is a consortium of certificate authorities (CAs) and certificate consumer members (such as web browser vendors) that collaboratively work to establish industry standards and guidelines related to digital certificates and secure web browsing.

The forum's primary focus is on promoting the adoption of best practices and standards to enhance the security and trustworthiness of digital certificates used on the Internet for SSL/TLS and other use cases like code-signing certificates for application security. These standards aim to provide robust security in the face of motivated cyber attackers seeking to exploit any potential vulnerability.

Conclusion

The CAB Forum has recently implemented significant changes to code-signing certificate standards to increase the security controls for protecting certificates from being stolen in cyber attacks. These changes mandate that Organization Validation (OV) and Personal or Individual Validation (IV) code-signing certificates be issued and stored on secure physical hardware, mirroring the practices of Extended Validation (EV) certificates.

The new Key Storage Requirements include meeting FIPS 140-2 Level 2 and Common Criteria EAL 4+ compliance standards. These alterations signify a collective IT industry commitment to strengthening code-signing certificate security, to reduce incidents when stolen code-signing certificates can be used in cyber attacks. Software vendors who wish to maintain a presence in major OS such as Microsoft Windows, Apple's macOS, iOS, and Google's mobile app Play Store update their practices to maintain compliance and bolster their cybersecurity defences.

Looking for more free resources on breaking cybersecurity news? View our library of online resources or subscribe to the Packetlabs newsletter today.