nCipher plc announced that Microsoft Corporation is using nCipher’s hardware security modules (HSMs) and time stamping technology to help protect its commercially published software.
nCipher’s HSMs and time stamping hardware are important components in securing the underlying cryptography and time stamps used as part of the Microsoft Authenticode protocol for digitally signing software in order to prove its authenticity and determine that the software has not been modified, potentially for malicious purposes.
Authenticode code signing is at the heart of a broad initiative championed by Microsoft to identify software authored by commercial and corporate application developers, helping to assure users of the code’s origin and that the code has not been tampered with since its publication as it executes on Microsoft platforms. The recent launch of Windows Vista makes it more evident to users whether or not an application they are downloading has been signed.
“Authenticode is a critical technology for helping to build confidence and trust in computing,” says David B. Cross, director of Program Management for Windows Security at Microsoft. “nCipher’s technology is a vital component and a critical part of the signing process for Microsoft software.”
Microsoft Authenticode is a technology provided by Microsoft to its developer community to enable the signing and time stamping of code that is to be published and shared with others. Digital signatures provide a proven way to establish the software’s authenticity and expose any attempt to tamper with the code.
However, the security provided by a digital signature is directly related to the measures taken to protect the cryptographic keys on which it is based. Furthermore, digital signatures have a finite life and can expire long before the code itself becomes obsolete. For this reason the additional use of a time stamp is required to ensure that the original signature can always be validated even after the original certificate has expired.
“There is no doubt that the use of Authenticode will become even more prevalent and valuable as software providers increasingly distribute software online rather than as a pre-packaged shrink-wrapped product,” says Richard Moulds, vice president marketing at nCipher.
“Microsoft’s decision to use our time stamping technology and hardware security modules as the backbone of its own Authenticode deployment upholds the well-established best practice of performing sensitive cryptographic functions and the associated key management tasks within a trusted hardware device.
“nCipher is working with the Microsoft developer community to adopt the same high standards as Microsoft as the best way to protect their brand and deliver tangible security benefits to their customers.”
nCipher’s Time Stamp Server (TSS) is an easily deployed and cost-effective time stamping solution that supports the Authenticode protocol in a convenient appliance package. It allows software developers to utilize secure digital signatures and auditable time stamping functionality as part of the software publishing process.
nCipher’s TSS is fundamental to an Authenticode implementation because it removes the traditional reliance on the host computer’s system clock, which is vulnerable to tampering. The TSS appliance provides an accurate and verifiable time stamp, produced within the tamper-resistant boundary of an embedded nCipher HSM, and can be calibrated and synchronized to independently provided calibration and audit services, such as the service maintained by NIST.