Code Signing Reading Time: 10 minutes

Everything You Need to Know About Time Stamping Authority

In this discussion whiteboard, what is a trusted time stamp and what is Time Stamping Authority (TSA)? What are various protocols followed by Time Stamping Authority (TSA)? What are various steps involved in time stamping process performed by Time Stamping Authority? How is this concept critical in code signing process? What is CodeSign Secure by Encryption Consulting? Let’s get into the topic to understand responses to these questions:

Code signing is a type of digital signature used to provide security and authentication for the intellectual property in the form of code or software program. Code signing process leverages several modules for completion of the process in order to provide technical security and integrity for your code/ software program. Time stamping is one of the key aspect of the code signing process architecture.

Let us go first understand what exactly is the code signing process and what are different components involved in the code signing architecture. This will lead us to the trusted time stamping concept and Time Stamping Authority (TSA). One important point to note is time stamping process can be applied to documents which are signed either through digital signatures or electronic signatures. 

What is a Code Signing process?

In the recent past many technology firms are being targeted by hackers to tamper and corrupt the source code. These attacks heavily impact brand reputation and leads to huge losses for firms victimized. To tackle this scenario, Code Signing technique can be used for safeguarding the code integrity and to provide authenticity of the author to the end user by providing digital signatures.

Code Signing provides secure and trusted distribution of software preventing tampering, corruption, and forgery. Code signing improves end-user confidence in software/code integrity and sender authenticity.  

Code signing is the process of applying a digital signature to any software program that is intended for release and distribution to another party or user, with two key objectives. One is to prove the authenticity and ownership of the software. The second is to prove the integrity of the software i.e. prove that the software has not been tampered with, for example by the insertion of any malicious code.

Code signing applies to any type of software: executables, archives, drivers, firmware, libraries, packages, patches, and updates. An introduction to code signing has been provided in earlier articles on this blog. In this article, we look at some of the business benefits of signing code.

Code signing is a process to validate the authenticity of software and it is one type of digital signature based on PKI. Code signing is a process to confirm the authenticity and originality of digital information such as a piece of software code. It assures users that this digital information is valid and establishes the legitimacy of the author. Code signing also ensures that this piece of digital information has not changed or been revoked after it was validly signed.

Code Signing plays an important role as it can enable identification of a legitimate software versus malware or rogue code. Digitally signed code ensures that the software running on computers and devices is trusted and unmodified.

Software powers your organization and reflects the true value of your business. Protecting the software with a robust code signing process is vital without limiting access to the code, assuring this digital information is not malicious code and establishing the legitimacy of the author.

Code Signing Architecture

Code Signing Architecture provides a detailed explanation on how the Code Signing process works along with its components. Below mentioned are the four important differentiating components in the Code Signing Architecture.  

These four components together will achieve the full cycle completion of code signing process. Public Key Infrastructure (PKI) plays a crucial role in achieving the code signing for your important documents.

To understand more about Code signing process, read our blog posts here:

In the above architecture, our point of focus is on “Time Stamping Authority” which is an optional part of code signing process right now, but slowly it is gaining importance in achieving authenticity for your code/software program. So, what is time stamping process and how is this time stamping authority important for time stamping process? Let’s take a look now:

What is time stamping process?

Time stamping is an optional part of the code signing process, where validity of code signing signature by the software even after expiry of the certificate used for code signing. This acts like an additional control where the signature used for code signing process is preserved even after the expiry ensuring the smooth flow of operations without interruption. 

Whenever the signed software’s executable is run/executed on any client machine/system, its digital signature is verified by the user’s operating system. Now, suppose the user has time stamped the software. The users’ computer will verify the signature based on the time it was digitally signed, rather than the current time of the system when the software is executed.

What is Time Stamping Authority (TSA)?

An optional but important component in Code Signing Architecture is Time Stamp Authority (TSA). Time stamping preserves the source time when the code was signed and allows software to be accepted by the OS and other client device platforms even after the certificate expires. Signed software is validated with the source time when the certificate was signed rather than the current time. Hence, it is always advisable to use Time stamping technique while performing code signing.

Digital signature signed code is sent to TSA for time stamping. TSA applies its own signature along with the valid source time stamp. TSA is independent from Code Signing System and synchronizes its clock with an authoritative time source. 

Time stamping protocols

Time Stamping Authorities follow certain protocols for performing time stamping activity to ensure higher protection and security. There are two major protocols usually followed by TSAs for time stamping.

  • RFC 3161 – RFC 5035
  • Microsoft Authenticode

RFC 3161 – The time-stamping protocol defined in RFC 3161 requires that the Cryptographic Message Syntax (CMS) SignedData [RFC5652], used to apply a digital signature on the time-stamp token, include a signed attribute that identifies the signer’s certificate.
Authenticode applies digital signature technology to guarantee the authorship and integrity of binary data such as installable software. A client web browser, or other system components, can use the Authenticode signatures to verify the integrity of the data when the software is downloaded or installed. Authenticode signatures can be used with many software formats, including .cab, .exe, .ocx, and .dll.

To know more about the Microsoft Authenticode, please read through the page mentioned below:
https://docs.microsoft.com/en-us/windows/win32/seccrypto/time-stamping-authenticode-signatures

How does Time stamping authority perform time stamping process?

Public Key Infrastructures (PKIs) play a crucial role in Time Stamping Authority (TSA) performing time stamping process. Let us understand the high level steps that are involved in the time stamping process. 

Step 1:

The client application connects with the Time Stamping Authority (TSA) service. Now, hash is created for the code or software program which needs to be code signed.

Step 2:

Hash created for the code is sent to Time Stamping Authority (TSA) for time stamping. Once the hash is sent to TSA, any changes made to code or software program hashed has to be communicated with TSA server.

Step 3:

Time stamping authority combines the hash of the original file received from client along with the trusted time stamp. The result is digitally signed with a secure private key. This signing process creates a “Time stamp token” which is sent back to the client.

Step 4:

The client receives the timestamp token created by Time Stamping Authority which is recorded along within the document or code signature.

Who can use Time stamping?

Trusted time stamping process can be add additional security control to the documents which are either digitally signed or electronically signed. Documents which are signed using electronic signature can be time stamped. Recipients can verify the integrity of the document post time stamp. For digitally signed documents, there are two main reasons for including a trusted timestamp when you digitally sign a document – ensuring Long-Term Validation (LTV) of the signature and adding non-repudiation or confidence around when the signature was actually applied. 

Encryption Consulting provides CodeSign Secure platform for digitally code signing your most important and highly sensitive code and/or software programs to ensure security and integrity. Post performing code signing process through CodeSign Secure we would guide you in performing trusted time stamping process through a Time Stamping Authority (TSA).

Below is the brief provided on Encryption Consulting’s (EC) CodeSign Secure platform and its benefits.

Encryption consulting’s (EC) CodeSign Secure platform:

Encryption consulting (EC) CodeSign secure platform provides you with the facility to sign your software code and programs digitally. Hardware security modules (HSMs) store all the private keys used for code signing and other digital signatures of your organization. Organizations leveraging CodeSign Secure platform by EC can enjoy the following benefits:

  • Easy integration with leading Hardware Security Module (HSM) vendors.
  • Authorized users only access to the platform.
  • Key management service to avoid any unsafe storage of keys.
  • Enhanced performance by eliminating any bottlenecks caused.

Why to use EC’s CodeSign Secure platform?

There are several benefits of using Encryption consulting’s CodeSign Secure for performing your code sign operations. CodeSign Secure helps customers stay ahead of the curve by providing a secure Code Signing solution with tamper proof storage for the keys and complete visibility and control of Code Signing activities. The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys. Client-side hashing ensures build performance and avoids unnecessary movement of files to provide a greater level of security. Client-side hashing ensures build performance and avoids unnecessary movement of files to provide a greater level of security. Client-side hashing ensures build performance and avoids unnecessary movement of files to provide a greater level of security. Seamless authentication is provided to code signing clients via CodeSign Secure platform to make use of state-of-the-art security features including client-side hashing, multi-factor authentication, device authentication, and as well as multi-tier approvers workflows, and more. Support for InfoSec policies to improve adoption of the solution and enable different business teams to have their own workflow for Code Signing. CodeSign Secure is embedded with a state-of-the-art client-side hash signing mechanism resulting in less data travelling over the network, making it a highly efficient Code Signing system for the complex cryptographic operations occurring in the HSM.

Encryption Consulting’s Managed PKI / CodeSign Secure

Encryption Consulting LLC (EC) will completely offload the Public Key Infrastructure environment, which means EC will take care of building the PKI infrastructure to lead and manage the PKI environment (on-premises, PKI in the cloud, cloud-based hybrid PKI infrastructure) of your organization. Also, along with PKI, Encryption Consulting also assists you in performing code signing process for your important and highly sensitive documents, codes and software programs.

Encryption Consulting will deploy and support your PKI using a fully developed and tested set of procedures and audited processes. Admin rights to your Active Directory will not be required and control over your PKI and its associated business processes will always remain with you. Furthermore, for security reasons the CA keys will be held in FIPS 140-2 Level 3 HSMs hosted either in in your secure datacentre or in our Encryption Consulting datacentre in Dallas, Texas.

Conclusion

Encryption Consulting’s PKI-as-a-Service, or managed PKI, allows you to get all the benefits of a well-run PKI without the operational complexity and cost of operating the software and hardware required to run the show. Your teams still maintain the control they need over day-to-day operations while offloading back-end tasks to a trusted team of PKI experts.

Free Downloads

Datasheet of Code Signing Solution

Code signing is a process to confirm the authenticity and originality of digital information such as a piece of software code.

Download

About the Author

Anish Bhattacharya's profile picture

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo