
Digital signatures, a crash course (translation of chapter 17 of PowerShell in Depth)

It is so well written, concise and practical, that I could not resist translating it.
- PowerShell in Depth, Don Jones and Richard Siddaway

Chapter 17.3.1 Digital signatures, a primer
For several years Microsoft has been promoting code signing as a protection mechanism. Signed code carries an encrypted block called a digital signature. The signature contains information identifying the signer and gives confidence that the code has not been changed since it was signed. In practical terms, the signature tells you (A) who signed the application and (B) that it has not been modified since. Any problem with the application can therefore be laid at the distributor's door, and the information in the certificate helps you find them.
A digital signature does not prevent the spread of harmful code. But, ideally, only an extremely stupid person would put their digital signature on malware, because the signature lets you trace the code back to the signer. That is the idea, at least.

Digital signatures are an entire business built on a trust mechanism (in the Russian-language literature, trust relationships).
Let's use an analogy. In the US, a driver's license can be used to identify a person (much like a passport). Among other things, it shows the date of birth, and a bartender or shop assistant can check it before selling you alcohol. In computer terms, the US has 52 "CAs": one in each of the 50 states, one in Washington DC (the capital, which counts as a separate entity) and one for the US Army. If you live in Nevada, you go to the Nevada Department of Motor Vehicles and get your license. You go to California and buy a can of beer, because California trusts the department in Nevada. In fact, every state trusts the CAs of all the other states, so your license is valid across the whole country. Why is that? Formally for legal reasons, but the real reason is this: a state trusts another state because they all use the same basic processes for verifying your identity and your age before the document is issued. That does not mean one state trusts another state completely; it means that one state trusts the process in the other state, and the procedures are all accepted (agreed upon). If the news reported that a state had been stripped of the right to issue licenses, all driver's licenses from that state would stop being accepted in the other states, because the trust has been withdrawn.
Back to computers. In the world of digital certificates there are several classes of certificates. Each class is defined by the consequences that follow if an attacker gets hold of the certificate. Class 1 certificates are used to encrypt e-mail, and the worst that can happen is that someone reads your mail when you don't want them to. Bad for you, but not so bad for society as a whole.
Certificates required for code signing are called Class 3. They are issued only to organizations (February 2016: this is no longer the case; an individual can be verified at a notary and send the documents by fax) after the data they supply has been thoroughly checked. Usually the CA verifies the company's registration with Dun & Bradstreet, its registration in the state or country where it is incorporated, and so on. So if you hold a certificate for Microsoft Corporation, everyone assumes you have the right to represent that company.
This is where trust comes in. A certificate may be issued by a commercial certification authority or by a private one (your own CA). Windows has a built-in list of CAs it trusts; Vista and earlier systems have a small CA list. You can look at the certification authorities on your system's list and check how they issue certificates. If you don't like what you see, you can remove that CA from the list, saying in effect: "I don't think they check certificates properly; maybe they issued them to attackers without verification. This CA issues certificates without checking." That is exactly what would happen if a state department started handing out driver's licenses left and right without checks: everyone would stop trusting that state's licenses, the process is no longer respected, and so the trust disappears.

So your computer must hold a list of CAs that do their job well, and there must be confidence that a certificate was issued to the company named in it. If an application is infected, you can easily find the organization and take action. But if your CA does its job badly, you cannot prove that the malicious code was signed by "Adobe Inc". When you trace it, you will find that the CA does not know who it issued the certificate to, because it did not carry out the required authentication.
So a digital signature does not prevent bad code from appearing. Signed scripts do not become better scripts, nor do they run any more safely in your environment. All the signature tells you is who signed the code and that it has not been modified since it was signed.
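The three situations the chapter describes (a signer nobody on the CA list vouches for, a signer whose root is on the list, and code changed after signing) can be seen directly with PowerShell's signature cmdlets. The following is an added example, not code from the book or from the Habr post; it assumes Windows PowerShell 5.1 or later on Windows (New-SelfSignedCertificate comes from the PKI module), and every name and path in it is constructed for the demo.

```powershell
# Added example, not code from the book or the Habr post. Needs Windows
# PowerShell 5.1+ on Windows. All names and paths below are constructed.

$work   = Join-Path $env:TEMP 'sig-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$script = Join-Path $work 'hello.ps1'
Set-Content -Path $script -Value 'Write-Output "hello from a signed script"'

# Constructed signer: a self-signed code-signing certificate in the user's
# personal store. A real signer would hold a Class 3 certificate chained to a
# commercial CA that Windows already lists as trusted.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Demo Signer (constructed)' `
    -CertStoreLocation 'Cert:\CurrentUser\My'

Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null

function Get-SignatureReport {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File    = Split-Path $Path -Leaf
        Status  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Message = $sig.StatusMessage
    }
}

# 1) Signed, but the issuer is not in any trusted root store. Windows can read
#    who signed, yet nobody on its CA list vouches for that signer, so the
#    status is UnknownError rather than Valid.
Get-SignatureReport -Path $script

# Building the chain by hand shows *why* the signature is not accepted.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null  = $chain.Build($cert)
foreach ($s in $chain.ChainStatus) { "Chain: $($s.Status) - $($s.StatusInformation.Trim())" }

# 2) Add the signer's root to the list of CAs this user trusts (the "state"
#    whose licenses we now accept). For a self-signed certificate the
#    certificate is its own root. Importing into CurrentUser\Root pops up a
#    confirmation dialog.
$cer = Join-Path $work 'demo-root.cer'
Export-Certificate -Cert $cert -FilePath $cer | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
Get-SignatureReport -Path $script       # Status is now Valid

# 3) Change the signed content. The signature still names the signer, but the
#    hash no longer matches, so the promise "unchanged since signing" is broken.
(Get-Content -Path $script -Raw) -replace 'hello from a signed script', 'tampered after signing' |
    Set-Content -Path $script -NoNewline
Get-SignatureReport -Path $script       # Status is now HashMismatch

# Remove the constructed certificate from both stores (another dialog for Root).
Get-ChildItem 'Cert:\CurrentUser\My', 'Cert:\CurrentUser\Root' |
    Where-Object Thumbprint -eq $cert.Thumbprint | Remove-Item
```

The point to take from the three reports: trust is a property of the CA list on the verifying machine, not of the signature itself. The same file goes from UnknownError to Valid without a single byte of it changing, and from Valid to HashMismatch the moment the signed content is edited, which is exactly what the chapter means by "who signed it" and "unchanged since signing".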

- Chapter 17.3.3, the paragraph on RemoteSigned
Remember that some applications, such as Firefox, Internet Explorer and Outlook, add a special flag to a file when it is saved to disk. Files carrying this flag are treated as coming from outside when you try to run them in PowerShell.
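The flag the paragraph refers to is an NTFS alternate data stream named Zone.Identifier, which PowerShell consults when the execution policy is RemoteSigned. The following is an added example, not code from the book or from the post; it assumes Windows on an NTFS volume, and the stream content it writes is constructed to mimic what a browser records on download (ZoneId=3 is the Internet zone).

```powershell
# Added example, not code from the book or the Habr post. Windows on NTFS; the
# Zone.Identifier content below is constructed to look like a browser's flag.

$work   = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$local  = Join-Path $work 'local.ps1'
$remote = Join-Path $work 'downloaded.ps1'
Set-Content -Path $local  -Value 'Write-Output "I was created locally"'
Set-Content -Path $remote -Value 'Write-Output "I arrived from the Internet"'

# Simulate the browser's flag: the "mark of the web" is an alternate data
# stream named Zone.Identifier attached to the file (constructed content).
Set-Content -Path $remote -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

function Get-InternetZoneInfo {
    param([string]$Path)
    $zoneId = $null
    # A file without the stream was created locally or has already been unblocked.
    $stream = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($stream) {
        foreach ($line in (Get-Content -Path $Path -Stream Zone.Identifier)) {
            if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        }
    }
    [pscustomobject]@{
        File      = Split-Path $Path -Leaf
        ZoneId    = $zoneId
        FromWeb   = ($null -ne $zoneId -and $zoneId -ge 3)  # 3 = Internet, 4 = Restricted sites
        Signature = (Get-AuthenticodeSignature -FilePath $Path).Status
    }
}

# Both files are unsigned. Under RemoteSigned the local one runs; the flagged
# one is refused because it is unsigned *and* marked as coming from outside.
# A child process is used so this session's policy is never touched (a policy
# set by Group Policy would still override the command-line switch).
foreach ($file in @($local, $remote)) {
    Get-InternetZoneInfo -Path $file
    & powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File $file 2>&1 |
        ForEach-Object { "  -> $_" }
}

# Sweep a folder for scripts that arrived from outside and carry no valid signature.
Get-ChildItem -Path $work -Filter *.ps1 |
    ForEach-Object { Get-InternetZoneInfo -Path $_.FullName } |
    Where-Object { $_.FromWeb -and $_.Signature -ne 'Valid' }
```

The sweep at the end is the check worth keeping: it lists exactly the scripts RemoteSigned will refuse. Once such a script has been reviewed, the right remedies are to sign it or to remove the stream with Unblock-File, rather than lowering the execution policy for everything.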

Source: https://habr.com/ru/post/277691/
