Last Updated: 2007-10-20 21:19:35 UTC
by Tony Carothers (Version: 1)
Software authenticity: If it runs, it's right. Simple enough, no? Not quite. You downloaded the latest and greatest network app, text editor, or whatever your CPU desires. The software program you downloaded installed clean, runs great, works exactly as advertised. Is the new application you installed the only new thing running? Did you get exactly what was advertised, and *only* what was advertised? In the previous scenario I implied that a Trojan accompanying the new application may have been downloaded and installed. How do we protect ourselves from something like this occurring? One way is by using only software purchased from reputable vendors (99% of the time 'shrink-wrapped' software is a safe bet. There is that 1% that is not safe.) Another is Software Authenticity.
Software Authenticity, a.k.a. Digital Signatures, is defined by Wikipedia as "a type of asymmetric cryptography used to simulate the security properties of a signature in digital, rather than written, form". In the realm of Information Assurance there are three aspects which digital signatures are typically used, and they are authenticity, integrity, and non-repudiation. In short, when we download a digitally signed message or piece of software, we know the data is exactly what the originator intended it to be, it has not been altered in transit, and the originating source of the item is never in question.
This is just one example of the use of software authenticity. In the spirit of the month, I ask for inputs from you, the readers. Simply go to our "Contacts" page and submit tips with a subject similar to "Tips #20 - Software Authenticity"
Matt Smith brought up a good point that needs to be emphasized: Just because a piece of software has a signature assosciated, and the local signature matches the source signature, doesn't mean that it is malware free; it only means that the software is exactly as the originator intended. If the originator created the software with malicious code built in, then the signature does nothing more than tell you that the malicious portion is still in there!