CodeMeter offers a means of storing private keys securely in a CmContainer. The private key remains in the container; only the fingerprint (the hash of the data to be signed) is sent by the CodeMeter API to the container to be signed. CmDongles use their built-in smart card chip for the purpose, while “soft” CmActLicenses use the CodeMeter Runtime, which runs as a service or daemon and is protected against unauthorized access or debugging. The certificate itself can be stored in the CmContainer, in a readable component, or as a file on the hard drive.

Sample Certificate
To protect software against tampering, Wibu-Systems uses a proprietary compact certificate format, because X.509 uses lots of resources and is notoriously slow – two qualities that make it a poor choice for small-scale embedded devices in particular. X.509 also lacks some important additional information, although the structure and security features of the Wibu-Systems format resemble X.509.

CodeMeter can store standard X.509 certificates to be compatible with all standard applications, needing only PKI middleware (CSSI) to link up with the standard interfaces (PKCS#11 / Microsoft CSP).

Certificates are not limited to specific cryptographic algorithms. They can use, for example, MD5, SHA-1, or SHA-256 as fingerprints and RSA or ECDSA as signing algorithms.

What Happens to Lost Certificates
Losing a certificate itself does not cause any problem, since the certificate includes no confidential information. Losing a private key for a certificate (or allowing somebody else to acquire it), on the other hand, can have dramatic consequences. A person with the private key can sign anything in the name of the original owner and use the certificate to authenticate the corresponding public key.

This was one of the reasons for the impact of Stuxnet. Software developers sign their code, especially for drivers, with their private keys. Certificates from trusted certificate authorities are used to confirm the public keys. Virus scanners typically work with points systems; software from reputable sources gets bonus points. In the Stuxnet case, the private keys of two known producers of drivers were stolen and used to sign the virus. This meant that the virus could not be recognized by anti-virus software and had an opportunity to spread undetected.

In common parlance, we speak of “signing something with a certificate.” This is incorrect – we sign something with a private key and add the public key, authenticated by the certificate. The private key is not part of the certificate, although there are certain file formats in which the certificate and the allocated private key are kept in a single file.

How to Obtain Certificates
There are two basic ways of obtaining a certificate. The traditional way is by personally creating a pair of keys. CodeMeter can do so either by means of the CSSI middleware (pair of RSA keys) or by means of the CodeMeter API (RSA or ECC keys). When using a CmDongle and a pair of ECC keys, this can also rely on the random number generator integrated on the smartcard chip. The private key is created on the dongle and never leaves it. The public key can be calculated by the CodeMeter API.
In the next step, a certificate signing request
(CSR) is produced, which already includes
relevant data like the owner’s name and the
public key. This CSR is sent to the certificate
authority.
The finished certificate is sent back for storage by the client.

For cases in which a private key has been lost or stolen, there are so-called certificate revocation lists (CRLs), which list the serial numbers of revoked certificates so that they can be identified immediately. These CRLs are themselves signed to ensure their integrity.
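
The revocation lists and expiry dates this page describes have to be evaluated together by whoever relies on a certificate. The following sketch is an added example, not Wibu-Systems or CodeMeter code: the `Certificate` and `RevocationList` types, `check_certificate`, and all serial numbers and dates are hypothetical, and it assumes the signatures on the certificate and on the CRL have already been verified.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Verdict(Enum):
    VALID = "valid"
    REVOKED = "revoked"
    CERT_NOT_YET_VALID = "certificate not yet valid"
    CERT_EXPIRED = "certificate expired"
    CRL_STALE = "revocation list expired"


@dataclass(frozen=True)
class Certificate:          # only the fields this check needs
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class RevocationList:
    next_update: datetime   # the CRL's own expiry date
    revoked_serials: frozenset


def check_certificate(cert, crl, now, allow_stale_crl=False):
    """Assumes the signatures on cert and crl were already verified."""
    # A listed serial stays revoked even if the list itself has expired,
    # so test revocation before judging the list's freshness.
    if cert.serial in crl.revoked_serials:
        return Verdict.REVOKED
    if now < cert.not_before:
        return Verdict.CERT_NOT_YET_VALID
    if now > cert.not_after:
        return Verdict.CERT_EXPIRED
    # An expired list cannot prove that a serial is still unrevoked.
    # Offline devices must fail closed or accept that risk explicitly.
    if now > crl.next_update and not allow_stale_crl:
        return Verdict.CRL_STALE
    return Verdict.VALID


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data: serial numbers and dates are made up.
CRL = RevocationList(next_update=utc(2024, 7, 1), revoked_serials=frozenset({0x1A2B}))
DRIVER_CERT = Certificate(0x1A2B, utc(2023, 1, 1), utc(2026, 1, 1))
DEVICE_CERT = Certificate(0x3C4D, utc(2023, 1, 1), utc(2026, 1, 1))
```

The `allow_stale_crl` switch makes the trade-off for devices that never go online an explicit decision instead of a silent default.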

Certificates and Private Keys
Both certificates and revocation lists have distinct expiry dates, making it necessary to update both of them on a regular basis. This is not a problem for internet-connected PCs, but it is an issue for embedded devices that are expected to control hardware over many years without ever going online. It should be carefully considered for how long a certificate should