Microsoft Authenticode Signature Verification – A Cryptographic Procedure
Microsoft Authenticode Signature is one type of digital signature format used to determine the origin and integrity of software binaries, like code signing certificates. Microsoft Authenticode is based upon Public-key Cryptography Standards (PKCS) #7 signed data along with X.509 certificates for binding an Authenticode signed binary to the identity of a software publisher.
In other words, an Authenticode signature is a complex mathematical function where the hash function takes place first. And then the Microsoft Authenticode signing certificate along with the code is combined while hashing at the same time. Hashing is a cryptographic process that takes an input of any length and gives an output of a fixed size, also called a hash value. And these hash values produced at the time of signing are the thing that gets signed. Private Key of the Authenticode signing certificate signs that produced hash value while hashing it again.
However, to sign any software package, the developer/publisher must get a trusted Microsoft Authenticode signing certificate from a trusted certificate authority. It requires a stringent verification process where your organization is validated to confirm that the certificate is not issued to any malicious actor.
Also, once the signed software gets to the client, verification of that signature begins by repeating the second process of hash by using the Public Key of that Authenticode signing certificate, which is with the signed software for the verification purpose. And then, the checksum takes place. Lastly, when everything checks out, the software gets trusted while the Authenticate signature is considered verified.
Similar Procedure for Embedded Authenticode Signature
On the other hand, similar to signing software packages using Microsoft Authenticode signing certificate, it’s also possible for kernel-mode signing to use the same certificate. Besides, it’s similar for digitally signing a category file once it generates a hash file for every file within that driver package. And, in both situations, the procedure for signature verification remains the same.
Usually, people know how public key cryptography works. For instance, they are aware of how encryption works with the help of public-private key pairs. The public key is for encrypting, while the private keys are for decrypting. But, when the question is regarding digital signatures, many might not be aware of the answer. Still, it’s possible to use a public key to verify signatures that are left by the private key – which is one of the main reasons why a certificate and its public key are given within that signed software. The certificate validates that the developer is genuine by validating their identity.
Lastly, whether it’s an embedded Authenticode signature, a catalog file, or standard Authenticode signature, the verification procedure remains the same as a cryptographic procedure – which is hashing and public-key encryption.