Code signing ensures the integrity of the signed product and the authenticity of the software publisher. While this provides a level of security for the user, it is not sufficient to ensure the reliability and safety of the verified product. Code signing is therefore usually considered an informative authentication mechanism rather than a security measure.

Averina addresses this issue with its brand-new, patent-pending technology, Universal Software Identification, which provides improved authenticity for signed software products. It is a core part of the Averina Code Signing Library and is fully backwards compatible with existing code signing systems. The main goal is to provide an open standard and allow third parties to develop value-added services based on the Universal Software Identification technology.

The technology enables a software publisher to embed a Universal Software ID in the code file adjacent to the digital signature. The embedded Universal Software ID can later be extracted from the signed file to uniquely identify the originating software product. Processing of the extracted Universal Software ID is entirely at the discretion of the end-user or third-party service provider. For example, service providers can use it for purposes such as software management, patch monitoring, and malware detection.

Universal Software ID

Critical to Universal Software Identification technology is its hierarchical software identification model. The figure illustrates this for a fictitious software publisher:

In this system, each and every software product is identified by a globally unique Universal Software ID with three components:

Publisher Token

The Publisher Token is derived from the public key of the software publisher's digital certificate. Comprising the first 128 bits of the public key's SHA-1 hash value, the Publisher Token is, for practical purposes, unique. It has the advantage of being easier to process and store than the public key, thus enhancing performance.

Product ID

The Product ID is a 32-bit integer uniquely identifying the software within the publisher's product range. Assigned by the publisher, this integer is not globally unique unless combined with the Publisher Token.

Release ID

The Release ID provides a uniform versioning scheme. Starting with the first release, each new release of a particular product must have a 32-bit integer value greater than the previous one. This scheme is independent of any in-house versioning scheme.
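The three components described above, combined into one identifier and compared the way a patch-monitoring service might. This is an added example, not Averina's code. It assumes the key bytes that are hashed, a 24-byte big-endian layout, and hypothetical class and function names, none of which the page specifies.

```python
import hashlib
import struct
from dataclasses import dataclass

# Assumed wire layout (not specified on the page): 16-byte token, then two
# big-endian unsigned 32-bit integers, 24 bytes in total.
_LAYOUT = struct.Struct(">16sII")

def publisher_token(public_key: bytes) -> bytes:
    """First 128 bits (16 bytes) of the SHA-1 hash of the public key."""
    return hashlib.sha1(public_key).digest()[:16]

@dataclass(frozen=True)
class UniversalSoftwareID:
    token: bytes      # 128-bit Publisher Token
    product_id: int   # unique only within one publisher's product range
    release_id: int   # must increase with every release of the product

    def __post_init__(self):
        if len(self.token) != 16:
            raise ValueError("Publisher Token must be 16 bytes")
        for name in ("product_id", "release_id"):
            if not 0 <= getattr(self, name) <= 0xFFFFFFFF:
                raise ValueError(f"{name} must fit in 32 bits")

    def pack(self) -> bytes:
        return _LAYOUT.pack(self.token, self.product_id, self.release_id)

    @classmethod
    def unpack(cls, blob: bytes) -> "UniversalSoftwareID":
        if len(blob) != _LAYOUT.size:
            raise ValueError("expected exactly 24 bytes")
        return cls(*_LAYOUT.unpack(blob))

    def same_product(self, other: "UniversalSoftwareID") -> bool:
        # Product ID alone is not globally unique; compare it with the token.
        return (self.token, self.product_id) == (other.token, other.product_id)

    def is_newer_than(self, other: "UniversalSoftwareID") -> bool:
        if not self.same_product(other):
            raise ValueError("Release IDs compare only within one product")
        return self.release_id > other.release_id

# Constructed sample keys (placeholders, not real certificate keys).
KEY_A = b"constructed-public-key-publisher-A"
KEY_B = b"constructed-public-key-publisher-B"
installed = UniversalSoftwareID(publisher_token(KEY_A), 7, 3)
offered = UniversalSoftwareID(publisher_token(KEY_A), 7, 5)
lookalike = UniversalSoftwareID(publisher_token(KEY_B), 7, 9)
```

Here `lookalike` reuses Product ID 7 under a different publisher key, so `same_product` rejects it even though its Release ID is higher than the installed one.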

Third Party Services

The usefulness of the Universal Software Identification technology depends on the number of services provided on top of it. Averina is actively developing its own services and also offers its industry expertise to support third-party service providers. You can contact us if you want to learn more about our third-party provider support.