Brew MP supports countersigning to respond to the compromise of a certificate authority's private root key or a signing authority's private signing key. Manufacturers may configure Brew MP devices to require that every digital signature also be countersigned by a second signing authority. This configuration requires the inclusion and association of another root certificate, that of the countersigning service, in the compiled Brew MP image on the device. Unless both signatures are present and valid, the applications signed under roots that require countersignatures will not be executed.
With countersigning in place, an attacker who wants to sign unauthorized code needs either knowledge of the signing (or certificate) authority's private key plus undetected access to the countersigning service, or knowledge of both the signing (or certificate) authority's private key and the countersigning authority's private key.
Countersignature verification on the device
Roots that require countersigning, along with the countersigning root certificate, are configured and associated with one another in the device image by the manufacturer. Countersignature verification is performed when signature verification occurs, before an application is installed and before it is loaded into RAM for execution.
Countersignatures are typically issued at the same time the first signature is generated, by accessing a countersigning service through an IP connection:
- First, the local signing authority's private signing key is used to generate a signature.
- The resultant signature is then sent to the countersigning service, which validates the signature, the signing key, and the expiration date of the signing certificate.
- If each is valid, the countersigning service generates and returns a countersignature appended to and encompassing the original signature.
The countersignature format is an IETF-standard time stamp, so any time stamp server compliant with the IETF standard can be used to generate these countersignatures, provided it verifies liveness and correctness and monitors for revocation.
The principle of countersigning is to double a potential attacker's work. To enable otherwise unauthorized code to run on a device, the attacker must successfully attack both operations and capture private keys from each. To maximize the security benefit and reduce the opportunity for a successful insider attack, the countersigner should be in a wholly separate organization or company and geographically removed from the signing authority.
Countersigning log verification
Signing authorities are advised to check their own signing log against the countersigning log. Generated countersignatures that do not correspond to signatures that the signing authority generated are an indication that the signing key or the countersigning service has been compromised. In such a case, the countersigning service should stop signing against the key in question.
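One way to run the log check described above, as an added example that is not Brew MP or countersigning-service code. The log layout (a key_id plus the SHA-256 of each signature), the field names and all sample entries are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

def sig_digest(signature: bytes) -> str:
    # Assumption: both logs record the SHA-256 of the raw signature bytes.
    return hashlib.sha256(signature).hexdigest()

def reconcile(signing_log, countersigning_log):
    """Return {key_id: [countersigning entries with no matching local signature]}."""
    issued = defaultdict(set)
    for entry in signing_log:
        issued[entry["key_id"]].add(entry["sig_sha256"])
    orphans = defaultdict(list)
    for entry in countersigning_log:
        # Match per key: a digest logged under a different key is still an orphan.
        if entry["sig_sha256"] not in issued.get(entry["key_id"], set()):
            orphans[entry["key_id"]].append(entry)
    return dict(orphans)

def keys_to_suspend(signing_log, countersigning_log):
    """Keys the countersigning service should stop signing against."""
    return sorted(reconcile(signing_log, countersigning_log))

# Constructed sample logs (not real Brew MP data).
SIGNING_LOG = [
    {"key_id": "signer-A", "sig_sha256": sig_digest(b"sig-app-1")},
    {"key_id": "signer-A", "sig_sha256": sig_digest(b"sig-app-2")},
    {"key_id": "signer-B", "sig_sha256": sig_digest(b"sig-app-3")},
]
COUNTERSIGNING_LOG = [
    {"key_id": "signer-A", "sig_sha256": sig_digest(b"sig-app-1"), "time": "2024-01-10T09:00:05Z"},
    {"key_id": "signer-A", "sig_sha256": sig_digest(b"sig-app-2"), "time": "2024-01-10T09:30:02Z"},
    {"key_id": "signer-B", "sig_sha256": sig_digest(b"sig-app-3"), "time": "2024-01-11T14:00:01Z"},
    # No local record of this signature: the indicator described above.
    {"key_id": "signer-B", "sig_sha256": sig_digest(b"sig-not-ours"), "time": "2024-01-12T03:12:44Z"},
    # Digest exists locally, but under signer-A, not signer-B.
    {"key_id": "signer-B", "sig_sha256": sig_digest(b"sig-app-1"), "time": "2024-01-12T03:13:10Z"},
]

if __name__ == "__main__":
    for key_id, entries in reconcile(SIGNING_LOG, COUNTERSIGNING_LOG).items():
        for e in entries:
            print(f"ALERT key={key_id} countersigned={e['time']} sig={e['sig_sha256'][:16]}")
    print("suspend countersigning for:", keys_to_suspend(SIGNING_LOG, COUNTERSIGNING_LOG))
```

Matching is done per signing key, so a countersignature that reuses a known signature digest under a different key is still reported.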