BlackVault CYNR Revolutionizes Secure Code and App Signing
Posted on October 13, 2015 by Rose Mary
BlackVault CYNR Revolutionizes Secure Code and App Signing for the IoT and beyond; See the CYNR at JavaOne and AnDevCon
Engage Black, the security business unit of Engage Communication, will be demonstrating the BlackVault CYNR (“signer”) at JavaOne, October 25th thru 29th in San Francisco and AnDevCon, December 1st thru 3rd in Santa Clara. BlackVault CYNR is an all-in-one code, app and driver signing appliance that makes it easy to adopt secure code signing processes which prevent internal and external threats to safe code distribution. Ensuring reliable Publisher authentication is even more critical now as Internet of Things (IoT) software touches more and more of our daily lives (automobiles, healthcare, utilities, smart phones, etc.).
Signing software is essential for any organization that distributes Code or Apps to customers, partners, and internal organizations. The growing frequency and sophistication of malware attacks not only make code signing mandatory, but also highlight the need for increased protection of the associated cryptographic keys and code release process.
Unfortunately, code or app signing often occurs on a developer’s computer using a weak cryptographic key that is stored in the clear with the source code. Anyone gaining access to this build machine, locally or online, can hijack the enterprise’s certificate and distribute code that appears to be authentic. This simplistic approach has led to the infection of critical infrastructure and customers' computers, and to the demise of promising ventures.
The next step in code/app signing evolution is the use of hardware Tokens with a single individual in control of the software publishing. The Token method does not provide the checks and balances of requiring a Quorum (M of N) to publish and distribute software. Tokens are also easily misplaced or lost and do not automatically zeroize keys when tampered with. Additionally, lost keys may make it impossible to publish and sell any further upgrades to existing software.
The next level of code signing security is achieved by incorporating a Hardware Security Module (HSM). However, implementing HSMs can be complex and costly.
The BlackVault CYNR introduces an optimum combination of convenience and high grade security to the code signing process. A single command from its touch screen generates a truly random number based RSA or Elliptical private and public key pair. Then, simply insert a USB device containing the code to be signed into CYNR, and click the appropriate command on its touch screen interface to sign the code/app using the internal private key created. Even better, the private signing keys are stored in the CYNR’s integrated Level 3+ tamper reactive HSM.
CYNR also ensures continuity and control in the code release process. Validating that the correct version of code is being signed is also easy with a built-in selectable hash verification. Sign-off of a code release can be enforced by an M of N quorum using multiple smart cards and PINs for each authorized signatory. Quorums that include Quality control personnel significantly minimize flawed releases.
BlackVault CYNR is an exciting code signing innovation that:
- Is up and running in minutes with integrated touch screen display and smart card reader;
- Has a built-in Level 3+ tamper reactive HSM with M of N quorum and time stamp functionality;
- Supports JAR and ZIP archives;
- Integrates Standard and proprietary Elliptical Curve Cryptography that is compatible with the more limited crypto processing power of IoT devices;
- Has an integrated USB host port;
- And signs code with no additional software or hardware required.
The BlackVault platform is also available as a network attached HSM with support for PKCS#11 and Microsoft CAPI / CNG cryptographic libraries for Microsoft Authenticode, Eclipse, Android Studio and other build environments.
Engage Black, the cryptographic business unit of Engage Communication Inc., founded in 1989, provides innovative cryptographic solutions that securely generate, use and manage cryptographic keys and material for encryption. www.engage-black.com