Yesterday, I highlighted the focus on the chain of trust. I would like to come back to it.
A chain of trust is based on the concept that an authority is trusted. This authority then delegates its trust by signing a certificate for another authority. This is how Public Key Infrastructures (PKI) work. A Certification Authority holds the root of trust, and all the certificates chain back to it.
In the case of downloaded/loaded software, it works in a similar way. The software to be downloaded is signed with the private key of an authority. The host that is to load the software checks the signature using the corresponding certified public key. The certificate may be part of a hierarchical signature scheme. This seems extremely sound. Where is the problem?
From the cryptographic point of view, the trust model rests mainly on two assumptions (in addition to the traditional use of robust, proven algorithms and secure implementation):
1- No private key involved in the signature scheme leaks. In reality, the assumption is mainly that the private root key does not leak. Other leaks can be handled through revocation.
2- The attacker cannot replace or add a new root public key.
The second assumption is often forgotten. Nevertheless, this still seems sound.
Unfortunately, the trust model is more complex. It adds a third assumption.
3- If a piece of software is signed, it means that this software is safe.
In an ideal world, assumption 3 means that the signing authority carefully checked the software and certifies that it is safe. Any developer knows how difficult it is to carefully review even a small piece of software to find flaws, let alone the complete software…
In the real world, if the host may receive many applications, for instance in game consoles or future TPM-based software for computers, we may assume that the signing authority will sign any piece of software presented by a software editor that it trusts. It means that the trust model has a fourth assumption:
4- A piece of software provided by a known software editor can be trusted.
Unfortunately, this assumption is rather weak. Many attacks or errors can invalidate it (malware insertion, security flaws, impersonation of the editor, …). This is why the chain of trust is not as effective as we could expect in an environment that handles many applications.
The chain of trust may be stronger in a more restricted environment such as Set Top Boxes.
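The host-side check described above, as an added example that is not part of the original post: a toy textbook-RSA chain (standard library only, keys built from Mersenne primes, not secure) in which every name, key and payload is constructed. It shows that verification only answers "who signed this?" and that the answer depends on the root store being intact (assumption 2).

```python
import hashlib

E = 65537  # RSA public exponent

def keygen(a, b):
    """Toy RSA key from the Mersenne primes 2**a-1 and 2**b-1. NOT secure."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus, private exponent)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(data, n, d):
    return pow(digest(data, n), d, n)
def valid(data, sig, n):
    return pow(sig, E, n) == digest(data, n)
def cert_body(subject, subject_n):
    return f"{subject}:{subject_n}".encode()

def issue_cert(subject, subject_n, issuer_n, issuer_d):
    return {"subject": subject, "n": subject_n, "issuer_n": issuer_n,
            "sig": sign(cert_body(subject, subject_n), issuer_n, issuer_d)}

def load_allowed(software, sw_sig, cert, trusted_roots):
    """Host-side check: root in store -> editor certificate -> software."""
    if cert["issuer_n"] not in trusted_roots:  # assumption 2: the store is intact
        return False
    if not valid(cert_body(cert["subject"], cert["n"]), cert["sig"], cert["issuer_n"]):
        return False
    return valid(software, sw_sig, cert["n"])  # proves who signed, not that it is safe

# Constructed keys and payloads, for illustration only.
ROOT_N, ROOT_D = keygen(521, 607)
EDITOR_N, EDITOR_D = keygen(107, 127)
OTHER_N, OTHER_D = keygen(61, 89)  # a root the host never agreed to trust

def demo():
    editor_cert = issue_cert("editor", EDITOR_N, ROOT_N, ROOT_D)
    app = b"application from the known editor (constructed sample)"
    app_sig = sign(app, EDITOR_N, EDITOR_D)
    other_cert = issue_cert("other", OTHER_N, OTHER_N, OTHER_D)  # self-issued
    build = b"build signed under the foreign root (constructed sample)"
    build_sig = sign(build, OTHER_N, OTHER_D)
    store = {ROOT_N}
    return {
        "genuine": load_allowed(app, app_sig, editor_cert, store),
        "modified_after_signing": load_allowed(app + b"!", app_sig, editor_cert, store),
        "foreign_root": load_allowed(build, build_sig, other_cert, store),
        "foreign_root_added_to_store": load_allowed(build, build_sig, other_cert, store | {OTHER_N}),
    }
```

Nothing in `load_allowed` inspects what the software does, which is why assumptions 3 and 4 sit outside the cryptography.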