
I am signing executables for our software both with a SHA-1 and a SHA-256 signature. In addition I timestamp both of these signatures.

Here I am wondering: I can timestamp the SHA-1 signature with a SHA-256 timestamp, but does that make sense? I would think that I include the SHA-1 signature only for compatibility, so I guess I should use a SHA-1 timestamp for it.

Is this correct, or should I use the SHA2-timestamp for the SHA1 signature?

The current layout looks like this:

[Image: current layout of the signatures]

Jens
  • What do you mean when you say timestamp? – Elias Jun 23 '17 at 09:16
  • @Elias I have added a picture to show the current layout of the signatures. The timestamp is the counter signature from the CA's time server, that ensures that my certificate was valid at the time the file was signed (hope I said this correctly). It, for example, ensures that the signed file is accepted as valid even after my certificate has expired. – Jens Jun 23 '17 at 09:26
  • That doesn't really make sense to me. If your certificate is no longer valid, your signatures shouldn't be either, because it might have become invalid due to compromise. So what you propose would require a separate revocation process for signatures. Also, if your CA publishes signatures on a counter, I don't see how this prevents backdating to a point in time when your certificate was still valid. – Elias Jun 23 '17 at 09:31
  • I think I misunderstood. Your CA is not signing a counter but is also signing your document and your signature, so it would work as you described. In that case you should indeed use SHA1 if you want compatibility. – Elias Jun 23 '17 at 09:33

1 Answer

What the correct answer is depends on your threat model. If you consider SHA1 to be secure and are worried about compatibility, you should use two SHA1 signatures and two SHA256 signatures.

This will allow a verifier to check your SHA1 signature while your cert is valid and check the SHA1 signature of the CA if it is no longer valid.

However, if you are worried that the SHA1 hash might be forged, it might make sense to use SHA1 with SHA256 for the extra signature. This way, when your certificate becomes invalid, the stronger SHA256 signature will be required.

Note:

  1. I'm not sure what the correct term for this kind of additional CA signature is. "counter signature" seems weird to me.
  2. This scheme means that if you revoke your certificate because you got hacked, the extra signature will still attest that at the time of signing your certificate was valid. I'm still not sure how you would revoke the signature in this case.
Elias
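
The trade-off discussed in the question and answer above, as an added example that is not part of the original thread: a simplified Python model of a verifier that falls back to the timestamp once the signing certificate has expired. The class and function names, the dates and the two verifier capability sets are constructed assumptions; revocation is not modelled and this is not the behaviour of any specific verifier.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Signature:
    digest: str                           # digest of the signer's signature
    ts_digest: Optional[str] = None       # digest of the timestamp countersignature
    ts_time: Optional[datetime] = None    # signing time attested by the time server

# Constructed sample values: certificate validity window and signing time.
NOT_BEFORE, NOT_AFTER = datetime(2017, 1, 1), datetime(2018, 1, 1)
SIGNED = datetime(2017, 6, 23)

def accepts(sig, supported, now):
    """Model of one verifier that can check only the digests in `supported`."""
    if sig.digest not in supported:
        return False                      # cannot check the signature itself
    # A checkable timestamp lets the verifier judge the certificate at signing
    # time; otherwise it can only judge the certificate as of `now`.
    usable_ts = sig.ts_time is not None and sig.ts_digest in supported
    when = sig.ts_time if usable_ts else now
    return NOT_BEFORE <= when <= NOT_AFTER

def file_accepted(signatures, supported, now):
    """A dual-signed file passes if the verifier accepts any one signature."""
    return any(accepts(s, supported, now) for s in signatures)

# Layout A: SHA-1 signature with SHA-1 timestamp, plus the SHA-256 pair.
LAYOUT_A = [Signature("sha1", "sha1", SIGNED), Signature("sha256", "sha256", SIGNED)]
# Layout B: SHA-1 signature with SHA-256 timestamp, plus the SHA-256 pair.
LAYOUT_B = [Signature("sha1", "sha256", SIGNED), Signature("sha256", "sha256", SIGNED)]

LEGACY, MODERN = {"sha1"}, {"sha256"}     # hypothetical verifier capabilities
VALID, EXPIRED = datetime(2017, 9, 1), datetime(2019, 1, 1)

if __name__ == "__main__":
    for name, layout in (("A", LAYOUT_A), ("B", LAYOUT_B)):
        for vname, v in (("legacy", LEGACY), ("modern", MODERN)):
            for tname, t in (("cert valid", VALID), ("cert expired", EXPIRED)):
                print(name, vname, tname, file_accepted(layout, v, t))
```

In this model the two layouts differ only for the SHA-1-only verifier after the certificate has expired: it can still rely on the SHA-1 timestamp in layout A, but cannot check the SHA-256 timestamp in layout B.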