cryptography - How does driver signing work when Windows is offline? -
i understand basics of signing. must have private key , certificate (not necessarily) reputable certificate authority. must have public key of signer verify integrity.
i can see working online; site given certificate (not necessarily) reputable certificate authority (such verisign example), , firefox (for example) can check authenticity of certificate contacting said certificate authority.
yes, know can sign things self-generated certificate, firefox complain when happens , windows when installing 3rd-party driver.
my question thus; how windows know driver signed reputable certificate authority when offline , can't check said reputable certificate authority?
does windows keep collection of public keys reputable certificate authorities within windows? wouldn't 1 able alter list load driver if had certificate of reputable certificate authority?
how driver signing work offline?
yes, windows keeps collection of trusted root certificates. software, such ie , chrome, uses collection; software, such firefox, ships own list. that's how certificate verification works; nobody gets root certificates ca on internet, because how know talking ca?
you can view windows root certificate store using mmc, via certificates plugin. note each user account has own certificate store, in addition global ("computer account") store.
however, windows not use list of trusted certificates driver signing. instead, windows kernel has built-in list of root certificates. certificate verification drivers based on built-in list, which, if understand correctly, consists entirely of root certificates belonging microsoft.
when driver signed third-party certificate authority, cross-signed certificate used.
one further complication in cases, device drivers cryptographically verified in 2 separate ways; once during installation, , again when driver code loaded kernel. verification during installation uses main root certificates list , can overridden on case-by-case basis administrator; verification when driver code loaded uses kernel's root certificates list , cannot overridden on case-by-case basis.
Comments
Post a Comment