CRYSTALKEY 360

CODE SIGNING

Ensure the authenticity and integrity of your code with seamless code signing.

 

polygon-3
 

A ROBUST CODE SIGNING PLATFORM

 

CrystalKey 360 is a powerful platform designed to deliver comprehensive security and centralized management for cryptographic keys and certificates across a wide range of code signing tools.

CrystalKey allows you to configure and secure your code signing processes, safeguarding against threats such as private key compromises, certificate misuse, counterfeit certificates, man-in-the-middle attacks, timestamping vulnerabilities, and weak hash functions.

After all, insecure code signing can be more harmful than not signing at all, as it may falsely validate compromised code as legitimate.

Role-Based Access Control (RBAC)

Ensures proper authorization and separation of duties among users, applications, and groups

Controlled Key Management

Assign specific keys and certificates for different development stages, each with unique authorization requirements.

Endorsed Signing

Adds an extra security layer by requiring the consent of one or more supervisors to approve the signature generation, preventing single-user vulnerabilities.

Operational Continuity and Scalable Operations

Enable failover and load balancing for signature requests through robust deployment models to make the system highly available for critical operations.

API-Based Signing

Seamless integration with existing DevOps tools ensures access to keys and certificates without delays. CrystalKey 360 integrates with CI/CD tools, document workflow engines, and identity platforms via modern APIs.

CK360 architecture

 

Security, risk and compliance teams

Ensuring compliance and business continuity with business wide adoption of cryptographic controls while futureproofing your operations in cost effective manner.

Development teams

Supercharge efficiency and streamline DevOps with best-in-class security tech, industry-leading support, comprehensive training, cutting-edge tech expertise, and seamless integration with legacy systems.

Tech Leadership

We provide a world-class security solution to manage cryptographic keys across your business. Our key management platform allows a seamless integration with the existing infrastructure and enables you to harmonize every aspect of cryptographic hardware operations. We offer rapid and flexible deployment models, on-premises or in the cloud to match your IT footprint strategy.

CrystalKey 360 gives you a clear overview and complete control of your cryptographic hardware, policy enforcement, logging, auditing, cloud storage and key management.

Key management

Import, generate, export and renew keys, as well as enforcing their correct usage (who can use the key and how they can use it)

Automate complex and repetitive manual key management tasks and liberate skilled staff for higher value tasks

Compliance and auditing

Audit-log key management processes – in tamper-proof environments – to protect from deliberate attacks and human errors

Easily demonstrate compliance with standards like PCI DSS and GDPR, and confidently comply with and pass internal/external audits

Health monitoring

Keep your infrastructure and HSMs healthy with data that allows operators to monitor the status of the entire system, as well as activity on individual HSMs

Trusted access

Perform admin without restrictions on time or place

Strong authentication supported by secure PIN entry devices (PEDs) and smart cards. PEDs also support key import/export and key share printing

Grant applications just enough privilege to complete their necessary functions, via a central policy file. Unless something is explicitly allowed, it's forbidden!

Reliability

Support all widely used cryptographic algorithms, including RSA, AES, 3DES, HMAC and more

High availability, ensured through clustering of the servers, database and HSMs

Easily disable or add an HSM in a few clicks with zero downtime to related applications

Monitor and load-balance operations across a pool of general purpose and specialized HSMs, as appropriate

Simple integrations with legacy systems and new-build applications via API – avoid steep learning curves!

Private Key Compromise:

Threat: If the developer’s private key is compromised, an attacker can sign malicious code, making it appear legitimate.

Mitigation: Use strong key management practices, such as storing the private key in a hardware security module (HSM) and employing multi-factor authentication for access. Regularly audit the use of certificates and revoke any that are suspected to be compromised.

Fake Certificates:

Threat: Attackers may use fake or improperly issued certificates to sign malicious code.

Mitigation: Ensure certificates are obtained from trusted and reputable CAs, and verify the authenticity of certificates before trusting them.

Man-in-the-Middle Attacks:

Threat: An attacker intercepts the code during distribution and modifies it, then re-signs it with a different certificate.

Mitigation: Use secure channels (such as HTTPS) for code distribution and implement additional checks, such as certificate pinning.

Timestamping Issues:

Threat: Without proper timestamping, the signature might become invalid after the certificate expires.

Mitigation: Apply a trusted timestamp during the signing process to ensure the signature remains valid even after the certificate expires.

Vulnerable Hash Functions:

Threat: Weak or compromised hash functions can be exploited to create hash collisions, allowing different code to produce the same hash.

Mitigation: Use strong, up-to-date cryptographic hash functions (e.g., SHA-256).

Who benefits from code signing

Code signing spans several industries and use cases but the overall goals are the same: protect intellectual property, protect the company brand and protect the end-users.

Device Security and IoT

In the emerging Internet of Things (IoT), code signing is the most effective way to ensure the integrity of devices from activation through firmware and software updates. Digitally sign firmware and validate signatures to ensure only trusted code is executed on connected devices and industrial systems.

App Development and Software Vendors

Developers of software are often required to sign code to support installation. Operating systems like Windows and macOS will warn users if software or drivers are not signed, and popular app stores from Microsoft, Google, and Apple require mobile apps to be signed before they can be submitted and published for purchase.

IT departments

Enterprise IT teams must ensure that any internal scripts or utilities applied across the business are signed to prevent tampering by internal users or external threats.

noun-padlock-7132678-151E28

Advanced Security Module Setups

Customize the setup and choose the security model that suits your needs. CrystalKey 360 supports the usage of Hardware Security Modules (HSMs), Enclave Security Modules (ESMs) operated within confidential computing or basic Software Security Modules (SSMs).

noun-process-5607837-151E28

Bring your own CA, CLM and TSA

If you have already mastered the processes around Certificate Authorities (CA), Certificate Lifecycle Management (CLM) and/or Time Stamping Authorities (TSA) and wish to extend these to your code signing, this is possible.

noun-key-126849-151E28

Centralized Key Management

Manage signing keys, automation, and permissions from a central location.

noun-rocket-7185036-151E28

Cloud, multicloud, on-premises or hybrid deployments

Deploy in the public clouds, on-premises, private clouds or hybrid deployments to match your requirements.

noun-log-6347707-151E28

Centralized Audit Logs

Maintain detailed, tamper-proof logs for all signing activities and key management events.

 

FUTURE PROOF YOUR CODE SIGNING SETUP AND UNLOCK MORE USE CASES

Crypto agile operations

Adopt a platform that enables you to be agile with your cryptographic operations. CrystalKey 360 supports the current algorithms and standards for code signing, but given its agile design, it will easily allow for addition of quantum resistant signing algorithms.

polygon-18

Grow into the platform

CrystalKey 360 is a flexible key management and data security platform, and code signing is just one of the use cases we support. Adopt the platform as you go with additional use cases like multicloud key management, data sealing, tokenization and HSM modernization. One platform for all cryptographic security decisions.

polygon-18

km architecture code signing-1

 

FUTURE-PROOF SECURITY WHEN IT MATTERS MOST

 

Manually managing cryptographic keys across an organization is both inefficient and increases the risk of security vulnerabilities.

CrystalKey 360 provides a robust solution with user-friendly, granular control over keys, ensuring they are managed through structured, secure processes. It offers organizations complete visibility into key usage, consolidating logs for more efficient operations.

CrystalKey 360 seamlessly integrates with existing infrastructure, allowing for bring-your-own CA, while automating processes and enabling endorsed signing for added validation of critical actions. Designed for the future, CrystalKey 360 is equipped to handle post-quantum cryptography (PQC) and beyond.

 

 

WHAT'S NEW

Some of the latest insights from our experts
3 min read

How Generative AI is Transforming Cyber Threats & How to Stay Secure

Feb 21, 2025 by Guillaume Forget

For an internal event atCryptomathic, we invited some our clients from the financial and trust service sectors to...
2 min read

Cryptomathic & PQShield: Partnering for PQC Solutions in Code Signing

Sep 19, 2024 by Cryptomathic

Two foremost software security experts and pioneers in cryptographic agility and post-quantum cryptography join forces...
1 min read

Azure Data Security with External Key Management & BYOK

Jul 3, 2024 by Davin Cooke

Data security can be complex, but it's essential in today's business world, especially when using cloud services. One...

 

LIKE WHAT YOU SEE?

We would love to hear from you to see how we can support and help scale your business.