Taggant System Onboarding Document

IEEE Taggant System

Onboarding Document

V1.0

IEEE | 3 Park Avenue | New York, NY 10016-5997 | USA

Copyright © 2015 IEEE. All rights reserved.

IEEE Taggant System Onboarding Document

Igor Muttik and Prashant Gupta, v1.0

Trademarks and Disclaimers

IEEE believes the information in this publication is accurate as of its publication date; such information is subject to change without notice. IEEE is not responsible for any inadvertent errors.

The Institute of Electrical and Electronics Engineers, Inc.

3 Park Avenue, New York, NY 10016-5997, USA

Copyright © 2015 by The Institute of Electrical and Electronics Engineers, Inc.

All rights reserved. Published Month 20xx. Printed in the United States of America.

IEEE is a registered trademark in the U.S. Patent & Trademark Office, owned by The Institute of Electrical and Electronics Engineers, Incorporated.

PDF: ISBN 978-0-7381-xxxx-x STDVxxxxx

Print: ISBN 978-0-7381-xxxx-x STDPDVxxxxx

IEEE prohibits discrimination, harassment, and bullying. For more information, visit http://www.ieee.org/web/aboutus/whatis/policies/p9-26.html.

No part of this publication may be reproduced in any form, in an electronic retrieval system, or otherwise, without the prior written permission of the publisher.

To order IEEE Press Publications, call 1-800-678-IEEE.

Find IEEE standards and standards-related product listings at: http://standards.ieee.org.

Notice and Disclaimer of Liability

Concerning the Use of IEEE-SA Industry Connections Documents

This IEEE Standards Association (“IEEE-SA”) Industry Connections publication (“Work”) is not a consensus standard document. Specifically, this document is NOT AN IEEE STANDARD. Information contained in this Work has been created by, or obtained from, sources believed to be reliable, and reviewed by members of the IEEE-SA Industry Connections activity that produced this Work. IEEE and the IEEE-SA Industry Connections activity members expressly disclaim all warranties (express, implied, and statutory) related to this Work, including, but not limited to, the warranties of: merchantability; fitness for a particular purpose; non-infringement; quality, accuracy, effectiveness, currency, or completeness of the Work or content within the Work. In addition, IEEE and the IEEE-SA Industry Connections activity members disclaim any and all conditions relating to: results; and workmanlike effort.

This IEEE-SA Industry Connections document is supplied “AS IS” and “WITH ALL FAULTS.”

Although the IEEE-SA Industry Connections activity members who have created this Work believe that the information and guidance given in this Work serve as an enhancement to users, all persons must rely upon their own skill and judgment when making use of it. IN NO EVENT SHALL IEEE OR IEEE-SA INDUSTRY CONNECTIONS ACTIVITY MEMBERS BE LIABLE FOR ANY ERRORS OR OMISSIONS OR DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO: PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS WORK, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE AND REGARDLESS OF WHETHER SUCH DAMAGE WAS FORESEEABLE.

Further, information contained in this Work may be protected by intellectual property rights held by third parties or organizations, and the use of this information may require the user to negotiate with any such rights holders in order to legally acquire the rights to do so, and such rights holders may refuse to grant such rights. Attention is also called to the possibility that implementation of any or all of this Work may require use of subject matter covered by patent rights. By publication of this Work, no position is taken by the IEEE with respect to the existence or validity of any patent rights in connection therewith. The IEEE is not responsible for identifying patent rights for which a license may be required, or for conducting inquiries into the legal validity or scope of patents claims. Users are expressly advised that determination of the validity of any patent rights, and the risk of infringement of such rights, is entirely their own responsibility. No commitment to grant licenses under patent rights on a reasonable or nondiscriminatory basis has been sought or received from any rights holder. The policies and procedures under which this document was created can be viewed at http://standards.ieee.org/about/sasb/iccom/ .

This Work is published with the understanding that IEEE and the IEEE-SA Industry Connections activity members are supplying information through this Work, not attempting to render engineering or other professional services. If such services are required, the assistance of an appropriate professional should be sought. IEEE is not responsible for the statements and opinions advanced in this Work.


CONTENTS

1. OVERVIEW
2. PROCESS OF SPV ONBOARDING
   Initial Contact
   PKI Enrollment Ceremony
   Setting up new SPV in PKI Management portal
   Accessing PKI Manager Portal
3. PROCESS OF SSV ONBOARDING
4. LIBRARY AND SOURCE CODE
5. EXPECTATIONS FROM SPV
6. EXPECTATIONS FROM SSV
7. EXPECTED ONBOARDING TIMELINE
8. REFERENCES

1. OVERVIEW

As the IEEE Taggant System, a component of the IEEE Anti-Malware Support Service (AMSS), is adopted by the industry, new vendors are introduced to the Taggant System. Each of them needs to adapt its systems and satisfy certain legal and technical requirements to be set up correctly within the IEEE Taggant System as a recognized software packer vendor (SPV).

Part of the set-up process involves interaction with the PKI service provider to register, with IEEE coordinating the sign-up and onboarding. This document describes the onboarding process for SPVs and Security Software Vendors (SSVs) and provides a step-by-step guide for IEEE to manage and coordinate the introduction of new SPVs and SSVs.

2. PROCESS OF SPV ONBOARDING

Initial Contact

1. The SPV and IEEE make an initial contact and the SPV expresses interest to join the IEEE Taggant System.

2. The SPV completes the AMSS Subscription form located at: http://standards.ieee.org/develop/indconn/icsg/amss.html

3. The Taggant System Management Committee (TSMC) reviews the SPV form for admittance.

4. In case TSMC decides not to accept an SPV to the Taggant System, TSMC notifies the SPV and the IEEE Industry Connections Security Group Executive Committee (ICSG EC) of the decision.

5. If the SPV application is accepted then TSMC sends the SPV the AMSS license agreement and an invoice to cover the one-off cost of PKI set-up.

6. The SPV signs the AMSS license and returns it to IEEE for counter-signature.

7. The SPV pays the invoice and IEEE returns the counter-signed AMSS license to the SPV for its records.

8. TSMC instructs the certification authority (CA) provider (Symantec/VeriSign is the PKI provider at this time) to create a new PKI certificate and allow access to the portal.

PKI Enrollment Ceremony

1. On approval from TSMC, the CA provider initiates contact with the SPV. (IEEE would be involved in the request for information to facilitate communication, if required.)

2. The SPV receives and fills in the necessary forms to be set up in the PKI (official organization name, address, contact, etc.; these details are verified by the PKI provider).

3. The CA provider executes the key signing ceremony and creates the SPV certificate signed by the IEEE root. (This step takes time: the ceremony is a tightly controlled step and needs to be properly scheduled.)

Setting up new SPV in PKI Management portal

1. Once the validity of the SPV credential has been reported back by the CA and TSMC has accepted the results, TSMC requests the CA to add the SPV to the PKI Management Portal.

2. The CA provider sends the SPV instructions on how to log into the portal. A link to the installation of a local PKI client software is sent to the responsible contact at the SPV. For any account being set up within the PKI Management Portal:

   a. The SPV main contact would be the owner/administrator of the SPV account.

   b. An IEEE contact would be assigned as technical administrator on the account to help complete the initial setup and help with any issues.

   c. On account setup, the SPV would receive an email from the CA provider with instructions on how to add the IEEE contact(s) as technical administrator(s) on the SPV’s account.

   d. IEEE technical administrators on the SPV account may delegate setup/troubleshooting responsibilities to others within TSMC by making them admin on the SPV’s account.

3. Before using the PKI Management portal to issue certificates, the SPV needs to wait for IEEE to perform the initial setup (see Taggant System Guide for PKI Manager), configuration changes and validation on the account. This is to ensure that any certificates issued by the SPV using the account are correctly formed and acceptable to the IEEE Taggant System.

4. IEEE would install certificate templates that can be used to issue certificates. The templates are formal and fixed. If there are any variations that SPVs desire then they need to contact IEEE to explain their specific needs and IEEE would help with setting up the certificate profile.

5. Once IEEE has made the appropriate changes and checks, the SPV can begin issuing certificates for its use. The PKI portal is accessible via a browser. The portal shows the count of issued end-user certificates (0 right after setup) and allows issuing them (the limit of 500 is configured automatically).

Accessing PKI Manager Portal

Please refer to the Taggant System Guide for PKI Manager for guidance on how to access the PKI Manager and issue certificates.

WARNING: It is important that you do not issue any certificates until the initial setup has been completed and verified by IEEE admins.

3. PROCESS OF SSV ONBOARDING

1. An SSV and IEEE make an initial contact and the SSV expresses interest to join the IEEE Taggant System.

2. The SSV completes the AMSS Subscription form located at: http://standards.ieee.org/develop/indconn/icsg/amss.html

3. The Taggant System Management Committee (TSMC) reviews the SSV form for admittance.

4. In case TSMC decides not to accept an SSV to the Taggant System, TSMC notifies the SSV and the IEEE Industry Connections Security Group Executive Committee (ICSG EC) of the decision.

5. If the SSV application is accepted then TSMC sends the SSV the AMSS license and an invoice to cover the annual AMSS subscription.

6. The SSV signs the AMSS license and returns it to IEEE for counter-signature. IEEE sends the counter-signed license back to the SSV for its records.

7. The SSV pays the invoice.

8. TSMC provides to the SSV:

   a. Access to the list of PackerIDs on IEEE Central Desktop.

   b. Access to the IEEE public root certificate on IEEE Central Desktop (required to verify taggant validity).

   c. Access to the Candidates Blacklist (to submit) and Final Blacklists (read-only).

   d. Permissions to take part in discussions and evaluation of blacklist (BL) entries (promoting taggants from candidates to the final blacklist).

   e. Access to the mailing list to communicate with other Taggant System participants.

4. LIBRARY AND SOURCE CODE

The source code and sample code are made available on GitHub at https://github.com/IEEEICSG/IEEE_Taggant_System. This can be used to do any proof of concept (PoC) work. The library for generating a taggant is also included, in addition to sample verification code.

Some content at GitHub may be password protected. Please reach out to the TSMC at amsssupport@ieee.org for any relevant passwords.

5. EXPECTATIONS FROM SPV

1. SPVs are to offer the taggant-enabled product upgrade to their users free of charge to allow quicker adoption of the system.

2. SPVs need to register their PackerID with IEEE. Send email to the Taggant Interest Group at taggant@ieee.org.

3. Make sure that the packing product with taggant support creates files compatible with the Taggant System Library (v1, v2 and any future public release). Use SSVtest.exe from https://github.com/IEEEICSG/IEEE_Taggant_System to verify/QA the taggant validity, hash map, timestamping, etc. on a wide variety of suitable files and packing options.

4. Circulate a representative collection of clean files (min 10-20 files packed with different product options) to demonstrate the appearance of files to SSVs and minimize false positives (FPs). Send a link to the Taggant Interest Group at taggant@ieee.org and use a password-protected archive with pwd=clean. (All provided files should have the same PackerID as was registered.)

5. All freely accessible packer versions (demo/evaluation) should carry a user cert which is blacklisted via taggant-bl@IEEE.org *before* said software is released. Software release notes for demo/evaluation packer software should state that the only safe way of testing the operation of software created with a blacklisted demo version is to turn off security products.

6. Each paying customer must receive a packer which carries a unique end-user certificate. Sharing the same certificate between multiple users is a bad idea (it may create massive “cross-blacklisting” problems: blacklisting the certificate because of one user’s abuse also blocks the output of every other user who holds it).

7. Taggant-enabled versions should be provided to the users at no extra charge and, if possible, as an automatic upgrade. This is to maximize the speed of deployment for the taggant technology and the effective removal of obsolete non-tagganted versions (which will become less safe to use because the output of the tagganted version has a better overall reputation).

8. Users of taggant-enabled packer versions must be told that packing while no Internet connection is available means that a trusted timestamp won’t be included, and this denies security (anti-virus) software the ability to blacklist selectively (block only software packed after the moment of known compromise).

9. Each end-user certificate known to be stolen, abused, compromised or illegally obtained (e.g. via a stolen credit card and detected via a chargeback) must be reported to taggant-bl@IEEE.org as quickly as possible. The process is described in the Taggant System Operations document.

10. Avoid making changes to the Taggant System library sources (e.g. to modify the timestamping service). Before you do, discuss in the Taggant Interest Group (taggant@IEEE.org).

6. EXPECTATIONS FROM SSV

1. Make sure that packed files with taggants do not raise additional suspicion in your backend systems and endpoint products. They may look like “patched packed files” and cause heuristic triggers. The reputation of files with taggants must not be lower than that of files without them.

2. If you find a tagganted program which is malicious, report it as quickly as possible to IEEE as a candidate for blacklisting. The process is described in the Taggant System Operations document.

3. Help promptly review blacklist submissions by other SSVs to promote BL candidate entries into the full blacklist. The same applies to disputes.

4. Taggant-enabled versions of endpoint security (anti-virus) software should be provided to the users at no extra charge and, if possible, as an automatic upgrade.

5. Avoid making changes to the Taggant System library sources (e.g. to change PE file parsing). Before you do, discuss in the Taggant Interest Group (taggant@ieee.org).
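The blacklisting decision that items 5, 6, 8 and 9 of Section 5 and item 2 of Section 6 describe, worked through as an added example; this is not code from the IEEE document or from the Taggant System library. It reduces a taggant to a PackerID, an end-user certificate serial and an optional trusted timestamp (a simplification; the real taggant format, hash map and certificate chain are not modelled) and uses hypothetical serials, dates and a PackerID of 7. For each file it decides whether an SSV can still allow it once the certificate is on the Final Blacklist: a trusted timestamp before the moment of known compromise permits selective blacklisting, a file packed offline carries no timestamp and is blocked outright, a demo/evaluation certificate is listed before release so all its output is blocked, and a certificate shared by several customers drags all of them into the block (the cross-blacklisting problem).

```python
"""Selective blacklisting of tagganted files by trusted timestamp (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class Taggant:
    packer_id: int                         # registered PackerID of the SPV (assumed: 7)
    user_cert_serial: str                  # serial of the end-user certificate (hypothetical)
    trusted_timestamp: Optional[datetime]  # None when the file was packed offline


@dataclass(frozen=True)
class BlacklistEntry:
    user_cert_serial: str
    compromised_at: datetime  # moment of known compromise; files signed later are bad
    reason: str


def evaluate(taggant: Taggant, blacklist: Dict[str, BlacklistEntry]) -> Tuple[str, str]:
    """Return ("allow" | "block", explanation) for one tagganted file."""
    entry = blacklist.get(taggant.user_cert_serial)
    if entry is None:
        return "allow", "end-user certificate is not blacklisted"
    if taggant.trusted_timestamp is None:
        # Packed offline: nothing proves the file predates the compromise,
        # so every file under this certificate has to be blocked.
        return "block", f"blacklisted ({entry.reason}); no trusted timestamp"
    if taggant.trusted_timestamp < entry.compromised_at:
        # Trusted timestamp precedes the compromise: produced while the
        # certificate was still legitimately held, so it can be spared.
        return "allow", f"trusted timestamp predates compromise ({entry.reason})"
    return "block", f"signed after known compromise ({entry.reason})"


# Constructed sample data (hypothetical serials and dates, not real entries).
BLACKLIST: Dict[str, BlacklistEntry] = {
    "SPV7-000042": BlacklistEntry(
        "SPV7-000042", datetime(2015, 3, 10, 12, 0, tzinfo=UTC),
        "stolen credit card, detected via chargeback"),
    "SPV7-DEMO01": BlacklistEntry(
        "SPV7-DEMO01", datetime(2014, 1, 1, tzinfo=UTC),
        "demo/evaluation certificate, blacklisted before release"),
}

SAMPLE_TAGGANTS: Dict[str, Taggant] = {
    # legitimate build made before the card was charged back
    "before_compromise": Taggant(7, "SPV7-000042", datetime(2015, 2, 1, tzinfo=UTC)),
    # build made with the same certificate after the compromise
    "after_compromise": Taggant(7, "SPV7-000042", datetime(2015, 4, 1, tzinfo=UTC)),
    # packed with no Internet connection: no trusted timestamp at all
    "offline_no_timestamp": Taggant(7, "SPV7-000042", None),
    # a second customer who was (wrongly) given the same certificate:
    # cross-blacklisting blocks their output too
    "other_customer_shared_cert": Taggant(7, "SPV7-000042", datetime(2015, 3, 20, tzinfo=UTC)),
    # output of the free demo/evaluation packer
    "demo_build": Taggant(7, "SPV7-DEMO01", datetime(2015, 2, 1, tzinfo=UTC)),
    # paying customer with their own, unlisted certificate
    "clean_customer": Taggant(7, "SPV7-000108", None),
}


def verdicts(taggants: Dict[str, Taggant] = SAMPLE_TAGGANTS,
             blacklist: Dict[str, BlacklistEntry] = BLACKLIST) -> Dict[str, str]:
    """Map each sample name to its allow/block verdict."""
    return {name: evaluate(t, blacklist)[0] for name, t in taggants.items()}


if __name__ == "__main__":
    for name, t in SAMPLE_TAGGANTS.items():
        verdict, why = evaluate(t, BLACKLIST)
        print(f"{name:28s} {verdict:5s} {why}")
```

The comparison against the compromise moment is only meaningful for a timestamp the packer could not have back-dated, which is why the rule treats a missing trusted timestamp as a block rather than falling back to the file’s own date fields.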

7. EXPECTED ONBOARDING TIMELINE

#    Expected Duration (days)   Activity/Action
1    7                          IEEE acknowledgement of AMSS Form submission from SPV/SSV
2    7                          TSMC review of application
3    7                          VeriSign initial vetting process (for SPV onboarding only)
4    7                          TSMC response to VeriSign vetting results (for SPV onboarding only)
5    28                         VeriSign ready for key ceremony (for SPV onboarding only)
6    1                          VeriSign key ceremony (for SPV onboarding only)
7    1                          PKI Manager access completed for SPV (for SPV onboarding only)
8    1                          SPV to add IEEE contact as administrator (for SPV onboarding only)
9    7                          IEEE setup/configuration/verification of SPV account (for SPV onboarding only)
10   1                          SPV ready to issue certificates
11   7                          TSMC provides access to PackerIDs, root cert(s) and mailing lists (for SSV only)

8. REFERENCES

Anti-Malware Support Services (AMSS) web page: http://standards.ieee.org/develop/indconn/icsg/amss.html

CA documentation: https://pki-manager.symauth.com/pki-manager/ (Note: the link works only when one is logged into the PKI portal.)

Taggant System Library documentation: https://ieee-sa.centraldesktop.com/p/eAAAAAAAC5_6AAAAACFluRg (both the link and the ZIP require a password; please contact the TSMC at amss-support@ieee.org)

Taggant System Operations Manual: https://ieee-sa.centraldesktop.com/p/eAAAAAAAFqsfAAAAAGV3hgg

Taggant System Guide for PKI Manager: https://ieee-sa.centraldesktop.com/p/eAAAAAAAFqshAAAAACumWNc