Computer Security - Encryption software integrity test
Old 06-20-2005, 04:48 PM   #1
Default Encryption software integrity test


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have been an active user of many different encryption software
products available to general public, but have not yet seen a good
solution for checking the software's integrity before or during use,
or at start up of the software. I am referring to a test that can
prevent the software being subverted, changed, manipulated by a virus
or otherwise, or at least inform the user that such an attack has
taken place.

Has anybody seen a good solution or idea for this anywhere?

.-.-.ENCRYPT YOUR EMAIL TO ME.-.-.

Find my key in these Public Key Servers: keyserver.veridis.com,
wwwkeys.de.pgp.net, wwwkeys.us.pgp.net, blackhole.pca.dfn.de,
pgp.mit.edu, pgp.uni-mainz.de, pgp.nic.ad.jp, keyserver.noreply.org

My Key ID: 0x5BE7D95D
Fingerprint: AB05 0E7B C22B F14F 7512 7027 A26C AAE3 5BE7 D95D

-----BEGIN PGP SIGNATURE-----
Version: N/A

-----END PGP SIGNATURE-----



Yoy G0
Old 06-20-2005, 05:34 PM   #2
Jim Byrd
 
Posts: n/a
Default Re: Encryption software integrity test
Hi Yoy - See svi Netiv's Integrity Master here for one example:
http://www.stiller.com/

--
Regards, Jim Byrd, MS-MVP
My Blog, Defending Your Machine, here:
http://defendingyourmachine.blogspot.com/

"Yoy G0" <> wrote in message
news:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I have been an active user of many different encryption software
> products available to general public, but have not yet seen a good
> solution for checking the software's integrity before or during use,
> or at start up of the software. I am referring to a test that can
> prevent the software being subverted, changed, manipulated by a virus
> or otherwise, or at least inform the user that such an attack has
> taken place.
>
> Has anybody seen a good solution or idea for this anywhere?
>
> -.-.ENCRYPT YOUR EMAIL TO ME.-.-.
>
> Find my key in these Public Key Servers: keyserver.veridis.com,
> wwwkeys.de.pgp.net, wwwkeys.us.pgp.net, blackhole.pca.dfn.de,
> pgp.mit.edu, pgp.uni-mainz.de, pgp.nic.ad.jp, keyserver.noreply.org
>
> My Key ID: 0x5BE7D95D
> Fingerprint: AB05 0E7B C22B F14F 7512 7027 A26C AAE3 5BE7 D95D
>
> -----BEGIN PGP SIGNATURE-----
> Version: N/A
>
> -----END PGP SIGNATURE-----





Old 06-20-2005, 05:37 PM   #3
Jim Byrd
 
Posts: n/a
Default Re: Encryption software integrity test
Sorry, should have been Zvi Netiv

--
Regards, Jim Byrd, MS-MVP
My Blog, Defending Your Machine, here:
http://defendingyourmachine.blogspot.com/

"Jim Byrd" <> wrote in message
news:b7CdnVUWmpOSbSvfRVn-
> Hi Yoy - See svi Netiv's Integrity Master here for one example:
> http://www.stiller.com/
>
>
> "Yoy G0" <> wrote in message
> news:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I have been an active user of many different encryption software
>> products available to general public, but have not yet seen a good
>> solution for checking the software's integrity before or during use,
>> or at start up of the software. I am referring to a test that can
>> prevent the software being subverted, changed, manipulated by a virus
>> or otherwise, or at least inform the user that such an attack has
>> taken place.
>>
>> Has anybody seen a good solution or idea for this anywhere?
>>
>> -.-.ENCRYPT YOUR EMAIL TO ME.-.-.
>>
>> Find my key in these Public Key Servers: keyserver.veridis.com,
>> wwwkeys.de.pgp.net, wwwkeys.us.pgp.net, blackhole.pca.dfn.de,
>> pgp.mit.edu, pgp.uni-mainz.de, pgp.nic.ad.jp, keyserver.noreply.org
>>
>> My Key ID: 0x5BE7D95D
>> Fingerprint: AB05 0E7B C22B F14F 7512 7027 A26C AAE3 5BE7 D95D
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: N/A
>>
>> -----END PGP SIGNATURE-----





Old 06-20-2005, 06:03 PM   #4
tomstdenis@gmail.com
 
Posts: n/a
Default Re: Encryption software integrity test
Yoy G0 wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I have been an active user of many different encryption software
> products available to general public, but have not yet seen a good
> solution for checking the software's integrity before or during use,
> or at start up of the software. I am referring to a test that can
> prevent the software being subverted, changed, manipulated by a virus
> or otherwise, or at least inform the user that such an attack has
> taken place.
>
> Has anybody seen a good solution or idea for this anywhere?


Yeah, I even have a patented install procedure

1. Install/test as root
2. Run as non-root



Tom



Old 06-20-2005, 10:56 PM   #5
Tom McCune
 
Posts: n/a
Default Re: Encryption software integrity test

> *** PGP SIGNATURE VERIFICATION ***
> *** Status: Bad Signature from Invalid Key
> *** Alert: Signature did not verify. Message has been altered.


--
Tom McCune
My PGP Page & FAQ: http://www.McCune.cc/PGP.htm


Old 06-21-2005, 08:55 PM   #6
Stephen Howard
 
Posts: n/a
Default Re: Encryption software integrity test
On Mon, 20 Jun 2005 08:48:23 -0700, Yoy G0 <> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>I have been an active user of many different encryption software
>products available to general public, but have not yet seen a good
>solution for checking the software's integrity before or during use,
>or at start up of the software. I am referring to a test that can
>prevent the software being subverted, changed, manipulated by a virus
>or otherwise, or at least inform the user that such an attack has
>taken place.
>
>Has anybody seen a good solution or idea for this anywhere?
>

Is this any good?

MD5 Checksum 1.04

This is a small Win32 application which is able to calculate the MD5
digest (some kind of a secure checksum) of the content of any file.

You can use this tool to ensure that the content of a file wasn't
altered in any way. If e.g. someone tries to insert malicious code
into an executable file its MD5 checksum will change and you note that
something is wrong. Now with a complete HTML help system. Sourcecode
included.

http://maakus.dyndns.org/software.html

Regards,



--
Stephen Howard - Woodwind repairs & period restorations
www.shwoodwind.co.uk
Emails to: showard{whoisat}shwoodwind{dot}co{dot}uk


Old 06-22-2005, 12:46 AM   #7
Steve Welsh
 
Posts: n/a
Default Re: Encryption software integrity test
MD5 comes as standard with any openssl implementation - Linux, Cygwin,
etc...

MUCH easier than repairing a jumped on bassoon, Stephen

(for the non-musicians, the joke is "What's the difference between a
bassoon and a trampoline? ..... Nobody takes their shoes off to jump on
a bassoon")

Sorry - I'll get me coat.....

Stephen Howard wrote:
> On Mon, 20 Jun 2005 08:48:23 -0700, Yoy G0 <> wrote:
>
>
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA1
>>
>>I have been an active user of many different encryption software
>>products available to general public, but have not yet seen a good
>>solution for checking the software's integrity before or during use,
>>or at start up of the software. I am referring to a test that can
>>prevent the software being subverted, changed, manipulated by a virus
>>or otherwise, or at least inform the user that such an attack has
>>taken place.
>>
>>Has anybody seen a good solution or idea for this anywhere?
>>

>
> Is this any good?
>
> MD5 Checksum 1.04
>
> This is a small Win32 application which is able to calculate the MD5
> digest (some kind of a secure checksum) of the content of any file.
>
> You can use this tool to ensure that the content of a file wasn't
> altered in any way. If e.g. someone tries to insert malicious code
> into an executable file its MD5 checksum will change and you note that
> something is wrong. Now with a complete HTML help system. Sourcecode
> included.
>
> http://maakus.dyndns.org/software.html
>
> Regards,
>
>
>



Old 06-22-2005, 01:01 AM   #8
Unruh
 
Posts: n/a
Default Re: Encryption software integrity test
>>>
>>>I have been an active user of many different encryption software
>>>products available to general public, but have not yet seen a good
>>>solution for checking the software's integrity before or during use,
>>>or at start up of the software. I am referring to a test that can
>>>prevent the software being subverted, changed, manipulated by a virus
>>>or otherwise, or at least inform the user that such an attack has
>>>taken place.


You cannot. You can check that your particular implementation is the same
as it was (md5, tripwire, sha256,....) but to test that an encryption
product really is secure can only be done by reading the source code,
compiling against test vectors (randomly generated) and replacing the
encryption code and key generation code with known good stuff. The whole
purpose of even weak crypto is that the output is a random stream.
People have shown for example that with RSA one can encode the key pair
into the output in such a way that it is undiscoverable by anyone except
someone who knows how it was done. The only way you could discover it is by
looking at the source code, and recompiling the source code yourself on a
safe compiler.


>>
>>



Unruh
  Reply With Quote
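
An added example (not from any poster in this thread) of the "same as it was" check discussed in the posts above: a SHA-256 baseline of the program files, authenticated with an HMAC so that whatever alters the program cannot also rewrite the stored hashes unnoticed. It only detects change from the recorded state and says nothing about whether the software was sound when the baseline was taken. The file name, key and manifest layout are assumptions made for the demo, and the key is assumed to be kept where software on the checked machine cannot read it.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def file_digest(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # chunked read
            h.update(block)
    return h.hexdigest()

def _tag(files, key):
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(paths, key):
    """Record the known-good state: a digest per file, HMAC over the set."""
    files = {str(p): file_digest(p) for p in paths}
    return {"files": files, "hmac": _tag(files, key)}

def verify_manifest(manifest, key):
    """Return {path: OK|MODIFIED|MISSING}, or flag a rewritten manifest."""
    if not hmac.compare_digest(_tag(manifest["files"], key), manifest["hmac"]):
        return {"manifest": "TAMPERED"}
    report = {}
    for path, digest in manifest["files"].items():
        if not Path(path).exists():
            report[path] = "MISSING"
        else:
            report[path] = "OK" if file_digest(path) == digest else "MODIFIED"
    return report

def demo():
    key = b"constructed-demo-key"  # assumption: real key is kept off-host
    with tempfile.TemporaryDirectory() as d:
        tool = str(Path(d) / "crypto_tool.bin")  # hypothetical program file
        Path(tool).write_bytes(b"original build")  # constructed sample content
        manifest = build_manifest([tool], key)
        clean = verify_manifest(manifest, key)[tool]
        Path(tool).write_bytes(b"original build, altered")  # simulated change
        altered = verify_manifest(manifest, key)[tool]
        forged = dict(manifest, files={tool: file_digest(tool)})  # hash rewritten, key unknown
        rewritten = verify_manifest(forged, key)
    return clean, altered, rewritten

if __name__ == "__main__":
    print(demo())  # ('OK', 'MODIFIED', {'manifest': 'TAMPERED'})
```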
Old 06-22-2005, 03:56 AM   #9
kurt wismer
 
Posts: n/a
Default Re: Encryption software integrity test
Jim Byrd wrote:
> Hi Yoy - See svi Netiv's Integrity Master here for one example:
> http://www.stiller.com/


??? integrity master can certainly be found at http://www.stiller.com,
however it is made by wolfgang stiller, not zvi netiv...

--
"they threw a rope around yer neck to watch you dance the jig of death
then left ya for the starvin' crows, hoverin' like hungry whores
one flew down plucked out yer eye, the other he had in his sights
ya snarled at him, said leave me be - i need the bugger so i can see"


Old 06-22-2005, 05:42 AM   #10
Jim Byrd
 
Posts: n/a
Default Re: Encryption software integrity test
Sorry, my apologies to Mr. Stiller - I'd (obviously mistakenly) thought that
Zvi Netiv was the original developer.

--
Regards, Jim Byrd, MS-MVP
My Blog, Defending Your Machine, here:
http://defendingyourmachine.blogspot.com/

"kurt wismer" <> wrote in message
news:Jr4ue.35707$
> Jim Byrd wrote:
>> Hi Yoy - See svi Netiv's Integrity Master here for one example:
>> http://www.stiller.com/

>
> ??? integrity master can certainly be found at http://www.stiller.com,
> however it is made by wolfgang stiller, not zvi netiv...




