Encryption software integrity test

Discussion in 'Computer Security' started by Yoy G0, Jun 20, 2005.

  1. Yoy G0

    Yoy G0 Guest

    I have been an active user of many different encryption software
    products available to general public, but have not yet seen a good
    solution for checking the software's integrity before or during use,
    or at start up of the software. I am referring to a test that can
    prevent the software being subverted, changed, manipulated by a virus
    or otherwise, or at least inform the user that such an attack has
    taken place.

    Has anybody seen a good solution or idea for this anywhere?

    .-.-.ENCRYPT YOUR EMAIL TO ME.-.-.

    Find my key in these Public Key Servers: keyserver.veridis.com,
    wwwkeys.de.pgp.net, wwwkeys.us.pgp.net, blackhole.pca.dfn.de,
    pgp.mit.edu, pgp.uni-mainz.de, pgp.nic.ad.jp, keyserver.noreply.org

    My Key ID: 0x5BE7D95D
    Fingerprint: AB05 0E7B C22B F14F 7512 7027 A26C AAE3 5BE7 D95D

     
    Yoy G0, Jun 20, 2005
    #1

  2. Yoy G0

    Jim Byrd Guest

    Jim Byrd, Jun 20, 2005
    #2

  3. Yoy G0

    Jim Byrd Guest

    Sorry, should have been Zvi Netiv
     
    Jim Byrd, Jun 20, 2005
    #3
  4. Yoy G0

    tomstdenis Guest

    Yeah, I even have a patented install procedure

    1. Install/test as root
    2. Run as non-root

    ;-)

    Tom
     
    tomstdenis, Jun 20, 2005
    #4
  5. Yoy G0

    Tom McCune Guest

     
    Tom McCune, Jun 20, 2005
    #5
  6. Is this any good?

    MD5 Checksum 1.04

    This is a small Win32 application which is able to calculate the MD5
    digest (some kind of a secure checksum) of the content of any file.

    You can use this tool to ensure that the content of a file wasn't
    altered in any way. If e.g. someone tries to insert malicious code
    into an executable file its MD5 checksum will change and you note that
    something is wrong. Now with a complete HTML help system. Sourcecode
    included.

    http://maakus.dyndns.org/software.html

    Regards,
     
    Stephen Howard, Jun 21, 2005
    #6
  7. Yoy G0

    Steve Welsh Guest

    MD5 comes as standard with any openssl implementation - Linux, Cygwin,
    etc...

    MUCH easier than repairing a jumped on bassoon, Stephen ;)

    (for the non-musicians, the joke is "What's the difference between a
    bassoon and a trampoline? ..... Nobody takes their shoes off to jump on
    a bassoon")

    Sorry - I'll get me coat.....
     
    Steve Welsh, Jun 22, 2005
    #7
  8. Yoy G0

    Unruh Guest

    You cannot. You can check that your particular implementation is the same
    as it was (md5, tripwire, sha256,....) but to test that an encryption
    product really is secure can only be done by reading the source code,
    compiling against test vectors (randomly generated) and replacing the
    encryption code and key generation code with known good stuff. The whole
    purpose of even weak crypto is that the output is a random stream.
    People have shown for example that with RSA one can encode the key pair
    into the output in such a way that it is undiscoverable by anyone except
    someone who knows how it was done. The only way you could discover it is by
    looking at the source code, and recompiling the source code yourself on a
    safe compiler.

     
    Unruh, Jun 22, 2005
    #8
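
The "same as it was" check named in the post above (md5, tripwire, sha256), as an added example that is not code from any poster or from the tools mentioned in this thread. It records SHA-256 digests in a manifest and authenticates the manifest with an HMAC so that an altered baseline is caught as well; the file names, the key and the helper names are constructed for illustration. A clean result shows only that the files are unchanged since the baseline, not that the product is secure.

```python
import hashlib, hmac, json, os, tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def _tag(files, key):
    # HMAC over the canonical JSON form of the digest table
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(root, key):
    """Digest every file under root and authenticate the table with key."""
    files = {}
    for d, _, names in os.walk(root):
        for n in names:
            p = os.path.join(d, n)
            files[os.path.relpath(p, root)] = file_digest(p)
    return {"files": files, "hmac": _tag(files, key)}

def verify(root, manifest, key):
    """Compare root against the baseline; refuse a manifest whose HMAC fails."""
    known = manifest["files"]
    if not hmac.compare_digest(_tag(known, key), manifest["hmac"]):
        raise ValueError("manifest has been altered")
    now = build_manifest(root, key)["files"]
    return {
        "modified": sorted(p for p in known if p in now and now[p] != known[p]),
        "missing": sorted(p for p in known if p not in now),
        "added": sorted(p for p in now if p not in known),
    }

def demo():
    key = b"constructed-demo-key"  # constructed; assumes the real key is kept off the machine
    def put(root, name, data):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    with tempfile.TemporaryDirectory() as root:
        put(root, "crypt.exe", b"original program")
        put(root, "crypt.dll", b"library")
        baseline = build_manifest(root, key)
        put(root, "crypt.exe", b"original program + inserted code")
        os.remove(os.path.join(root, "crypt.dll"))
        put(root, "hook.dll", b"unexpected file")
        return verify(root, baseline, key)
```

Calling `demo()` returns the three lists of modified, missing and added files for the constructed directory.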
  9. Yoy G0

    kurt wismer Guest

    ??? integrity master can certainly be found at http://www.stiller.com,
    however it is made by wolfgang stiller, not zvi netiv...
     
    kurt wismer, Jun 22, 2005
    #9
  10. Yoy G0

    Jim Byrd Guest

    Sorry, my apologies to Mr. Stiller - I'd (obviously mistakenly) thought that
    Zvi Netiv was the original developer.
     
    Jim Byrd, Jun 22, 2005
    #10
  11. Oooh, don't get me started....
     
    Stephen Howard, Jun 22, 2005
    #11
