lhamey@vision.mqcc.mq.oz.au (Len Hamey) (12/12/90)
The rash of trojan "new" releases of virus scanners is worrying. I wonder whether it might not be possible for virus scanner developers to employ public-key encryption to provide unforgeable proof of the validity of new releases of their product.

The scanner developer would checksum his program using a (preferably complex) check-summing algorithm. The check-sum and the file size would then be encrypted via public-key encryption and released with the program itself. The person attempting to subvert such a program would be faced with the task of making their subverted program the same size with the same checksum. They could not simply compute a new checksum and install it because they would not know the scanner developer's private key.

A PD program could be provided for computing the checksum and checking it against the file. This program could be provided in source code form. The scanner programs could also include the ability to check new releases, so that a user once certain of the validity of a release could then readily check new releases.

I would be interested in comments on this idea, especially from the virus scanner developers.

Len Hamey
Lecturer in Computing
Macquarie University
len@mqcomp.mqcs.mq.oz.au
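
The scheme described in the post above, as an added example that is not part of the original thread: the developer signs a record of (checksum, file size) with a private key, and the user checks it with the public key. Assumptions: SHA-256 stands in for the "complex check-summing algorithm", the key is a constructed, insecure demonstration key using unpadded RSA, and all function and variable names are hypothetical.

```python
import hashlib

# Constructed demonstration key: two Mersenne primes give a modulus that is
# trivial to factor, and the RSA here is unpadded. Illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                  # public key, shipped with the checker
D = pow(E, -1, (P - 1) * (Q - 1))    # private key, held only by the developer


def release_record(data: bytes) -> int:
    """Pack the checksum (SHA-256) and the 8-byte file size into one integer."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest + len(data).to_bytes(8, "big"), "big")


def sign_release(data: bytes) -> int:
    """Developer side: transform the record with the private exponent."""
    return pow(release_record(data), D, N)


def verify_release(data: bytes, signature: int) -> bool:
    """User side: recover the record with the public key and compare it with
    the checksum and size recomputed from the file actually received."""
    if not 0 < signature < N:
        return False
    return pow(signature, E, N) == release_record(data)


def forge_with_own_key(data: bytes) -> int:
    """Subverter recomputes the record but can only sign with a different key."""
    p2, q2 = 2**127 - 1, 2**1279 - 1
    return pow(release_record(data), pow(E, -1, (p2 - 1) * (q2 - 1)), p2 * q2)


# Constructed sample inputs standing in for release files.
GENUINE = b"SCANNER v2.0 genuine build" + bytes(range(256))
# Same length as GENUINE, so a size comparison alone would not catch it.
TROJAN = b"SCANNER v2.0 trojan  build" + bytes(range(256))
```

The checker needs only `N` and `E`, which is why it can be distributed in source form as the post suggests.
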
HUUSKONEN@cc.helsinki.fi (Taneli Huuskonen) (12/18/90)
lhamey@vision.mqcc.mq.oz.au (Len Hamey) writes:
> The rash of trojan "new" releases of virus scanners is worrying. I
> wonder whether it might not be possible for virus scanner developers
> to employ public-key encryption to provide unforgeable proof of the
> validity of new releases of their product.
> [description on how to use a public-key system deleted]

There are some public domain one-way checksum generators available in source form. If there is sufficient interest, I'd be willing to write a shareware program to further compare the checksum against an encrypted correct checksum, which is distributed along with the virus scanner.

Please send me a one-line message if you'd like to have such a shareware public key signature system, and suggest a price you'd consider reasonable. Please don't send me longer e-mail messages unless you are directly involved in virus fighting or public key signature systems yourself. I'll post more details within a couple of weeks, if there is interest.

Taneli Huuskonen
huuskonen@cc.helsinki.fi
huuskonen@finuh.bitnet