p1@rlyeh.wimsey.bc.ca (Rob Slade) (12/01/90)
oper1%drcv06.decnet@drcvax.af.mil (DRCV06::OPER1) suggests that files could be guaranteed safe if the authors used the -AV switch when ZIPping the files. What is to prevent anyone from infecting the file, and then reZIPping the infected files ... with -AV on? A genuine, authentic infection ...
berg@cip-s01.informatik.rwth-aachen.de (AKA Solitair) (12/07/90)
Rob Slade writes:
> What is to prevent anyone from infecting the file, and then reZIPping the infected files ... with -AV on?

One can only use the -AV option when PKzip is registered. When you do, you can specify the string that is to be displayed when someone unzips an archive created with your registered PKzip. The message is encrypted into the zip-file, and can only be decrypted correctly if the archive is in identical state (unmodified in any way). That means, if you know what message normally should be displayed by PKunzip when you unzip a zip-file from a particular vendor, you're safe.

[Ed. Sounds (to me) to be at least a rudimentary public key system of sorts. Does anyone know how cryptographically sound this option is? Also, I assume that PK is maintaining the database of developers' signatures; could someone please post info on how a developer goes about getting registered? Making the (rather broad) assumption that the system is cryptographically secure and that it's not prohibitive for vendors (big and small) to register, this seems (in my opinion) to be a great service that PK is providing - at least to users in the U.S. For what that's worth...]

- --
Sincerely,                                       berg%cip-s01.informatik.rwth-aachen.de@unido.bitnet
Stephen R. van den Berg.
"I code it in 5 min, optimize it in 90 min, because it's so well optimized: it runs in only 5 min. Actually, most of the time I optimize programs."
OPERTHH@ROSEVC.Rose-Hulman.Edu (Tom Hopson) (12/07/90)
Regarding PKZIP authenticity verification...

> [Ed. Sounds (to me) to be at least a rudimentary public key system of
> sorts. Does anyone know how cryptographically sound this option is?

When you receive the registration notice, you are given the name you chose to register under as well as (for me at least) a 9-digit number that seems to be based on the string in some way. The string and the number are then entered into the PUTAV program that verifies them and encrypts them into the PKZIP.EXE program. If either the name or the 9-digit serial number is mis-entered, PUTAV flags an error.

When the AV is verified during an UNZIP, your name and a 3-character/3-digit code appear. Presumably, PKWARE maintains a listing of names, serial numbers, and result codes. I would guess that people could (additionally) verify programs by calling PKWARE and seeing that the name matched the result code. However, I doubt that PKWARE is going to flaunt the code around just to prove that it's secure.

> Also, I assume that PK is maintaining the database of developers'
> signatures; could someone please post info on how a developer goes
> about getting registered?

You either register for AV when you register the program, or you can get one afterwards. All you provide them with is the name you want to appear when the AV is verified.

> Making the (rather broad) assumption that the system is
> cryptographically secure and that it's not prohibitive for vendors
> (big and small) to register,

One particularly attractive feature is that the AV registration does not cost the registrant anything--PKWARE isn't charging to provide this service, at least not above what they charge for the program.

> this seems (in my opinion) to be a great service that PK is providing
> - at least to users in the U.S. For what that's worth...]

I would agree...

- -------------------------------------------------------------------------------
Thomas H. Hopson                          /\  All statements are my own, but I'm
Hopson@RoseVC.Rose-Hulman.Edu (or)        /\  really not as crazy as I seem, never
OperTHH@RoseVC.Rose-Hulman.Edu            /\  mind what everybody else keeps saying.
- -------------------------------------------------------------------------------
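The AV check as the two replies above describe it (a vendor string bound to the exact archive bytes, displayed only when the archive is unmodified) can be modelled in a few lines. The block below is an added example written for this digest, not PKWARE's code and not PKZIP's actual algorithm: the tag is an HMAC-SHA256 under a per-vendor secret, the vendor names, keys and file contents are all constructed, and the "trusted vendors" table stands in for the user knowing which string a particular vendor's archives normally display. It runs Rob Slade's scenario and Stephen van den Berg's answer side by side: a genuine archive shows the vendor string, an archive altered after zipping shows nothing, and an archive re-zipped and re-tagged without the vendor's key also shows nothing.

```python
"""Toy model of archive authenticity verification (AV).

Added example, not PKZIP's real scheme.  The tag is an HMAC over the
vendor's display string and the archive bytes, so the signer and the
verifier share one secret per vendor.
"""
import hashlib
import hmac
import io
import zipfile

# Constructed fixed timestamp so identical contents give identical archive bytes.
FIXED_DATE = (1990, 12, 7, 0, 0, 0)


def build_archive(files):
    """Pack {name: bytes} into an in-memory ZIP archive and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=FIXED_DATE)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return buf.getvalue()


def av_tag(vendor_key, vendor_name, archive):
    """Tag binding the vendor's display string to the exact archive bytes."""
    mac = hmac.new(vendor_key, digestmod=hashlib.sha256)
    mac.update(vendor_name.encode("utf-8"))
    mac.update(b"\x00")  # separator: keeps the name/archive boundary unambiguous
    mac.update(archive)
    return mac.hexdigest()


def unzip_with_av(trusted_vendors, archive, tag):
    """Return (vendor_name, {name: bytes}) when the tag verifies under some
    trusted vendor's key, else (None, None).  As in the thread, the user
    trusts the archive only if the expected vendor string is displayed."""
    for name, key in trusted_vendors.items():
        if hmac.compare_digest(av_tag(key, name, archive), tag):
            with zipfile.ZipFile(io.BytesIO(archive)) as zf:
                return name, {n: zf.read(n) for n in zf.namelist()}
    return None, None


def demo():
    """Run the three scenarios; return which vendor string each one displays."""
    # Constructed secrets: the vendor's registered key and an unrelated party's.
    vendor_key = b"acme-registered-secret"
    other_key = b"someone-elses-secret"
    trusted = {"Acme Software": vendor_key}

    # Constructed archive contents.
    clean = {"README.TXT": b"Acme utility v1.0\r\n", "ACME.EXE": b"MZ" + b"\x90" * 64}
    archive = build_archive(clean)
    tag = av_tag(vendor_key, "Acme Software", archive)

    # 1. Genuine archive from the registered vendor: its string is displayed.
    shown_ok, _ = unzip_with_av(trusted, archive, tag)

    # 2. A file changed after zipping, original tag kept: the archive bytes no
    #    longer match what was tagged, so nothing is displayed.
    altered = dict(clean)
    altered["ACME.EXE"] = clean["ACME.EXE"] + b"\xcc" * 8
    shown_altered, _ = unzip_with_av(trusted, build_archive(altered), tag)

    # 3. Re-zipped and re-tagged under a key that is not the vendor's: the
    #    user's expected string is still not displayed.
    rezipped = build_archive(altered)
    forged_tag = av_tag(other_key, "Acme Software", rezipped)
    shown_rezipped, _ = unzip_with_av(trusted, rezipped, forged_tag)

    return shown_ok, shown_altered, shown_rezipped


if __name__ == "__main__":
    print(demo())  # ('Acme Software', None, None)
```

The model makes the editor's question concrete: because signer and verifier share the same secret, the check is only as strong as the secrecy of the per-vendor key held inside the registered PKZIP.EXE. Anyone who recovered that key could produce a tag the verifier accepts, which is the gap Rob Slade is pointing at; a true public-key signature avoids it because the verifier holds only a public key and cannot create tags.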