[comp.virus] Antiviral Validation

David_Conrad%Wayne-MTS@um.cc.umich.edu (04/12/90)

Stephen R. van den Berg writes:
>From:    berg@cip-s02.informatik.rwth-aachen.de (SRB)
>Subject: Re: Validating Virus Software
>
>I always wondered: shouldn't the crc-32 and crc-16 of zip and arc files be
>unique enough to validate any file?
>
>Why can't we just put these checks and the length of a file on the net.
>If you insist, then of course you could add any proprietary validation values
>like the ones obtained from the validate program.  But I'm pretty sure that
>most people trust their favorite zip or arc program more than some kind
>of a so-called validate program.

   The problem with this plan lies in that the CRC algorithms used by
these archive programs are public knowledge, and it is very easy to
arrange for a file to have a specific CRC value.  Publishing the file
size in addition to the CRC value makes the problem harder, since one
can't simply add inert data to the end of the file to finagle the CRC
value, but even this doesn't provide sufficient protection, since some
of the data in the file may be safely changed (perhaps a statically
allocated buffer), or, in extreme cases, a dedicated virus writer
could sacrifice some rarely-used routine in the target program.
Proprietary validation routines provide slightly better security,
since the algorithm is not public information, but once again a
dedicated virus writer could reverse-engineer the algorithm from the
validation program itself.  The best solution at this time is to use
validation algorithms from which it is computationally infeasible to
produce a specific value.  Snefru 2.0 and MD4 are two good examples.

                             Regards,
                             David R. Conrad

P.S. Snefru 2.0 is The Xerox Secure Hash Function.  I seem to recall that
  the author of MD4 requested that it be referred to by some specific
  name, but the name itself I have forgotten.  My apologies.

+-------------------------------------------------------------------------+
| David R. Conrad           (preferred) dconrad%wayne-mts@um.cc.umich.edu |
| /\/\oore Soft\/\/are                  dave@thundercat.com               |
| Disclaimer: No one necessarily shares my views, but anyone is free to.  |
+-------------------------------------------------------------------------+
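
The point made in the post above, as an added example that is not part of the original message: a validator checks a constructed sample file whose buffer bytes were changed, first against a published length and CRC-32, then against a published length and cryptographic digest. SHA-256 is used here as an assumption, standing in for the Snefru and MD4 functions the post names; the sample bytes and all function names are hypothetical.

```python
import hashlib
import zlib

# The CRC-32 generator polynomial (x^32 + x^26 + ... + 1) as it appears in a
# byte stream under the bit order zip/zlib use: one leading bit, then
# 0xEDB88320 in little-endian order. XORing any multiple of the generator
# into a message of fixed length leaves the CRC remainder unchanged.
GENERATOR = bytes([0x80, 0x20, 0x83, 0xB8, 0xED])


def fingerprint(data: bytes) -> dict:
    """Values a site could publish for a file."""
    return {
        "length": len(data),
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def validate(data: bytes, published: dict, fields: tuple) -> bool:
    """True if every chosen field of the file matches the published value."""
    actual = fingerprint(data)
    return all(actual[name] == published[name] for name in fields)


def alter_buffer(data: bytes, offset: int) -> bytes:
    """Return a same-length copy with GENERATOR XORed in at `offset`."""
    if offset < 0 or offset + len(GENERATOR) > len(data):
        raise ValueError("offset must leave room for the 5-byte pattern")
    out = bytearray(data)
    for i, b in enumerate(GENERATOR):
        out[offset + i] ^= b
    return bytes(out)


# Constructed sample: a stand-in "program" with a statically allocated buffer.
HEADER = b"constructed sample program image\x00"
ORIGINAL = HEADER + bytes(16) + b"\x00rest of the image"
PUBLISHED = fingerprint(ORIGINAL)
ALTERED = alter_buffer(ORIGINAL, len(HEADER) + 4)

if __name__ == "__main__":
    print("bytes differ:       ", ALTERED != ORIGINAL)
    print("length + CRC-32 ok: ", validate(ALTERED, PUBLISHED, ("length", "crc32")))
    print("length + SHA-256 ok:", validate(ALTERED, PUBLISHED, ("length", "sha256")))
```

The altered copy passes the length and CRC-32 check and fails the digest check, which is the gap between an error-detecting code and a one-way hash that the post describes.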