Re: Encryption software integrity test
From: Unruh (unruh-spam_at_physics.ubc.ca)
Date: 06/22/05
- In reply to: Steve Welsh: "Re: Encryption software integrity test"
Date: 22 Jun 2005 00:01:21 GMT
>>>
>>>I have been an active user of many different encryption software
>>>products available to the general public, but have not yet seen a good
>>>solution for checking the software's integrity before or during use,
>>>or at start up of the software. I am referring to a test that can
>>>prevent the software being subverted, changed, manipulated by a virus
>>>or otherwise, or at least inform the user that such an attack has
>>>taken place.
You cannot. You can check that your particular implementation is the same
as it was (md5, tripwire, sha256, ...) but to test that an encryption
product really is secure can only be done by reading the source code,
compiling against test vectors (randomly generated) and replacing the
encryption code and key generation code with known good stuff. The whole
purpose of even weak crypto is that the output is a random stream.
People have shown for example that with RSA one can encode the key pair
into the output in such a way that it is undiscoverable by anyone except
someone who knows how it was done. The only way you could discover it is by
looking at the source code, and recompiling the source code yourself on a
safe compiler.