[Dshield] distributing windows updates (was: Proxy attackers/hijackers)

John Holmblad jholmblad at aol.com
Wed Oct 22 16:44:03 GMT 2003


To amplify on your point more specifically, the code needs to be signed 
by Microsoft using a cryptographic signature process (so-called digital 
signature) based on asymmetric crypto (e.g. RSA). The private key, of 
course, is maintained in secrecy by Microsoft and the public key is made 
available to all in a Digital Certificate (DS) from Microsoft that 
itself has been issued by an entity that you, the recipient, trust (e.g. 
Verisign, Thawte, etc.). In this case the crypto is being used not for 
privacy but for authentication (i.e. to assure you, the recipient, that 
the file indeed came from Microsoft) and file integrity (i.e. that the 
file has not been tampered with) purposes. The "code signing and 
verification" process is the same in principle whether the code is 
downloaded from a Microsoft www site or taken off of a CD claiming to be 
from Microsoft.

Of course, if the software that performs these file integrity checks 
using DS technology is itself compromised then all bets are off. For 
this reason, if you are suspicious of a CD that claims to be authentic, 
it is obviously not a good idea to rely on any such authentication 
software that is also stored on the CD to perform the integrity 
checking. Instead you should rely on such software already stored on 
your presumably secure computer and therefore not compromised.

Best Regards,


John Holmblad


Televerage International


(H) 703 620 0672

(M) 703 407 2278

(F) 703 620 5388


www page:                      www.vtext.com/users/jholmblad

primary email address: jholmblad at aol.com

backup email address:  jholmblad at verizon.net


text email address:         jholmblad at vtext.com
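
An added example, not part of the original message: the two-step check described above (a certificate issued by a trusted CA, then a file signed by the certified key) in Python. It assumes textbook RSA over SHA-256 with no padding and small constructed keys; `Example Vendor`, `check_file` and the certificate layout are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def make_key(p, q):
    """Textbook RSA key pair (public, private) from two primes."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, priv):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(data, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def cert_body(subject, pub):
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def issue_cert(subject, pub, issuer_priv):
    """The issuer binds a subject name to a public key by signing both."""
    return {"subject": subject, "pub": pub,
            "sig": sign(cert_body(subject, pub), issuer_priv)}

def check_file(data, file_sig, cert, trusted_ca_pub, expected_subject):
    """Runs on the recipient's machine; trusted_ca_pub is stored there,
    never read from the CD or download being checked."""
    if not verify(cert_body(cert["subject"], cert["pub"]), cert["sig"], trusted_ca_pub):
        return "certificate not issued by a trusted CA"
    if cert["subject"] != expected_subject:
        return "signed by someone else"
    if not verify(data, file_sig, cert["pub"]):
        return "file altered after signing"
    return "ok"

# Constructed keys built from known Mersenne primes (far too small for real use).
CA_PUB, CA_PRIV = make_key(2**89 - 1, 2**107 - 1)
VENDOR_PUB, VENDOR_PRIV = make_key(2**61 - 1, 2**127 - 1)
ROGUE_PUB, ROGUE_PRIV = make_key(2**61 - 1, 2**89 - 1)

UPDATE = b"constructed update payload"
VENDOR_CERT = issue_cert("Example Vendor", VENDOR_PUB, CA_PRIV)
UPDATE_SIG = sign(UPDATE, VENDOR_PRIV)
# A forged certificate: right name, but self-signed instead of CA-signed.
ROGUE_CERT = issue_cert("Example Vendor", ROGUE_PUB, ROGUE_PRIV)
```

`check_file` accepts `ROGUE_CERT` only when it is handed `ROGUE_PUB` as the trust anchor, which is why the anchor and the checking software have to come from the recipient's own machine.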
