Path: utzoo!utgpu!news-server.csri.toronto.edu!clyde.concordia.ca!uunet!tut.cis.ohio-state.edu!zaphod.mps.ohio-state.edu!rpi!sigma
From: sigma@pawl.rpi.edu (Kevin J Martin)
Newsgroups: comp.sys.ibm.pc
Subject: Re: PKZIP version 1.10 and data encryption
Message-ID: <^KG#L#_@rpi.edu>
Date: 29 Mar 90 08:56:55 GMT
References: <1990Mar28.035417.6496@eng.umd.edu> <2170@darkstar.ucsc.edu> <3930@plains.UUCP>
Organization: Rensselaer Polytechnic Institute, Troy NY
Lines: 41

In article <3930@plains.UUCP> bakke@plains.UUCP (Jeffrey P. Bakke) writes:
>I just got a copy of Pkzip 1.10 from the signetics BBS, its a 800 number.
>I can't believe that they would worry about having it on the network.
>
>As far as I can tell, the so called "security" problem that is caused is
>because of a data verification algorithm which means you can zip up
>a program and include your company and name and a special serial number
>which becomes encoded inside the zip file. When you unzip, it then
>checks to make sure that your files haven't been modified. Basically
>it protects against unauthorized modifications and possible trojan
>modifications.
>Also, not just anyone can use this feature, you must register your copy
>in order to receive a serial number that will function correctly with
>the authorization function. And, you can only get this version in
>the U.S. and Canada.
>Jeff Bakke
>bakke@plains.NoDak.edu

No, I don't think you've got it quite right. The DES algorithm, as I understand it, is used by the password feature of PKZip, which allows you to enter a password with which to encrypt your ZipFile. It's purely coincidental (perhaps?) that the reduced exportable version does not offer the serial number feature, although I'll admit it is possible that such a feature would also employ the same DES code. What you say about the data verification algorithm is correct, but that is typically done through a 32-bit (in this case) CRC, not the DES algorithm.
Once again, I'm offering a uuencoded copy of PKZ110.EXE (with instructions on uudecoding and downloading) to anyone who I can verify as a North American (non-Mexican? do they cover that?) mail address. Offer expires Wed 4/4/90.

A few e-mail comments (accompanied by whole-hearted requests, I might add) have made me uneasy about this situation, absurd as that might seem. Could we discuss the legalities? Considering how recent Secret Service busts seem to hold BBS operators entirely responsible for anything their users may do, I wonder if, along the same lines, I could be responsible for not accounting for the possibility of, say, the "Russkies" tapping an Ethernet wire in rural Ohio and intercepting my mail?! It's all so ludicrous anyway, so why not?

Kevin Martin
sigma@pawl.rpi.edu
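The 32-bit CRC that the reply distinguishes from DES, as an added example (Python; not code from the original post or from PKZIP): a table-driven CRC-32 with the ZIP polynomial, the extraction-time recompute-and-compare check, and a small demonstration that the CRC is affine over XOR, which is why it catches transfer corruption but is not a cryptographic seal against deliberate edits. The sample entry bytes are constructed; `zlib.crc32` is used only as a cross-check.

```python
import zlib

# PKZIP's 32-bit CRC (CRC-32/ISO-HDLC): reflected polynomial 0xEDB88320,
# initial value 0xFFFFFFFF, final XOR 0xFFFFFFFF. zlib.crc32 computes the
# same function and serves here only as an independent reference.
POLY = 0xEDB88320

def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table

_TABLE = _make_table()

def zip_crc32(data: bytes) -> int:
    """Table-driven CRC-32 as stored in each ZIP local file header."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

def verify_entry(data: bytes, stored_crc: int) -> bool:
    """The extraction-time check: recompute the CRC and compare."""
    return zip_crc32(data) == stored_crc

def crc_is_affine(a: bytes, b: bytes) -> bool:
    """crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros) for equal-length inputs.
    A check with this structure detects accidental damage; it is not a
    keyed authenticator and carries no secret a tamperer would lack."""
    assert len(a) == len(b)
    x = bytes(p ^ q for p, q in zip(a, b))
    return zip_crc32(x) == zip_crc32(a) ^ zip_crc32(b) ^ zip_crc32(bytes(len(a)))

# Constructed stand-in for the bytes of one file inside an archive.
SAMPLE = b"PKZIP 1.10 sample entry, constructed for this example\n"

def demo() -> dict:
    stored = zip_crc32(SAMPLE)        # what the archiver would record
    damaged = bytearray(SAMPLE)
    damaged[7] ^= 0x20                # one flipped bit, as in a bad download
    return {
        "matches_zlib": stored == zlib.crc32(SAMPLE),
        "intact_ok": verify_entry(SAMPLE, stored),
        "damaged_ok": verify_entry(bytes(damaged), stored),
        "affine": crc_is_affine(SAMPLE, bytes(damaged)),
    }

if __name__ == "__main__":
    print(demo())
```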