Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!elroy.jpl.nasa.gov!sdd.hp.com!news.cs.indiana.edu!rutgers!bagate!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw From: USERQS88@SFU.BITNET (Charles) Newsgroups: comp.virus Subject: PKZIP Auto-Verification feature.. (PC) Message-ID: <0009.9012051525.AA15332@ubu.cert.sei.cmu.edu> Date: 4 Dec 90 23:09:26 GMT Sender: Virus Discussion List Lines: 38 Approved: krvw@sei.cmu.edu There seems to be a common misconception floating around that just anybody can use the auto-verification feature of PkZip. This just isn't so! In the documentation that comes with PkZip, it states that you have to get in touch with Phil Katz, and give him some information about your company's name; he will then send you a corresponding verification key that you apply to the programs you are pkzipping.. This key is kept private, so in effect, the whole system is a public-key cryptography system. Someone mentioned earlier that a trojan version of PkZip was released by someone. This trojan version reported that the auto-verification key was correct, and the software was intact. There are two ways this could have happened: 1) The correct verification key was discovered, allowing any zip file to be stamped with Phil Katz's own signature, in which case, I'd be worried about the security, or... 2) The self-extracting archive was modified to ignore the signature, and report "All's well!". The second method can be tested by using PkZip 1.1 to test the signature, instead of 'PkZip 1.2' (the trojan version). Does anybody know the workings of the AV system, or more importantly, how big the signature is, and whether two different signatures produce the same result? And as an aside, does anybody know how secure the PkZip encryption method is; since the US Government insisted on the encrypting version of PkZip staying within the boundaries of the US, one would suspect that it is pretty good. >From the desk of: Charles Howes USERQS88@SFU.BITNET - USERQS88@cc.sfu.ca (Expires soon) c275387@csil.cs.sfu.ca (ditto) In Canada, 1-604-531-5623 (Will never expire!) Note: Students don't have opinions. :-) Simon Fraser University, Burnaby, BC, Canada Brought to you by Super Global Mega Corp .com