Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: OPERTHH@ROSEVC.Rose-Hulman.Edu (Tom Hopson)
Newsgroups: comp.virus
Subject: Re: ZIPping with -AV (PC)
Message-ID: <0012.9012071952.AA18950@ubu.cert.sei.cmu.edu>
Date: 7 Dec 90 07:02:00 GMT
Sender: Virus Discussion List
Lines: 48
Approved: krvw@sei.cmu.edu

Regarding PKZIP authenticity verification...

>[Ed. Sounds (to me) to be at least a rudimentary public key system of
>sorts. Does anyone know how cryptographically sound this option is?

When you receive the registration notice, you are given the name you
chose to register under as well as (for me at least) a 9-digit number
that seems to be based on the string in some way. The string and the
number are then entered into the PUTAV program that verifies them and
encrypts them into the PKZIP.EXE program. If either the name or the
9-digit serial number is mis-entered, PUTAV flags an error.

When the AV is verified during an UNZIP, your name and a
3-character/3-digit code appear.

Presumably, PKWARE maintains a listing of names, serial numbers, and
result codes. I would guess that people could (additionally) verify
programs by calling PKWARE and seeing that the name matched the result
code. However, I doubt that PKWARE is going to flaunt the code around
just to prove that it's secure.

>Also, I assume that PK is maintaining the database of developers'
>signatures; could someone please post info on how a developer goes
>about getting registered?

You either register for AV when you register the program, or you can
get one afterwards. All you provide them with is the name you want to
appear when the AV is verified.

>Making the (rather broad) assumption that the system is
>cryptographically secure and that it's not prohibitive for vendors
>(big and small) to register,

One particularly attractive feature is that the AV registration does
not cost the registrant anything--PKWARE isn't charging to provide this
service, at least not above what they charge for the program.

>this seems (in my opinion) to be a great service that PK is providing
>- at least to users in the U.S. For what that's worth...]

I would agree...

-------------------------------------------------------------------------------
Thomas H. Hopson                      /\  All statements are my own, but I'm
Hopson@RoseVC.Rose-Hulman.Edu  (or)   /\  really not as crazy as I seem, never
OperTHH@RoseVC.Rose-Hulman.Edu        /\  mind what everybody else keeps saying.
-------------------------------------------------------------------------------