Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!rutgers!ames!ucbcad!ucbvax!YALE.ARPA!LEICHTER-JERRY
From: LEICHTER-JERRY@YALE.ARPA
Newsgroups: comp.os.vms
Subject: Re: Image checksums
Message-ID: <8708092108.AA19612@ucbvax.Berkeley.EDU>
Date: Sun, 9-Aug-87 17:08:09 EDT
Article-I.D.: ucbvax.8708092108.AA19612
Posted: Sun Aug 9 17:08:09 1987
Date-Received: Sun, 9-Aug-87 22:52:48 EDT
Sender: daemon@ucbvax.BERKELEY.EDU
Reply-To:
Distribution: world
Organization: The ARPA Internet
Lines: 39

The LOGINOUT.EXE checksums likely differ from machine-to-machine because this
image was patched as part of an upgrade.  PATCH writes the date and time of
the patch into the image, so you would expect no two patches of the same image
to end up with the same two checksums.

This problem can be avoided by using CHECKSUM/IMAGE rather than just plain
CHECKSUM.  CHECKSUM/IMAGE, even less well-known than CHECKSUM:

	- Looks only at the relevant parts of the image, ignoring things
	  like patch dates;

	- Types out its results, rather than setting CHECKSUM$CHECKSUM;

	- Accepts wild-card file specs, with default file type .EXE.

HOWEVER, LOGINOUT.EXE actually varies a bit from system to system:  It's
different on VMS and MicroVMS systems because of the multi-user-license
restrictions on MicroVMS, and applying different "number of users" licenses
also produces different images.  So even CHECKSUM/IMAGE will show variations
on LOGINOUT from system to system - though it should probably produce the
same result on all VMS (as opposed to MicroVMS) systems.

		I M P O R T A N T   C A U T I O N

DON'T PUT YOUR FAITH IN CHECKSUM!!!  CHECKSUM was NOT intended to be used in
security applications.  Its algorithm is very simple - basically it just
considers the file to consist of a bunch of 4-byte integers and adds them up.
It is very easy to ensure that the checksum on a file remains unchanged even
as you replace it completely.

There do exist "cryptographic checksums" with the property that it is very
difficult to make the checksum come out to some pre-specified value.  One,
based on DES, is approved for this kind of use in banking applications.  A PD
DES encryption package, with a user interface that supports this checksum
mode, has been distributed through Usenet.  (The copy I picked up is
"Programmed by R.W. Outerbridge; uses Jim Gillogly's DES".)  It needs work for
effective use on VMS, and, of course, comes with no guarantees.

							-- Jerry
-------
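
The caution in the post above, as an added example that is not part of the original post and is not the VMS CHECKSUM source: it models the "add up the 4-byte integers" scheme as the post describes it and compares it with a keyed cryptographic checksum on a constructed sample file. Assumptions: little-endian words, arithmetic modulo 2**32, zero padding of a short final word, and HMAC-SHA256 substituted for the DES-based checksum the post mentions; all function names are hypothetical.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
# Constructed sample data: a 64-byte stand-in for an image file and a demo key.
SAMPLE_IMAGE = bytes(range(64))
SAMPLE_KEY = b"constructed-demo-key"

def to_words(data: bytes) -> list:
    # Assumption: little-endian 4-byte words, last partial word zero-padded.
    padded = data + b"\x00" * (-len(data) % 4)
    return list(struct.unpack("<%dI" % (len(padded) // 4), padded))

def from_words(words: list) -> bytes:
    return struct.pack("<%dI" % len(words), *words)

def additive_checksum(data: bytes) -> int:
    """Add up the file's 4-byte integers, as the post describes, modulo 2**32."""
    return sum(to_words(data)) & MASK32

def keyed_checksum(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: a keyed cryptographic checksum (substituted for the DES one)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Reorder two words; addition is commutative, so the sum is unchanged."""
    w = to_words(data)
    w[i], w[j] = w[j], w[i]
    return from_words(w)

def rebalance_words(data: bytes, i: int, j: int, delta: int) -> bytes:
    """Add delta to word i and subtract it from word j; the changes cancel."""
    w = to_words(data)
    w[i] = (w[i] + delta) & MASK32
    w[j] = (w[j] - delta) & MASK32
    return from_words(w)

def compare(original: bytes, altered: bytes, key: bytes) -> dict:
    """Report which check notices that `altered` differs from `original`."""
    return {
        "content_changed": original != altered,
        "additive_detects": additive_checksum(original) != additive_checksum(altered),
        "keyed_detects": keyed_checksum(key, original) != keyed_checksum(key, altered),
    }

if __name__ == "__main__":
    for altered in (swap_words(SAMPLE_IMAGE, 0, 5), rebalance_words(SAMPLE_IMAGE, 1, 2, 0x1234)):
        print(compare(SAMPLE_IMAGE, altered, SAMPLE_KEY))
```

The keyed checksum is only useful for integrity monitoring if the key and the recorded reference values are stored where someone who can modify the image cannot also modify them.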