Re: [OT] Firefox 3.0

Slower Than You wrote:

Simian wrote:

Slower Than You wrote:

Again, FWIW, signcode uses MD5 or SHA1, both of which are public
algorithms, I have no idea what Wise Install uses (or indeed, what
it actually is), but I'd bet a fair amount that it's from the same
set of knowns aRC4/MD5/SHA1.

You are conveying your lack of experience. Sure, authenticode process
does use MD5 or, optionally SHA1 as a hashing algorithm but that's a
vanishingly small part of the process; a mere hash of an executable or
archive is hardly very useful on its own in this context is it? You
neglected to mention anything at all about the much more significant
PKC side of the equation, timestamping, and certification.

Yers, but all of that is available in off the shelf libraries for just
about any language it's worth writing them in, and several it probably
wasn't.


Wise Installer uses the CryptoAPI to generate it's authenticode
signatures,

Freely available versions of what MS calls the CryptoAPI are in easy to
use libraries for just about any language you care to use, and on just
about any operating system I've used.


I could email some source code
straight from my dev machine if you're having problems believing me.

No no, I believe you, I just think your suggestion that signing a
application gives you security against malware is incorrect. It gives
you no more security than downloading it over an authenticated https
session.


Unlike you, I know enough to that downloading a huge int library and
"knocking up" a public key crypto implementation might not actually be
the wisest, or most trivial, thing to do.

*shrug* I've spent the last 12 years involved in the creation of
operating systems, virtual machines, and standard libraries - including
things like infinite precision maths and crypto algorithms.

Your 'deep within the CryptoAPI' is merely a Microsoft specific
viewpoint, and even that is easily subvertable by anyone who knows how
to install an external interrupt handler for an app running on XP.


.

Relevant Pages

  • Re: [OT] Firefox 3.0
    ... Again, FWIW, signcode uses MD5 or SHA1, both of which are public ... algorithms, I have no idea what Wise Install uses (or indeed, what it ...
    (uk.rec.motorcycles)
  • Re: CSP with foreign algorithm
    ... Unfortunately, the Microsoft CA, like most applications based on CryptoAPI, ... The GOST algorithms may not be used with a Microsoft CA ... Now we are finishing the CSP development in accordance to the CSP ...
    (microsoft.public.platformsdk.security)
  • Re: How good an encryption algorithm is this?
    ... They've designed plenty of crypto algorithms ... But surely there are enough CryptoAPI examples to help you out, ... Using "I think I'll design my own crypto algorithm" is a bad starting ... > those higher up crackers are probably more into breaking standard algorithms ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: How good an encryption algorithm is this?
    ... They've designed plenty of crypto algorithms ... But surely there are enough CryptoAPI examples to help you out, ... Using "I think I'll design my own crypto algorithm" is a bad starting ... > those higher up crackers are probably more into breaking standard algorithms ...
    (microsoft.public.vc.language)
  • Re: 2.6.0-test2+Util-linux/cryptoapi
    ... there is no point unless the kernel API is ... But I assume this didn't sneak in since the testing cryptoAPI ... Or have the algorithms been redone? ... >> former a lot nicer from the userspace programmer's point of view? ...
    (Linux-Kernel)