[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Microsoft Authenticode key security



William H. Geiger III writes:
> In <[email protected]>, on 03/05/97 at 07:44 PM,
>    [email protected] (Dr.Dimitri Vulis KOTM) said:
> 
> >"Bob Atkinson (Exchange)" <[email protected]> writes:
> 
> >> Actually, and sort of to the point, no, the keys never actually ever the
> >> BBN box, except as part of a backup procedure in which they are
> >> extracted in a doubly-encrypted form for which for security reasons you
> >> need the manufacturer's help in restoring.
> >>
> >> To this day, no human or computer other than the box itself knows the
> 
> >But do we necessarily believe what Microsoft people say?
> 
> If Bill Gates got on national TV and told the world that the sky was blue
> I'd have go outside and look for myself. 

Actually, around Redmond, gray skies are much more common.

Really guys, If you want to attack Authenticode (and I personally 
consider it a bandaid on a dangerous system), then stealing or
buying the key is not the approach to take.

I see two possible approaches to prove it's weakness.

1. If they are using RSA, factor the public key. This depends on it's
length. Considering the amount of cpu people seem to be able to 
muster for distributed cracks, etc, I suspect that 512 bit keys will 
soon be vulnerable (equiv = RSA 155).

2.  Write a Trojan Horse ActiveX control which disables the 
Authenticode checking, then covers it's tracks.

No, I'm not working on either of these.

Peter Trei
[email protected]

Disclaimer: I speak for myself, not my employer.