Using crypto to sign auto update patch files?

This is a discussion on Using crypto to sign auto update patch files? within the Tech Board forums, part of the Community Boards category; Greetings! I just found this excellent resource (as well as a very similar site which seems to be equally informative ...

  1. #1
    Registered User
    Join Date
    Jul 2007
    Posts
    5

    Using crypto to sign auto update patch files?

    Greetings! I just found this excellent resource (as well as a very similar site which seems to be equally informative in case any of you browse both ) and I am looking forwarding to continued browsing and hopefully some contributing. However, I am having some difficulty myself with the idea of cryptographically signing patch files to be used in conjunction with an auto updating application. The software is for Windows only.

    Currently, I just have the program download a text file that further instructs it on what to download, but this text file could be overwritten by a hacker or anyone else who might have access.

    Ultimately, my goal is to be able to run some sort of cryptography program on my computer and somehow sign the text file (and probably the files to be patched too) and have my software only proceed with the patch if it can verify it was signed by my computer.

    Ideally, I would be able to sign it from a Linux LiveCD (maybe in conjunction with wine if its a typically Windows program?) so as to better secure against insecurity from my own computer. I realize this extra step complicates matters so if you don't know of a solution that can sign on Linux and yet verify that signature on Windows I'd still appreciate your suggestions very much.

    Can anyone offer suggestions as to how to do this (or something similar that would accomplish the same thing)? I'm only somewhat competent with C++, so if you know of any solutions in the form of already made programs that I could just execute from the updater program, that would be preferred. Thank you very much for reading!

    edit: A friend told me I should look at GPG and it does seem like that might be what I need, but I'm really confused with how I could implement what I need with them and the friend never used it in that way. If any of you have familiar with GPG could you offer some advice (even if its simply that I am confused as to the purpose of GPG and it cannot in fact be used for in the way I think it can)? Thanks again!

    Laura Jennings
    Last edited by Laura Jennings; 07-31-2007 at 03:08 PM.

  2. #2
    </3 Segfaults
    Join Date
    Jul 2007
    Posts
    27
    Just use a md5 checksum. When it starts downloading things from other sites, have the program connect to your computer and verify the checksum.

  3. #3
    Registered User
    Join Date
    Jul 2007
    Posts
    5
    I actually thought of something similar, but the problem is my computer won't be on 24/7.

  4. #4
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    I still think differst suggestion is a valid one, just make "your computer" into some server somewhere that you think you can trust.

    --
    Mats

  5. #5
    </3 Segfaults
    Join Date
    Jul 2007
    Posts
    27
    Put the checksums on a hosting service. Have the program check that website.

    Anyways, if they can change the text file, they can change anything. So they can simply alter the md5 sum and insert their own. It'll never be totally secure.

  6. #6
    Cat
    Cat is offline
    Registered User
    Join Date
    May 2003
    Posts
    1,571
    Quote Originally Posted by Differ View Post
    Put the checksums on a hosting service. Have the program check that website.

    Anyways, if they can change the text file, they can change anything. So they can simply alter the md5 sum and insert their own. It'll never be totally secure.
    Which is why the original idea is a good one -- to sign it.

    You generate a key pair using any public key cryptography algorithm -- e.g. Diffie-Hellman, DSS, RSA, etc -- and when you generate that text file, you sign it with your private key. The program has, embedded within it, your public key, which it uses to decrypt the patch. You likewise encrypt the patch itself with your private key, and the program decrypts it.

    Now, the only way the hacker can modify what gets patched (without having the private key) would be to compromise BOTH the web host and the end user's machine, alter the client itself to replace the public key with one the hacker made, and replace the patch files with ones the hacker made.

    However, if the hacker has already compromised the user's machine, it's simply not possible to stop them (and really, if they've already compromised the server and client both, trying to stop them is like closing the barn door after the horse gets away).

    This signature method, as long as the machine storing the private key is not compromised, means that compromising the web server cannot compromise your clients. It's therefore of vital importance to keep that key secure and private.

    Ideally your development machine wouldn't even have internet access -- the patch would be developed and encrypted there, burned onto CD, and then taken to a computer with internet access. You could also use something like a removable flash drive, but you'd want to be sure autorun is disabled for that drive, and wipe the contents of the drive before copying data onto it. With that, it's highly unlikely they could compromise the machine holding the key.

    Without using dual key cryptography to sign the patch files, someone who compromised the web server could compromise the clients.
    Last edited by Cat; 07-31-2007 at 06:59 PM.
    You ever try a pink golf ball, Wally? Why, the wind shear on a pink ball alone can take the head clean off a 90 pound midget at 300 yards.

  7. #7
    </3 Segfaults
    Join Date
    Jul 2007
    Posts
    27
    I mean, a hacker can use SoftIce to actually go into the program and change the locations it's downloading from, after everything has been processed. A relatively simple task.

  8. #8
    Cat
    Cat is offline
    Registered User
    Join Date
    May 2003
    Posts
    1,571
    Quote Originally Posted by Differ View Post
    I mean, a hacker can use SoftIce to actually go into the program and change the locations it's downloading from, after everything has been processed. A relatively simple task.
    Of course, but that means the hacker has already compromised the end-user's machine.

    What this protects against is the hacker compromising the web server hosting the patch files, and modifying the patch files in order to compromise all the end users.
    Last edited by Cat; 07-31-2007 at 07:51 PM.
    You ever try a pink golf ball, Wally? Why, the wind shear on a pink ball alone can take the head clean off a 90 pound midget at 300 yards.

  9. #9
    </3 Segfaults
    Join Date
    Jul 2007
    Posts
    27
    Quote Originally Posted by Cat View Post
    Of course, but that means the hacker has already compromised the end-user's machine.

    What this protects against is the hacker compromising the web server hosting the patch files, and modifying the patch files in order to compromise all the end users.
    That was really stupid of me. I didn't think of that.

  10. #10
    Cat
    Cat is offline
    Registered User
    Join Date
    May 2003
    Posts
    1,571
    Quote Originally Posted by Differ View Post
    That was really stupid of me. I didn't think of that.
    You are correct, though, in that there's nothing you can ever truly do about the end-user modifying the program, at best you make it harder, or get into an arms race of countermeasures.
    You ever try a pink golf ball, Wally? Why, the wind shear on a pink ball alone can take the head clean off a 90 pound midget at 300 yards.

  11. #11
    Registered User
    Join Date
    Jul 2007
    Posts
    5
    Thank you all very much for your ideas. Cat, you are a genius . GPG definitely has a learning curve (more so than I thought it would) but I really appreciate the suggestions. I do have one quick question, is there any reason to both sign and encrypt the patch files (instead of just signing them)? Thanks again!

    Laura

  12. #12
    Malum in se abachler's Avatar
    Join Date
    Apr 2007
    Posts
    3,189
    As long as you are using a liveCD, try makign the web page on a static disk, like a CD or DVD, then you can just remove the harddrive entirely. We are looking at doing this for the website at work. Makes it practically impossible for a hacker to rewrite your site. If you need to change the website fo course, you have to burn a new CD or DVD, but thats a small price to pay for security.
    Until you can build a working general purpose reprogrammable computer out of basic components from radio shack, you are not fit to call yourself a programmer in my presence. This is cwhizard, signing off.

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. My own itoa()
    By maxorator in forum C++ Programming
    Replies: 18
    Last Post: 10-15-2006, 12:49 PM
  2. Batch file programming
    By year2038bug in forum Tech Board
    Replies: 10
    Last Post: 09-05-2005, 04:30 PM
  3. Converting Sign Magnitude Integer Binary Files
    By Arthur Dent in forum C Programming
    Replies: 7
    Last Post: 09-13-2004, 11:07 AM
  4. I Need To Know Some Things That I Can Put Into A Batch File
    By TheRealNapster in forum A Brief History of Cprogramming.com
    Replies: 1
    Last Post: 10-20-2003, 09:12 PM
  5. Dos commands hehe
    By Carp in forum A Brief History of Cprogramming.com
    Replies: 2
    Last Post: 01-17-2003, 02:51 PM

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21