Matt Scarborough wrote: > As to known goods, an "MD5 collection project," and to the original > poster, it may be helpful to know Microsoft provides MD5s for its OS > files, Service Packs, Hotfixes, etc., in the ANSI text file(s) > UPDATE.VER accompanying each. I've been unable to locate an UPDATE.VER for the baseline retail build of any Microsoft product. These files are only provided with service packs and hotfixes (thus the name UPDATE.VER). If you take the time to verify Microsoft's digital signature carefully (i.e. using a trusted box not connected to a network) and you think you know Microsoft's authentic public key for code signing (see the certificate chain below) then the UPDATE.VER files are very useful. Otherwise they are self-verifying. You must verify Microsoft's digital signature on a trusted box in order to know whether or not it is reasonable to trust a given UPDATE.VER file. You can't just execute the hotfix or service pack installer and then trust whatever UPDATE.VER it puts on your hard drive. Microsoft doesn't publish hashes of the code it distributes the way that other vendors do. When asked why, they've told me that they prefer to use digital signatures. Since those signatures can only be verified in practice by using Microsoft's software, this reasoning bothers me but it is what it is and it probably won't change any time soon. To verify authentic MD5 hashes of updated binaries published by Microsoft you must be aware of the existence of the UPDATE.VER files in the first place (they are often placed in a temporary directory during setup and then automatically deleted when setup is complete) and you must have an MD5 hashing utility available, which of course Windows does not ship with by default. You can build your own, and the source code to one written in C# for Microsoft .NET is included below and can also be found in an article I wrote recently: http://www.msdn.microsoft.com/msdnmag/issues/02/09/ASPNETHashAlgorithms/defa ult.aspx using System; using System.Security.Cryptography; using System.IO; namespace MD5Hasher { class Class1 { [STAThread] static void Main(string[] args) { HashAlgorithm md5Hasher = MD5.Create(); FileStream fs; byte[] hash; FileInfo[] fi = new DirectoryInfo( Directory.GetCurrentDirectory()).GetFiles(); foreach(FileInfo f in fi) { try { fs = f.Open(FileMode.Open); hash = md5Hasher.ComputeHash(fs); fs.Close(); System.Console.WriteLine(f.Name + ": " + BitConverter.ToString(hash)); } catch(Exception ex) {} } }} } My copy of the Microsoft Windows 2000 Publisher certificate chain (trust it if you wish) is below. In addition to a database of authentic hashes, we also need a database of authentic public keys -- it is not reasonable to trust arbitrary certificate chains, and every change of public key that occurs must be accompanied by an official notice from the keyholder. This is true of keys used for SSL encryption, too, but it is most critically-important in the case of code signing. Issuer: CN = Microsoft Root Authority OU = Microsoft Corporation OU = Copyright (c) 1997 Microsoft Corp. Subject: CN = Microsoft Root Authority OU = Microsoft Corporation OU = Copyright (c) 1997 Microsoft Corp. Public Key: 3082 010A 0282 0101 00A9 02BD C170 E63B F24E 1B28 9F97 785E 30EA A2A9 8D25 5FF8 FE95 4CA3 B7FE 9DA2 203E 7C51 A29B A28F 6032 6BD1 4264 79EE AC76 C954 DAF2 EB9C 861C 8F9F 8466 B3C5 6B7A 6223 D61D 3CDE 0F01 92E8 96C4 BF2D 669A 9A68 2699 D03A 2CBF 0CB5 5826 C146 E70A 3E38 962C A928 39A8 EC49 8342 E384 0FBB 9A6C 5561 AC82 7CA1 602D 774C E999 B464 3B9A 501C 3108 2414 9FA9 E791 2B18 E63D 9863 1460 5805 659F 1D37 5287 F7A7 EF94 02C6 1BD3 BF55 45B3 8980 BF3A EC54 944E AEFD A77A 6D74 4EAF 18CC 9609 2821 0057 9060 6937 BB4B 1207 3C56 FF5B FBA4 660A 08A6 D281 5657 EFB6 3B5E 1681 7704 DAF6 BEAE 8095 FEB0 CD7F D6A7 1A72 5C3C CABC F008 A322 30B3 0685 C9B3 2077 1385 DF02 0301 0001 -- Issuer: CN = Microsoft Root Authority OU = Microsoft Corporation OU = Copyright (c) 1997 Microsoft Corp. Subject: CN = Microsoft Windows Verification Intermediate PCA OU = Copyright (c) 1999 Microsoft Corp. O = Microsoft Corporation L = Redmond S = WA C = US Public Key: 3082 0108 0282 0101 00BC CD90 6A36 BA7B 3FE8 8A89 E8F4 87AE 6051 5160 6F98 9230 8A00 8BC1 A48C F057 6AE9 06B8 92F2 542D 0B66 9C71 BA3F FE00 AD8E FE4E 7C00 6DEF 520F 9FE4 3007 C235 802D AE09 F0EB 0A89 2300 2E2D 3960 BAA0 6391 852A BBC7 553B E63C 9F13 7959 6D46 10ED B5ED B11A 855C 553D CC93 6111 7E37 13F5 911E 3860 8724 8FBB 4FE1 B828 35E6 B446 4E21 8381 3F37 E146 C2CD D4AC 4FC7 0DCA 9FA0 D93C 14B9 7163 C525 74BD 216D DDC7 086D D949 4AE7 A832 9507 7D94 0CAD DDCC 9F66 D8FE 92A2 2081 2464 A6AA 6274 C0F0 3DAC 2EE3 2F4D B574 0A00 2F33 1161 79FE FCA0 8DE2 FC75 C9BD 0462 6508 74AA D31B B9FC 07E6 6778 2345 7CF6 BFD8 D540 F4F9 8193 1D2B 8D91 FDBF 005D 1FD2 FEDC B702 0103 -- Issuer: CN = Microsoft Windows Verification Intermediate PCA OU = Copyright (c) 1999 Microsoft Corp. O = Microsoft Corporation L = Redmond S = WA C = US Subject: CN = Microsoft Windows 2000 Publisher OU = Copyright (c) 2001 Microsoft Corp. O = Microsoft Corporation L = Redmond S = Washinngton C = US Public Key: 3081 8902 8181 00C5 9049 339C 753E 31C9 DCCF AAB4 43E1 A990 9E60 8A5C 817E B817 3F03 07A6 F3FA BD63 6413 B094 C35E A5EC D322 E4DC 439D 4CDE 75A6 D53E EF48 177E AD2E 6C41 6018 A3C2 942B 82D3 E7E3 63A6 AF24 F5E3 AB76 3787 9D6C ED5C 888A 087E E5B7 CEEB F2F1 4053 7EFB 88D5 4D18 C558 13B9 4250 CE43 8BD8 68A2 1E13 B0AF 6B0E 32DA 8F12 A491 9502 0301 0001 ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Jan 26 2003 - 09:29:48 PST