Appendix: Calculating Image Message Digests


Several Attribute Certificates are expected to be used to verify the integrity of the images. That is, they will be used to ensure that a particular image file, or part of that image file, has not been altered in any way from its original form. To accomplish this task, these certificates will typically include something called a Message Digest.

Message digests are similar to a file checksum in that they produce a small value that relates to the integrity of a file. A checksum is produced by a simple algorithm and its use is primarily to detect memory failures. That is, it is used to detect whether or not a block of memory on disk has gone bad and the values stored there have become corrupted. A message digest is similar to a checksum in that it will also detect file corruption. However, unlike most checksum algorithms, a message digest also has the property that it is very difficult to modify a file such that it will have the same message digest as its original (unmodified) form. That is, a checksum is intended to detect simple memory failures leading to corruption, but a message digest may be used to detect intentional, and even crafty modifications to a file, such as those introduced by viruses, hackers, or Trojan Horse programs.

It is not desirable to include all image file data in the calculation of a message digest. In some cases it simply presents undesirable characteristics (like the file is no longer localizable without regenerating certificates) and in other cases it is simply impossible. For example, It is not possible to include all information within an image file in a message digest, then insert a certificate containing that message digest in the file, and later be able to generate an identical message digest by including all image file data in the calculation again (since the file now contains a certificate that wasn't originally there).

This specification does not attempt to architect what each Attribute Certificate may be used for, or which fields or sections of an image file must be included in a message digest.

However, this section does identify which fields you may not want to or may not include in a message digest.

In addition to knowing which fields are and are not included in the calculation of a message digest, it is important to know the order in which the contents of the image are presented to the digest algorithm. This section specifies that order.

Fields Not to Include in Digests

There are some parts of an image that you may not want to include in any message digest. This section identifies those parts, and describes why you might not want to include them in a message digest.

  • Information related to Attribute Certificates It is not possible to include a certificate in the calculation of a message digest that resides within the certificate. Since certificates can be added to or removed from an image without affecting the overall integrity of the image, this is not a problem. Therefore, it is best to leave all attribute certificates out of the image even if there are certificates already in the image at the time you are calculating your message digest. There is no guarantee those certificates will still be there later, or that other certificates won't have been added. To exclude attribute certificate information from the message digest calculation, you must exclude the following information from that calculation:

    • The Certificate Table field of the Optional Header Data Directories.

    • The Certificate Table and corresponding certificates pointed to by the Certificate Table field listed immediately above.

  • Debug information Debug information may generally be considered advisory (to debuggers) and does not affect the actual integrity of the executable program. It is quite literally possible to remove debug information from an image after a product has been delivered and not affect the functionality of the program. This is, in fact, a disk saving measure that is sometimes utilized. If you do not want to include debug information in your message digest, then you should not include the following information in your message digest calculation:

    • The Debug entry of the Data Directory in with optional header

    • The .debug section

  • File Checksum field of the Windows-Specific Fields of the Optional Header This checksum includes the entire file (including any attribute certificates included in the file) and will, in all likelihood, be different after inserting your certificate than when you were originally calculating a message digest to include in your certificate.

  • Unused, or obsolete fields There are several fields that are either unused or obsolete. The value of these fields is undefined and may change after you calculate your message digest. These fields include:

    • Reserved field of the Optional Header Windows-Specific Fields (offset 52).

    • The DLL Flags field of the Optional Header Windows-Specific Fields. This field is obsolete.

    • Loader Flags field of the Optional Header Windows-Specific Fields. This field is obsolete.

    • Reserved entries of the Data Directory in the object header.

  • Resources (makes localization easier) Depending upon the specific Attribute Certificate, it may be desirable or undesirable to include resources in the message digest. If you want to allow localization without the generation of new certificates, then you do not want to include resources in your message digest. If the values of the resources are critical to your application, then you probably do want them included in your message digest, and you will accept the overhead of generating a certificate for each localized copy of the image. If you do not want to include resources in your message digest, then you should not include the following information in the message digest calculation:

    • Resource Table entry of the Optional Header Data Directory

    • The .rsrc section



The Common Language Infrastructure Annotated Standard (Microsoft. NET Development Series)
The Common Language Infrastructure Annotated Standard (Microsoft. NET Development Series)
ISBN: N/A
EAN: N/A
Year: 2002
Pages: 121

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net