Originally Posted By: tacit
In the case of the Flame malware, Microsoft was using a code-signing security certificate that was well known.

The way a code-signing certificate works is that it creates a hash value from a computer program. Then it encrypts this hash using the private encryption key of a private key/public key encryption system. The public key and the method for creating the hash are distributed along with the program.

When you run the program, the computer uses the public key to decrypt the encrypted hash. Then it creates its own hash of the program. Then it compares the two, the hash it created with the hash that was included with the program. If they are not the same, that means the program has been tampered with, and the computer refuses to run it.

The hash is encrypted to prevent bad guys from modifying the program and then just attaching a new hash to it. You can't attach a new hash unless you know Microsoft's private encryption key. (In private key/public key encryption, you use one password to encrypt something. A different password is used to decrypt it. You can tell the whole world what the decryption password is; it can only be used to decrypt something, it cannot be used to encrypt it.)

The Flame malware writers used some extremely clever and complex math to analyze Microsoft's hashing routine and find weaknesses in it. Using that analysis, they were able to figure out how to create hash collisions. So they could tamper with a program, then add stuff at the end to make a hash collision, so that the hash of the maliciously modified program was the same as the hash for the unmodified program. They could not create a new hash, but they could perform modifications and then engineer a hash collision so that the modified program had the same hash.

Wow!!!

You may hate hackers, but you've got to give them some respect.

I've read at least one post, probably yours, that discussed the public/private key system, but I don't remember it being a real object lesson.

Your recent post puts the whole thing into perspective.

Thanks.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
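A toy model of the signing and verification tacit describes, added here as an example and not taken from the thread: a program's hash is signed with a textbook RSA private key, checked with the public key, and a tampered copy fails. A 16-bit truncated hash then stands in for a broken hash function, and appending a colliding suffix to the tampered copy makes it pass verification with the original signature. The keys (built from Mersenne primes), the sample programs and the weak hash are all constructed for the example; it assumes Python 3.8+.

```python
import hashlib

# Toy RSA key from two Mersenne primes (constructed for illustration only;
# real keys use random primes with no such structure and padded signatures).
P, Q = (1 << 127) - 1, (1 << 521) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)


def strong_hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def weak_hash(data: bytes) -> bytes:
    """Stand-in for a broken hash: only 16 bits survive, so collisions are cheap."""
    return hashlib.sha256(data).digest()[:2]


def sign(program: bytes, private_key, hashfn) -> int:
    """Hash the program, then 'encrypt' the hash with the private exponent."""
    n, d = private_key
    return pow(int.from_bytes(hashfn(program), "big"), d, n)


def verify(program: bytes, signature: int, public_key, hashfn) -> bool:
    """Recover the signed hash with the public exponent and compare to a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashfn(program), "big")


def forge_collision(original: bytes, tampered: bytes, hashfn, max_tries=1 << 20):
    """Append a counter suffix to `tampered` until its hash equals that of `original`."""
    target = hashfn(original)
    for i in range(max_tries):
        candidate = tampered + i.to_bytes(4, "big")
        if hashfn(candidate) == target:
            return candidate
    return None  # no collision found within budget (expected only for a strong hash)


def run_demo() -> dict:
    program = b"print('hello, world')"       # constructed sample program
    tampered = b"print('goodbye, world')"    # constructed modified copy
    sig_strong = sign(program, PRIVATE_KEY, strong_hash)
    sig_weak = sign(program, PRIVATE_KEY, weak_hash)
    forged = forge_collision(program, tampered, weak_hash)
    return {
        "genuine_passes": verify(program, sig_strong, PUBLIC_KEY, strong_hash),
        "tampered_fails": not verify(tampered, sig_strong, PUBLIC_KEY, strong_hash),
        "forged_passes_weak": forged is not None and verify(forged, sig_weak, PUBLIC_KEY, weak_hash),
        "forged_fails_strong": forged is not None and not verify(forged, sig_strong, PUBLIC_KEY, strong_hash),
    }
```

The same signature accepts the forged copy only because the weak hash collides; with the full hash the appended suffix changes the digest and verification fails as it should.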