February 25th, 2008, 11:34 AM
#1
Authenticating a program
I have an application that talks to a home server once in a while and may download updates, which can be .EXEs or .DLLs. It has been brought up that a Man in the Middle attack (MitM) can allow someone to download bogus files. I.e., my app tries to download App.exe from our server, but the download is hijacked and ends up downloading the file from another source.
The first idea was to simply use MD5 sums (which we already use to validate the files), but that is only a minor obstacle. A would-be hacker just needs to get a copy of the updated file, make his Trojan file and tweak it until the MD5 sum of the Trojan matches the actual file. I am not sure how hard or easy this is to do. Maybe it is good enough, maybe not.
If it is not good enough, what are some other ways you can authenticate that a file actually came from where you thought it did? Another idea I had was using certs. We already sign our application and DLLs. It would seem that I could look at a downloaded file and see if it was signed AND if it was the same cert as the current application had (or perhaps a newer version). I was looking at the Crypto-Cert API and nothing jumped out at me as a clear way to do this. The other issue is how do you validate a file you didn't make? I.e., an MFC.DLL or something that isn't signed.
Anyway, any comments or suggestions on how to authenticate a downloaded file would be welcome.
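
The certificate check proposed in the post (the download must be signed, and signed by the same publisher as the installed application) can be sketched in PowerShell with the built-in `Get-AuthenticodeSignature` cmdlet. This is an added example, not part of the original post; the function name `Test-UpdateSignature` and its parameters are hypothetical, and it assumes the installed binary is an Authenticode-signed file the updater already trusts.

```powershell
# Added example, not from the original post; function and parameter names are hypothetical.
function Test-UpdateSignature {
    param(
        [Parameter(Mandatory)] [string] $DownloadedFile,   # file the updater just fetched
        [Parameter(Mandatory)] [string] $InstalledFile,    # already-trusted signed binary, e.g. the running EXE
        [string[]] $AllowedThumbprints = @()               # optional: thumbprints of renewed publisher certificates
    )

    # Take the expected publisher identity from a file we already trust.
    $reference = Get-AuthenticodeSignature -FilePath $InstalledFile
    if ($reference.Status -ne 'Valid') {
        throw "Reference file has no valid signature: $($reference.Status)"
    }

    $candidate = Get-AuthenticodeSignature -FilePath $DownloadedFile

    # 'Valid' means the signature matches the file contents and the certificate
    # chain is trusted. NotSigned, HashMismatch, NotTrusted and so on stop here.
    if ($candidate.Status -ne 'Valid') {
        Write-Warning "Rejected '$DownloadedFile': signature status $($candidate.Status)"
        return $false
    }

    # A valid signature only proves that some trusted publisher signed the file.
    # Require that the signer is our own certificate, or a renewed one listed
    # explicitly (a renewed certificate has a different thumbprint).
    $signer  = $candidate.SignerCertificate.Thumbprint
    $trusted = @($reference.SignerCertificate.Thumbprint) + $AllowedThumbprints
    if ($trusted -notcontains $signer) {
        Write-Warning "Rejected '$DownloadedFile': signed by $($candidate.SignerCertificate.Subject)"
        return $false
    }

    return $true
}
```

Call it on the staged download before replacing any installed file, and discard the download when it returns `$false`. An unsigned third-party file fails this check with status `NotSigned`.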