Sha256 executable

[univmalik]

Hello... I just wanted to ask you about verifiable downloads or signature files like we see in gpg4win or truecrypt. Also i wanted to ask you that the file size of encrypted file is significantly larger by about 150 bytes (excluding AES CREATED_BY (windows) 3.06 etc) ! What is the extra data? Thankyou!

[paulej]

We've been asked about including a verifiable hash before, but we do not do it because it provides a false sense of security. If you get AES Crypt directly from http://www.aescrypt.com, then you would be getting the genuine software. If we posted an SHA-1 or MD5 hash of the file, it might make you feel better to know it matches. However, if somebody was able to compromise the server and replace the AES Crypt executable code, then somebody would have the ability to also change the hash values. Thus, it provides a false sense of security. For that reason, we do not produce hash values. If you need absolute guarantees that the code has not been tampered with, it's best to build the software from the source code and to inspect the source code.

An encrypted file is larger, but the size is fixed. We allocate about 128 octets for non-encrypted extensions, like the CREATED_BY field. This is not required in the file format (it could be zero-length, just consuming two or three bytes). We also have encryption keys, IVs, HMACs, and other small pieces of data in each file. All of the details are documented in the .aes file format (http://www.aescrypt.com/aes_file_format.html)