Re: Putting a signature on logs

From: Seth Arnold (sarnoldat_private)
Date: Thu Jul 19 2001 - 16:54:07 PDT


    On Thu, Jul 19, 2001 at 02:57:11PM -0400, David Douthitt wrote:
    > Now it occurs to me that someone could say, "Gee, how do we know that
    > these logs haven't been altered?"
    > 
    > What about a digital signature for each log?  How would you go about
    > this?  I was thinking of using gpg (GNU Privacy Guard) but haven't
    > gotten far enough to know how - and my reference book is the PGP book
    > from O'Reilly and Associates.
    
    gpg (and pgp) are overkill for this application.
    
    The ubiquitous 'md5sum' program will be sufficient for this task, as
    long as you have written the md5sum of the files down in a
    tamper-resistant place. For our Immunix OS updates, bugtraq and its
    mirrors are sufficient. For forensics work, I would imagine a signed and
    dated piece of paper with the md5sum printed on it (printed just to save
    you the trouble and inaccuracies of hand writing the md5sum) would be
    sufficient.
    
    Many people will suggest you need a MAC (message authentication code)
    for this purpose; there may be something to this theory, but because a
    MAC depends upon a hidden password, you really don't gain much because
    you must publish the password for the MAC to be useful to convince
    anyone else that the logs are legitimate.
    
    Public key crypto doesn't really help in this case, unless a
    hand-written signature on a printed md5sum is *not* sufficient.
    
    -----------------------------------------------------------------
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 12:56:12 PDT