[logs] Problems/Questions on PEO

From: Devin Kowatch (devinkat_private)
Date: Fri Mar 29 2002 - 12:24:16 PST


    Hi, I just read your paper "VCR and PEO revised".  There are a few
    problems that I can see with using this to verify the validity of log
    messages.  However, I'm not an expert, so I could be wrong.
    
    I also thought that people on the log-analysis list might be interested.
    
    First problem is that the method you use for keying hashes doesn't
    actually protect against forgery.  I'm assuming that H is a chained hash
    function (like MD5 and SHA-1).  PEO uses Ki = H(K(i-1), Di), but if an
    attacker can get Ki then it is possible to calculate a new Ki for a log
    message Di,y. Or some extra text y appended to Di[1].  This could pose a
    problem because the text of y might change the semantics of the log
    entry, or add backspaces to the log entry (thus making it hard to
    read).  Of course this is mostly academic because you throw away K(i-1),
    however, it does mean that an attacker who breaks in at time i+1 can
    alter the log entry of time i without knowing K(i-1).
    
    The second problem is that it is not possible to determine where the log
    was altered.  If an attacker inserts or alters a message at time t then 
    all messages after time t will not be verifiable.  But because the
    intermediate hash values are not saved it will also be impossible to
    verify messages _before_ time t.  
    
    This leads to some obvious problems.
    Let's say that an attacker gains access to machine A at time t.  From
    that point forward the logs from A cannot be trusted, however, we still
    have the logs of the attack (which is good).  Further, let's assume that
    A is logging to a central log server L, and uses an authenticated, integrity
    checked channel for communication from A to L (i.e. the new syslog reliable
    protocol).  In this situation it's basically impossible for the attacker
    to insert a message before the attack on A.  So we should get good,
    verifiable logs of the attack.  However, because it's impossible to 
    determine where the bad messages started, if an attacker inserts a bogus 
    message into the channel between A and L _after_ time t then all the log 
    entries are invalidated for the entire logging session. This will include
    the log entries that show the source and method used to gain access.
    
    [1] "Keying Hash Functions for Message Authentication"
        http://www-cse.ucsd.edu/users/mihir/papers/hmac.html
        
    Thanks,
    
    -- 
    Devin Kowatch
    devinkat_private
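
An added example, not part of the original message or of the PEO paper: it contrasts the final-key-only check the message describes with a variant that saves a value derived from each intermediate key, so a verifier holding K0 can report the first entry that fails. SHA-256 as H, HMAC for the key update (per reference [1]), the function names, and the sample log lines are all assumptions made for illustration.

```python
import hashlib
import hmac

K0 = b"constructed-initial-key"          # shared with the verifier (constructed)
LOG = [b"sshd: session opened for alice",  # constructed sample entries
       b"su: alice to root",
       b"sshd: session closed for alice",
       b"cron: job 17 started"]

def peo_final(k0, entries):
    """Chain from the mail: K_i = H(K_{i-1}, D_i); only the last K is kept."""
    k = k0
    for d in entries:
        k = hashlib.sha256(k + d).digest()
    return k

def peo_verify(k0, entries, final_key):
    """All-or-nothing: one mismatch anywhere fails the whole session."""
    return hmac.compare_digest(peo_final(k0, entries), final_key)

def step(key, entry):
    """Key update using HMAC (reference [1]) instead of H(K || D)."""
    return hmac.new(key, entry, hashlib.sha256).digest()

def tag(key):
    """Value saved beside each entry; derived from K_i, not K_i itself."""
    return hmac.new(key, b"tag", hashlib.sha256).digest()

def write_tags(k0, entries):
    k, tags = k0, []
    for d in entries:
        k = step(k, d)
        tags.append(tag(k))
    return tags

def first_bad_entry(k0, entries, tags):
    """Index of the first entry that fails to verify, or None if all pass."""
    k = k0
    for i, d in enumerate(entries):
        k = step(k, d)
        if i >= len(tags) or not hmac.compare_digest(tag(k), tags[i]):
            return i
    return None if len(tags) == len(entries) else len(entries)

if __name__ == "__main__":
    final, tags = peo_final(K0, LOG), write_tags(K0, LOG)
    forged = LOG[:3] + [b"bogus entry"] + LOG[3:]
    forged_tags = tags[:3] + [bytes(32)] + tags[3:]
    print("PEO final-key check:", peo_verify(K0, forged, final))
    print("first bad entry:", first_bad_entry(K0, forged, forged_tags))
```

With the bogus entry inserted at index 3, the final-key check only reports failure for the whole session, while the saved tags show that entries 0 to 2 still verify.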
    