On Fri, Mar 29, 2002 at 12:24:16PM -0800, Devin Kowatch wrote:
> protocol). In this situation it's basically impossible for the attacker
> to insert a message before the attack on A. So we should get good,
> verifiable logs of the attack. However, because it's impossible to
> determine where the bad messages started, if an attacker inserts a bogus
> message into the channel between A and L _after_ time t then all the log
> entries are invalidated for the entire logging session. This will include
> the log entries that show the source and method used to gain access.

Let's say that at some time "r", A is assumed to be safe (i.e. uncompromised). At some subsequent time "s", a hacker gains privilege on A and logs of this event are (we hope) generated. One copy of those log entries should be going to the local logfile, and the hash should be updated; another copy of those log entries is sent to L, where another PEO hash is updated as well. (K-Ai, the hash on A at any time i, is used to determine the integrity of logs GENERATED ON A; K-Li, the hash on L at any time i, is used to determine the integrity of logs RECEIVED ON L.)

It seems that you are claiming that, if at some still further subsequent time "t" (r<s<t) the hacker sends a message to L from A, then that invalidates the entire log session in question. Since K-Li, however, is a hash of all messages RECEIVED ON L, then K-Li is still valid--all of the messages in the current log session on L are messages that L did, in fact, receive from A (assuming the reliable network log infrastructure you specified). Even at time "t", the record of compromise at time "s" is still on L, is known to have come from A, and is known to have not been modified since being sent; the only way that that record of compromise could be invalid is if the actual compromise occurred at some time between "r" and "s", but did not generate any logged record, and then the record generated at time "s" was actually the "bogus" message.
That is technically possible, but a hacker who could compromise a machine without leaving any traces at all would probably not then want to call attention to their actions by falsifying evidence of that compromise (unless they were trying to cast blame on someone else, of course). Or am I misunderstanding what you're saying?

-- Sweth.

--
Sweth Chandramouli
Idiopathic Systems Consulting
svcat_private
http://www.idiopathic.net/
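The argument in the reply above, as an added illustration that is not code from the thread or from the PEO implementation it discusses: a simplified running hash (assumed here as K_i = SHA-256(K_{i-1} || entry_i) from an all-zero K_0, which stands in for the real PEO update) is kept separately on A and on L, the log entries for times r..t are constructed, and the checks show that a forged message received after t does not invalidate the compromise record received at s, while a retroactive edit of that record is detected.

```python
import hashlib

K0 = b"\x00" * 32  # assumed initial chain value, shared by A and L


def update_hash(k_prev: bytes, entry: bytes) -> bytes:
    """Fold one log entry into the running hash (stand-in for the PEO update)."""
    return hashlib.sha256(k_prev + entry).digest()


def chain(entries, k0=K0):
    """Return the running hashes K_1..K_n produced by appending `entries` in order."""
    ks, k = [], k0
    for e in entries:
        k = update_hash(k, e)
        ks.append(k)
    return ks


def verify(entries, expected_k, k0=K0):
    """True if replaying `entries` from k0 reproduces the hash value expected_k."""
    k = k0
    for e in entries:
        k = update_hash(k, e)
    return k == expected_k


# Constructed session: r and r+1 are normal, s is the compromise record,
# t is a message the attacker sends from A after gaining privilege.
GENUINE = [b"r: A boots clean", b"r+1: sshd accepted login for ops",
           b"s: su to root from ops"]
FORGED = b"t: forged message sent from A after compromise"


def scenario():
    k_a = chain(GENUINE)                        # K-A: over what A generated
    k_l_at_s = chain(GENUINE)[-1]               # K-L just after receiving s
    k_l_at_t = chain(GENUINE + [FORGED])[-1]    # K-L after receiving t
    # Entries received up to s still verify against K-L as it stood at s
    # (assumes L retained, or reported, that intermediate hash value).
    prefix_ok = verify(GENUINE, k_l_at_s)
    # Replaying L's full receive history reproduces K-L at t: L really did
    # receive exactly these messages, the forged one included, in this order.
    full_ok = verify(GENUINE + [FORGED], k_l_at_t)
    # Retroactively rewriting the record at s on A no longer matches K-A.
    tampered = GENUINE[:2] + [b"s: nothing happened"]
    tamper_detected = not verify(tampered, k_a[-1])
    return prefix_ok, full_ok, tamper_detected
```

The forged entry at t is itself preserved in L's chain, so the question of whether it is "bogus" is one of content, not of integrity.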
This archive was generated by hypermail 2b30 : Sun Mar 31 2002 - 08:25:24 PST