On Sun, Mar 31, 2002 at 05:16:06PM +0200, Shane Kerr wrote:
> On 2002-03-29 12:24:16 -0800, Devin Kowatch wrote:
> >
> > The second problem is that it is not possible to determine where the
> > log was altered. If an attacker inserts or alters a message at time t
> > then all messages after time t will not be verifiable. But because
> > the intermediate hash values are not saved it will also be impossible
> > to verify messages _before_ time t.
>
> My understanding is that we save the original key, meaning that the
> entire chain of hash values and keys can be generated, given the log
> entries. Using this information you can verify all logs made before the
> compromise are unaltered.

This is true, but with a bogus message (i.e. not part of the hash chain)
anywhere in the log file, it is impossible (or at least difficult) to
figure out which message is bad. All you have is a starting key, and the
final hash value.

So if we have a starting key, K, generated at time t=0, and the last hash
value, Kt, generated at time t, then with these we can tell if a message
was inserted, altered, or deleted, but not which message. When it comes
to post-compromise verification, the compromise is likely to have
occurred at time s, where 0<s<t. So it would be possible to figure out
that the attacker changed a log entry, but not which one or when.

With some careful deletions the records of the attack can be removed, and
new records of a fake attack (from another host) can be inserted. The
fake records would get inserted to throw the investigation off, because
it's known that someone altered the logs.

That is assuming of course that there is no central log server. This
is a, hopefully, invalid assumption.

Does that make a little more sense?

thanks,
--
Devin Kowatch
devinkat_private

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
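The detect-but-cannot-locate situation described above, as an added worked example (this is not code from the thread or from the scheme being discussed on the list). The chain construction is an assumption: each entry is MACed under a per-entry key that is evolved by hashing and then discarded, and the chain value is the hash of the previous chain value plus that MAC. The starting key K0, the sample log lines and the checkpoint placement are all constructed for the demonstration. With only K0 and the final hash, a tampered log fails verification but the bad entry cannot be pinned down; committing intermediate chain values elsewhere (the "checkpoints" here, e.g. sent to a central log server) narrows the tamper to a window between two checkpoints.

```python
"""Hash-chained log: verify with K0 and the final hash only, then narrow a
tamper down once intermediate chain values are committed off-host.
Added example with a constructed sample log; not the list's own code."""
import hashlib
import hmac


def evolve_key(key: bytes) -> bytes:
    """Derive the key for the next entry; the previous key is discarded."""
    return hashlib.sha256(b"evolve|" + key).digest()


def chain_step(prev_hash: bytes, key: bytes, msg: bytes) -> bytes:
    """Chain value for one entry: hash of the previous value and the entry's MAC."""
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return hashlib.sha256(prev_hash + tag).digest()


def run_chain(k0: bytes, entries):
    """Recompute the whole chain from the starting key; return every intermediate value."""
    key, h, trail = k0, b"\x00" * 32, []
    for msg in entries:
        h = chain_step(h, key, msg)
        trail.append(h)
        key = evolve_key(key)
    return trail


def verify_final(k0: bytes, entries, final_hash: bytes) -> bool:
    """All the verifier has in the thread's scenario: K0 and the last hash value."""
    trail = run_chain(k0, entries)
    return bool(trail) and hmac.compare_digest(trail[-1], final_hash)


def locate_with_checkpoints(k0: bytes, entries, checkpoints):
    """checkpoints maps an entry index to the chain value committed off-host
    right after that entry. Returns (lo, hi): the first checkpoint that fails
    and the index just after the last one that passed, i.e. the window that
    must contain the first bad entry. None means every checkpoint matched."""
    trail = run_chain(k0, entries)
    last_good = -1
    for idx in sorted(checkpoints):
        if idx < len(trail) and hmac.compare_digest(trail[idx], checkpoints[idx]):
            last_good = idx
        else:
            return (last_good + 1, idx)
    return None


# Constructed sample data (assumption: K0 is kept somewhere the attacker cannot reach).
K0 = hashlib.sha256(b"constructed starting key, not a real secret").digest()
LOG = [
    b"sshd: Accepted publickey for alice from 192.0.2.10",
    b"sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",
    b"cron: (root) CMD (run-parts /etc/cron.hourly)",
    b"sshd: Accepted password for bob from 192.0.2.11",
    b"sudo: bob : TTY=pts/1 ; COMMAND=/usr/bin/vi /etc/passwd",
    b"sshd: Accepted password for root from 198.51.100.7",
    b"su: pam_unix(su:session): session opened for user root",
    b"kernel: usb 1-1: new device found",
    b"sshd: Connection closed by 192.0.2.10",
    b"cron: (root) CMD (logrotate /etc/logrotate.conf)",
]
_TRAIL = run_chain(K0, LOG)
FINAL = _TRAIL[-1]                       # the "Kt" the verifier trusts
ONLY_FINAL = {len(LOG) - 1: FINAL}       # the thread's scenario: nothing in between
CHECKPOINTS = {3: _TRAIL[3], 7: _TRAIL[7], 9: _TRAIL[9]}  # values sent off-host

# Attacker rewrites the root login at index 5 to blame another host.
TAMPERED = list(LOG)
TAMPERED[5] = b"sshd: Failed password for root from 203.0.113.9"

if __name__ == "__main__":
    print("clean log verifies:", verify_final(K0, LOG, FINAL))
    print("tampered log verifies:", verify_final(K0, TAMPERED, FINAL))
    print("window with K0 and Kt only:", locate_with_checkpoints(K0, TAMPERED, ONLY_FINAL))
    print("window with checkpoints:", locate_with_checkpoints(K0, TAMPERED, CHECKPOINTS))
```

With only the final value the window returned is the entire log (0 to 9), which is exactly the "we know something changed, but not what or when" outcome; with three committed intermediate values the same tamper is bracketed to entries 4 through 7. Deleting an entry instead of altering it shifts every later index, so it too fails at the first checkpoint at or past the deletion, and is bracketed the same way.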
This archive was generated by hypermail 2b30 : Mon Apr 01 2002 - 14:11:37 PST