On Sat, 2003-04-05 at 03:02, Blaise St-Laurent wrote:
> On Thursday, April 3, 2003, at 11:48 PM, Jason Haar wrote:
>
> > I may be showing my ignorance here, but can someone explain to me how
> > checksums *by themselves* actually "prove" the data hasn't been
> > tampered with?
>
> You are correct, by themselves, they prove 0. I should have said signed
> (through cryptographic means) without being able to prove that the md5
> is authentic, and hasn't also been replaced, my suggestion is pretty
> much useless.

There are (or were) digital timestamping services available on the net.
You can send them a file and they send it back with a PGP signature
(which includes the time). Essentially they act as a third party notary.

Clearly it is not feasible to do this for every log file unless, perhaps,
you had a special black box managed by a trusted third party with an
accurate clock on your local network to which you submit your log files
every hour (or day or whatever).

Do any of the managed security services offer this?

What I have thought of is if I were involved in investigating a case that
was likely to go to court and I had a few MBs of logs that were crucial to
the case I would get these timestamped, so at least I could say: "these
are as they were when I found them the morning after..."

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

"It aint necessarily so" - Gershwin

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
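The point made in this thread, as an added example that is not part of the original messages: a checksum stored beside a log can be replaced along with the log, while a digest bound to a time by a third party cannot. The `Notary` class, its HMAC tag (a stand-in for the service's PGP signature), SHA-256 in place of md5, and the sample log line are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Notary:
    """Hypothetical third-party timestamper; its key never leaves it."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def _tag(self, digest: str, when: str) -> str:
        # Bind digest and time together so neither can be swapped alone.
        msg = json.dumps({"sha256": digest, "time": when}, sort_keys=True)
        return hmac.new(self._key, msg.encode(), hashlib.sha256).hexdigest()

    def stamp(self, digest: str, when: str) -> dict:
        return {"sha256": digest, "time": when, "tag": self._tag(digest, when)}

    def verify(self, token: dict) -> bool:
        expected = self._tag(token["sha256"], token["time"])
        return hmac.compare_digest(expected, token["tag"])


def check_bare_checksum(log: bytes, stored_digest: str) -> bool:
    """Checksum kept next to the log: only detects accidental change."""
    return sha256_hex(log) == stored_digest


def check_stamped(log: bytes, token: dict, notary: Notary) -> bool:
    """Log must match the digest AND the notary must vouch for the token."""
    return notary.verify(token) and sha256_hex(log) == token["sha256"]


def demo() -> dict:
    notary = Notary()
    # Constructed sample log line (documentation address range).
    original = b"Apr  4 02:11:09 host sshd[411]: Failed password from 192.0.2.7\n"
    token = notary.stamp(sha256_hex(original), "2003-04-05T09:00:00Z")
    # Later, the log is altered and the stored checksum recomputed to match.
    altered = original.replace(b"192.0.2.7", b"192.0.2.99")
    new_digest = sha256_hex(altered)
    return {
        "bare_checksum_accepts_altered": check_bare_checksum(altered, new_digest),
        "stamp_accepts_original": check_stamped(original, token, notary),
        "stamp_accepts_altered": check_stamped(altered, token, notary),
        "stamp_accepts_edited_token": check_stamped(
            altered, dict(token, sha256=new_digest), notary),
        "stamp_accepts_backdated": check_stamped(
            original, dict(token, time="2003-04-01T00:00:00Z"), notary),
    }
```

With a real service the tag would be a public-key signature, so anyone holding the service's public key could verify the token without contacting the notary.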
This archive was generated by hypermail 2b30 : Mon Apr 07 2003 - 12:52:48 PDT