Re: [logs] "Temperproof" logfiles?

From: Russell Fulton (r.fultonat_private)
Date: Sun Apr 06 2003 - 22:57:02 PDT


    On Sat, 2003-04-05 at 03:02, Blaise St-Laurent wrote:
    > On Thursday, April 3, 2003, at 11:48  PM, Jason Haar wrote:
    > 
    > >
    > > I may be showing my ignorance here, but can someone explain to me how
    > > checksums *by themselves* actually "prove" the data hasn't been
    > > tampered with?
    > You are correct, by themselves, they prove 0. I should have said signed 
    > (through cryptographic means). Without being able to prove that the md5 
    > is authentic, and hasn't also been replaced, my suggestion is pretty 
    > much useless.
    
    There are (or were) digital timestamping services available on the net.  
    You can send them a file and they send it back with a PGP signature (which 
    includes the time).  Essentially they act as a third party notary.
    
    Clearly it is not feasible to do this for every log file unless, perhaps,
    you had a special black box managed by a trusted third party with an
    accurate clock on your local network to which you submit your log files 
    every hour (or day or whatever).   Do any of the managed security services 
    offer this?
    
    What I have thought of is if I were involved in investigating a case that
    was likely to go to court and I had a few MBs of logs that were crucial to
    the case I would get these timestamped, so at least I could say: "these are
    as they were when I found them the morning after..."
    
    
    -- 
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    
    "It aint necessarily so"  - Gershwin
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
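
The point of the exchange above, as an added example that is not part of the original message: a checksum stored beside a log can be recomputed by whoever edits the log, while a timestamp token issued by a third party cannot. Assumptions: the `Notary` class, its key and the sample log lines are hypothetical and constructed; HMAC-SHA256 stands in for the notary's PGP signature (so verification goes back through the notary rather than a public key), and SHA-256 replaces the md5 mentioned in the thread.

```python
import hashlib
import hmac
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class Notary:
    """Hypothetical third-party timestamper; holds a key the log host never sees."""
    def __init__(self, key: bytes):
        self.key = key

    def tag(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def stamp(self, digest: str, when: int) -> dict:
        # Bind the digest and the time together, then authenticate both.
        payload = json.dumps({"sha256": digest, "time": when}, sort_keys=True)
        return {"payload": payload, "tag": self.tag(payload)}

    def verify(self, token: dict) -> bool:
        return hmac.compare_digest(self.tag(token["payload"]), token["tag"])

def bare_checksum_ok(log: bytes, stored: str) -> bool:
    # Checksum "by itself": anyone who can edit the log can edit this too.
    return sha256_hex(log) == stored

def check_log(log: bytes, token: dict, notary: Notary) -> str:
    if not notary.verify(token):
        return "token not issued by notary"
    claim = json.loads(token["payload"])
    if claim["sha256"] != sha256_hex(log):
        return "log changed after stamp"
    return "unchanged since %d" % claim["time"]

# Constructed sample data (not from any real system).
ORIGINAL = b"Apr  6 21:14:03 host sshd[411]: Failed password for root from 192.0.2.7\n"
TAMPERED = b"Apr  6 21:14:03 host sshd[411]: Accepted password for backup from 192.0.2.9\n"
STAMP_TIME = 1049695022  # constructed epoch seconds

if __name__ == "__main__":
    notary = Notary(b"constructed-notary-key")
    token = notary.stamp(sha256_hex(ORIGINAL), STAMP_TIME)
    # The editor of the log recomputes the bare checksum, so it still "verifies".
    print(bare_checksum_ok(TAMPERED, sha256_hex(TAMPERED)))
    print(check_log(ORIGINAL, token, notary))
    print(check_log(TAMPERED, token, notary))
```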
    



    This archive was generated by hypermail 2b30 : Mon Apr 07 2003 - 12:52:48 PDT