atom feed200 messages in org.freebsd.freebsd-securityRe: secure logging (was: Re: security...
FromSent OnAttachments
Vincent PoyJul 28, 1997 3:19 am 
Nicole H.Jul 28, 1997 3:22 am 
Vincent PoyJul 28, 1997 4:39 am 
Robert WatsonJul 28, 1997 5:36 am 
Nicole H.Jul 28, 1997 5:40 am 
Eric FeillantJul 28, 1997 5:41 am 
David HollandJul 28, 1997 6:12 am 
Nicole H.Jul 28, 1997 6:15 am 
Jonathan A. ZdziarskiJul 28, 1997 6:22 am 
Tomasz DudziakJul 28, 1997 6:29 am 
Adam ShostackJul 28, 1997 6:39 am 
Guido van RooijJul 28, 1997 6:52 am 
Garrett WollmanJul 28, 1997 7:04 am 
Robert WatsonJul 28, 1997 7:56 am 
Robert WatsonJul 28, 1997 7:59 am 
Ollivier RobertJul 28, 1997 8:16 am 
Robert WatsonJul 28, 1997 8:48 am 
Jonathan A. ZdziarskiJul 28, 1997 8:50 am 
Jonathan A. ZdziarskiJul 28, 1997 8:54 am 
Rodney W. GrimesJul 28, 1997 8:55 am 
Adam ShostackJul 28, 1997 9:04 am 
Robert WatsonJul 28, 1997 10:08 am 
Rodney W. GrimesJul 28, 1997 10:26 am 
Vincent PoyJul 28, 1997 10:59 am 
Vincent PoyJul 28, 1997 11:23 am 
Vincent PoyJul 28, 1997 11:27 am 
David LangfordJul 28, 1997 11:30 am 
Vincent PoyJul 28, 1997 11:31 am 
Robert WatsonJul 28, 1997 11:33 am 
Robert WatsonJul 28, 1997 11:44 am 
Jonathan A. ZdziarskiJul 28, 1997 11:46 am 
Jonathan A. ZdziarskiJul 28, 1997 11:48 am 
Jonathan A. ZdziarskiJul 28, 1997 11:49 am 
Robert WatsonJul 28, 1997 12:29 pm 
Vincent PoyJul 28, 1997 12:29 pm 
Vincent PoyJul 28, 1997 12:38 pm 
Vincent PoyJul 28, 1997 12:48 pm 
Vincent PoyJul 28, 1997 12:54 pm 
Vincent PoyJul 28, 1997 12:56 pm 
Adam ShostackJul 28, 1997 1:04 pm 
Jonathan A. ZdziarskiJul 28, 1997 1:15 pm 
Jonathan A. ZdziarskiJul 28, 1997 1:16 pm 
Robert WatsonJul 28, 1997 1:45 pm 
Jonathan A. ZdziarskiJul 28, 1997 1:47 pm 
Jonathan A. ZdziarskiJul 28, 1997 1:51 pm 
Robert WatsonJul 28, 1997 1:54 pm 
Nate WilliamsJul 28, 1997 2:00 pm 
Ollivier RobertJul 28, 1997 2:07 pm 
Matthew N. DoddJul 28, 1997 2:14 pm 
Karl DenningerJul 28, 1997 2:42 pm 
Vincent PoyJul 28, 1997 2:43 pm 
Vincent PoyJul 28, 1997 3:01 pm 
Vincent PoyJul 28, 1997 3:06 pm 
Jordan K. HubbardJul 28, 1997 3:10 pm 
Vincent PoyJul 28, 1997 3:25 pm 
Vincent PoyJul 28, 1997 3:28 pm 
Matthew N. DoddJul 28, 1997 3:30 pm 
Vincent PoyJul 28, 1997 3:30 pm 
Vincent PoyJul 28, 1997 3:44 pm 
Brian BuchananJul 28, 1997 4:06 pm 
Gary Clark IIJul 28, 1997 4:06 pm 
Vincent PoyJul 28, 1997 4:14 pm 
Vincent PoyJul 28, 1997 4:16 pm 
Vincent PoyJul 28, 1997 4:18 pm 
Matthew N. DoddJul 28, 1997 4:18 pm 
Vincent PoyJul 28, 1997 4:19 pm 
Vincent PoyJul 28, 1997 4:25 pm 
Vincent PoyJul 28, 1997 4:30 pm 
Brian BuchananJul 28, 1997 4:48 pm 
Jordan K. HubbardJul 28, 1997 4:59 pm 
Jordan K. HubbardJul 28, 1997 5:00 pm 
Vincent PoyJul 28, 1997 5:02 pm 
Brian BuchananJul 28, 1997 5:09 pm 
Vincent PoyJul 28, 1997 5:19 pm 
Vincent PoyJul 28, 1997 5:20 pm 
Gary PalmerJul 28, 1997 5:22 pm 
Vincent PoyJul 28, 1997 5:26 pm 
Vincent PoyJul 28, 1997 5:30 pm 
Gary PalmerJul 28, 1997 5:30 pm 
Brian BuchananJul 28, 1997 5:32 pm 
Gary PalmerJul 28, 1997 5:33 pm 
Vincent PoyJul 28, 1997 5:34 pm 
Gary PalmerJul 28, 1997 5:36 pm 
Vincent PoyJul 28, 1997 5:40 pm 
Gary PalmerJul 28, 1997 5:44 pm 
115 later messages
Subject:Re: secure logging (was: Re: security hole in FreeBSD)
From:Robert Watson (rob@cyrus.watson.org)
Date:Jul 28, 1997 12:29:22 pm
List:org.freebsd.freebsd-security

On Mon, 28 Jul 1997, Robert Watson wrote:

Perhaps we should add another field that has bits to define the requirement that a given log message be transmitted using authenticity, confidentiality, and whether it is worth being stored. In any situation where there was significant doubt, the message would be discarded for security reasons, or logged locally and a message passed later to indicate the problem. Also, should authenticity by against a global name space (DNSsec), and then permission to store messages from a given identity by defined against that name space, or should it be for transaction-level only? I'd almost be tempted to define a wrapper packaging for syslog messages like so:

u_int16_t sl_flags u_int8_t sl_prot_type u_int8_t sl_entity_len u_int8_t sl_entity[] u_int32_t sl_timesigned u_int16_t sl_type u_int16_t sl_priority u_int16_t sl_msglen u_int8_t sl_message[] u_int8_t sl_signature_len u_int8_t sl_signature[]

Where the signature is over all values present except for the signature+length itself. Type of protection used would be in the protection type field. This would allow storage of complete log entry entities, including the signing identity, signature that proves it signed the data, priority, etc. This would not provide for guarunteed delivery- -- that would be the responsibility of the transport mechanism used by syslog. This could actually by the stored log entry used on syslog servers. To prevent replay (if not provided by the transport), perhaps a sl_log_id (u_int16_t?) could be provided, which would also indicate jumps in the sequence, etc.

Having thought about this a little more, I'd be tempted to go for a more variable data section to this. Probably in the form of a u_int8_t num_records variable, and then a number of strings representing those records, each with variable length. Also, possibly priority. Clustering similar log messages for the sakes of reducing transmissions and number of signing operations is probably a good idea, but retaining order is important too. Has anyone looked statistically at the distribution of log messages on a standard web server or user server (whatever that means?) to see whether messages cluster by source, priority, type, etc?

Is there any concensus on the use of DNSsec in the network community, as it has not yet been made widely available (or at least, it is available, but not largely used.) The key namespace here could be used however one desired, nor necessarily in a DNS-style way. The entity-name, whatever that is, simply suggests which key/algorithm should be used, a server could be configured to pull that information from DNSsec, or from an internal key-file (or both.)

Also, if we make a move to TCP, how should connection-management be worked? Presumably, one must make a connection fairly quickly on receiving to send, assuming that it passes any local authenticity requirements (e.g., a log-message must come from a key in *.my.domain to be forwarded), and then put in a queue for delivery when the transport is available. If the TCP connection is already open, and a new message doesn't arrive quickly, it should be delivered. If the TCP connection is not open, then the forwarder (or source) should wait for a certain time-out (something short) for more messages, or until the queue reaches a threshhold before opening the connection. Some delay is acceptable in log delivery, I think, but not too much. Opening the connection will involve a delay -- a T/TCP startup is probably a good idea, as data is immediately ready to send when the connection is opened, or it would not be opening.

An ACK message has already been stated as desirable -- would a simple signature over the last packet (or header + signature) using the shared secret, entity public key, or whatever, back on the TCP connection suffice? Maybe something lighter-weight?

Robert N Watson

Junior, Logic+Computation, Carnegie Mellon University http://www.cmu.edu/ Network Security Research, Trusted Information Systems http://www.tis.com/ Network Administrator, SafePort Network Services http://www.safeport.com/ rob@fledge.watson.org rwat@tis.com http://www.watson.org/~robert/