tag:blogger.com,1999:blog-6193377.post3715876475466532191..comments2011-12-13T12:58:26.399+01:00Rainer Gerhardshttps://profiles.google.com/112402185904751517878noreply@blogger.comBlogger6125tag:blogger.com,1999:blog-6193377.post-76474170809224504662011-12-13T12:58:26.399+01:002011-12-13T12:58:26.399+01:00IANAL, but for the purpose of presenting a log as evidence in a court room, there is the question of secure enough. Hand signatures on paper is considered secure enough. DNA sampled by a police officer is considered secure enough. But you can never be completely certain that the police officer hasn&#39;t tampered with the DNA sample. And it is possible to forge a hand signature on paper.<br /><br />With that in mind, if it is very difficult to retrieve the secret private key, then it may be secure enough for the court. If one can point to established procedures and security measures, and they are approved and trusted by the court, then the log can be used as proof.<br /><br />With this in mind, I belive there is sufficient reason for creating a PKI-secured logging system. In my opinion it&#39;s not a waste of time.larstobihttp://www.blogger.com/profile/10980583104626784839noreply@blogger.comtag:blogger.com,1999:blog-6193377.post-85320733821253980402011-12-13T11:10:53.900+01:002011-12-13T11:10:53.900+01:00As I said, you can proof that the signature is correct assuming that the signing key was not compromised. If you assume that keys are compromised then you are of course right: with a compromised key you can not have any security at all. So under this assumption, you can never build any secure system.<br /><br />My reference to https was to talk about the strength of cryptography. It is not a signature protocol.Rainer Gerhardshttp://www.blogger.com/profile/12765720626924376847noreply@blogger.comtag:blogger.com,1999:blog-6193377.post-23800822356568851272011-12-13T10:22:56.170+01:002011-12-13T10:22:56.170+01:00Hi,<br /><br />Rainer wrote:<br />&gt; HOWEVER, you can get such a message store on rewritable media<br />&gt; &quot;sufficiently&quot; secure. By &quot;sufficient&quot; I meant secure in the<br />&gt; same level as HTTPS, online banking, PGP, etc. are secure. Think<br />&gt; about PGP signed mail.<br /><br />Mhh... maybe we have to define the wanted result first.<br /><br />When you are talking about HTTPS, you are talking about a secured connection. This security is based on the fact that you have to trust the remote&#39;s SSL key.<br />I won&#39;t go into the problems PKI is currently suffering, but all you do is trusting that you are talking to the system you want to talk to. The SSL key is your &quot;proof&quot;, but this proof is nothing:<br /><br />- You would need to know the fingerprint of every certificate in the chain to verify<br /><br />- And even you know every fingerprint, you cannot be sure if some bad guy has stolen the key<br /><br />So what does HTTPS do? It just securing the connection between you and the endpoint you are connected, using the known key. But it cannot guarantee that the current key user is the designated key owner. Everyone should keep this in mind.<br /><br /><br />The same applies to PGP:<br />A PGP signature is nothing. It&#39;s just saying, that the person who created the signature had access to the required private key and the passphrase at creation time.<br /><br />As you have to trust the SSL key integrity, you have to trust the PGP&#39;s key integrity.<br /><br /><br />So what do you (and other) want to achieve/proof with that feature?Igorhttp://www.blogger.com/profile/00097946544878384703noreply@blogger.comtag:blogger.com,1999:blog-6193377.post-24043644000561693632011-12-12T12:49:51.941+01:002011-12-12T12:49:51.941+01:00Thanks for the comments. Indeed, the checksum-only thing is broken. But this is meant only as a starter, and maybe to see how much interest there actually is. I, too, was surprised how many people seemed to like the simple checksum chain that was proposed with journald. But in the light of that, I&#39;d say there is some value in feeding this need (and there were some arguments that back this -- guess I need to write yet another blog post ;)).<br /><br />HOWEVER, you can get such a message store on rewritable media &quot;sufficiently&quot; secure. By &quot;sufficient&quot; I meant secure in the same level as HTTPS, online banking, PGP, etc. are secure. Think about PGP signed mail. There is a big difference between a simple hash chain and a digital signature - less in code to do it, but in security. While it is easy to recompute hashes (as long as no record of previous hashes was saved), it is &quot;impossible&quot; to mangle the signature (&quot;impossible&quot;, again, under the same constraints we do all of our crypto stuff - so if someone finds a polynominal time algorithm to factor prime numbers, no security remains for the usual algorithms).<br /><br />The idea is to extend LogStore with signature records. This means at closure (or any n records written), a record is added that contains the latest hash and *that* records is digitally signed (by public/private key cryptography). In that case, you can still recompute the checksums, but then the checksums will not match the signed record (or the signature be broken, if the latter is modified as well).<br /><br />So, yes, it is possible to make a log store &quot;revisionssicher&quot; (audit-gradness). That will also give you benefit when used as evidence in court.Rainerhttp://www.blogger.com/profile/12765720626924376847noreply@blogger.comtag:blogger.com,1999:blog-6193377.post-26075834532017920552011-12-12T10:02:23.940+01:002011-12-12T10:02:23.940+01:00While it may not be possible to make it completely tamper proof, I think a major point is to make it hard to manipulate logs. This can potentially make it very hard as long as the secret key is kept secret. There are Hardware Security Modules (HSM) that can make retrieving the key very hard.larstobihttp://www.blogger.com/profile/10980583104626784839noreply@blogger.comtag:blogger.com,1999:blog-6193377.post-85327392140920489122011-12-08T20:16:55.647+01:002011-12-08T20:16:55.647+01:00Hi,<br /><br />are you really sure you aren&#39;t wasting your time? Don&#39;t get me wrong, but a secure storage on a rewritable medium is fiction.<br /><br />You said it, too:<br />&quot;As such, manipulations inside the log store can be detected, as long as the checksums of all records are not also recomputed.&quot;<br /><br />Isn&#39;t that what an attacker will do? Recompute all records to hide his traces?<br /><br />That&#39;s what will happen everytime: You know there&#39;s one way, then you will find it...<br /><br />I understand the idea, I also like it. But because I don&#39;t see a way how this could work, why do you spend so much time on it?<br /><br />What&#39;s the benefit?<br /><br />I think you have heard about the German Staatstrojaner. It is important for legal usage, that you provide some kind of &quot;revisionssicher&quot; storage.<br /><br />You wrote it, the CCC has proofed it, other have proofed it too - this isn&#39;t possible with rewritable storage mediums.<br /><br />So again: What&#39;s the benefit? Why do you spend so much time on it?<br /><br />Aren&#39;t you creating a imagination of security?<br /><br />Please, don&#39;t get me wrong. I like your work, but I really don&#39;t understand how you could get on that train...<br /><br />Currently I would recommend: Leave it asap.Igorhttp://www.blogger.com/profile/00097946544878384703noreply@blogger.com