> From: [email protected] [mailto:discuss-[email protected]] On Behalf Of Ryan Frantz
>
> 1. Does Backup Exec store the data checksums independent of the media
> (i.e. on the media host)?

I know that if you format a system, and reinstall BE, you can still catalog and verify media. I therefore conclude the checksums are stored on the media.

I cannot personally testify that BE is well implemented, but I can say there are two known good ways to checksum the encrypted data. Either (a) your checksums are also encrypted, or (b) the checksum is not encrypted, but it is a checksum of the decrypted data, which an attacker couldn't meaningfully manipulate. In both situations (a) and (b) the attacker doesn't have any way to modify the data undetected, unless they know your key.

There is still one more possible attack... Since the attacker can read your ciphertext, and they can delay or reorder or duplicate other packets (in this case tape blocks) they could replace some blocks with other blocks, including matching checksums. The countermeasure to this type of attack is to include something like a serial number in each decrypted packet, so the receiver will be able to detect, and possibly correct, packet reordering, repetition, and/or deletion.

It would be insane of Symantec to checksum the encrypted data and store the unencrypted checksum next to the encrypted data, making it brainlessly trivial to corrupt the data and pass the checksum. It would also be borderline insane to use a decrypted checksum, while neglecting a serializer in the decrypted data blocks.

That being said, I cannot personally attest to Symantec being sane. They're probably sane. But who knows for sure?

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
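
The three layouts discussed in the message above, as an added example that is not part of the original post and does not reflect Backup Exec's actual on-media format. Constructed byte strings stand in for encrypted tape blocks, and an HMAC (a keyed tag, swapped in here for the encrypted or decrypted-data checksum) stands in for a checksum that cannot be recomputed without the key; `KEY`, `BLOCKS` and all function names are assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: secret held only by the backup owner
# Constructed stand-ins for encrypted tape blocks (opaque ciphertext bytes).
BLOCKS = [b"ct-block-A", b"ct-block-B", b"ct-block-C"]


def seal(blocks, mode):
    """Return (block, tag) records as they would sit side by side on the media."""
    out = []
    for serial, blk in enumerate(blocks):
        if mode == "plain":    # unkeyed checksum of the ciphertext
            tag = hashlib.sha256(blk).digest()
        elif mode == "keyed":  # keyed tag, but no serial number
            tag = hmac.new(KEY, blk, hashlib.sha256).digest()
        else:                  # "serial": keyed tag bound to the block position
            tag = hmac.new(KEY, serial.to_bytes(8, "big") + blk, hashlib.sha256).digest()
        out.append((blk, tag))
    return out


def verify(records, mode):
    """Recompute each tag at the position where the block was read and compare."""
    fresh = seal([blk for blk, _ in records], mode)
    return all(hmac.compare_digest(tag, good) for (_, tag), (_, good) in zip(records, fresh))


def tampered_copies(records):
    """Changes that need no key: edit a block, swap two blocks, repeat one."""
    blk, _ = records[0]
    edited = [(blk + b"!", hashlib.sha256(blk + b"!").digest())] + records[1:]
    swapped = [records[1], records[0]] + records[2:]
    repeated = [records[0], records[0]] + records[2:]
    return {"edited": edited, "swapped": swapped, "repeated": repeated}


def undetected(mode):
    """Names of the tampered copies that still pass verification in this mode."""
    records = seal(BLOCKS, mode)
    assert verify(records, mode)  # the untouched media must verify
    return sorted(n for n, r in tampered_copies(records).items() if verify(r, mode))


if __name__ == "__main__":
    for mode in ("plain", "keyed", "serial"):
        print(mode, "-> passes verification despite tampering:", undetected(mode))
```

Binding the position into the tag catches reordering, repetition and removal of a middle block; detecting truncation at the end additionally needs the expected block count recorded somewhere the tag covers.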
