Re: Interesting bit of a quote
On Fri, 14 Jul 2006, Travis H. wrote: Absent other protections, one could simply write a new WORM media with falsified information. I can see two ways of dealing with this: 1) Some kind of physical authenticity, such as signing one's name on the media as they are produced (this assumes the signer is not corruptible), or applying a frangible difficult-to-duplicate seal of some kind (this assumes access controls on the seals). 2) Some kind of hash chain covering the contents, combined with publication of the hashes somewhere where they cannot be altered (e.g. publish hash periodically in a classified ad in a newspaper). My MS Thesis was on this topic: http://lunkwill.org/cv/logcrypt_update.pdf If you store a value with a TTP (say, an auditor), and follow the protocol honestly, it's impossible to go back later and falsify records. The symmetric version uses hash chains, and was invented several times before I came along. -J - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Interesting bit of a quote
From: Travis H. [EMAIL PROTECTED] Sent: Jul 14, 2006 11:22 PM To: David Mercer [EMAIL PROTECTED] Cc: cryptography@metzdowd.com Subject: Re: Interesting bit of a quote ... The problem with this is determining if the media has been replaced. Absent other protections, one could simply write a new WORM media with falsified information. I can see two ways of dealing with this: 1) Some kind of physical authenticity, such as signing one's name on the media as they are produced (this assumes the signer is not corruptible), or applying a frangible difficult-to-duplicate seal of some kind (this assumes access controls on the seals). I think this is going to resolve to chain-of-custody rules of some kind. One problem is that so long as the company making the records is storing them onsite, it's hard for an outside auditor to be sure they aren't being tampered with. (Can the CEO really not work out a way to get one of his guys access to the tape storage vault?) 2) Some kind of hash chain covering the contents, combined with publication of the hashes somewhere where they cannot be altered (e.g. publish hash periodically in a classified ad in a newspaper). You could do the whole digital timestamping thing here. You could also just submit hashes of this week's backup tape to your auditor and the SEC or something. Another solution is to use cryptographic audit logs. Bruce Schneier and I did some work on this several years ago, using a MAC to authenticate the current record as it's written, and a one-way function to derive the next key. (This idea was apparently developed by at least two other people independently.) Jason Holt has extended this idea to use digital signatures, which makes them far more practical. One caveat is that cryptographic audit logs only work if the logging machine is honest when the logs are written. --John - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Interesting bit of a quote
On 7/15/06, John Kelsey [EMAIL PROTECTED] wrote: Another solution is to use cryptographic audit logs. Bruce Schneier and I did some work on this several years ago, using a MAC to authenticate the current record as it's written, and a one-way function to derive the next key. (This idea was apparently developed by at least two other people independently.) Jason Holt has extended this idea to use digital signatures, which makes them far more practical. One caveat is that cryptographic audit logs only work if the logging machine is honest when the logs are written. Yeah, I love that idea, saw it at the 7th Usenix Security Symposium. For everyone else, there's an implementation here: http://isrl.cs.byu.edu/logcrypt/index.html I have been looking for something like this for a while. Note to Jason Holt: The subscribe links for the mailing lists are broken. I like the idea of encrypting the entries, but I thought that having to classify them into a finite number of classes, and restricting disclosure to be along class lines is restrictive, but I don't know offhand how to allow the logger to disclose arbitrary subsets efficiently. -- Resolve is what distinguishes a person who has failed from a failure. Unix guru for sale or rent - http://www.lightconsulting.com/~travis/ -- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Interesting bit of a quote
Travis H. wrote: 1) Some kind of physical authenticity, such as signing one's name on the media as they are produced (this assumes the signer is not corruptible), or applying a frangible difficult-to-duplicate seal of some kind (this assumes access controls on the seals). 2) Some kind of hash chain covering the contents, combined with publication of the hashes somewhere where they cannot be altered (e.g. publish hash periodically in a classified ad in a newspaper). a lot of that has to do with whether you have an original and/or whether an original has been modified. my view of audits for sox type stuff is whether the original is correct. that is where multiple independent sources of original information came in for purposes of cross checking (and possibility of any inconsistency is indication of something amiss) ... and where subsequently you have to start worrying about countermeasure to collusion. however, if you have collapsed the originals to single source, you loose the ability to cross-check multiple independent originals for validity of the information. so you ask for a lot more detailed information in the originals ... hoping the level of detail is harder to make consistent (since you may have some sense that you have lost the capability of cross checking multiple independent sources for inconsistency). the counterargument is that with IT technology ... that any level of detail can be programmed to be consistent (if you are going to create incorrect information in an original ... you could make it incorrectly consistent to any level of detail). So now you create significant threats and penalties for anybody (in charge) allowing incorrect information to appear in an audit (since you somehow realize that that with only a single source, it isn't likely that an audit is going to turn up inconsistent information as an indication that something is incorrect). So now you are potentially in a situation that audits are no longer an effective countermeasure to serious inconsistent or incorrect information ... its the threats and the penalties that are the countermeasure to serious inconsistent or incorrect information. At the same time there is some sense if audits previously had turned up inconsistency (from multiple independent sources) ... then possibly just increasing the level of audit detail might still provide some benefit. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]