So instead of one-way-hashing just the IP, hash the IP and a temporary throw-away secret that gets cycled at some regular interval (daily, weekly, monthly). Yes, this means that the logged IPs are still decipherable by anyone with access to that secret, but anyone with access to the machine in question, the software, etc. already has the ability to create a covert unhashed log. Just be sure you safely cycle the secret (i.e. generate it from a secure random source, store it only in memory or securely on the file system, don't back it up or copy it anywhere else, and then when you discard it, make sure the memory is overwritten and/or the file system safely overwritten so that it cannot be recovered).

One of the problems is that cycling the secret means you can't do the blind log statistics gathering across secret changes that you were keeping the logs around for in the first place. So you'd have to choose a cycling interval to balance your statistical or other log analysis needs against IP blinding requirements.

This does defeat some of the usefulness of the idea in the first place, but hey, as has been shown, just hashing the IP isn't such a good idea.

Aaron out.
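
The scheme described above, as an added example that is not part of the original post. It uses HMAC-SHA256 as the keyed hash (the post only says to hash the IP together with a secret). The class name, the daily interval and the injectable clock are assumptions made for illustration, and the sample addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time


class RotatingIPBlinder:
    """Pseudonymise IPs with HMAC-SHA256 under a secret held only in memory."""

    def __init__(self, interval_seconds=86400, clock=time.time):
        self.interval = interval_seconds
        self.clock = clock  # injectable so rotation can be exercised in tests
        self._key = bytearray(secrets.token_bytes(32))  # secure random source
        self._period = self._current_period()

    def _current_period(self):
        return int(self.clock() // self.interval)

    def _rotate_if_due(self):
        period = self._current_period()
        if period != self._period:
            # Best-effort wipe: zero the old key in place before replacing it.
            # The runtime may still hold transient copies this cannot reach.
            for i in range(len(self._key)):
                self._key[i] = 0
            self._key[:] = secrets.token_bytes(32)
            self._period = period

    def blind(self, ip_text):
        self._rotate_if_due()
        # Canonicalise so equivalent spellings of one address share a token.
        packed = ipaddress.ip_address(ip_text.strip()).packed
        return hmac.new(self._key, packed, hashlib.sha256).hexdigest()


def demo():
    now = [0.0]  # constructed clock, advanced by hand below
    blinder = RotatingIPBlinder(interval_seconds=86400, clock=lambda: now[0])
    a1 = blinder.blind("192.0.2.10")
    a2 = blinder.blind("192.0.2.10")
    b1 = blinder.blind("192.0.2.11")
    now[0] += 86400  # next interval: the secret is replaced
    a3 = blinder.blind("192.0.2.10")
    return a1, a2, b1, a3


if __name__ == "__main__":
    for token in demo():
        print(token)
```

Within one interval the same address always yields the same token, so per-visitor counts still work; after rotation the tokens no longer link to earlier ones, which is the trade-off against cross-interval statistics.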

