OK, I need to be more explicit. I assert that nobody can describe to me a system that I cannot subvert for providing "signed" logs for use as evidence _without_ using a trusted third party in some manner.
All of the in-house PKI solutions seem to be trivially subverted by obtaining the private key from whatever piece of hardware is holding it. It is impossible to provide onsite hardware/software packages that cannot have the private keys extracted.[1] Protocols that use a third party seem to involve hideous back-channel connections which make them pretty much impractical.

No offense, Marc, but I think you read a few too many brochures. UniCERT and SelectAccess seem to be unrelated to generic record signing/timestamping (according to the Baltimore brochureware). As usual, I'd love actual technical detail. Phrases like "has capabilities" don't do much for me - vendors assert all sorts of things.

Yes, I'm sticking my neck out, as usual. Bring it on. ;)

Cheers,

[1] Some may find this contentious, and start talking about "tamper-proof" hardware tokens, etc. I claim that history is on my side, but I'm open to debate.

--
Ben Nagy
Network Security Specialist
Mb: TBA
PGP Key ID: 0x1A86E304

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Marc E. Mandel
> Sent: Tuesday, June 11, 2002 6:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: firewall logging
>
>
> In response to Ben Nagy's 06/08/2002 message that asked:
> "I see the need for evidence quality data, but I can't see
> how incorporating signatures in that way would go any way
> towards making data more courtworthy. To cheat, I just fake
> the logs on my firewall, sign them (because I have the
> private keys on the firewall) and send them to my collector.
> I might be missing something profound here, but I
> can't think of a way to solve that problem without a trusted
> third party acting in some manner. Is there one?"
>
> My response:
> Baltimore Technologies plc has capabilities in both its SelectAccess and
> UniCERT products that will cryptographically time stamp and digitally sign
> each audit/log record as it is generated so that fake entries could not be
> added later. [...]
> Marc Mandel

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to: http://lists.gnac.net/mailman/listinfo/firewalls
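The attack Ben describes in the quoted message (the firewall holds the signing key, so whoever controls the firewall can fabricate and re-sign its own log) can be shown concretely. The following is an added, constructed example and is not code from either poster or from any Baltimore product. It models the signed log as a hash chain of HMACs (a keyed MAC stands in for a per-device signature; the argument is identical for a private key held on the box), with made-up log lines, a made-up key, and a hypothetical outside "witness" that records the chain head. Only the Python standard library is used.

```python
"""Toy model of per-device signed firewall logs, and why the signer can forge them.

Constructed example. RECORDS, FIREWALL_KEY and the witness are all made up;
HMAC-SHA256 stands in for whatever signature scheme the device would use.
"""
import hashlib
import hmac

# Constructed sample log lines in a firewall-like format (not real traffic).
RECORDS = [
    b"2002-06-08T10:00:01 DENY  tcp 10.0.0.5:4421  -> 192.0.2.10:22",
    b"2002-06-08T10:00:03 ALLOW tcp 10.0.0.7:51200 -> 192.0.2.20:443",
    b"2002-06-08T10:00:09 DENY  udp 10.0.0.9:1434  -> 192.0.2.30:1434",
]

# Assumption from the thread: the signing key lives on the firewall itself.
FIREWALL_KEY = b"hypothetical-key-that-lives-on-the-firewall"

GENESIS = b"\x00" * 32  # fixed starting value for the chain


def sign_entry(key: bytes, prev_mac: bytes, record: bytes) -> bytes:
    """MAC over (previous entry's MAC || record), so entries form a chain."""
    return hmac.new(key, prev_mac + record, hashlib.sha256).digest()


def build_chain(key: bytes, records: list) -> list:
    """Return [(record, mac), ...]; each MAC commits to all earlier records."""
    chain = []
    prev = GENESIS
    for rec in records:
        mac = sign_entry(key, prev, rec)
        chain.append((rec, mac))
        prev = mac
    return chain


def verify_chain(key: bytes, chain: list) -> bool:
    """Collector-side check: recompute every MAC in order and compare."""
    prev = GENESIS
    for rec, mac in chain:
        if not hmac.compare_digest(sign_entry(key, prev, rec), mac):
            return False
        prev = mac
    return True


def chain_head(chain: list) -> bytes:
    """The final MAC commits to the whole chain so far."""
    return chain[-1][1] if chain else GENESIS


def forge(key: bytes, records: list, index: int, replacement: bytes) -> list:
    """What an attacker holding the firewall's key does: rewrite one record
    and re-sign everything after it. Because the chain is a deterministic
    function of (key, records), the result verifies exactly like the original."""
    edited = list(records)
    edited[index] = replacement
    return build_chain(key, edited)


def witness_check(witnessed_head: bytes, chain: list) -> bool:
    """Hypothetical outside party that recorded the chain head earlier.
    Rewriting any entry at or before that point changes the head."""
    return hmac.compare_digest(witnessed_head, chain_head(chain))


def demo() -> tuple:
    """Returns (verifies_with_key_only, matches_external_witness) for a forgery."""
    honest = build_chain(FIREWALL_KEY, RECORDS)
    assert verify_chain(FIREWALL_KEY, honest)
    witnessed = chain_head(honest)  # snapshot taken by the outside party

    # Attacker on the firewall turns a DENY into an ALLOW and re-signs the chain.
    forged = forge(FIREWALL_KEY, RECORDS, 0,
                   b"2002-06-08T10:00:01 ALLOW tcp 10.0.0.5:4421  -> 192.0.2.10:22")
    key_only_ok = verify_chain(FIREWALL_KEY, forged)     # True: key alone cannot tell
    witness_ok = witness_check(witnessed, forged)        # False: head no longer matches
    return key_only_ok, witness_ok


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, `demo()` returns `(True, False)`: the collector that only holds the key (or the matching public key) accepts the forged chain, which is Ben's point, while a head digest recorded by a party outside the firewall exposes the rewrite, which is the "trusted third party acting in some manner" the thread is arguing about. The witness only protects entries committed before its snapshot; entries appended afterwards can still be fabricated until the next snapshot, which is why such schemes need the periodic out-of-band connection Ben objects to.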
