Sorry, I did mean to agree that the tagging of the algorithm is needed.
There also must be a "nonce" or pseudorandom field to make sure that rapid
successive event records with the same timestamp have different content,
for example:

<md5:abc719d0efb184c;asdf1234fdsa4321>
                     ^^^^^nonce^^^^^^

If chained MACs are used, this "nonce" would be the value of the last MAC
field from this log client.

The syntax used for tagging probably does not matter much, but in
consideration of the ULM draft it might be good to use something like

MD5=abc719d0efb184c NON=asdf1234fdsa4321

I still would like to know how likely it is that this pair of MAC values in
this encoding might overrun the 1024-byte buffer limit of syslog. Any
experience here? Most UNIX system messages seem to be under 256 bytes.

Alex Brown <[EMAIL PROTECTED]> +1 508 323 2283
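
As an added illustration of the chained-MAC tagging described in the message above (not code from the list or from any syslog implementation), this example tags records in the `MD5=... NON=...` form, verifies the chain, and measures the tag overhead against the 1024-byte limit. HMAC-MD5 as the MAC, the shared key, the full 32-hex-digit encoding and all function names are assumptions.

```python
import hashlib, hmac, os

SYSLOG_MAX = 1024  # syslog buffer limit cited in the message above
KEY = b"constructed-demo-key"  # assumption: secret shared by client and verifier

def _mac(key, body, nonce):
    # The MAC covers the nonce, so identical bodies still tag differently.
    return hmac.new(key, f"{body} NON={nonce}".encode(), hashlib.md5).hexdigest()

class ChainedTagger:
    """Log-client side: each record's NON is the previous record's MAC."""
    def __init__(self, key, seed=None):
        self.key = key
        self.prev = seed or os.urandom(16).hex()  # first nonce is random

    def tag(self, body):
        nonce, mac = self.prev, _mac(self.key, body, self.prev)
        line = f"{body} MD5={mac} NON={nonce}"
        if len(line.encode()) > SYSLOG_MAX:
            raise ValueError("tagged record exceeds the syslog limit")
        self.prev = mac
        return line

def verify_chain(key, lines):
    """Return indexes of records with a bad MAC or a broken chain link."""
    bad, prev = [], None
    for i, line in enumerate(lines):
        try:
            rest, nonce = line.rsplit(" NON=", 1)
            body, mac = rest.rsplit(" MD5=", 1)
        except ValueError:  # tags missing or malformed
            bad.append(i)
            prev = None
            continue
        mac_ok = hmac.compare_digest(mac, _mac(key, body, nonce))
        if not (mac_ok and (prev is None or nonce == prev)):
            bad.append(i)
        prev = mac
    return bad

def tag_overhead():
    """Bytes the two tags add when both are full 32-hex-digit MD5 values."""
    return len(" MD5=" + "0" * 32 + " NON=" + "0" * 32)

def demo():
    # Constructed sample: three identical records with the same timestamp.
    tagger = ChainedTagger(KEY, seed="asdf1234fdsa4321")
    msg = "Nov  2 17:21:13 host su: FAILED SU (to root)"
    return [tagger.tag(msg) for _ in range(3)]
```

A deleted record shows up as a broken link at the record that follows it, and a modified record fails its own MAC. With full-length hex values the two tags add 74 bytes per record.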







[EMAIL PROTECTED] on 11/02/99 05:21:13 PM
Please respond to [EMAIL PROTECTED]
Sent by:  [EMAIL PROTECTED]

To:   [EMAIL PROTECTED]
cc:    (Alex Brown/US/3Com)
Subject:  Re: [syslog-sec] embedding hashes in messages

 > What do you think?
For these purposes, MD5 is fine;  the main reason to prefer it, from my
perspective, is that many other protocols in the embedded management
systems of small network devices will have to have MD5 in their libraries
so no additional crypto code is necessary.  I don't think the same is true
of SHA-1.
Alex Brown <[EMAIL PROTECTED], [EMAIL PROTECTED]>
+1 508 323 2283, +1 617 504 8761

antirez <[EMAIL PROTECTED]> on 11/02/99 04:57:53 PM
Please respond to [EMAIL PROTECTED]
Sent by:  antirez <[EMAIL PROTECTED]>

To:   [EMAIL PROTECTED]
cc:    (Alex Brown/US/3Com)
Subject:  Re: [syslog-sec] embedding hashes in messages

On Wed, Nov 03, 1999 at 07:31:26AM +1100, Darren Reed wrote:
 > Make sure the hash function is mentioned in the message somewhere!
 > i.e. <md5:abc719d0efb184c>
Seems a good idea. About md5: after a "light" analysis it seems that md5's
possible weaknesses (compression function problem [see birthday attack] and
length) aren't a problem with syslog messages. What do you think?
(I don't want to start an md5 against sha1 thread ;)
Also an issue against UDP: It's impossible to handle fragmentation problems
with UDP since it's impossible to use path mtu discovery.
antirez