Thanks for your comment -
You're right, of course; a stronger and more compact authentication hash code
is possible; but the intent was to establish only an authenticated predecessor
for each line, not an authenticated stream. Each message is authenticated
independently by concatenating a shared secret as well as the chain value in
the hash; there is thus both an initial K(0) and the shared secret, known to
source and sink. The explicit chain value makes it possible to resume an
interrupted sequence (and to trace a sequence manually).
This probably should be made clearer in the writeup.
Alex
Balazs Scheidler wrote:
> On Wed, Jul 19, 2000 at 05:04:36AM -0400, Alex Brown wrote:
> > This is not yet in proper RFC form, but it should suffice to restate the
> > case for improved practice within an existing syslog environment. All
> > comments are welcome.
> >
> > http://www.msg.com/~abrown/draft-syslog-auth.html
>
> This is the format you suggest:
>
> Nov 5 14:14:54 zorilla PAM_pwdb[509]: (login) session opened \
> for user abrown by (uid=0) chain=227c40a6cde84f49bfad43c412490110 \
> md5=a6739e57964c9dec7613d663f049c0f7
> Nov 5 14:14:55 zorilla PAM_pwdb[509]: (login) session closed \
> for user abrown chain=a6739e57964c9dec7613d663f049c0f7 \
> md5=cbce1c7ced9cfdc1fb86ba8ef365d8eb
>
> I don't think we need two md5 hashes for each log line (chain= and md5=). We
> could simply include the chain value implicitly in the value of md5. Here's
> the formula to use:
>
> M(i) is the ith message, CK(i) is the check value to be appended to the
> message, and K(i) is the chaining value kept private. Given a K(i) you
> derive the values of CK(i) and K(i+1) the following way:
>
> (1) CK(i) = H(K(i) || M(i))
> (2) K(i+1) = H(K(i) || CK(i))
>
> So CK(i) depends on the contents of the message being sent, and the private
> chaining value which depends on all previous messages. K(i) is never sent
> through the wire, but is recalculated on each side when verifying messages.
> The initial value K(0) is the key, which needs to be stored at both sides,
> and which ensures message authenticity.
>
> And also we may also want to separate the hash values from the logline, for
> instance by sending the hash values in the next line.
>
> --
> Bazsi
> PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
> url: http://www.balabit.hu/pgpkey.txt
--
Alex Brown
http://orbiter.ne.3com.com/abrown.html
POB 341 Hopkinton MA 01748-0341 Two 3Com Drive - Marlborough MA
+1 617 504 8761 +1 508 323 2283 voice 1111 fax
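
Added example, not part of the original message or of the draft: a Python sketch of the implicit chaining in formulas (1) and (2) of the quoted reply, with H taken as MD5 to match the md5= fields in the sample lines. The key K0 and the third log line are constructed for the example, and the function names are hypothetical.

```python
import hashlib
import hmac

def H(*parts: bytes) -> bytes:
    # H(a || b): MD5 is used only because the thread's sample lines use md5=.
    return hashlib.md5(b"".join(parts)).digest()

def sign_stream(k0: bytes, messages):
    """Sender: apply (1) and (2) to each message, return [(M(i), CK(i) as hex)]."""
    k, out = k0, []
    for m in messages:
        ck = H(k, m)               # (1) CK(i) = H(K(i) || M(i))
        out.append((m, ck.hex()))
        k = H(k, ck)               # (2) K(i+1) = H(K(i) || CK(i)); never transmitted
    return out

def verify_stream(k0: bytes, records):
    """Receiver: recompute the chain; return index of the first failing record, else None."""
    k = k0
    for i, (m, ck_hex) in enumerate(records):
        ck = H(k, m)
        if not hmac.compare_digest(ck.hex(), ck_hex):
            return i
        k = H(k, ck)
    return None

# Constructed inputs: K0 is a made-up key; the first two messages are the thread's
# sample lines without their chain=/md5= fields, the third is invented.
K0 = b"constructed-shared-key"
MESSAGES = [
    b"Nov 5 14:14:54 zorilla PAM_pwdb[509]: (login) session opened for user abrown by (uid=0)",
    b"Nov 5 14:14:55 zorilla PAM_pwdb[509]: (login) session closed for user abrown",
    b"Nov 5 14:15:02 zorilla su[512]: constructed third line",
]

if __name__ == "__main__":
    signed = sign_stream(K0, MESSAGES)
    print("intact:", verify_stream(K0, signed))
    edited = [(signed[0][0].replace(b"abrown", b"nobody"), signed[0][1])] + signed[1:]
    print("line 0 edited:", verify_stream(K0, edited))
    print("line 1 dropped:", verify_stream(K0, [signed[0], signed[2]]))
    print("tail dropped:", verify_stream(K0, signed[:2]))
```

With the chain value kept implicit, a dropped or edited line makes that position and every later line fail, while removal of trailing lines passes verification unnoticed. The bare H(K || M) construct is kept as written in the thread; HMAC with a current hash is the usual replacement for it.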