pere.pagekite.me Git - homepage.git/blob - blog/archive/2016/04/04.rss
New blog post.
<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/'>
<channel>
<title>Petter Reinholdtsen - Entries from April 2016</title>
<description>Entries from April 2016</description>
<link>http://people.skolelinux.org/pere/blog/</link>


<item>
<title>syslog-trusted-timestamp - chain of trusted timestamps for your syslog</title>
<link>http://people.skolelinux.org/pere/blog/syslog_trusted_timestamp___chain_of_trusted_timestamps_for_your_syslog.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/syslog_trusted_timestamp___chain_of_trusted_timestamps_for_your_syslog.html</guid>
<pubDate>Sat, 2 Apr 2016 09:50:00 +0200</pubDate>
<description>&lt;p&gt;Two years ago, I had
&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Public_Trusted_Timestamping_services_for_everyone.html&quot;&gt;a
look at trusted timestamping options available&lt;/a&gt;, and among
other things noted a still open
&lt;a href=&quot;https://bugs.debian.org/742553&quot;&gt;bug in the tsget script&lt;/a&gt;
included in openssl that made it harder than necessary to use openssl
as a trusted timestamping client. A few days ago I was told
&lt;a href=&quot;https://www.difi.no/&quot;&gt;the Norwegian government office DIFI&lt;/a&gt; is
close to releasing their own trusted timestamp service, and in the
process I was happy to learn about a replacement for the tsget script
using only curl:&lt;/p&gt;

&lt;p&gt;&lt;pre&gt;
openssl ts -query -data &quot;/etc/shells&quot; -cert -sha256 -no_nonce \
  | curl -s -H &quot;Content-Type: application/timestamp-query&quot; \
      --data-binary &quot;@-&quot; http://zeitstempel.dfn.de &gt; etc-shells.tsr
openssl ts -reply -text -in etc-shells.tsr
&lt;/pre&gt;&lt;/p&gt;

&lt;p&gt;This produces a binary timestamp file (etc-shells.tsr) which can be
used to verify that the content of the file /etc/shells with the
calculated sha256 hash existed at the point in time when the request
was made. The last command extracts the content of etc-shells.tsr
in human readable form. The idea behind such a timestamp is to be able
to prove using cryptography that the content of a file has not
changed since the file was stamped.&lt;/p&gt;

&lt;p&gt;To verify that the file on disk matches the public key signature in
the timestamp file, run the following commands. They make sure you have
the required certificate for the trusted timestamp service available
and use it to compare the file content with the timestamp. In
production, one should of course use a better method to verify the
service certificate.&lt;/p&gt;

&lt;p&gt;&lt;pre&gt;
wget -O ca-cert.txt https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt
openssl ts -verify -data /etc/shells -in etc-shells.tsr -CAfile ca-cert.txt -text
&lt;/pre&gt;&lt;/p&gt;

&lt;p&gt;Wikipedia has a lot more information about
&lt;a href=&quot;https://en.wikipedia.org/wiki/Trusted_timestamping&quot;&gt;trusted
timestamping&lt;/a&gt; and
&lt;a href=&quot;https://en.wikipedia.org/wiki/Linked_timestamping&quot;&gt;linked
timestamping&lt;/a&gt;, and there are several trusted timestamping services
around, both as commercial services and as free and public services.
Among the latter is
&lt;a href=&quot;https://www.pki.dfn.de/zeitstempeldienst/&quot;&gt;the
zeitstempel.dfn.de service&lt;/a&gt; mentioned above and
&lt;a href=&quot;https://freetsa.org/&quot;&gt;freetsa.org service&lt;/a&gt; linked to from the
Wikipedia web site. I believe the DIFI service should show up on
https://tsa.difi.no, but it is not available to the public at the
moment. I hope this will change when it goes into production. The
&lt;a href=&quot;https://tools.ietf.org/html/rfc3161&quot;&gt;RFC 3161&lt;/a&gt; trusted
timestamping protocol standard is even implemented in LibreOffice,
Microsoft Office and Adobe Acrobat, making it possible to verify when
a document was created.&lt;/p&gt;

&lt;p&gt;I would find it useful to be able to use such a trusted timestamp
service to make it possible to verify that my stored syslog files have
not been tampered with. This is not a new idea. I found one example
implemented on the Endian network appliances where
&lt;a href=&quot;http://help.endian.com/entries/21518508-Enabling-Timestamping-on-log-files-&quot;&gt;the
configuration of such a feature was described in 2012&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;But I could not find any free implementation of such a feature when I
searched, so I decided to try to
&lt;a href=&quot;https://github.com/petterreinholdtsen/syslog-trusted-timestamp&quot;&gt;build
a prototype named syslog-trusted-timestamp&lt;/a&gt;. My idea is to
generate a timestamp of the old log files after they are rotated, and
store the timestamp in the new log file just after rotation. This
will form a chain that would make it possible to see if any old log
files are tampered with. But syslog is bad at handling kilobytes of
binary data, so I decided to base64 encode the timestamp and add an ID
and line sequence numbers to the base64 data to make it possible to
reassemble the timestamp file again. To use it, simply run it like
this:&lt;/p&gt;

&lt;p&gt;&lt;pre&gt;
syslog-trusted-timestamp /path/to/list-of-log-files
&lt;/pre&gt;&lt;/p&gt;

&lt;p&gt;This will send a timestamp from one or more timestamp services (not
yet decided nor implemented) for each listed file to the syslog using
logger(1). To verify the timestamp, the same program is used with the
--verify option:&lt;/p&gt;

&lt;p&gt;&lt;pre&gt;
syslog-trusted-timestamp --verify /path/to/log-file /path/to/log-with-timestamp
&lt;/pre&gt;&lt;/p&gt;

&lt;p&gt;The verification step is not yet well designed. The current
implementation depends on the file path being unique and unchanging,
and this is not a solid assumption. It also uses the process number as
timestamp ID, and this is bound to create ID collisions. I hope to
have time to come up with a better way to handle timestamp IDs and
verification later.&lt;/p&gt;

&lt;p&gt;Please check out
&lt;a href=&quot;https://github.com/petterreinholdtsen/syslog-trusted-timestamp&quot;&gt;the
prototype for syslog-trusted-timestamp on github&lt;/a&gt; and send
suggestions and improvements, or let me know if there already exists a
similar system for timestamping logs, to allow me to join
forces with others with the same interest.&lt;/p&gt;

&lt;p&gt;As usual, if you use Bitcoin and want to show your support of my
activities, please send Bitcoin donations to my address
&lt;b&gt;&lt;a href=&quot;bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;&lt;/b&gt;.&lt;/p&gt;
</description>
</item>

</channel>
</rss>