Title: syslog-trusted-timestamp - chain of trusted timestamps for your syslog
Tags: english, sikkerhet
Date: 2016-04-02 09:50

<p>Two years ago, I had
<a href="http://www.hungry.com/~pere/blog/Public_Trusted_Timestamping_services_for_everyone.html">a
look at trusted timestamping options available</a>, and among
other things noted a still open
<a href="https://bugs.debian.org/742553">bug in the tsget script</a>
included in openssl that made it harder than necessary to use openssl
as a trusted timestamping client.  A few days ago I was told
<a href="https://www.difi.no/">the Norwegian government office DIFI</a> is
close to releasing their own trusted timestamp service, and in the
process I was happy to learn about a replacement for the tsget script
using only curl:</p>

<p><pre>
openssl ts -query -data "/etc/shells" -cert -sha256 -no_nonce \
  | curl -s -H "Content-Type: application/timestamp-query" \
      --data-binary "@-" http://zeitstempel.dfn.de > etc-shells.tsr
openssl ts -reply -text -in etc-shells.tsr
</pre></p>

<p>This produces a binary timestamp file (etc-shells.tsr) which can be
used to verify that the content of the file /etc/shells with the
calculated sha256 hash existed at the point in time when the request
was made.  The last command extracts the content of etc-shells.tsr
in human readable form.  The idea behind such a timestamp is to be able
to prove using cryptography that the content of a file has not
changed since the file was stamped.</p>

<p>To verify that the file on disk matches the public key signature in
the timestamp file, run the following commands.  They make sure you have
the required certificate for the trusted timestamp service available
and use it to compare the file content with the timestamp.  In
production, one should of course use a better method to verify the
service certificate.</p>

<p><pre>
wget -O ca-cert.txt https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt
openssl ts -verify -data /etc/shells -in etc-shells.tsr -CAfile ca-cert.txt -text
</pre></p>

<p>Wikipedia has a lot more information about
<a href="https://en.wikipedia.org/wiki/Trusted_timestamping">trusted
timestamping</a> and
<a href="https://en.wikipedia.org/wiki/Linked_timestamping">linked
timestamping</a>, and there are several trusted timestamping services
around, both as commercial services and as free and public services.
Among the latter are
<a href="https://www.pki.dfn.de/zeitstempeldienst/">the
zeitstempel.dfn.de service</a> mentioned above and the
<a href="https://freetsa.org/">freetsa.org service</a> linked to from the
Wikipedia web site.  I believe the DIFI service should show up on
https://tsa.difi.no, but it is not available to the public at the
moment.  I hope this will change when it goes into production.  The
<a href="https://tools.ietf.org/html/rfc3161">RFC 3161</a> trusted
timestamping protocol standard is even implemented in LibreOffice,
Microsoft Office and Adobe Acrobat, making it possible to verify when
a document was created.</p>

<p>I would find it useful to be able to use such a trusted timestamp
service to make it possible to verify that my stored syslog files have
not been tampered with.  This is not a new idea.  I found one example
implemented on the Endian network appliances where
<a href="http://help.endian.com/entries/21518508-Enabling-Timestamping-on-log-files-">the
configuration of such a feature was described in 2012</a>.</p>

<p>But I could not find any free implementation of such a feature when I
searched, so I decided to try to
<a href="https://github.com/petterreinholdtsen/syslog-trusted-timestamp">build
a prototype named syslog-trusted-timestamp</a>.  My idea is to
generate a timestamp of the old log files after they are rotated, and
store the timestamp in the new log file just after rotation.  This
will form a chain that would make it possible to see if any old log
files are tampered with.  But syslog is bad at handling kilobytes of
binary data, so I decided to base64 encode the timestamp and add an ID
and line sequence numbers to the base64 data to make it possible to
reassemble the timestamp file again.  To use it, simply run it like
this:</p>

<p><pre>
syslog-trusted-timestamp /path/to/list-of-log-files
</pre></p>

<p>This will send a timestamp from one or more timestamp services (not
yet decided nor implemented) for each listed file to the syslog using
logger(1).  To verify the timestamp, the same program is used with the
--verify option:</p>

<p><pre>
syslog-trusted-timestamp --verify /path/to/log-file /path/to/log-with-timestamp
</pre></p>

<p>The verification step is not yet well designed.  The current
implementation depends on the file path being unique and unchanging,
and this is not a solid assumption.  It also uses the process number as
timestamp ID, and this is bound to create ID collisions.  I hope to
have time to come up with a better way to handle timestamp IDs and
verification later.</p>
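
<p>The line-splitting scheme described earlier and the ID collision
problem noted above, shown as an added Python example (not code from
the syslog-trusted-timestamp prototype).  The line layout
<code>tsr id=... seq=n/total data=...</code>, the 64 character chunk size
and the idea of deriving the ID from a SHA-256 of the stamped file are
assumptions made for illustration; the sample logs and timestamp
replies are constructed.</p>

```python
import base64, hashlib, re

CHUNK = 64  # base64 characters per syslog line (assumed value)
# Assumed line layout, not the prototype's actual format.
LINE_RE = re.compile(r"tsr id=(\S+) seq=(\d+)/(\d+) data=(\S+)$")

def stamp_id(log_bytes):
    """Derive the ID from the stamped file's content rather than a PID."""
    return hashlib.sha256(log_bytes).hexdigest()[:16]

def encode(tsr, ident):
    """Split a binary timestamp reply into numbered, syslog-safe lines."""
    b64 = base64.b64encode(tsr).decode("ascii")
    parts = [b64[i:i + CHUNK] for i in range(0, len(b64), CHUNK)]
    return [f"tsr id={ident} seq={n}/{len(parts)} data={p}"
            for n, p in enumerate(parts, 1)]

def reassemble(log_lines, ident):
    """Rebuild one timestamp reply; raise on missing or conflicting chunks."""
    chunks, total = {}, None
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m or m.group(1) != ident:
            continue
        seq, tot, data = int(m.group(2)), int(m.group(3)), m.group(4)
        if total not in (None, tot) or chunks.get(seq, data) != data:
            raise ValueError(f"conflicting chunks for id {ident}")
        total, chunks[seq] = tot, data
    if total is None or set(chunks) != set(range(1, total + 1)):
        raise ValueError(f"incomplete timestamp for id {ident}")
    return base64.b64decode("".join(chunks[n] for n in range(1, total + 1)))

# Constructed sample data: stand-ins for two rotated logs and their replies.
LOG_A, LOG_B = b"Apr  2 09:50:01 host sshd: ok\n", b"Apr  2 09:50:02 host cron: ok\n"
TSR_A, TSR_B = bytes(range(200)), bytes(range(55, 255))

def as_syslog(*streams):
    """Interleave the chunk lines of several stamps behind a syslog prefix."""
    mixed = [line for group in zip(*streams) for line in group]
    return ["Apr  2 10:00:00 host logger: " + line for line in mixed]

if __name__ == "__main__":
    ida, idb = stamp_id(LOG_A), stamp_id(LOG_B)
    log = as_syslog(encode(TSR_A, ida), encode(TSR_B, idb))
    print(reassemble(log, ida) == TSR_A, reassemble(log, idb) == TSR_B)
    try:  # two stamps that ended up with the same ID
        reassemble(as_syslog(encode(TSR_A, "1234"), encode(TSR_B, "1234")), "1234")
    except ValueError as err:
        print(err)
```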

<p>Please check out
<a href="https://github.com/petterreinholdtsen/syslog-trusted-timestamp">the
prototype for syslog-trusted-timestamp on github</a> and send
suggestions and improvements, or let me know if a similar system for
timestamping logs already exists, to allow me to join
forces with others with the same interest.</p>

<p>As usual, if you use Bitcoin and want to show your support of my
activities, please send Bitcoin donations to my address
<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>