syslog-trusted-timestamp - chain of trusted timestamps for your syslog

Fri, 1 Apr 2016 09:50:00 +0200

Two years ago, I had +a +look at trusted timestamping options available, and among +other things noted a still open +bug in the tsget script +included in openssl that made it harder than necessary to use openssl +as a trusted timestamping client. A few days ago I was told +the Norwegian government office DIFI is +close to releasing their own trusted timestamp service, and in the +process I was happy to learn about a replacement for the tsget script +using only curl:

+ +

+openssl ts -query -data "/etc/shells" -cert -sha256 -no_nonce \
+  | curl -s -H "Content-Type: application/timestamp-query" \
+         --data-binary "@-" http://zeitstempel.dfn.de > etc-shells.tsr
+openssl ts -reply -text -in etc-shells.tsr
+

+ +

This produces a binary timestamp file (etc-shells.tsr) which can be +used to verify that the content of the file /etc/shell with the +calculated sha256 hash existed at the point in time when the request +was made. The last command extract the content of the etc-shells.tsr +in human readable form. The idea behind such timestamp is to be able +to prove using cryptography that the content of a file have not +changed since the file was stamped.

+ +

To verify that the file on disk match the public key signature in +the timestamp file, run the following commands. It make sure you have +the required certificate for the trusted timestamp service available +and use it to compare the file content with the timestamp. In +production, one should of course use a better method to verify the +service certificate.

+ +

+wget -O ca-cert.txt https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt
+openssl ts -verify -data /etc/shells -in etc-shells.tsr -CAfile ca-cert.txt -text
+

+ +

Wikipedia have a lot more information about +trusted +Timestamping and +linked +timestamping, and there are several trusted timestamping services +around, both as commercial services and as free and public services. +Among the latter is +the +zeitstempel.dfn.de service mentioned above and +freetsa.org service linked to from the +wikipedia web site. I believe the DIFI service should show up on +https://tsa.difi.no, but it is not available to the public at the +moment. I hope this will change when it is into production. The +RFC 3161 trusted +timestamping protocol standard is even implemented in LibreOffice, +Microsoft Office and Adobe Acrobat, making it possible to verify when +a document was created.

+ +

I would find it useful to be able to use such trusted timestamp +service to make it possible to verify that my stored syslog files have +not been tampered with. This is not a new idea. I found one example +implemented on the Endian network appliances where +the +configuration of such feature was described in 2012.

+ +

But I could not find any free implementation of such feature when I +searched, so I decided to try to +build +a prototype named syslog-trusted-timestamp. My idea is to +generate a timestamp of the old log files after they are rotated, and +store the timestamp in the new log file just after rotation. This +will form a chain that would make it possible to see if any old log +files are tampered with. But syslog is bad at handling kilobytes of +binary data, so I decided to base64 encode the timestamp and add an ID +and line sequence numbers to the base64 data to make it possible to +reassemble the timestamp file again. To use it, simply run it like +this: + +

+syslog-trusted-timestamp /path/to/list-of-log-files
+

+ +

This will send a timestamp from one or more timestamp services (not +yet decided nor implemented) for each listed file to the syslog using +logger(1). To verify the timestamp, the same program is used with the +--verify option:

+ +

+syslog-trusted-timestamp --verify /path/to/log-file /path/to/log-with-timestamp
+

+ +

The verification step is not yet well designed. The current +implementation depend on the file path being unique and unchanging, +and this is not a solid assumption. It also uses process number as +timestamp ID, and this is bound to create ID collisions. I hope to +have time to come up with a better way to handle timestamp IDs and +verification later.

+ +

Please check out +the +prototype for syslog-trusted-timestamp on github and send +suggestions and improvement, or let me know if there already exist a +similar system for timestamping logs already to allow me to join +forces with others with the same interest.

+ +

As usual, if you use Bitcoin and want to show your support of my +activities, please send Bitcoin donations to my address +15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.

Petter Reinholdtsen - Entries from April 2016

syslog-trusted-timestamp - chain of trusted timestamps for your syslog