Internet Engineering Task Force Syslog
Internet Draft John Kelsey
draft-ietf-syslog-sign-00.txt Expires: June 2001
Syslog-Sign Protocol
STATUS OF THIS MEMO
This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress".
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
ABSTRACT
This document describes syslog-sign, a mechanism for adding
origin authenticaiton, message integrity, replay-resistance,
message sequencing, and detection of missing messages to
syslog. The goal of syslog-sign is to provide all these
security features in a way that has minimal requirements and
minimal impact on an existing setup of syslog devices,
relays, and collectors. In particular, it is possible to
support syslog-sign by changing only the behavior of the
syslog devices, and some software run either online or
offline on the collector's stored logs.
1. Introduction
Syslog-sign is intended to be an in-band protocol for
signing messages within syslog, making no assumptions about
any delivery mechanisms. This means that all messages sent
along are valid syslog-syslog messages. The messages will
be received and stored normally by any syslog collector.
However, offline review of the stored logs by a
syslog-sign-aware program will allow verification of the
logs' origin, integrity, freshness, and completeness.
The basic design goals are thus:
a. The goal of syslog-sign is offline detection of
alterations of the logs. The signatures provide both
storage security and transmission security, but we provide
no support for any kind of online detection of alterations.
(There's nothing saying a collector can't implement such
detection online, assuming it can keep up with the workload.
But we add nothing to support such online detection.)
b. Over the course of a reasonably long session,
syslog-sign will transmit the certificate, public key, or
key ID on which its signatures are based several times.
Expires June 2001 [Page 1]
Draft Syslog Sign December 2000
c. Syslog-sign will provide data integrity, data origin
authentication, replay detection, and gap detection. It is
the responsibility of the users of syslog-sign to ensure
that all the logs in a ``signature group'' are sent to the
same receiver. (A ``signature group'' is a set of messages
signed in the same sequence of signature blocks.) How the
administrator sets things up to support this is outside the
scope of this document, but if messages from the same
signature group are somehow separated during transmission or
forwarding, we will generally be unable to authenticate the
messages stored by any one collector.
d. Because syslog-sign must operate in-band over unreliable
delivery mechanisms, there is always some chance that
critical information will not make it to the receiver.
However, syslog-sign can be configured on the sender side to
add redundancy to its messages, to decrease the likelihood
that any messages will be impossible to verify.
e. Syslog-sign supports multiple signature and hash sizes
and schemes. These are encoded in its version field. Larger
signatures lead to more bandwidth required by syslog-sign.
Syslog-sign even supports symmetric cryptosystems.
f. The only awareness of forwarding in syslog-sign is the
requirement that a syslog-sign relay (as well as a device)
signal some kind of an error if it is required by its
forwarding rules to send messages in the same signature
group to different recipients.
2. Syslog-Sign Message Formats
Syslog-sign uses syslog to transmit its messages. That
means that all of its messages have to fit inside legal
syslog-syslog messages. This determines most of the design.
Syslog-sign processes all syslog messages, but it generates
only two kinds of messages of its own: signature blocks and
certificate blocks. A signature block contains some header
information, a sequence of hashes from recently-sent
messages, and a signature of some kind, and a new signature
block is sent each time there have been N new messages whose
hashes need to be signed and sent out. A certificate block
contains some or all of the information needed to uniquely
identify the key being used in these signatures.
2.1. Signature Blocks
A signature block contains a signature for a sequence of
messages sent by syslog-sign. There are several key points
that must be understood before the format of the signature
block makes any sense:
a. In this document, we refer to the normal syslog messages
that aren't generated by syslog-sign as ``messages.'' When
we discuss processing messages, we never include signature
blocks or certificate blocks in this processing.
Expires June 2001 [Page 2]
Draft Syslog Sign December 2000
b. The sending device divides the set of messages it will
ever send into one or more ``signature groups.'' The
maximum number of signature groups allowed is 4095. The
only requirement for a signature group is that all messages
from that signature group must be routed to the same
collector.
c. Each time the device starts a new logging ``session,''
e.g. because it has rebooted, it must generate a unique
reboot session ID.
d. Because we must deal with unreliable delivery, we can't
assume that all the messages in this sequence arrived.
Therefore, we include the hash of each message sent in this
sequence in this signature block. When the logs are
reviewed, the messages are hashed and their hashes are found
in the appropriate signature block.
e. Messages are sent along unaltered. However, each
message is assigned a unique identifying number within its
reboot session and signature group. Each signature block
specifies the number of the first message whose hash is
included; the numbers of the succeeding messages are defined
by their position in the hash block.
f. The signature block is sent in-band, and may
legitimately be forwarded through old-style syslog machines.
Therefore, it must fit within the requirements of a syslog
message. That means it is always less than 1024 bytes, and
it contains only printable ASCII characters, and in fact,
only the 64 characters used in base 64 encoding.
2.1.1. Signature Block Format
The signature block consists of the following fields:
a. Cookie -- an eight byte sequence to signal to the
verifier that this is a signature block. This sequence is
''@#sigSIG''.
b. Version -- a 12-bit quantity encoded in base 64 as two
bytes, which effectively specifies the hash function,
signature mechanism, and other details of the processing of
this signature block.
c. Session ID -- a 48-bit quantity encoded in base 64 as
eight bytes, which is required to never repeat or decrease
over multiple reboots of the sender.
Expires June 2001 [Page 3]
Draft Syslog Sign December 2000
d. Signature Group -- a 12-bit quantity encoded in base 64
as two bytes, which indicates which signature group this
message belongs to. (Each raw message belongs to exactly
one signature group, and each signature block includes
hashes from only one signature group. Messages from the
same signature group MUST ultimately be routed to the same
collector, and MUST NOT ever be separated in transmission by
any device or relay.
e. Global Block Counter -- a 48-bit quantity encoded in
base 64 as eight bytes, which is the number of signature
blocks sent out by syslog-sign in this reboot session.
f. First Message Number -- a 48-bit quantity encoded in
base 64 as eight bytes, which is the unique message number
within this signature group of the first message whose hash
appears in this block. (That is, if this signature group
has processed 1000 messages so far, and the 1001st message
from this signature group is the first one whose hash
appears in this signature block, then this field is 1001.
g. Count -- a 6-bit quantity encoded in base 64 as one
byte, which is the number of message hashes to follow.
h. Message Hashes -- a block of hashes, each separately
encoded in base-64. The size of each hash is determined by
the hashing algorithm used, effectively specified by the
Version field, but the size MUST NOT be shorter than 160
bits.
i. Signature -- a digital signature, encoded in base-64.
The original encoding of the signature is effectively
specified by the Version field.
2.1.2. Variability of Format
The format has a certain amount of flexibility. Some of
this is determined by the version, and some, by the device
generating the messages based on requested level of
redundancy in transmission.
2.1.2.1. Versions and Field Sizes
The format has some variability, because different signature
schemes and hash functions will alter the size of the
fields. The following versions are defined right now:
1 = SHA1 and DSA/320
2 = SHA1 and RSA/1024
3 = SHA1 and RSA/2048
[[ I need to reference some specs for all this. --JMK ]]
Expires June 2001 [Page 4]
Draft Syslog Sign December 2000
2.1.2.2. Redundancy
The sending device has a tunable level of redundancy for the
signature blocks. If no redundancy is used, then if a
signature block is lost, no messages that were signed by
that block can be verified. The more redundancy is used,
the more signature blocks must be lost before a message
cannot be verified.
Redundancy is implemented in a simple way: Each message's
hash can be included in more than one signature block. If
each message's hash is included in two signature blocks,
then only when two successive signature blocks from the same
signature groups are lost in transit do we end up with
messages we can't verify. If each message's hash is
included in three signature blocks, then this can happen
only when three successive signature blocks from the same
signature group are lost in transit.
The signature block specifies the message number of the
first message whose hash is included in the block. If each
signature block contains 40 hashes, and each successive
signature block's first message is 20 messages higher than
the previous block's, then each message is signed by two
blocks.
Note that this is totally decided by the sending device, and
that any level of redundancy is supported. Similarly, the
only requirement about the number of hashes included in each
signature block is that it never be less than one, and that
it will never be large enough to cause the signature block
to go over 1024 bytes in length. (The field cannot support
more than 63 message hashes, but in practice, no more than
37 could appear in a 1024-byte message, ignoring the other
header fields and the signature block.)
In particular, note that it is legal for the sending device
to simply include one signature block per message.
2.2. Certificate Blocks
The purpose of a certificate block is provide some support
for key management in syslog-sign, by allowing the
transmission of a certificate and other identifying
information from the sending device. The sending device has
a certain initial key management blob to send, which may be
a PKIX certificate, or a raw public key, or a key
fingerprint. In fact, a syslog-sign device doesn't know
anything about this payload except what it's told to report
about it during device setup.
Expires June 2001 [Page 5]
Draft Syslog Sign December 2000
There are three key points to understand about certificate blocks:
a. The handle a variable-sized payload, by fragmenting it
if necessary, and transmitting the fragments as legal
syslog-syslog messages. This payload is expected to be a
certificate, but the syslog-sign device does no checking of
its format or contents. Its goal is simply to make sure
that the payload gets sent along with a log of any
reasonable length.
b. There is an adjustable parameter for required
redundancy, just as in the signature blocks. However, the
redundancy functions a little differently.
c. Each signature group gets sent its own certificate blocks.
2.2.1. Building the Payload Block
Note that we build a payload at the time the reboot
session starts, and that payload includes a digital
signature. The payload block for this reboot session
includes:
a. Version -- specifying the hash function and signature
used; this is the same version identifier as is used in the
signature blocks.
b. Reboot Session ID -- the same reboot session ID which
will be used in the signature blocks
c. IP Address of Sender -- the sender's IP address, a
128-bit number base-64 encoded as 22 bytes.
d. Key Blob Type -- this one-byte field holds one of four values:
(i) 'C' -- a PKIX certificate
(ii) 'F' -- a key fingerprint (the hash of the public key
using the specified hash algorithm)
(iii)'K' -- the public key whose corresponding
private key is being used to sign these
messages.
(iv) 'U' -- user-specific field with no defined
meaning in the standard.
e. Key Blob -- the raw data, base-64 encoded.
f. Signature -- a digital signature on fields a-e, encoded
in base-64.
2.2.2. Building the Certificate Block
The certificate block must get the payload block to the
collector. Since certificates can legitimately be much
longer than 1024 bytes, each certificate block carries a
piece of the payload block.
Expires June 2001 [Page 6]
Draft Syslog Sign December 2000
The certificate block is built as follows:
a. Cookie -- an eight byte string, ``@#sigCer''.
b. Version -- a 12-bit field encoded in base-64 as two bytes.
c. Signature Group -- a 12-bit field encoded in base-64 as
two bytes.
d. Total Payload Length -- a 32-bit field encoded in
base-64 as six bytes.
e. Index into Payload -- a 32-bit field encoded in base-64
as six bytes.
f. Fragment Length -- a 12-bit field encoded in base-64 as
two bytes.
g. Payload Fragment -- a fragment of the payload, as
specified by the above fields.
2.2.3. Redundancy
Given the 1024-byte limit on syslog messages, a given
payload block can be efficiently divided up into some
number, P, of certificate blocks. (It is possible that
P==1.) The collector must end up with all P of these blocks
to be able to verify that this key was in use at the time of
this reboot session.
The certificate blocks are sent as follows:
a. At reboot, we send all P certificate blocks once for
each signature group. These are sent as syslog messages,
and they are sent before any other syslog messages are sent
in this session.
b. After this, we resend the certificate blocks
occasionally, based on the redundancy parameter R. For each
signature group, each time another R messages are sent for
that signature group, we send along the next certificate
block. Note that this requires that we keep track of which
certificate block we're on, for each signature group. If
R==0, then we never resend the certificate block. (This
would make sense if we were using syslog-sign over
syslog-reliable.)
3.0. Offline Review
Reviewing the stored logs offline now becomes straightforward.
a. Verify that the next reboot session ID is valid, e.g.,
is larger than the previously seen reboot session IDs.
Expires June 2001 [Page 7]
Draft Syslog Sign December 2000
b. Go through the log entries with this session ID, and
pull out each of the certificate blocks. Reassemble the
payload block, and make whatever use of it is desired.
c. If more than one signature group appears in the logs,
process each group separately as follows.
d. For each signature block:
(i) Verify the signature at the end of the block.
If the signature verifies successfully, then
continue processing.
(ii) Determine what message numbers we're receiving
based on the appropriate fields in the signature
block.
(iii)For each hash in the hash block, look in the
nearby messages for a message with the same hash. If
a message is found, then add that message, along
with its message number, to the list of verified
messages for this session ID and signature group.
e. When the processing is done, sort the list of verified
messages for this session ID and signature group on the
message numbers. Eliminate duplicate message numbers, and
the result is a verified log file, complete with gaps in the
message numbers where there are gaps in the received
messages.
4 Acknowledgements
The author wishes to thank Alex Brown, Chris Calabrese, Jon
Callas, Carson Gaspar, Drew Gross, Chris Lonvick, Darrin
New, Marshall Rose, Holt Sorenson, and the whole bunch of
Counterpane engineering and operations people who commented
on early or late versions of this proposal.
5 Bibliography
A Author's Address
John Kelsey
Counterpane Internet Security
kelsey.j@ix.netcom.com
Expires June 2001 [Page 8]
Draft Syslog Sign December 2000
B Full Copyright Statement
Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it or
assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are included
on all such copies and derivative works. However, this document itself
may not be modified in any way, such as by removing the copyright notice
or references to the Internet Society or other Internet organizations,
except as needed for the purpose of developing Internet standards in
which case the procedures for copyrights defined in the Internet
Standards process must be followed, or as required to translate it into
languages other than English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS
IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK
FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.
Expires June 2001 [Page 9]