making the logs tamper evident through git like hash chains

Posted Nov 18, 2011 22:37 UTC (Fri) by nmav (subscriber, #34036)
In reply to: making the logs tamper evident through git like hash chains by scottt
Parent article: The Journal - a proposed syslog replacement

Monotone, Mercurial and Git are not designed to protect against malicious attacks and as I said their method is not secure (that's why e.g. git allows digital signatures on tags).


making the logs tamper evident through git like hash chains

Posted Nov 19, 2011 0:27 UTC (Sat) by Cyberax (✭ supporter ✭, #52523)

Wrong. Git has been specifically designed to be secure from the start. That was one of its original design goals.

And it IS secure; signatures are used not to authenticate integrity, but to authenticate the author of changes.

making the logs tamper evident through git like hash chains

Posted Nov 19, 2011 4:40 UTC (Sat) by nevyn (subscriber, #33129)

From: blog.valerieaurora.org talking about CAS and compare by hash...

> Finally, in a vain attempt to forestall the inevitable flame wars, I will point out that my objections do not apply to systems in which the hash address space is shared only with trusted users. In other words, hash-based source control is for the most part fine sticking with SHA-1 and could indeed use a cheaper hash like MD5 without any practical trouble

From: kernel trap git archive on the first discussion about git only using sha1, Linus explains:

> As I explained early on [...], the _security_ of git actually depends on not cryptographic hashes, but simply on everybody being able to secure their own _private_ repository.

Then there was another discussion, where other people said the same things. Git's use of hashes as a CAS doesn't make it secure, doing the same thing for log file lines will not make them secure/trustable/whatever either.

making the logs tamper evident through git like hash chains

Posted Nov 20, 2011 3:12 UTC (Sun) by cmccabe (guest, #60281)

SHA1 has been weakened, but many other hash functions have not. Given that security is the whole point, I'm sure that Lennart will use a newer hash.

making the logs tamper evident through git like hash chains

Posted Nov 20, 2011 19:19 UTC (Sun) by nevyn (subscriber, #33129)

I think you missed the point ... git and journald can happily use SHA-1 because it adds no security at all. git gets a bunch of other useful features out of using hashes, AFAICS it's just a waste for journald.

making the logs tamper evident through git like hash chains

Posted Nov 21, 2011 23:52 UTC (Mon) by cmccabe (guest, #60281)

> I think you missed the point ... git and journald can happily use SHA-1
> because it adds no security at all

Er, I think perhaps it is you who is missing the point. TFA says:

> Each entry authenticates all previous ones. If the top-most hash is
> regularly saved to a secure write-only location, the full chain is
> authenticated by it. Manipulations by the attacker can hence easily be
> detected.

The point is to get security, not to "happily use SHA-1."
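
The two positions argued in this thread, as an added example that is not part of any comment and is not journald's code: a SHA-256 hash chain over constructed log lines, where a chain rewritten by someone with write access verifies cleanly on its own and fails only against a head that was saved off-host. The function names, the genesis value and the entry encoding are assumptions made for this illustration.

```python
import hashlib

GENESIS = b"\x00" * 32  # assumed starting value for the chain


def chain(entries, prev=GENESIS):
    """Return link hashes: h_i = SHA-256(h_{i-1} || len(entry_i) || entry_i)."""
    links = []
    for entry in entries:
        data = entry.encode("utf-8")
        prev = hashlib.sha256(prev + len(data).to_bytes(8, "big") + data).digest()
        links.append(prev)
    return links


def verify(entries, links, anchored_heads=None):
    """Check internal consistency, then compare against externally saved heads.

    anchored_heads maps entry index -> hash copied off-host at that point.
    Returns (ok, reason).
    """
    if chain(entries) != links:
        return False, "chain is internally inconsistent"
    for index, saved in sorted((anchored_heads or {}).items()):
        if index >= len(links):
            return False, f"log truncated before anchored entry {index}"
        if links[index] != saved:
            return False, f"history at or before entry {index} was rewritten"
    return True, "ok"


# Constructed sample log lines (not real journal output).
LOG = [
    "sshd[811]: Accepted publickey for alice from 192.0.2.10",
    "sudo[902]: alice : COMMAND=/usr/bin/id",
    "sshd[990]: Accepted password for root from 203.0.113.7",
    "cron[1001]: (root) CMD (run-parts /etc/cron.hourly)",
]
LINKS = chain(LOG)
ANCHORS = {2: LINKS[2]}  # head copied to a separate host after entry 2

# Someone with write access deletes entry 2 and recomputes every link.
FORGED_LOG = LOG[:2] + LOG[3:]
FORGED_LINKS = chain(FORGED_LOG)

if __name__ == "__main__":
    print(verify(FORGED_LOG, FORGED_LINKS))           # passes: no anchor
    print(verify(FORGED_LOG, FORGED_LINKS, ANCHORS))  # fails: anchor mismatch
```

Entries appended after the most recent anchor can still be dropped without detection, so the coverage of the check depends on how often the head is saved.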
