making the logs tamper evident through git like hash chains

Posted Nov 19, 2011 4:40 UTC (Sat) by nevyn (subscriber, #33129)
In reply to: making the logs tamper evident through git like hash chains by Cyberax
Parent article: The Journal - a proposed syslog replacement

From: blog.valerieaurora.org talking about CAS and compare by hash...

> Finally, in a vain attempt to forestall the inevitable flame wars, I will point out that my objections do not apply to systems in which the hash address space is shared only with trusted users. In other words, hash-based source control is for the most part fine sticking with SHA-1 and could indeed use a cheaper hash like MD5 without any practical trouble

From: kernel trap git archive on the first discussion about git only using sha1, Linus explains:

> As I explained early on [...], the _security_ of git actually depends on not cryptographic hashes, but simply on everybody being able to secure their own _private_ repository.

Then there was another discussion, where other people said the same things. Git's use of hashes as a CAS doesn't make it secure, doing the same thing for log file lines will not make them secure/trustable/whatever either.


making the logs tamper evident through git like hash chains

Posted Nov 20, 2011 3:12 UTC (Sun) by cmccabe (guest, #60281) [Link]

SHA1 has been weakened, but many other hash functions have not. Given that security is the whole point, I'm sure that Lennart will use a newer hash.

making the logs tamper evident through git like hash chains

Posted Nov 20, 2011 19:19 UTC (Sun) by nevyn (subscriber, #33129) [Link]

I think you missed the point ... git and journald can happily use SHA-1 because it adds no security at all. git gets a bunch of other useful features out of using hashes, AFAICS it's just a waste for journald.

making the logs tamper evident through git like hash chains

Posted Nov 21, 2011 23:52 UTC (Mon) by cmccabe (guest, #60281) [Link]

> I think you missed the point ... git and journald can happily use SHA-1
> because it adds no security at all

Er, I think perhaps it is you who is missing the point. TFA says:

> Each entry authenticates all previous ones. If the top-most hash is
> regularly saved to a secure write-only location, the full chain is
> authenticated by it. Manipulations by the attacker can hence easily be
> detected.

The point is to get security, not to "happily use SHA-1."
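
The scheme quoted from the article in this thread, as an added example that is not part of any comment here and is not journald's code: each entry's hash covers the previous hash, and checking the log against a head hash saved somewhere the log writer cannot change detects a rewritten history, whereas the chain's own consistency check does not. SHA-256, the record layout, the sample log lines and all function names are assumptions made for illustration.

```python
import hashlib

GENESIS = b"\x00" * 32  # assumed starting value for the chain


def entry_hash(prev: bytes, message: str) -> bytes:
    """Hash of one entry; it covers the previous hash, hence all history."""
    data = message.encode("utf-8")
    # Length prefix keeps the (prev, message) encoding unambiguous.
    return hashlib.sha256(prev + len(data).to_bytes(8, "big") + data).digest()


def build_chain(messages):
    """Return [(message, hash), ...], each hash chained to the one before."""
    chain, prev = [], GENESIS
    for msg in messages:
        prev = entry_hash(prev, msg)
        chain.append((msg, prev))
    return chain


def verify(chain, anchors=None):
    """Check internal consistency and any externally saved head hashes.

    anchors maps entry index -> head hash exported to a location the log
    writer cannot modify afterwards. Returns (ok, reason).
    """
    prev = GENESIS
    for i, (msg, stored) in enumerate(chain):
        prev = entry_hash(prev, msg)
        if stored != prev:
            return False, f"entry {i}: stored hash does not match recomputed hash"
        if anchors and i in anchors and anchors[i] != prev:
            return False, f"entry {i}: chain does not match saved head"
    if anchors and max(anchors) >= len(chain):
        return False, "log is shorter than a saved head (truncated)"
    return True, "ok"


# Constructed sample log lines.
LOG = ["sshd: accepted key for alice", "sudo: alice -> root", "cron: job 17 ran"]
original = build_chain(LOG)
saved = {2: original[2][1]}  # head hash exported after entry 2

# Case 1: one line edited in place, hashes untouched: the self-check catches it.
edited = [original[0], ("sudo: nothing happened", original[1][1]), original[2]]
# Case 2: line edited and every hash recomputed: only the saved head catches it.
rewritten = build_chain([LOG[0], "sudo: nothing happened", LOG[2]])
```

`verify(rewritten)` succeeds while `verify(rewritten, saved)` fails, so the detection comes from where the head hash is stored, and the chain alone only catches edits that leave the stored hashes untouched.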

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.