IDS mailing list archives

Re: self authentication for sensors in ids ?


From: Michal Melewski <mike () pn66 poznan sdi tpnet pl>
Date: Fri, 30 Jan 2004 22:20:19 +0100

On Fri, Jan 30, 2004 at 12:59:46PM +0100, Stefano Zanero wrote:
> Michal Melewski wrote:
>
>> 2. If the IDS administrator is sure that the sensor hasn't been compromised,
>> he gives the sensor a password for his gpg key and activates it.
>
> How? A password of which key?

I meant a passphrase to activate a private gpg key.
The private gpg key is used to sign a packet.

>> 3. When the sensor is active it can send alarms, and each packet should be
>> signed and encrypted, and of course supplied with an md5 sum (or better sha1)
>> of the currently running code.
>
> And what is there to prevent an abuser from sending packets with the known
> good md5sum?

A sign made by a private gpg key.

>> If an attacker managed to replace a sensor, the gpg sign wouldn't be valid
>
> Again: how is that possible? Where do you store the password? If it's
> in the running code on a compromised machine, it's not secure.

Yes, I know it's the weak point, but still it's more secure than just accepting
all packets coming from the sensor.
Reading process memory is of course possible, but it's not so trivial.

If anyone has a better idea how to make a good authentication mechanism between
a sensor and a manager, I would be glad to hear it.

> Stefano

-- 
Michael "carstein" Melewski      |  "Kepler was a humanist, so was Leibniz.
carstein () poznan linux org pl          |   A person who defines humanism as
mobile: 502 545 913              |   the inability to integrate
gpg: carstein.c.pl/carstein.txt  |   is not a humanist."
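
The manager-side check for the scheme in point 3 above, as an added example that is not code from the original post or from any IDS project. Assumptions: HMAC-SHA256 from Python's standard library stands in for the GPG signature (a shared secret, so unlike GPG the manager holds the same key), a sequence number is added so a captured packet cannot be resent, and all names, keys and sample values are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample values (assumptions, not taken from the thread).
SENSOR_KEY = b"constructed-demo-key-entered-at-activation"
KNOWN_GOOD_DIGEST = hashlib.sha1(b"constructed sensor binary v1").hexdigest()

def build_packet(key, seq, alert, code_digest):
    """Sensor side: serialize the alert with the code digest, then tag it."""
    body = json.dumps({"seq": seq, "alert": alert, "code_sha1": code_digest},
                      sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

class Manager:
    """Manager side: authenticate first, then check digest and freshness."""

    def __init__(self, key, known_good_digest):
        self.key = key
        self.known_good = known_good_digest
        self.last_seq = -1

    def accept(self, packet):
        expected = hmac.new(self.key, packet["body"], hashlib.sha256).hexdigest()
        # Constant-time comparison; nothing in the body is trusted before this.
        if not hmac.compare_digest(expected, packet["tag"]):
            return "reject: bad signature"
        fields = json.loads(packet["body"])
        if fields["code_sha1"] != self.known_good:
            return "reject: unexpected code digest"
        if fields["seq"] <= self.last_seq:
            return "reject: replayed or out-of-order packet"
        self.last_seq = fields["seq"]
        return "accept"

def demo():
    mgr = Manager(SENSOR_KEY, KNOWN_GOOD_DIGEST)
    genuine = build_packet(SENSOR_KEY, 1, "constructed alert", KNOWN_GOOD_DIGEST)
    # A sender without the key can still copy the known-good digest.
    unkeyed = build_packet(b"not-the-key", 2, "constructed alert", KNOWN_GOOD_DIGEST)
    other = hashlib.sha1(b"constructed other binary").hexdigest()
    modified = build_packet(SENSOR_KEY, 3, "constructed alert", other)
    return [mgr.accept(genuine), mgr.accept(unkeyed),
            mgr.accept(modified), mgr.accept(genuine)]
```

As the thread points out, this check cannot tell the genuine sensor from anyone who holds the key, and the code digest is a value the sender reports about itself.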
