provides a further level of secrecy to the message and prevents unauthorized publication of the logs.
The DNS server publishes the public key for write access via specific records
(KEY and SIG), thus allowing the clients to download it and control its authenticity
by verifying the signature. The DNS server may periodically adopt a new key, so it
is helpful to implement a mechanism to synchronize the key updating event with the
downloading by the clients.
Once the syslog message is encrypted, the results of the three most widely used
hashing algorithms—MD5, SHA1 and RIPE-160—are added, in specific order, below
the message. The encrypted message and the three hash values thus constitute
the effective payload which is sent to the DNS.
5.10 How Communication Works
Figure 11 illustrates the communication algorithm for publication of the syslog
message by the client and its downloading by the server. Each step is described in detail below.
These are the steps taken by the SecSyslog client to publish the messages.
1. The client encrypts the message to be sent and calculates the three hashes,
adding them at the bottom to complete the payload.
2. The client updates the message header inserting the timestamp of the previous
packet, the length of the encrypted message, the number of parts contained
within it, the current part number and the message ID.
3. The client updates the DNS zone publishing the header and payload in a TXT
field for the host by the name of <HOSTID><timestamp>, where the timestamp
is the current time (calculated at the moment the packet is composed) in tai64
format. This value must be stored for inclusion in the header of the packet to
be sent later, so as to recreate the full list of packets transmitted.
4. When the last packet containing the last part of the syslog message has been
published to the DNS, the client must update its own CNAME field, the
<HOSTID>LW. This record is used as a list 'index,' i.e., a starting point for
reading the messages to be downloaded by the server. In other words the
timestamp of the header represents the 'marker' for the previous item.
The tasks performed by the SecSyslog server to download the messages are as
follows.
1. For the controller host, the server asks the DNS for the alias corresponding to
the last published message, sending a query to <HOSTID>LW.
2. The server now knows the last message published by that client and can
thus query the TXT record to download the last packet sent, requesting the
<HOSTID><timestamp> corresponding to the alias.
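The client and server procedures above, simulated end to end as an added example (this is not the chapter's own SecSyslog code). The DNS zone is a constructed in-memory dictionary instead of real dynamic updates and queries; the cipher is a stand-in SHA-256 counter-mode keystream rather than the public-key scheme the chapter describes; the `@0` "no previous packet" marker, the part size, the `;`/`|` field separators, the host ID and the sample syslog lines are all constructed for the example. RIPEMD-160 (the chapter's RIPE-160) is computed through `hashlib` and skipped on builds whose OpenSSL lacks it. The server walks the chain of previous-packet timestamps back from `<HOSTID>LW`, which is what the chapter's "recreate the full list of packets transmitted" implies, and drops any message whose recomputed hashes do not match the published ones.

```python
import base64
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the DNS zone: record name -> (rrtype, rdata).
Zone = Dict[str, Tuple[str, str]]

TAI_MINUS_UTC = 37   # TAI-UTC in seconds, valid since the 2017 leap second; use a leap table in practice
PART_SIZE = 120      # payload characters per TXT record (constructed; under the 255-byte string limit)
HOSTID = "host01"    # hypothetical client identifier, the <HOSTID> of the record names
NO_PREV = "@0"       # constructed header marker for "no previous packet"
HASH_ORDER = ("md5", "sha1", "ripemd160")
SAMPLE_MESSAGES = [  # constructed syslog lines
    b"<34>Oct 11 22:14:15 host01 su: 'su root' failed for lonvick on /dev/pts/8",
    b"<13>host01 sshd: accepted publickey for ops",
]


def tai64_label(unix_seconds: int) -> str:
    """TAI64 external form: '@' followed by 16 hex digits of 2^62 + TAI seconds."""
    return "@%016x" % (0x4000000000000000 + unix_seconds + TAI_MINUS_UTC)


def digests(data: bytes) -> List[str]:
    """MD5, SHA1 and RIPEMD-160 of the ciphertext in fixed order; an algorithm the
    local OpenSSL cannot provide is skipped identically on both sides."""
    out = []
    for name in HASH_ORDER:
        try:
            out.append(hashlib.new(name, data).hexdigest())
        except ValueError:
            pass
    return out


def keystream_cipher(key: bytes) -> Callable[[bytes], bytes]:
    """Stand-in symmetric cipher (SHA-256 counter-mode keystream XORed with the data);
    the same call encrypts and decrypts. Not the chapter's scheme."""
    def xor(data: bytes) -> bytes:
        out = bytearray()
        for i in range(0, len(data), 32):
            block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
            out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
        return bytes(out)
    return xor


class SecSyslogClient:
    def __init__(self, zone: Zone, hostid: str, cipher, clock: Callable[[], int]):
        self.zone, self.hostid, self.cipher, self.clock = zone, hostid, cipher, clock
        self.prev_ts = NO_PREV
        self.msg_id = 0

    def publish(self, message: bytes) -> str:
        ct = self.cipher(message)                                        # step 1: encrypt ...
        payload = "|".join([base64.b64encode(ct).decode()] + digests(ct))  # ... and append the hashes
        parts = [payload[i:i + PART_SIZE] for i in range(0, len(payload), PART_SIZE)]
        self.msg_id += 1
        name = ""
        for n, part in enumerate(parts, 1):
            ts = tai64_label(self.clock())
            # step 2: header = previous timestamp, ciphertext length, part count, part number, message id
            header = f"{self.prev_ts};{len(ct)};{len(parts)};{n};{self.msg_id}"
            name = self.hostid + ts                                      # step 3: TXT at <HOSTID><timestamp>
            self.zone[name] = ("TXT", header + ";" + part)
            self.prev_ts = ts
        self.zone[self.hostid + "LW"] = ("CNAME", name)                 # step 4: index record <HOSTID>LW
        return name


class SecSyslogServer:
    def __init__(self, zone: Zone, cipher):
        self.zone, self.cipher = zone, cipher

    def download(self, hostid: str) -> List[bytes]:
        """Follow <HOSTID>LW back through the previous-timestamp chain, reassemble each
        message, verify the hashes and decrypt; incomplete or tampered messages are dropped."""
        if hostid + "LW" not in self.zone:
            return []
        _, name = self.zone[hostid + "LW"]                               # server step 1: alias of last packet
        by_msg: Dict[int, Dict[int, Tuple[int, int, str]]] = {}
        while name in self.zone:                                         # server step 2: fetch TXT, follow prev
            _, txt = self.zone[name]
            prev_ts, ct_len, nparts, partno, msg_id, part = txt.split(";", 5)
            by_msg.setdefault(int(msg_id), {})[int(partno)] = (int(nparts), int(ct_len), part)
            if prev_ts == NO_PREV:
                break
            name = hostid + prev_ts
        messages = []
        for msg_id in sorted(by_msg):
            parts = by_msg[msg_id]
            nparts, ct_len, _ = next(iter(parts.values()))
            if sorted(parts) != list(range(1, nparts + 1)):
                continue                                                 # a packet is missing
            b64, *hashes = "".join(parts[n][2] for n in range(1, nparts + 1)).split("|")
            try:
                ct = base64.b64decode(b64, validate=True)
            except ValueError:
                continue
            if len(ct) != ct_len or hashes != digests(ct):
                continue                                                 # integrity check failed
            messages.append(self.cipher(ct))
        return messages


def demo(tamper: bool = False) -> Tuple[List[bytes], Zone]:
    zone: Zone = {}
    clock = iter(range(1_700_000_000, 1_700_000_100))                   # constructed, deterministic clock
    cipher = keystream_cipher(b"constructed-shared-key")
    client = SecSyslogClient(zone, HOSTID, cipher, lambda: next(clock))
    for m in SAMPLE_MESSAGES:
        client.publish(m)
    if tamper:                                                           # corrupt one hash digit of the last packet
        name = zone[HOSTID + "LW"][1]
        zone[name] = ("TXT", zone[name][1][:-1] + "z")
    return SecSyslogServer(zone, cipher).download(HOSTID), zone


if __name__ == "__main__":
    recovered, zone = demo()
    print(len(zone) - 1, "TXT records published;", len(recovered), "messages recovered")
```

Because every packet header carries the timestamp of the packet before it, the `<HOSTID>LW` alias is the only state the server needs to recover the whole sequence, and a missing or altered record shows up as a dropped message rather than as silently corrupted log data.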