<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 27, 2015 at 8:57 AM, Hadriel Kaplan <span dir="ltr"><<a href="mailto:the.real.hadriel@gmail.com" target="_blank">the.real.hadriel@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Do you plan to *use* all of those algorithms?<br>
<br>
Because if not, I'd say cull them down to only what you plan to use.<br>
In fact, I'd suggest we get rid of the ones currently defined in the<br>
draft, but I'll send a separate email about that.<br>
<br>
Also, a small nit, but instead of saying "non-mutable fields" and to<br>
ignore the block type/length and options and all that - just say it<br>
covers "the Packet Data field only, not including padding".<br>
<br></blockquote><div><br></div><div>It needs to be more than just the packet data. I think we need to be able to include the timestamp, and at least the snaplen as well, to get metadata about the packet. Defense against replay attacks. In the course of an investigation, it is just as important when a packet was sent as what was in it.<br><br></div><div>But I don't want adding comments, changing the order of options, or other reasonable changes to break the hash tests. "non-mutable" might not be the right language there. But if it's a required field in the EPB, it should be required to be included in the hash to determine whether it's been tampered with or not.<br><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
-hadriel<br>
<div><div class="h5"><br>
<br>
On Thu, Aug 27, 2015 at 2:15 AM, Michael Haney <<a href="mailto:michael-haney@utulsa.edu">michael-haney@utulsa.edu</a>> wrote:<br>
> I'd like to propose the following to modify the Hash Option for the EPB:<br>
><br>
> Name: epb_hash<br>
> Code: 3<br>
> Length: variable<br>
> Description:<br>
><br>
> This option contains a hash or message digest of the Enhanced Packet Block<br>
> non-mutable fields. The first two bytes (16 bits) of the option value<br>
> specify<br>
> the hashing algorithm. The second two bytes (16 bits) specify algorithm-<br>
> specific options. At bit offset 32, the actual hash value is contained,<br>
> whose<br>
> size depends on the hashing algorithm. Note that the option length is the<br>
> hash<br>
> value length + 32. If a hashing algorithm produces a message digest that is<br>
> not<br>
> 32-bit aligned, the value should be padded with zeros. Hashing algorithm<br>
> values<br>
> and options are shown in the table. Unless otherwise noted in an algorithm<br>
> option (i.e. any combination of 32 flags could be set to specify hash<br>
> options)<br>
> the message digest will be taken of the body of the Enhanced Packet Block,<br>
> excluding the block header and footer and any options. This will allow the<br>
> hash<br>
> of the original captured packet, including its timestamp and other fixed<br>
> values,<br>
> and still allow for options to be added, removed, or reordered as the packet<br>
> block is processed.<br>
><br>
> TABLE:<br>
> Algorithm | Code | Option | Digest Size | Option Length (bytes)<br>
> 2’s comp. | 0x0000 | 0x0000 | packet size | pkt size + 4<br>
> XOR (LRC32) | 0x0001 | 0x0000 | 4 bytes | 0x0008<br>
> CRC32 | 0x0002 | 0x0000 | 4 bytes | 0x0008<br>
> MD5 | 0x0003 | 0x0000 | 128-bit | 0x0014<br>
> SHA-1 | 0x0004 | 0x0000 | 160-bit | 0x0018<br>
> RIPEMD | 0x0005 | 0x0000 | 160-bit | 0x0018<br>
> SHA-2 | 0x0006 | 0x0001 | 224-bit | 0x0020<br>
> SHA-2 | 0x0006 | 0x0002 | 256-bit | 0x0024<br>
> SHA-2 | 0x0006 | 0x0003 | 384-bit | 0x0034<br>
> SHA-2 | 0x0006 | 0x0004 | 512-bit | 0x0044<br>
> Whirlpool | 0x0007 | 0x0000 | 512-bit | 0x0044<br>
> SHA-3 | 0x0008 | 0x0001 | 512-bit | 0x0044<br>
> HMAC-MD5 | 0x0103 | 0x0000 | 128-bit | 0x0044<br>
> HMAC-SHA-1 | 0x0104 | 0x0000 | 160-bit | 0x0018<br>
> HMAC-SHA-2 | 0x0106 | 0x0001 | 224-bit | 0x0020<br>
> HMAC-SHA-2 | 0x0106 | 0x0002 | 256-bit | 0x0024<br>
> HMAC-Whirlpool | 0x0107 | 0x0000 | 512-bit | 0x0044<br>
> MAC-SHA-3 | 0x0108 | 0x0000 | 512-bit | 0x0044<br>
><br>
> <artwork><br>
> / /<br>
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br>
> | epb_hash_code = 0x0003 | option length (var) = 0x0024 |<br>
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br>
> | Hash Algorithm = 0x0006 (SHA2)| Hash Alg Opts = 0x0002 (256b) |<br>
> +---------------------------------------------------------------+<br>
> / /<br>
> / /<br>
> / Hash value (variable e.g. 256-bits) /<br>
> / /<br>
> / /<br>
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br>
> / /<br>
> / Other Options (variable) /<br>
> / /<br>
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br>
> | end_of_options = 0x0000 | options_length = 0x0000 |<br>
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br>
> | Block Total Length |<br>
> +---------------------------------------------------------------+<br>
> </artwork><br>
><br>
> Regards,<br>
> Michael<br>
><br>
</div></div>> _______________________________________________<br>
> pcap-ng-format mailing list<br>
> <a href="mailto:pcap-ng-format@winpcap.org">pcap-ng-format@winpcap.org</a><br>
> <a href="https://www.winpcap.org/mailman/listinfo/pcap-ng-format" rel="noreferrer" target="_blank">https://www.winpcap.org/mailman/listinfo/pcap-ng-format</a><br>
_______________________________________________<br>
pcap-ng-format mailing list<br>
<a href="mailto:pcap-ng-format@winpcap.org">pcap-ng-format@winpcap.org</a><br>
<a href="https://www.winpcap.org/mailman/listinfo/pcap-ng-format" rel="noreferrer" target="_blank">https://www.winpcap.org/mailman/listinfo/pcap-ng-format</a></blockquote></div><br></div></div>