[pcap-ng-format] Proposal for EPB Hash Option (1 of 4)
Michael Haney
michael-haney at utulsa.edu
Thu Aug 27 16:58:53 UTC 2015
On Thu, Aug 27, 2015 at 8:57 AM, Hadriel Kaplan <the.real.hadriel at gmail.com> wrote:
> Do you plan to *use* all of those algorithms?
>
> Because if not, I'd say cull them down to only what you plan to use.
> In fact, I'd suggest we get rid of the ones currently defined in the
> draft, but I'll send a separate email about that.
>
> Also, a small nit, but instead of saying "non-mutable fields" and to
> ignore the block type/length and options and all that - just say it
> covers "the Packet Data field only, not including padding".
>
>
It needs to be more than just the packet data. I think we need to be able
to include the timestamp, and at least the snaplen as well to get meta-data
information about the packet. Defense against replay attacks. In the
course of an investigation, it is just as important when a packet was sent
as what was in it.
But I don't want to kill the option of adding comments or changing the
order of options or other reasonable changes to break the hash tests.
"non-mutable" might not be the right language there. But if it's a
required field in the EPB, it should be required to include in the hash to
determine if it's been tampered with or not.
> -hadriel
>
>
> On Thu, Aug 27, 2015 at 2:15 AM, Michael Haney <michael-haney at utulsa.edu> wrote:
> > I'd like to propose the following to modify the Hash Option for the EPB:
> >
> > Name: epb_hash
> > Code: 3
> > Length: variable
> > Description:
> >
> > This option contains a hash or message digest of the Enhanced Packet Block
> > non-mutable fields. The first two bytes (16 bits) of the option value specify
> > the hashing algorithm. The second two bytes (16 bits) specify algorithm-
> > specific options. At bit offset 32, the actual hash value is contained, whose
> > size depends on the hashing algorithm. Note that the option length is the hash
> > value length + 32. If a hashing algorithm produces a message digest that is not
> > 32-bit aligned, the value should be padded with zeros. Hashing algorithm values
> > and options are shown in the table. Unless otherwise noted in an algorithm
> > option (i.e. any combination of 32 flags could be set to specify hash options)
> > the message digest will be taken of the body of the Enhanced Packet Block,
> > excluding the block header and footer and any options. This will allow the hash
> > of the original captured packet, including its timestamp and other fixed values,
> > and still allow for options to be added, removed, or reordered as the packet
> > block is processed.
> >
> > TABLE:
> > Algorithm        Code    Option  Digest Size  Option Length (bytes)
> > 2's comp.        0x0000  0x0000  packet size  pkt size + 4
> > XOR (LRC32)      0x0001  0x0000  4 bytes      0x0008
> > CRC32            0x0002  0x0000  4 bytes      0x0008
> > MD5              0x0003  0x0000  128-bit      0x0014
> > SHA-1            0x0004  0x0000  160-bit      0x0018
> > RIPEMD           0x0005  0x0000  160-bit      0x0018
> > SHA-2            0x0006  0x0001  224-bit      0x0020
> > SHA-2            0x0006  0x0002  256-bit      0x0024
> > SHA-2            0x0006  0x0003  384-bit      0x0034
> > SHA-2            0x0006  0x0004  512-bit      0x0044
> > Whirlpool        0x0007  0x0000  512-bit      0x0044
> > SHA-3            0x0008  0x0001  512-bit      0x0044
> > HMAC-MD5         0x0103  0x0000  128-bit      0x0044
> > HMAC-SHA-1       0x0104  0x0000  160-bit      0x0018
> > HMAC-SHA-2       0x0106  0x0001  224-bit      0x0020
> > HMAC-SHA-2       0x0106  0x0002  256-bit      0x0024
> > HMAC-Whirlpool   0x0107  0x0000  512-bit      0x0044
> > MAC-SHA-3        0x0108  0x0000  512-bit      0x0044
> >
> > <artwork>
> > / /
> > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > | epb_hash_code = 0x0003 | option length (var) = 0x0024 |
> > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > | Hash Algorithm = 0x0006 (SHA2)| Hash Alg Opts = 0x0002 (256b) |
> > +---------------------------------------------------------------+
> > / /
> > / /
> > / Hash value (variable e.g. 256-bits) /
> > / /
> > / /
> > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > / /
> > / Other Options (variable) /
> > / /
> > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > | end_of_options = 0x0000 | options_length = 0x0000 |
> > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > | Block Total Length |
> > +---------------------------------------------------------------+
> > </artwork>
> >
> > Regards,
> > Michael
> >
> > _______________________________________________
> > pcap-ng-format mailing list
> > pcap-ng-format at winpcap.org
> > https://www.winpcap.org/mailman/listinfo/pcap-ng-format
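As an added illustration of the proposed option layout and of the point made in the reply above (the digest must cover the timestamp and length fields, not just the packet bytes), the following Python is example code written for this page, not code from the pcap-ng project or from either poster. It encodes an epb_hash option for SHA-2/256 exactly as the diagram shows (code 3, length 0x0024, 16-bit algorithm, 16-bit options, 32-byte digest) and verifies it against the EPB body; the sample packet and timestamps are constructed, and it assumes the digest covers the four fixed fields plus the unpadded packet data.

```python
import hashlib
import hmac
import struct

# Codes taken from the proposal's table and diagram.
EPB_HASH_OPTION_CODE = 3
HASH_ALG_SHA2 = 0x0006
HASH_OPT_SHA2_256 = 0x0002

def epb_body(ts_high, ts_low, cap_len, orig_len, pkt):
    """Fields the proposal says the digest covers: the fixed EPB fields and the
    packet data, excluding block header/footer and options. Assumption: the
    packet-data padding is not hashed."""
    return struct.pack("<IIII", ts_high, ts_low, cap_len, orig_len) + pkt

def build_epb_hash_option(body):
    """Option TLV: code, length, algorithm, algorithm options, digest, then
    zero padding to a 32-bit boundary (digest is 32 bytes, so none here)."""
    digest = hashlib.sha256(body).digest()
    value = struct.pack("<HH", HASH_ALG_SHA2, HASH_OPT_SHA2_256) + digest
    pad = (-len(value)) % 4
    return struct.pack("<HH", EPB_HASH_OPTION_CODE, len(value)) + value + b"\0" * pad

def parse_epb_hash_option(opt):
    """Return (algorithm, algorithm options, digest) from an option TLV."""
    code, length = struct.unpack_from("<HH", opt, 0)
    if code != EPB_HASH_OPTION_CODE:
        raise ValueError("not an epb_hash option")
    alg, alg_opts = struct.unpack_from("<HH", opt, 4)
    if (alg, alg_opts) != (HASH_ALG_SHA2, HASH_OPT_SHA2_256):
        raise ValueError("unsupported hash algorithm/options")
    return alg, alg_opts, opt[8:4 + length]

def verify_epb_hash(opt, body):
    """Constant-time comparison of the stored digest with a fresh one."""
    _, _, stored = parse_epb_hash_option(opt)
    return hmac.compare_digest(stored, hashlib.sha256(body).digest())

# Constructed sample: a 14-byte Ethernet header and a made-up timestamp.
SAMPLE_PKT = bytes.fromhex("00112233445566778899aabbcc0800")[:14]
SAMPLE_TS_HIGH, SAMPLE_TS_LOW = 0x0005, 0x1A2B3C4D

def demo():
    """Returns (option, verify of original body, verify after timestamp edit)."""
    body = epb_body(SAMPLE_TS_HIGH, SAMPLE_TS_LOW, 14, 14, SAMPLE_PKT)
    opt = build_epb_hash_option(body)
    tampered = epb_body(SAMPLE_TS_HIGH, SAMPLE_TS_LOW + 1, 14, 14, SAMPLE_PKT)
    return opt, verify_epb_hash(opt, body), verify_epb_hash(opt, tampered)
```

Because the timestamp words are inside the hashed body, a replayed or re-timed copy of the same packet bytes fails verification, which is the tamper check the reply asks for.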