Date: Tue, 11 Jul 2006 15:50:38 -0400 From: Chuck Swiger <cswiger@mac.com> To: Mike Tancsa <mike@sentex.net> Cc: freebsd-security@freebsd.org Subject: Re: Integrity checking NANOBSD images Message-ID: <44B4010E.7010809@mac.com> In-Reply-To: <6.2.3.4.0.20060711142809.04a6f8e0@64.7.153.2> References: <6.2.3.4.0.20060711142809.04a6f8e0@64.7.153.2>
next in thread | previous in thread | raw e-mail | index | archive | help
Mike Tancsa wrote: [ ... ] > # ssh remote1.example.com "/tmp/rand-directory/dd if=/dev/ad2s1a > bs=4096k | /tmp/rand-directory/sha256" > 120+1 records in > 120+1 records out > 505389056 bytes transferred in 169.727727 secs (2977646 bytes/sec) > 955ebad583bfc0718eb28ac89563941407294d5c61a0c0f35e3773f029cc0685 > > Can I be reasonably certain the image has not been tampered with ? Or > are there trivial ways to defeat this check ? Checksumming the device image is a fine way of checking the integrity of it, assuming it is read-only. The only thing you might want to do is use two or three checksum algorithms (ie, use sha256 and md5 and something else), so that someone can't create a new image which matches the sha256 checksum of the original. -- -Chuck
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44B4010E.7010809>