From owner-freebsd-security@FreeBSD.ORG  Tue Jul 11 20:52:33 2006
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8A21716A4E6;
	Tue, 11 Jul 2006 20:52:33 +0000 (UTC) (envelope-from mike@sentex.net)
Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [64.7.153.18])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1568C43D58;
	Tue, 11 Jul 2006 20:51:56 +0000 (GMT) (envelope-from mike@sentex.net)
Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18])
	by smarthost1.sentex.ca (8.13.6/8.13.6) with ESMTP id k6BKpptv000477;
	Tue, 11 Jul 2006 16:51:51 -0400 (EDT) (envelope-from mike@sentex.net)
Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27])
	by lava.sentex.ca (8.13.3P/8.13.3) with ESMTP id k6BKptkk059706
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Tue, 11 Jul 2006 16:51:55 -0400 (EDT) (envelope-from mike@sentex.net)
Message-Id: <6.2.3.4.0.20060711164431.04bd00f8@64.7.153.2>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.3.4
Date: Tue, 11 Jul 2006 16:52:11 -0400
To: Ruslan Ermilov <ru@freebsd.org>
From: Mike Tancsa <mike@sentex.net>
In-Reply-To: <20060711203417.GJ56190@ip.net.ua>
References: <44B4010E.7010809@mac.com> <77121.1152648353@critter.freebsd.dk>
	<6.2.3.4.0.20060711161049.04bd37a0@64.7.153.2>
	<20060711203417.GJ56190@ip.net.ua>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Virus-Scanned: ClamAV version 0.88.3,
	clamav-milter version 0.88.3 on clamscanner3
X-Virus-Status: Clean
Cc: freebsd-security@freebsd.org, Poul-Henning Kamp <phk@phk.freebsd.dk>
Subject: Re: Integrity checking NANOBSD images
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jul 2006 20:52:33 -0000

At 04:34 PM 11/07/2006, Ruslan Ermilov wrote:
> > >
> > With respect to prepending a random salt to the image, can you expand
> > what you mean ?
> >
>It means that every time you want to checksum it, you send some
>random bits to be prepended to the image, then compute the
>checksum(s).  You then do the same (with the same salt) on a
>trusted host and compare the results.

OK, but that implies I have a copy of the image locally.  We do on 
occasion make modifications to the config in the field, and sending 
back a 512MB image over dialup would be difficult for this deployment.

         ---Mike