Analysis and Evaluation of the Windows Event Log - Bill Buchanan
Barrie Codona, BSc (Hons) Network Computing, 2007
only used for encrypting small amounts of information; this is because of the large calculations that are involved.
Two prototype systems will be developed. The first uses asymmetric encryption to secure all communications between the client and server. The second uses symmetric encryption to encrypt the bulk of the communications but transfers the shared symmetric key using asymmetric encryption; this hybrid system should be faster, and it will be interesting to see whether the choice has any detrimental impact on the system.
To authenticate the messages, HMAC will be used. RFC 2104 (1997) describes HMAC as a mechanism for message authentication using cryptographic hash functions. Once the original event has been generated and has had its timestamp and user tags added, a HMAC tag (a keyed hash over the event contents) is computed for the event. This tag is then appended to the end of the event before it is sent to the Server, so that the Server can recompute the HMAC and detect any modification in transit. Figure 9 shows this.
[Figure 9 not reproduced in this extraction]
Figure 9: Client generated XML string
The previous diagram illustrated the event information before it has been passed through the HMAC process; Figure 10 below shows the same event after its HMAC tag has been computed and added.
[Figure 10 not reproduced in this extraction]
Figure 10: Client XML string with HMAC
Figure 11 shows the event information as received by the Data Archiving System, where it has also been time stamped on receipt. This is how the event will look when it is stored in the event log on the Data Archiving System.
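As an added worked example (this is not code from the dissertation or its prototype), the following Python script shows the tagging and verification flow described for Figures 9 to 11: the client adds timestamp and user tags to the event, computes a HMAC over the event fields and appends it as a further tag, and the Data Archiving System recomputes the HMAC over the fields it received, compares it in constant time, and only then adds its own receipt timestamp. The XML element names, the choice of SHA-256 as the hash, the sample event and the pre-shared key are all assumptions; the dissertation does not specify them.

```python
# Added example, not the dissertation's code: client-side HMAC tagging of an
# event record and server-side verification using only the standard library.
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Assumed pre-shared key. In the hybrid prototype described above this key
# would be delivered to the server under asymmetric encryption.
SHARED_KEY = b"example-shared-key-not-for-production"


def _canonical_bytes(event: ET.Element) -> bytes:
    """Serialise the event's child fields (excluding any <hmac> tag) in a fixed
    order so that client and server hash exactly the same bytes regardless of
    the order in which the fields appear in the XML."""
    fields = [(c.tag, c.text or "") for c in event if c.tag != "hmac"]
    fields.sort()
    return "\n".join(f"{tag}={text}" for tag, text in fields).encode("utf-8")


def compute_hmac(event: ET.Element, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 over the canonical field bytes, as a hex string."""
    return hmac.new(key, _canonical_bytes(event), hashlib.sha256).hexdigest()


def client_tag_event(event_xml: str, user: str, when=None) -> str:
    """Client side (Figures 9 and 10): add timestamp and user tags, then append
    the HMAC tag computed over everything that precedes it."""
    event = ET.fromstring(event_xml)
    ts = (when or datetime.now(timezone.utc)).isoformat()
    ET.SubElement(event, "timestamp").text = ts
    ET.SubElement(event, "user").text = user
    ET.SubElement(event, "hmac").text = compute_hmac(event)
    return ET.tostring(event, encoding="unicode")


def server_verify_and_archive(tagged_xml: str, received=None) -> tuple:
    """Server side (Figure 11): recompute the HMAC over the received fields,
    compare it in constant time with the claimed tag, and if it matches add
    the server's own receipt timestamp. Returns (ok, xml_to_store)."""
    event = ET.fromstring(tagged_xml)
    claimed = (event.findtext("hmac") or "").encode("utf-8")
    expected = compute_hmac(event).encode("utf-8")
    # compare_digest avoids leaking how many leading bytes matched via timing.
    if not hmac.compare_digest(claimed, expected):
        return False, tagged_xml
    stamp = (received or datetime.now(timezone.utc)).isoformat()
    ET.SubElement(event, "server_timestamp").text = stamp
    return True, ET.tostring(event, encoding="unicode")


# Constructed sample event for the demonstration (not from the dissertation).
SAMPLE_EVENT = (
    "<event><id>4624</id><source>Security</source>"
    "<message>Logon</message></event>"
)

if __name__ == "__main__":
    tagged = client_tag_event(SAMPLE_EVENT, "demo-user")
    ok, archived = server_verify_and_archive(tagged)
    print(ok, archived)
    # An event altered in transit fails verification and is not archived.
    forged = tagged.replace("Logon", "Logoff")
    print(server_verify_and_archive(forged)[0])
```

The canonical serialisation is the part that is easy to get wrong in practice: if the client hashes the raw XML string and the server re-serialises before hashing, whitespace or attribute ordering differences will cause valid events to be rejected, so both sides must hash the same defined byte sequence. The HMAC is computed before the server's own timestamp is added, which is consistent with Figure 11: the server timestamp records receipt and is outside the client's authenticated data.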