Introducing: cryptopan for Argus
dsp
dsp at 2f30.org
Fri Apr 10 16:00:51 EDT 2015
On Fri, Apr 10, 2015 at 12:45:11PM -0600, Carter Bullard wrote:
> Hey Dsp,
> Most excellent !!! Very cool !!!
>
> Just a few questions regarding integration … would you want this support
> turned on automatically if the cryptopan libraries can be discovered
> during the ./configure run ???
>
> Do you expect cryptopan libraries to be installed system wide, or do you
> expect users to download cryptopan into the local directory, like we
> see with flowtools libraries, etc… ??
>
> It will take me a little time to integrate the changes into the official release.
> With the patch and announcement in the mailing list, many can grab and test
> before we get the next release out.
Hello Carter! :)
I was actually thinking that you could integrate it in the argus-client codebase.
It's just 4 files (rinjdael.{c, h} and cryptopan.{c, h}).
My intention was that it should be self-contained and people that want cryptopan to
avoid linking with openssl.
What you're suggesting, probably turning it into a libcryptopan that would be installed systemwide,
is indeed sweet. I might be able to look into that, but it would mean I would have to get in
touch with some linux distro pkg maintainers for them to incorporate it.
This could take some time. Also the only interested parties for using that library would be
argus, nfdump (which has its own implementation based on the gatech cpp implementation)
and maybe tcpdump? So I don't know if it makes sense to provide a systemwide thing.
I will get in touch with these guys and see how it goes but until then it's your call
and your source. Do as you please :)
Thanks again!!!
cheers,
DsP
>
> If we release 3.0.8.1 in the short term, this may not make it, but it will be
> in argus-clients-3.0.9, the next developers version, which will start officially
> very soon !!!
>
> Thanks for all the hard work, its great to get these types of surprises !!!
> Carter
>
>
> > On Apr 10, 2015, at 1:42 AM, dsp <dsp at 2f30.org> wrote:
> >
> > Hello list :)
> >
> > Thanks for developing Argus, it is a tool that we extensively use in our lab (CSU netsec).
> > This patch introduces cryptopan anonymization for ranonymize.
> > cryptopan[1] is a prefix preserving anonymization scheme for IPs found in traces.
> > The implementation I'm providing is BSD licensed so anyone that wants to use it can do so.
> >
> > some implementation notes:
> > a) Now you can run ranonymize -r infile -M cpankey:123456789012345678901234567890ab
> > This will initialize cryptopan. cryptopan requires the key to be 32 bytes in length.
> > b) For now I placed the cryptopan code under lib/ . It might not be the right place.
> > c) ranonymize (correct me if I'm wrong) was not anonymizing ipv6 addresses. In cryptopan mode
> > it does. (I would appreciate further testing in ipv6 traces.)
> > d) If no cpan key is provided then the standard anon logic is used.
> > e) I also plan to provide support for deanonymizing a trace with knowledge of the correct key.
> > f) cryptopan's repo is: http://git.netsec.colostate.edu/?p=cryptopan.git;a=summary
> > h) I have tested this patch on Linux and OpenBSD. Other supported platforms should be tested.
> > h1) I'm adding some -lpthread LDFLAGS. They allow cleaner building on OpenBSD and have no effect on linux.
> > h2) I really despise autotools so sorry for not conforming to it on cryptopan/.
> > j) In cryptopan mode I'm measuring a 30% speed increase. This is expected since we don't hash.
> >
> > Thanks so much to carter@ for answering all my silly questions and maintaining this great tool :)
> >
> > Attaching the patch instead of inlining because it's quite huge.
> >
> > [1]http://www.cc.gatech.edu/computing/Telecomm/projects/cryptopan/
> > <arguspatch.txt>
>
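The prefix-preserving scheme behind the quoted announcement (notes a, c and e: a 32-byte key, IPv4 and IPv6 handling, and key-based deanonymization), as an added example that is not code from the patch or from the cryptopan library. It assumes HMAC-SHA256 in place of the AES/Rijndael PRF that Crypto-PAn specifies, so it has the same structure but is not byte-compatible with the library's output.

```python
# Prefix-preserving IP anonymization in the Crypto-PAn style, plus the inverse.
# Substitution (assumption): the cryptopan library in the patch uses AES/Rijndael
# as its keyed PRF; this example uses HMAC-SHA256 from the standard library so it
# runs with no extra dependencies. The structure is the same (output bit i depends
# only on the key and the first i input bits), but the output is NOT byte-compatible
# with the library's output for the same key.
import hashlib
import hmac
import ipaddress

# 32-byte key from the announcement's example command line (not a real secret).
KEY = b"123456789012345678901234567890ab"


def _prf_bit(key: bytes, prefix: int, i: int) -> int:
    """One PRF bit for the i-bit prefix `prefix` (i is mixed in so that an empty
    prefix and an all-zero prefix of length i are distinguished)."""
    msg = i.to_bytes(1, "big") + prefix.to_bytes(16, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[0] >> 7


def anonymize(ip: str, key: bytes = KEY) -> str:
    """Map an IPv4 or IPv6 address to a prefix-preserving pseudonym."""
    addr = ipaddress.ip_address(ip)
    n = addr.max_prefixlen            # 32 for IPv4, 128 for IPv6
    x, out = int(addr), 0
    for i in range(n):
        prefix = x >> (n - i)         # the first i bits of the real address
        bit = (x >> (n - 1 - i)) & 1
        out = (out << 1) | (bit ^ _prf_bit(key, prefix, i))
    return str(type(addr)(out))


def deanonymize(anon_ip: str, key: bytes = KEY) -> str:
    """Invert anonymize() with the key: bit i is recovered from the i bits already
    recovered, so the whole address comes back in one left-to-right pass."""
    addr = ipaddress.ip_address(anon_ip)
    n = addr.max_prefixlen
    y, x = int(addr), 0
    for i in range(n):
        ybit = (y >> (n - 1 - i)) & 1
        x = (x << 1) | (ybit ^ _prf_bit(key, x, i))
    return str(type(addr)(x))


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two addresses share (the quantity the scheme preserves)."""
    x, y = ipaddress.ip_address(a), ipaddress.ip_address(b)
    diff = int(x) ^ int(y)
    return x.max_prefixlen - diff.bit_length()
```

Two addresses that share a prefix of k bits anonymize to addresses sharing exactly k bits, which is what lets subnet structure survive in a trace while the addresses themselves do not.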