Introducing: cryptopan for Argus

Carter Bullard carter at qosient.com
Fri Apr 10 16:06:30 EDT 2015


Hey DsP,
All is good.  I was just suggesting that if people wanted to
test before I distributed a release with your patch installed,
they can just grab your patch and give it a whirl.

I do not suggest another library, as that makes it complicated.

I’ll have to change a few things to conform to our way of things,
but I suspect that I won’t have to do much.

Thanks again !!!

Carter

> On Apr 10, 2015, at 4:00 PM, dsp <dsp at 2f30.org> wrote:
> 
> On Fri, Apr 10, 2015 at 12:45:11PM -0600, Carter Bullard wrote:
>> Hey Dsp,
>> Most excellent !!!  Very cool !!!
>> 
>> Just a few questions regarding integration … would you want this support
>> turned on automatically if the cryptopan libraries can be discovered
>> during the ./configure run ???
>> 
>> Do you expect cryptopan libraries to be installed system wide, or do you
>> expect users to download cryptopan into the local directory, like we 
>> see with flowtools libraries, etc… ??
>> 
>> It will take me a little time to integrate the changes into the official release.
>> With the patch and announcement in the mailing list, many can grab and test
>> before we get the next release out.
> Hello Carter! :) 
> I was actually thinking that you could integrate it in the argus-client codebase.
> It's just 4 files (rinjdael.{c, h} and cryptopan.{c, h}).
> 
> My intention was that it should be self-contained and people that want cryptopan to 
> avoid linking with openssl.
> 
> What you're suggesting, probably turning it into a libcryptopan that would be installed systemwide,
> is indeed sweet. i might be able to look into that, but it would mean i would have to get in
> touch with some linux distro pkg maintainers for them to incorporate it.
> This could take some time. Also the only interested parties for using that library would be
> argus, nfdump (which has their own implementation based on the gatech cpp implementation)
> and maybe tcpdump? so i don't know if it makes sense to provide a systemwide thing.
> 
> I will get in touch with these guys and see how it goes but until then it's your call 
> and your source. Do as you please :)
> 
> Thanks again!!!
> 
> cheers,
> DsP
>> 
>> If we release 3.0.8.1 in the short term, this may not make it, but it will be
>> in argus-clients-3.0.9, the next developers version, which will start officially
>> very soon !!!
>> 
>> Thanks for all the hard work, it's great to get these types of surprises !!!
>> Carter
>> 
>> 
>>> On Apr 10, 2015, at 1:42 AM, dsp <dsp at 2f30.org> wrote:
>>> 
>>> Hello list :)
>>> 
>>> Thanks for developing Argus, it is a tool that we extensively use in our lab (CSU netsec).
>>> This patch introduces cryptopan anonymization for ranonymize.
>>> cryptopan[1] is a prefix-preserving anonymization scheme for IPs found in traces.
>>> The implementation i'm providing is BSD licensed so anyone that wants to use it can do so.
>>> 
>>> some implementation notes:
>>> a) now you can run ranonymize -r infile -M cpankey:123456789012345678901234567890ab 
>>>    this will initialize cryptopan. cryptopan requires the key to be 32 bytes in length.
>>> b) for now i placed the cryptopan code under lib/ . it might not be the right place
>>> c) ranonymize (correct me if i'm wrong) was not anonymizing ipv6 addresses. in cryptopan mode
>>>    it does. (i would appreciate further testing in ipv6 traces)
>>> d) if no cpan key is provided then the standard anon logic is used.
>>> e) i also plan to provide support for deanonymizing a trace with knowledge of the correct key.
>>> f) cryptopan's repo is: http://git.netsec.colostate.edu/?p=cryptopan.git;a=summary
>>> h) i have tested this patch on Linux and OpenBSD. other supported platforms should be tested
>>> h1) i'm adding some -lpthread LDFLAGS. they allow cleaner building on OpenBSD and have no effect on linux
>>> h2) i really despise autotools so sorry for not conforming to it on cryptopan/.
>>> j) in cryptopan mode i'm measuring a 30% speed increase. this is expected since we don't hash.
>>> 
>>> Thanks so much to carter@ for answering all my silly questions and maintaining this great tool :)
>>> 
>>> attaching the patch instead of inlining cause it's quite huge.
>>> 
>>> [1]http://www.cc.gatech.edu/computing/Telecomm/projects/cryptopan/
>>> <arguspatch.txt>
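The prefix-preserving scheme dsp describes, worked through as an added example (this is not the patch's code nor the Crypto-PAn library): a 32-byte key in the cpankey shape, with HMAC-SHA256 standing in for the Rijndael block cipher the real implementation uses, so the prefix-preserving property, IPv6 handling and key-based deanonymization (points a, c and e above) can be checked. The key split (16 bytes for the PRF, 16 for the pad) and the KEY value are assumptions for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed 32-byte key in the shape ranonymize -M cpankey:<32 bytes> expects.
KEY = b"123456789012345678901234567890ab"


def _split_key(key):
    # Assumption: 16 bytes key the PRF, the other 16 form the 128-bit pad block.
    if len(key) != 32:
        raise ValueError("cryptopan key must be exactly 32 bytes")
    return key[:16], int.from_bytes(key[16:], "big")


def _prf_msb(prf_key, pad, addr, i, width):
    # Crypto-PAn block input: the pad with its top i bits replaced by the
    # address's first i bits. The real code runs it through Rijndael/AES;
    # HMAC-SHA256 stands in here (an assumption); the structure is unchanged.
    low = (1 << (128 - i)) - 1
    block = ((addr >> (width - i)) << (128 - i)) | (pad & low) if i else pad
    return hmac.new(prf_key, block.to_bytes(16, "big"), hashlib.sha256).digest()[0] >> 7


def anonymize(key, address):
    """Prefix-preserving anonymization of an IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(address)
    prf_key, pad = _split_key(key)
    width, a, out = ip.max_prefixlen, int(ip), 0
    for i in range(width):  # bit i is XORed with a PRF bit that depends on bits 0..i-1 only
        bit = (a >> (width - 1 - i)) & 1
        out = (out << 1) | (bit ^ _prf_msb(prf_key, pad, a, i, width))
    return str(type(ip)(out))


def deanonymize(key, address):
    """Invert anonymize() with the key: recover bits MSB-first, since each PRF
    input needs only the higher-order bits already recovered."""
    ip = ipaddress.ip_address(address)
    prf_key, pad = _split_key(key)
    width, b, a = ip.max_prefixlen, int(ip), 0
    for i in range(width):
        bit = (b >> (width - 1 - i)) & 1
        a |= (bit ^ _prf_msb(prf_key, pad, a, i, width)) << (width - 1 - i)
    return str(type(ip)(a))


def common_prefix_len(x, y):
    """Leading bits two same-family addresses share (preserved by anonymize)."""
    ix, iy = ipaddress.ip_address(x), ipaddress.ip_address(y)
    return ix.max_prefixlen - (int(ix) ^ int(iy)).bit_length()
```

Two addresses in the same /24 anonymize into the same (different) /24, and the first differing bit stays the first differing bit, which is what lets subnet structure survive in the anonymized trace.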
