RFC 1244 Site Security Handbook July 1991

it was verified to be in an "integral" state. The value of
information integrity to a site will vary. For example, it is
more important for military and government installations to
prevent the "disclosure" of classified information, whether it is
right or wrong. A bank, on the other hand, is far more concerned
with whether the account information maintained for its customers
is complete and accurate.

Numerous computer system mechanisms, as well as procedural
controls, have an influence on the integrity of system
information. Traditional access control mechanisms maintain
controls over who can access system information. These mechanisms
alone are not sufficient in some cases to provide the degree of
integrity required. Some other mechanisms are briefly discussed
below.

It should be noted that there are other aspects to maintaining
system integrity besides these mechanisms, such as two-person
controls, and integrity validation procedures. These are beyond
the scope of this document.

3.9.4.1 Checksums

Easily the simplest mechanism, a simple checksum routine can
compute a value for a system file and compare it with the last
known value. If the two are equal, the file is probably
unchanged. If not, the file has been changed by some unknown
means.

Though it is the easiest to implement, the checksum scheme
suffers from a serious failing in that it is not very
sophisticated and a determined attacker could easily add enough
characters to the file to eventually obtain the correct value.

A specific type of checksum, called a CRC checksum, is
considerably more robust than a simple checksum. It is only
slightly more difficult to implement and provides a better
degree of catching errors. It too, however, suffers from the
possibility of compromise by an attacker.

Checksums may be used to detect the altering of information.
However, they do not actively guard against changes being made.
For this, other mechanisms such as access controls and
encryption should be used.
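
The comparison against a last known value described in this section, as an added example that is not part of the RFC: it records an additive checksum and a CRC-32 for each file, then audits a later state. The file names and contents are constructed sample data, and the 16-bit additive sum is an assumed form of the "simple checksum". A change that leaves the byte sum intact passes the simple check but is flagged by the CRC.

```python
import zlib

def simple_checksum(data: bytes) -> int:
    """Additive checksum: sum of all byte values, kept to 16 bits."""
    return sum(data) & 0xFFFF

def crc_checksum(data: bytes) -> int:
    """CRC-32 of the data, as computed by zlib."""
    return zlib.crc32(data) & 0xFFFFFFFF

def record_baseline(files):
    """Store the last known values for each file while it is trusted."""
    return {n: (simple_checksum(d), crc_checksum(d)) for n, d in files.items()}

def audit(files, baseline):
    """Compare current values with the baseline, per checksum type."""
    report = {}
    for name, (old_sum, old_crc) in sorted(baseline.items()):
        data = files.get(name)
        if data is None:
            # A baselined file that has disappeared is itself a finding.
            report[name] = {"sum": "missing", "crc": "missing"}
            continue
        report[name] = {
            "sum": "unchanged" if simple_checksum(data) == old_sum else "CHANGED",
            "crc": "unchanged" if crc_checksum(data) == old_crc else "CHANGED",
        }
    return report

# Constructed sample data (not from the RFC): three small "system files".
TRUSTED = {
    "limits.conf": b"max_logins=12\nidle_timeout=30\n",
    "motd": b"Authorized use only.\n",
    "hosts": b"10.0.0.1 gateway\n",
}
BASELINE = record_baseline(TRUSTED)

# Later state: one file has two digits transposed (same bytes, same sum),
# one has a single character altered, one is untouched.
CURRENT = {
    "limits.conf": b"max_logins=21\nidle_timeout=30\n",
    "motd": b"Authorized use Only.\n",
    "hosts": b"10.0.0.1 gateway\n",
}

if __name__ == "__main__":
    for name, status in audit(CURRENT, BASELINE).items():
        print(f"{name:12} sum={status['sum']:10} crc={status['crc']}")
```

The baseline is only as trustworthy as its storage: if it sits where the audited files sit, whoever can alter a file can alter its recorded value too.
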
Site Security Policy Handbook Working Group [Page 38]