INSTITUTE OF THEORETICAL COMPUTER SCIENCE

Secure Audit Logs with Verifiable Excerpts
March, 2nd 2016
Gunnar Hartung

KIT – University of the State of Baden-Wuerttemberg and National Laboratory of the Helmholtz Association
www.kit.edu


Outline

1 What is Secure Logging?

2 Secure Logging with Crypto

3 Excerpts

4 Security

(Seal Image Source: CC-0 by OpenIcons)

What is Secure Logging? Secure Logging with Crypto Excerpts Security

Gunnar Hartung – Secure Logging with Verifiable Excerpts 2/16


Introduction

What is Secure Logging?

Securing log files against retroactive modifications

Why care?
  • paramount for
    - system debugging/maintenance
    - intrusion detection
    - forensics after an intrusion
  • Attackers cover their traces by editing log files.
  • required/recommended by
    - DoD Orange Book [Lat85]
    - NIST Handbook on Computer Security [NIS95]
    - Common Criteria [CC12]


Why Excerpts?

[Figure: "sues" ($); "Bank shows log files".]

  • log files contain lots of confidential information
  • log files are very large and hard to analyze

Excerpts solve both problems!

Images: CC-0 by dagobert83, ClkerFreeVectorImages, mireyaqh, sheikh tuhin


Standard Approaches

  • WORM drives: standard drives with custom firmware
  • Crypto!

Images: CC-BY-2.0 by Till Dettmering, Public Domain via Wikipedia, Ocrho


Model

[Figure: timeline with Setup (pk, sk_1), the successive secret keys sk_1, sk_2, ..., sk_B, and the Break In.]

  • Attacker controls input to logging system
  • Old log entries shall remain verifiable

Images: CC-0 by OpenClipArtVectors, CC-BY-SA-4.0 International by www.elbpresse.de


Secure Logging with Crypto

  Log entry            No.   Signature   Key
  m_1                  1     σ_1         sk_1
  m_2                  2     σ_2         sk_1
  Switching to sk_2    3     σ_3         sk_1
  m_3                  4     σ_4         sk_2

[BY97], [SK98], [BY03], [Hol06] don’t fully prevent truncation.

(Fully preventing truncation is surprisingly hard. Solutions: [MT08], [YP09], [YPR12])

Goal here: Prevent truncation to epoch before break-in.


New Feature: Excerpts

Excerpts should be:
  • correct: all messages unchanged
  • complete: all relevant log entries present in excerpt

Which log entries are “relevant”?

Defined by application:
  • assign each log entry to ≥ 1 categories, identified by name ν
  • excerpts for ≥ 1 entire categories
  • “special” categories:
    - All: contains all log entries
    - EM: contains all epoch markers


Logging with Excerpts

  Category counters     Log entry                                                     Signature (key)
  All: 0, A: 0          m_1                                                           σ_1 (sk_1)
  All: 1, A: 1, B: 0    m_2                                                           σ_2 (sk_1)
  All: 2, B: 1          m_3                                                           σ_3 (sk_1)
  All: 3, EM: 0         Switching to sk_2. Counters: All: 3, A: 2, B: 2, EM: 0        σ_4 (sk_1)

Excerpt: H( ), Category “A”, σ_E (sk_2)


Security Experiment

[Figure: a challenger provides the oracles Append, Next Epoch, Excerpt and Break In, which operate on a shared state.]

Images: CC-0 by sheikh tuhin, barretr, tiothy, CC-BY-SA-4.0 International by www.elbpresse.de


Security Definition

Trivial Forgeries:
  • excerpts requested from A’s oracle
  • if A got sk_i: pure continuations of the log file state from the most recent epoch switch

Definition (Security, informal)
A logging scheme is secure if no PPT adversary has a non-negligible chance of outputting a valid and non-trivial forgery in the above experiment.


Proving Security

Theorem (Informal)
If the above scheme is based on an EUF-CMA-secure signature scheme with forward-security, then it is secure according to the previous definition.

Proof Technique:
  • show that the attacker must forge ≥ 1 signature if changing any information before the most recent epoch switch
  • copy that signature and output it as a forgery against the signature scheme
  ⟹ tight


Conclusion

  • Secure logging is important.
  • Secure logging is hard. Mostly because of truncation.
  • Excerpts can be useful.
  • Excerpts can be verified securely.


Thank you. Questions?

Contact: [email protected]
ID: B1A7 C146
Fingerprint: 4C39 AC36 6FAD 9E52 3144 8352 9E37 381F B1A7 C146
S/MIME Cert: at https://crypto.iti.kit.edu/?id=hartung&L=2


Backup Slides

  • Quotes on Secure Logging
  • Forward-Secure Signatures
  • Logging Schemes
  • Security Proof Sketch
  • References


Quotes on Secure Logging

“Audit data must be protected from modification and unauthorized destruction to permit detection and after-the-fact investigations of security violations.”
— [Lat85]

“It is particularly important to ensure the integrity of audit trail data against modification. [...] The audit trail files needs to be protected since, for example, intruders may try to ‘cover their tracks’ by modifying audit trail records.”
— [NIS95, Section 18.3.1]

“[A product] shall protect the stored audit records in the audit trail from unauthorised deletion. [A product] shall be able to prevent/detect unauthorised modifications to the stored audit records in the audit trail.”
— [CC12, Section 8.6].


Syntax of Forward-Secure Signatures

KeyGen(T): Create a key pair (sk_0, pk), where sk_0 is the initial secret key. (pk is constant for all epochs.) T is an upper bound on the number of epochs.

Update(sk_i): Compute sk_{i+1} from sk_i (if i < T − 1). sk_i is expected to be erased securely.

Sign(sk_i, m): Create a signature σ for m with key sk_i.

Verify(pk, i, m, σ): Check if m was signed in epoch i.

1^κ is implicit.


Security Experiment

for a scheme Σ_FS, an attacker A, and T ∈ poly(κ)

Setup: obtain (sk_0, pk) ← KeyGen(T), give pk, T to A.

Queries: A interacts with the challenger:
- may request signature σ for arbitrary messages m
- may force the challenger to update the secret key
- may obtain one secret key sk_i
  afterwards: no more queries allowed

Forgery: A outputs a message m*, signature σ* and epoch number i*.


Security Definition

Definition (Trivial Forgeries): A forgery is trivial iff:
- A requested a signature for m* during epoch i*, or
- A obtained the secret key for an epoch i ≤ i*.

Definition (Winning): A wins an instance of the experiment if it outputs a valid and non-trivial forgery.

Definition (Security): Σ_FS is secure if no PPT attacker A has non-negligible (in κ) chance to win.


Logging Schemes with Excerpts

KeyGen(T): Creates a key pair sk_0, pk.

Update(sk_i, M, σ): Compute sk_{i+1} from sk_i (if i < T − 1). sk_i is expected to be erased securely. M is the current overall log file, and σ is the corresponding signature for it.

AppendAndSign(sk_i, (m, N), M, σ): Creates a signature for the message m, which is inserted into the categories N.

Extract(sk_i, M, σ, N): Creates a signature for the excerpt for categories N of M.

Verify(pk, N, E, σ): Checks an excerpt E for completeness and correctness.


New Feature: Excerpts

Definition (Category): Let M (the log file) be a sequence of log entries (m_i, N_i). The category named ν is the subsequence C(ν, M) of M that contains all entries with ν ∈ N_i.

Definition (Excerpt): Let M (the log file) be a sequence of log entries. An excerpt for categories N = {ν_1, ..., ν_n} is the subsequence

E = ⋃_{ν ∈ N} C(ν, M),

where C(ν, M) is the category named ν. (For a proper adaptation of ∪ to sequences.)


Proving Security

Theorem (Informal): If the above scheme is based on an EUF-CMA-secure signature scheme with forward-security, then it is secure according to the previous definition.

Proof Technique:
- show that the attacker must forge ≥ 1 signature if changing any information before the most recent epoch switch
- copy that signature and output it as a forgery against the signature scheme
⟹ tight


Proof (Sketch)

Reduction:
- assume successful attacker A against logging scheme
- construct attacker B against Σ_FS
- show that B has non-negligible success probability

Emulation of the Experiment:
- B must emulate the logging security experiment for A.
- B plays the forward-secure unforgeability game against Σ_FS.


Reduction

A’s information:            | emulated by B through:
input: pk, T                | input: pk, T
signature (logging) oracle  | signature oracle
epoch switching             | epoch switching
breaking in                 | breaking in
excerpt oracle              | signatures for individual log entries + signature oracle

Left to Show: Any valid and non-trivial excerpt forgery contains a valid and non-trivial signature forgery.

Image: CC-BY-SA-3.0 Unported by Steschke, via Wikipedia


Forgeries

Case 1: i* < i_BreakIn epoch markers in excerpt E:
- signature on (N, E) valid for epoch i* < i_BreakIn.
- A never queried for a signature for E
  ⟹ B never queried for (N, E) (assuming proper encoding)
  ⟹ valid and non-trivial forgery on (N, E)

Case 2: ≥ i_BreakIn epoch markers in excerpt E:
⟹ changed the excerpt wrt. a previous epoch i* < i_BreakIn
- restrict the discussion to epochs before break-in


Forgeries

Assume for contradiction: All messages (including counters!) in forged excerpt were queried at signature oracle before.

Ensured by Verification:
- no messages from other categories
- no duplicates
- message order

⟹ forged excerpt is subsequence of “real” excerpt.
non-trivial ⟹ strict subsequence (⊊)

Verification checks for completeness ⟹ excerpt invalid
⟹ contradiction ⟹ A forged a signature
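The category and excerpt definitions together with the checks listed under “Ensured by Verification”, as an added Python example (not code from the talk or the paper). It assumes every entry in an excerpt is individually authentic, as in the contradiction assumption above; the `idx` and `ctr` fields, the authenticated per-category `counts`, and all function names are assumptions of this example, and signatures are left out.

```python
from typing import NamedTuple

class Entry(NamedTuple):
    idx: int          # assumed: position of the entry in the full log M
    msg: str          # m_i
    cats: frozenset   # N_i, the categories the entry was inserted into
    ctr: dict         # assumed: 1-based position of the entry inside each category

def append(log, counts, msg, cats):
    """Append (m, N) to M and number the entry within every category in N."""
    for nu in cats:
        counts[nu] = counts.get(nu, 0) + 1
    log.append(Entry(len(log), msg, frozenset(cats), {nu: counts[nu] for nu in cats}))

def category(nu, log):
    """C(nu, M): subsequence of M holding every entry with nu in N_i."""
    return [e for e in log if nu in e.cats]

def excerpt(cats, log):
    """E: union of C(nu, M) over nu in N, kept in log order, each entry once."""
    return [e for e in log if e.cats & set(cats)]

def check_excerpt(cats, exc, counts):
    """Structural checks on an excerpt whose entries are individually authentic.
    counts[nu] is the number of entries in category nu, assumed authenticated."""
    cats, last = set(cats), -1
    seen = {nu: 0 for nu in cats}
    for e in exc:
        hit = e.cats & cats
        if not hit:
            return "entry from other category"
        if e.idx <= last:
            return "duplicate or out of order"
        last = e.idx
        for nu in hit:
            if e.ctr[nu] != seen[nu] + 1:   # a gap in the category counter
                return "missing entry"
            seen[nu] = e.ctr[nu]
    if any(seen[nu] != counts.get(nu, 0) for nu in cats):
        return "incomplete excerpt"         # the tail of a category was cut off
    return "ok"

def sample_log():
    """Constructed sample log: four entries over three categories."""
    log, counts = [], {}
    for msg, cats in [("login alice", {"auth"}), ("fw drop", {"net"}),
                      ("sudo alice", {"auth", "priv"}), ("logout alice", {"auth"})]:
        append(log, counts, msg, cats)
    return log, counts
```

Dropping an entry from the middle of an excerpt leaves a counter gap, and cutting off the tail leaves the final counts unmatched, so any strict subsequence of the real excerpt is rejected.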


References I

Mihir Bellare and Bennet S. Yee, Forward integrity for secure audit logs, Tech. report, University of California at San Diego, 1997.

Mihir Bellare and Bennet Yee, Forward-security in private-key cryptography, Topics in Cryptology — CT-RSA 2003 (Marc Joye, ed.), Lecture Notes in Computer Science, vol. 2612, Springer Berlin Heidelberg, 2003, pp. 1–18 (English).

Common Criteria for Information Technology Security Evaluation, version 3.1 r4, part 2, September 2012, https://www.commoncriteriaportal.org/cc/.


References II

Jason E. Holt, Logcrypt: Forward security and public verification for secure audit logs, Proceedings of the 2006 Australasian Workshops on Grid Computing and e-Research – Volume 54 (Darlinghurst, Australia, Australia), ACSW Frontiers ’06, Australian Computer Society, Inc., 2006, pp. 203–211.

Donald C. Latham (ed.), Department of defense trusted computer system evaluation criteria, US Department of Defense, December 1985, http://csrc.nist.gov/publications/history/dod85.pdf.


References III

Di Ma and Gene Tsudik, A new approach to secure logging, Data and Applications Security XXII (Vijay Atluri, ed.), Lecture Notes in Computer Science, vol. 5094, Springer Berlin Heidelberg, 2008, pp. 48–63 (English).

An Introduction to Computer Security: The NIST handbook, October 1995, NIST Special Publication 800-12.

Bruce Schneier and John Kelsey, Cryptographic support for secure logs on untrusted machines, The Seventh USENIX Security Symposium Proceedings, 1998.

Attila A. Yavuz and Ning Peng, BAF: An efficient publicly verifiable secure audit logging scheme for distributed systems, Computer Security Applications Conference, 2009. ACSAC ’09. Annual, Dec 2009, pp. 219–228.


References IV

Attila A. Yavuz, Ning Peng, and Michael K. Reiter, Efficient, compromise resilient and append-only cryptographic schemes for secure audit logging, Financial Cryptography and Data Security (Angelos D. Keromytis, ed.), Lecture Notes in Computer Science, vol. 7397, Springer Berlin Heidelberg, 2012, pp. 148–163 (English).
