Upload
others
View
5
Download
0
Embed Size (px)
Citation preview
INSTITUTE OF THEORETICAL COMPUTER SCIENCE
Secure Audit Logswith Verifiable ExcerptsMarch, 2nd 2016Gunnar Hartung
KIT – University of the State of Baden-Wuerttemberg andNational Laboratory of the Helmholtz Association
www.kit.edu
Outline
1 What is Secure Logging?
2 Secure Logging with Crypto
3 Excerpts
4 Security
(Seal Image Source: CC-0 by OpenIcons)
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 2/16
Introduction
What is Secure Logging?
Securing Log Files against retroactive modifications
Why care?paramount for system debugging/maintenanceintrusion detectionforensics after an intrusionAttackers cover their traces by editing log files.required/recommended by
DoD Orange Book [Lat85]NIST Handbook on Computer Security [NIS95]Common Criteria [CC12]
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 3/16
Introduction
What is Secure Logging?
Securing Log Files against retroactive modifications
Why care?paramount for system debugging/maintenanceintrusion detectionforensics after an intrusionAttackers cover their traces by editing log files.required/recommended by
DoD Orange Book [Lat85]NIST Handbook on Computer Security [NIS95]Common Criteria [CC12]
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 3/16
Why Excerpts?
$
sues
Bank shows
logfiles
log files contains lots of confidential informationvery large, hard to analyze
Excerpts solve both problems!
Images: CC-0 by dagobert83, ClkerFreeVectorImages, mireyaqh, sheikh tuhin
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 4/16
Why Excerpts?
$
sues
Bank shows
logfiles
log files contains lots of confidential informationvery large, hard to analyze
Excerpts solve both problems!
Images: CC-0 by dagobert83, ClkerFreeVectorImages, mireyaqh, sheikh tuhin
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 4/16
Why Excerpts?
$
sues
Bank shows
logfiles
log files contains lots of confidential informationvery large, hard to analyze
Excerpts solve both problems!
Images: CC-0 by dagobert83, ClkerFreeVectorImages, mireyaqh, sheikh tuhin
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 4/16
Why Excerpts?
$
sues
Bank
showslog
files
log files contains lots of confidential informationvery large, hard to analyze
Excerpts solve both problems!
Images: CC-0 by dagobert83, ClkerFreeVectorImages, mireyaqh, sheikh tuhin
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 4/16
Why Excerpts?
$
sues
Bank shows
logfiles
log files contains lots of confidential informationvery large, hard to analyze
Excerpts solve both problems!
Images: CC-0 by dagobert83, ClkerFreeVectorImages, mireyaqh, sheikh tuhin
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 4/16
Why Excerpts?
$
sues
Bank shows
logfiles
log files contains lots of confidential information
very large, hard to analyzeExcerpts solve both problems!
Images: CC-0 by dagobert83, ClkerFreeVectorImages, mireyaqh, sheikh tuhin
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 4/16
Why Excerpts?
$
sues
Bank shows
logfiles
log files contains lots of confidential informationvery large, hard to analyze
Excerpts solve both problems!
Images: CC-0 by dagobert83, ClkerFreeVectorImages, mireyaqh, sheikh tuhin
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 4/16
Why Excerpts?
$
sues
Bank shows
logfiles
log files contains lots of confidential informationvery large, hard to analyze
Excerpts solve both problems!Images: CC-0 by dagobert83, ClkerFreeVectorImages, mireyaqh, sheikh tuhin
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 4/16
Standard Approaches
WORM Drives:
Standard drives withcustom firmware
Images: CC-BY-2.0 by Till Dettmering, Public Domain via Wikipedia, Ocrho
Crypto!
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 5/16
Standard Approaches
WORM Drives:
Standard drives withcustom firmware
Images: CC-BY-2.0 by Till Dettmering, Public Domain via Wikipedia, Ocrho
Crypto!
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 5/16
Model
Time
Setuppk
sk
1
Break In
Attacker controls inputto logging system
Old log entries shallremain verifiable
skBsk2 · · ·
Images: CC-0 by OpenClipArtVectors, CC-BY-SA-4.0 International by www.elbpresse.de
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 6/16
Model
TimeSetuppk
sk
1
Break In
Attacker controls inputto logging system
Old log entries shallremain verifiable
skBsk2 · · ·
Images: CC-0 by OpenClipArtVectors, CC-BY-SA-4.0 International by www.elbpresse.de
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 6/16
Model
TimeSetuppk
sk
1
Break In
Attacker controls inputto logging system
Old log entries shallremain verifiable
skBsk2 · · ·
Images: CC-0 by OpenClipArtVectors, CC-BY-SA-4.0 International by www.elbpresse.de
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 6/16
Model
TimeSetuppk
sk
1
Break In
Attacker controls inputto logging system
Old log entries shallremain verifiable
skBsk2 · · ·
Images: CC-0 by OpenClipArtVectors, CC-BY-SA-4.0 International by www.elbpresse.de
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 6/16
Model
TimeSetuppk
sk
1
Break In
Attacker controls inputto logging system
Old log entries shallremain verifiable
skBsk2 · · ·
Images: CC-0 by OpenClipArtVectors, CC-BY-SA-4.0 International by www.elbpresse.de
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 6/16
Model
TimeSetuppk
sk1
Break In
Attacker controls inputto logging system
Old log entries shallremain verifiable
skBsk2 · · ·
Images: CC-0 by OpenClipArtVectors, CC-BY-SA-4.0 International by www.elbpresse.de
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 6/16
Model
TimeSetuppk
sk1
Break In
Attacker controls inputto logging system
Old log entries shallremain verifiable
skB
sk2 · · ·
Images: CC-0 by OpenClipArtVectors, CC-BY-SA-4.0 International by www.elbpresse.de
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 6/16
Secure Logging with Crypto
m1
m2
m3
σ1
σ2
σ3
(sk1)
(sk1)
(sk1)
1
2
3
m34 σ4 (sk2)
[BY97], [SK98], [BY03], [Hol06]
don’t fully prevent truncation.
(Fully preventing truncation is surprisingly hard.Solutions: [MT08], [YP09], [YPR12])
Goal here: Prevent truncation to epoch before break-in.
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 7/16
Secure Logging with Crypto
m1
m2
m3
σ1
σ2
σ3
(sk1)
(sk1)
(sk1)
1
2
3
m34 σ4 (sk2)
[BY97], [SK98], [BY03], [Hol06]
don’t fully prevent truncation.
(Fully preventing truncation is surprisingly hard.Solutions: [MT08], [YP09], [YPR12])
Goal here: Prevent truncation to epoch before break-in.
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 7/16
Secure Logging with Crypto
m1
m2
m3
σ1
σ2
σ3
(sk1)
(sk1)
(sk1)
1
2
3
m34 σ4 (sk2)
[BY97], [SK98], [BY03], [Hol06]
don’t fully prevent truncation.
(Fully preventing truncation is surprisingly hard.Solutions: [MT08], [YP09], [YPR12])
Goal here: Prevent truncation to epoch before break-in.
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 7/16
Secure Logging with Crypto
m1
m2
m3
σ1
σ2
σ3
(sk1)
(sk1)
(sk1)
1
2
3
m34 σ4 (sk2)
[BY97], [SK98], [BY03], [Hol06]
don’t fully prevent truncation.
(Fully preventing truncation is surprisingly hard.Solutions: [MT08], [YP09], [YPR12])
Goal here: Prevent truncation to epoch before break-in.
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 7/16
Secure Logging with Crypto
m1
m2
m3
σ1
σ2
σ3
(sk1)
(sk1)
(sk1)
1
2
3
m34 σ4 (sk2)
[BY97], [SK98], [BY03], [Hol06]
don’t fully prevent truncation.
(Fully preventing truncation is surprisingly hard.Solutions: [MT08], [YP09], [YPR12])
Goal here: Prevent truncation to epoch before break-in.
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 7/16
Secure Logging with Crypto
m1
m2
m3
σ1
σ2
σ3
(sk1)
(sk1)
(sk1)
1
2
3
m34 σ4 (sk2)
[BY97], [SK98], [BY03], [Hol06]don’t fully prevent truncation.
(Fully preventing truncation is surprisingly hard.Solutions: [MT08], [YP09], [YPR12])
Goal here: Prevent truncation to epoch before break-in.
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 7/16
Secure Logging with Crypto
m1
m2
Switching to sk2
σ1
σ2
σ3
(sk1)
(sk1)
(sk1)
1
2
3
m34 σ4 (sk2)
[BY97], [SK98], [BY03], [Hol06]don’t fully prevent truncation.
(Fully preventing truncation is surprisingly hard.Solutions: [MT08], [YP09], [YPR12])
Goal here: Prevent truncation to epoch before break-in.
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 7/16
Secure Logging with Crypto
m1
m2
Switching to sk2
σ1
σ2
σ3
(sk1)
(sk1)
(sk1)
1
2
3
m34 σ4 (sk2)
[BY97], [SK98], [BY03], [Hol06]don’t fully prevent truncation.
(Fully preventing truncation is surprisingly hard.Solutions: [MT08], [YP09], [YPR12])
Goal here: Prevent truncation to epoch before break-in.
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 7/16
Secure Logging with Crypto
m1
m2
Switching to sk2
σ1
σ2
σ3
(sk1)
(sk1)
(sk1)
1
2
3
m34 σ4 (sk2)
[BY97], [SK98], [BY03], [Hol06]don’t fully prevent truncation.
(Fully preventing truncation is surprisingly hard.Solutions: [MT08], [YP09], [YPR12])
Goal here: Prevent truncation to epoch before break-in.
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 7/16
Outline
1 What is Secure Logging?
2 Secure Logging with Crypto
3 Excerpts
4 Security
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 8/16
New Feature: Excerpts
Excerpts should be:correct: all messages unchangedcomplete: all relevant log entries present in excerpt
Which log entries are “relevant”?
Defined by application:assign each log entry to ≥ 1 categories, identified byname νexcerpts for ≥ 1 entire categories“special” categories:
All: contains all log entriesEM: contains all epoch markers
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 9/16
New Feature: Excerpts
Excerpts should be:correct: all messages unchangedcomplete: all relevant log entries present in excerpt
Which log entries are “relevant”?
Defined by application:assign each log entry to ≥ 1 categories, identified byname νexcerpts for ≥ 1 entire categories“special” categories:
All: contains all log entriesEM: contains all epoch markers
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 9/16
New Feature: Excerpts
Excerpts should be:correct: all messages unchangedcomplete: all relevant log entries present in excerpt
Which log entries are “relevant”?
Defined by application:assign each log entry to ≥ 1 categories, identified byname νexcerpts for ≥ 1 entire categories“special” categories:
All: contains all log entriesEM: contains all epoch markers
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 9/16
Logging with Excerpts
All: 0 A: 0 m1 σ1 (sk1)
All: 1 A: 1 B: 0 m2 σ2 (sk1)
All: 2 B: 1 m3 σ3 (sk1)
All: 3 EM: 0Switching to sk2. Counters:All: 3, A: 2, B: 2, EM: 0
σ4 (sk1)
ExcerptH( ), Category “A” σE (sk2)
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 10/16
Logging with Excerpts
All: 0 A: 0 m1 σ1 (sk1)
All: 1 A: 1 B: 0 m2 σ2 (sk1)
All: 2 B: 1 m3 σ3 (sk1)
All: 3 EM: 0Switching to sk2. Counters:All: 3, A: 2, B: 2, EM: 0
σ4 (sk1)
ExcerptH( ), Category “A” σE (sk2)
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 10/16
Logging with Excerpts
All: 0 A: 0 m1 σ1 (sk1)
All: 1 A: 1 B: 0 m2 σ2 (sk1)
All: 2 B: 1 m3 σ3 (sk1)
All: 3 EM: 0Switching to sk2. Counters:All: 3, A: 2, B: 2, EM: 0
σ4 (sk1)
ExcerptH( ), Category “A” σE (sk2)
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 10/16
Logging with Excerpts
All: 0 A: 0 m1 σ1 (sk1)
All: 1 A: 1 B: 0 m2 σ2 (sk1)
All: 2 B: 1 m3 σ3 (sk1)
All: 3 EM: 0Switching to sk2. Counters:All: 3, A: 2, B: 2, EM: 0
σ4 (sk1)
ExcerptH( ), Category “A” σE (sk2)
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 10/16
Logging with Excerpts
All: 0 A: 0 m1 σ1 (sk1)
All: 1 A: 1 B: 0 m2 σ2 (sk1)
All: 2 B: 1 m3 σ3 (sk1)
All: 3 EM: 0Switching to sk2. Counters:All: 3, A: 2, B: 2, EM: 0
σ4 (sk1)
ExcerptH( ), Category “A” σE (sk2)
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 10/16
Logging with Excerpts
All: 0 A: 0 m1 σ1 (sk1)
All: 1 A: 1 B: 0 m2 σ2 (sk1)
All: 2 B: 1 m3 σ3 (sk1)
All: 3 EM: 0Switching to sk2. Counters:All: 3, A: 2, B: 2, EM: 0
σ4 (sk1)
Excerpt
H( ), Category “A” σE (sk2)
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 10/16
Logging with Excerpts
All: 0 A: 0 m1 σ1 (sk1)
All: 1 A: 1 B: 0 m2 σ2 (sk1)
All: 2 B: 1 m3 σ3 (sk1)
All: 3 EM: 0Switching to sk2. Counters:All: 3, A: 2, B: 2, EM: 0
σ4 (sk1)
ExcerptH( ), Category “A”
σE (sk2)
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 10/16
Logging with Excerpts
All: 0 A: 0 m1 σ1 (sk1)
All: 1 A: 1 B: 0 m2 σ2 (sk1)
All: 2 B: 1 m3 σ3 (sk1)
All: 3 EM: 0Switching to sk2. Counters:All: 3, A: 2, B: 2, EM: 0
σ4 (sk1)
ExcerptH( ), Category “A” σE (sk2)
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 10/16
Outline
1 What is Secure Logging?
2 Secure Logging with Crypto
3 Excerpts
4 Security
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 11/16
Security Experiment
Oracles
Append
Next Epoch
Excerpt
Break In
Shared State
Challenger
Images: CC-0 by sheikh tuhin, barretr, tiothy, CC-BY-SA-4.0 International by www.elbpresse.de
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 12/16
Security Experiment
Oracles
Append
Next Epoch
Excerpt
Break In
Shared State
Challenger
Images: CC-0 by sheikh tuhin, barretr, tiothy, CC-BY-SA-4.0 International by www.elbpresse.de
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 12/16
Security Experiment
Oracles
Append
Next Epoch
Excerpt
Break In
Shared State
Challenger
Images: CC-0 by sheikh tuhin, barretr, tiothy, CC-BY-SA-4.0 International by www.elbpresse.de
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 12/16
Security Experiment
Oracles
Append
Next Epoch
Excerpt
Break In
Shared State
Challenger
Images: CC-0 by sheikh tuhin, barretr, tiothy, CC-BY-SA-4.0 International by www.elbpresse.de
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 12/16
Security Experiment
Oracles
Append
Next Epoch
Excerpt
Break In
Shared State
Challenger
Images: CC-0 by sheikh tuhin, barretr, tiothy, CC-BY-SA-4.0 International by www.elbpresse.de
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 12/16
Security Experiment
Oracles
Append
Next Epoch
Excerpt
Break In
Shared State
Challenger
Images: CC-0 by sheikh tuhin, barretr, tiothy, CC-BY-SA-4.0 International by www.elbpresse.de
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 12/16
Security Definition
Trivial Forgeries:excerpts requested from A’s oracleif A got ski : pure continuations of the log file state from themost recent epoch switch
Definition (Security, informal)A logging scheme is secure if no PPT adversary has anon-negligible chance of outputting a valid and non-trivialforgery in the above experiment.
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 13/16
Proving Security
Theorem (Informal)If the above scheme is based on an EUF-CMA-securesignature scheme with forward-security, then it is secureaccording to the previous definition.
Proof Technique:show that attacker must forge ≥ 1 signature if changingany information before last recent epoch switchcopy that signature and output it as a forgery against thesignature scheme=⇒ tight
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 14/16
Conclusion
Secure logging is important.Secure logging is hard. Mostly because of truncation.Excerpts can be useful.Excerpts can be verified securely.
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 15/16
Thank you.Questions?
Contact: [email protected] ID: B1A7 C146Fingerprint: 4C39 AC36 6FAD 9E52 3144
8352 9E37 381F B1A7 C146S/MIME Cert: athttps://crypto.iti.kit.edu/?id=hartung&L=2
What is Secure Logging? Secure Logging with Crypto Excerpts Security
Gunnar Hartung – Secure Logging with Verifiable Excerpts 16/16
Backup Slides
Quotes on Secure Logging Go
Forward-Secure Signatures Go
Logging Schemes Go
Security Proof Sketch Go
References Go
End Go
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 1/17
Quotes on Secure Logging
“Audit data must be protected from modification andunauthorized destruction to permit detection and after-the-factinvestigations of security violations.”— [Lat85]
“It is particularly important to ensure the integrity of audit traildata against modification. [...] The audit trail files needs to beprotected since, for example, intruders may try to ‘cover theirtracks’ by modifying audit trail records. ”— [NIS95, Section 18.3.1]
“[A product] shall protect the stored audit records in the audittrail from unauthorised deletion.[A product] shall be able to prevent/detect unauthorisedmodifications to the stored audit records in the audit trail.”— [CC12, Section 8.6].
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 2/17
Syntax of Forward-Secure Signatures
KeyGen(T ): Create a key pair (sk0,pk), where sk0 is the initialsecret key. (pk is constant for all epochs.) T is anupper bound on the number of epochs.
Update(ski): Compute ski+1 from ski . (If i < T − 1. ski isexpected to be erased securely.)
Sign(ski ,m): Create a signature σ for m with key ski .Verify(pk , i ,m, σ): Check if m was signed in epoch i .
1κ is implicit.
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 3/17
Security Experiment
for a scheme ΣFS, an attacker A, and T ∈ poly(κ)
Setup obtain (sk0,pk)← KeyGen(T ), give pk ,T to A.Queries A interacts with the challenger:
may request signature σ for arbitrarymessages mmay force the challenger to update the secretkeymay obtain one secret key ski
afterwards: no more queries allowed
Forgery A outputs a message m∗, signature σ∗ and epochnumber i∗.
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 4/17
Security Definition
Definition (Trivial Forgeries)A forgery is trivial iff:
A requested a signature for m∗ during epoch i∗ orA obtained the secret key for an epoch i ≤ i∗
Definition (Winning)A wins an instance of the experiment if it outputs a valid andnon-trivial forgery.
Definition (Security)ΣFS is secure if no PPT attacker A has non-negligible (in κ)chance to win.
Back
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 5/17
Logging Schemes with Excerpts
KeyGen(T ): creates key pair sk0,pk .Update(ski ,M, σ): compute ski+1 from ski . (If i < T − 1. ski is
expected to be erased securely.) M is the currentoverall logfile, and σ is the correspondingsignature for it.
AppendAndSign(ski , (m,N),M, σ): Creates a signature for themessage m, which is inserted into thecategories N.
Extract(ski ,M, σ,N): Creates a signature for the excerpt forcategories N of M.
Verify(pk ,N,E , σ): Checks an excerpt E for completeness andcorrectness.
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 6/17
New Feature: Excerpts
Definition (Category)Let M (the log file) be a sequence of log entries (mi ,Ni). Thecategory named ν is the subsequence C(ν,M) of M thatcontains all entries with ν ∈ Ni .
Definition (Excerpt)Let M (the log file) be a sequence of log entries. An excerpt forcategories N = {ν1, . . . , νn} is the subsequence
E =⋃ν∈N
C(ν,M) ,
where C(ν,M) is the category named ν.(For a proper adaptation of ∪ to sequences.)
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 7/17
Proving Security
Theorem (Informal)If the above scheme is based on an EUF-CMA-securesignature scheme with forward-security, then it is secureaccording to the previous definition.
Proof Technique:show that attacker must forge ≥ 1 signature if changingany information before last recent epoch switchcopy that signature and output it as a forgery against thesignature scheme=⇒ tight
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 9/17
Proof (Sketch)
Reduction:assume successful attacker A against logging schemeconstruct attacker B against ΣFS
show that B has non-negligible success probability
Emulation of the Experiment:B must emulate the logging security experiment for A.B plays the forward-secure unforgeability game againstΣFS.
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 10/17
Reduction
A’s information: emulated by B through:input: pk ,T input: pk ,T
signature (logging) oracle signature oracleepoch switching epoch switchingbreaking in breaking inexcerpt oracle signatures for individual log en-
tries + signature oracle
Left to Show:Any valid and non-trivial excerpt forgery contains a valid andnon-trivial signature forgery.
Image: CC-BY-SA-3.0 Unported by Steschke, via Wikipedia
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 11/17
Reduction
A’s information: emulated by B through:input: pk ,T input: pk ,Tsignature (logging) oracle signature oracle
epoch switching epoch switchingbreaking in breaking inexcerpt oracle signatures for individual log en-
tries + signature oracle
Left to Show:Any valid and non-trivial excerpt forgery contains a valid andnon-trivial signature forgery.
Image: CC-BY-SA-3.0 Unported by Steschke, via Wikipedia
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 11/17
Reduction
A’s information: emulated by B through:input: pk ,T input: pk ,Tsignature (logging) oracle signature oracleepoch switching epoch switching
breaking in breaking inexcerpt oracle signatures for individual log en-
tries + signature oracle
Left to Show:Any valid and non-trivial excerpt forgery contains a valid andnon-trivial signature forgery.
Image: CC-BY-SA-3.0 Unported by Steschke, via Wikipedia
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 11/17
Reduction
A’s information: emulated by B through:input: pk ,T input: pk ,Tsignature (logging) oracle signature oracleepoch switching epoch switchingbreaking in breaking in
excerpt oracle signatures for individual log en-tries + signature oracle
Left to Show:Any valid and non-trivial excerpt forgery contains a valid andnon-trivial signature forgery.
Image: CC-BY-SA-3.0 Unported by Steschke, via Wikipedia
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 11/17
Reduction
A’s information: emulated by B through:input: pk ,T input: pk ,Tsignature (logging) oracle signature oracleepoch switching epoch switchingbreaking in breaking inexcerpt oracle signatures for individual log en-
tries + signature oracle
Left to Show:Any valid and non-trivial excerpt forgery contains a valid andnon-trivial signature forgery.
Image: CC-BY-SA-3.0 Unported by Steschke, via Wikipedia
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 11/17
Reduction
A’s information: emulated by B through:input: pk ,T input: pk ,Tsignature (logging) oracle signature oracleepoch switching epoch switchingbreaking in breaking inexcerpt oracle signatures for individual log en-
tries + signature oracle
Left to Show:Any valid and non-trivial excerpt forgery contains a valid andnon-trivial signature forgery.
Image: CC-BY-SA-3.0 Unported by Steschke, via Wikipedia
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 11/17
Forgeries
Case 1: i∗ < iBreakIn epoch markers in excerpt E:signature on (N,E) valid for epoch i∗ < iBreakIn.A never queried for a signature for E=⇒ B never queried for (N,E)(assuming proper encoding)=⇒ valid and non-trivial forgery on (N,E)
Case 2: ≥ iBreakIn epoch markers in excerpt E:⇒ changed the excerpt wrt. a previous epoch i∗ < iBreakIn
restrict the discussion to epochs before break-in
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 12/17
Forgeries
Assume for contradiction:All messages (including counters!) in forged excerpt werequeried at signature oracle before.
Ensured by Verification:no messages from other categoriesno duplicatesmessage order
=⇒ forged excerpt is subsequence of “real” excerpt.non-trivial =⇒ strict subsequence (()
Verification checks for completeness =⇒ excerpt invalid=⇒ contradiction =⇒ A forged a signature
Back
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 13/17
References I
Mihir Bellare and Bennet S. Yee, Forward integrity forsecure audit logs, Tech. report, University of California atSan Diego, 1997.
Mihir Bellare and Bennet Yee, Forward-security inprivate-key cryptography, Topics in Cryptology — CT-RSA2003 (Marc Joye, ed.), Lecture Notes in Computer Science,vol. 2612, Springer Berlin Heidelberg, 2003, pp. 1–18(English).
Common Criteria for Information Technology SecurityEvaluation, version 3.1 r4, part 2, September 2012,https://www.commoncriteriaportal.org/cc/.
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 14/17
References II
Jason E. Holt, Logcrypt: Forward security and publicverification for secure audit logs, Proceedings of the 2006Australasian Workshops on Grid Computing ande-Research – Volume 54 (Darlinghurst, Australia,Australia), ACSW Frontiers ’06, Australian ComputerSociety, Inc., 2006, pp. 203–211.
Donald C. Latham (ed.), Department of defense trustedcomputer system evaluation criteria, US Department ofDefense, December 1985, http://csrc.nist.gov/publications/history/dod85.pdf.
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 15/17
References III
Di Ma and Gene Tsudik, A new approach to securelogging, Data and Applications Security XXII (Vijay Atluri,ed.), Lecture Notes in Computer Science, vol. 5094,Springer Berlin Heidelberg, 2008, pp. 48–63 (English).
An Introduction to Computer Security: The NIST handbook,October 1995, NIST Special Publication 800-12.
Bruce Schneier and John Kelsey, Cryptographic support forsecure logs on untrusted machines, The Seventh USENIXSecurity Symposium Proceedings, 1998.
Attila A. Yavuz and Ning Peng, BAF: An efficient publiclyverifiable secure audit logging scheme for distributedsystems, Computer Security Applications Conference,2009. ACSAC ’09. Annual, Dec 2009, pp. 219–228.
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 16/17
References IV
Attila A. Yavuz, Ning Peng, and Michael K. Reiter, Efficient,compromise resilient and append-only cryptographicschemes for secure audit logging, Financial Cryptographyand Data Security (Angelos D. Keromytis, ed.), LectureNotes in Computer Science, vol. 7397, Springer BerlinHeidelberg, 2012, pp. 148–163 (English).
Quotes on Secure Logging Forward-Secure Signatures Logging Schemes Security Proof Sketch References
Gunnar Hartung – Secure Logging with Verifiable Excerpts 17/17