Secure audit logs to support computer forensics

Published: 01 May 1999

Abstract

    In many real-world applications, sensitive information must be kept in log files on an untrusted machine. In the event that an attacker captures this machine, we would like to guarantee that he will gain little or no information from the log files and to limit his ability to corrupt the log files. We describe a computationally cheap method for making all log entries generated prior to the logging machine's compromise impossible for the attacker to read, and also impossible to modify or destroy undetectably.


    Cited By

    • (2024) A secure and efficient log storage and query framework based on blockchain. Computer Networks 252 (110683). doi:10.1016/j.comnet.2024.110683. Online publication date: Oct-2024
    • (2023) Electronic Evidence: A Framework for Applying Digital Forensics to Data Base. Journal of Forensic Accounting Research 8:1 (266-286). doi:10.2308/JFAR-2022-006. Online publication date: 20-Nov-2023
    • (2023) Forward Security with Crash Recovery for Secure Logs. ACM Transactions on Privacy and Security 27:1 (1-28). doi:10.1145/3631524. Online publication date: 3-Nov-2023

    Reviews

        Jonathan K. Millen

        The scheme in this paper protects the integrity of an audit log against attempts by a dishonest user or intruder to read it or to delete or change it undetectably. The basic idea is to encrypt each entry with a different key chained to the previous one by a one-way hash. An attacker may find the last key, but will not be able to reconstruct earlier ones. A separate trusted system is needed to record the starting key and the logfile opening and closing events, and a partially trusted verifier can check periodically for evidence of tampering. The advantages over periodically writing out the new entries to a safe location are that log storage is local, and the verifier can be given selective access to log entries. The scheme is complicated, with timestamps and several layered encryption and signature fields, and it takes secure communication with the trusted system as a given. The log entries have only a type field and two hashes in addition to the encrypted data; the complication is in the establishment and verification protocols and in the construction of the hashed fields. The authors explain most of the details in a way that bolsters confidence that they have thought of everything, if anyone can. Some extensions are suggested to handle abnormal shutdowns and distribution of trust.
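The mechanism the review summarizes (a per-entry key chained to the previous one by a one-way hash, so that an attacker who captures the current key learns nothing about earlier entries, plus a hash chain and MAC over each entry so that modification, deletion or truncation is detected) can be illustrated compactly. The block below is an added example written for this page; it is not code from the paper or its authors. It assumes SHA-256 as the one-way hash, HMAC-SHA-256 as the MAC, a SHA-256 counter keystream as a stand-in for the paper's symmetric cipher, and a verifier that obtained the starting key `A_0` out of band from the trusted machine; the entry types, key labels and log contents are constructed sample values.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed constants for this example (not values from the paper).
INITIAL_CHAIN = b"\x00" * 32   # Y_{-1}: hash-chain seed before the first entry
TYPE_CLOSE = b"close"           # entry type written when the log is closed normally


def H(*parts: bytes) -> bytes:
    """One-way hash over the concatenation of parts (SHA-256 assumed here)."""
    return hashlib.sha256(b"".join(parts)).digest()


def next_auth_key(a_j: bytes) -> bytes:
    """A_{j+1} = H("increment" || A_j): one-way, so A_j is not recoverable from A_{j+1}."""
    return H(b"increment-hash", a_j)


def entry_key(a_j: bytes, w_j: bytes) -> bytes:
    """K_j = H("encrypt" || W_j || A_j): per-entry encryption key bound to the entry type."""
    return H(b"encryption-key", w_j, a_j)


def xor_keystream(k: bytes, data: bytes) -> bytes:
    """Assumed stand-in for a real symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = H(k, i.to_bytes(4, "big"))
        out.extend(b ^ s for b, s in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass(frozen=True)
class Entry:
    w: bytes   # entry type, stored in the clear
    c: bytes   # encrypted entry data
    y: bytes   # hash-chain value Y_j = H(Y_{j-1} || C_j || W_j)
    z: bytes   # authenticator Z_j = MAC_{A_j}(Y_j)


class SecureLog:
    """Logging machine side: holds only the current key A_j, never earlier ones."""

    def __init__(self, a0: bytes):
        self.a = a0                    # A_0 is also registered with the trusted machine
        self.y_prev = INITIAL_CHAIN
        self.entries: list[Entry] = []
        self.closed = False

    def append(self, w: bytes, data: bytes) -> Entry:
        if self.closed:
            raise RuntimeError("log is closed")
        c = xor_keystream(entry_key(self.a, w), data)
        y = H(self.y_prev, c, w)
        z = hmac.new(self.a, y, hashlib.sha256).digest()
        e = Entry(w, c, y, z)
        self.entries.append(e)
        self.y_prev = y
        self.a = next_auth_key(self.a)  # irreversibly advance; the old key is discarded
        return e

    def close(self) -> Entry:
        e = self.append(TYPE_CLOSE, b"normal close")
        self.closed = True
        return e


def verify(entries: list, a0: bytes):
    """Verifier side: recompute the chain from A_0. Returns (ok, index of first bad entry)."""
    a, y_prev = a0, INITIAL_CHAIN
    for j, e in enumerate(entries):
        y = H(y_prev, e.c, e.w)
        z = hmac.new(a, y, hashlib.sha256).digest()
        if y != e.y or not hmac.compare_digest(z, e.z):
            return False, j            # modified, reordered or deleted entry
        y_prev, a = y, next_auth_key(a)
    if not entries or entries[-1].w != TYPE_CLOSE:
        return False, len(entries)     # no close entry: truncated or abnormal shutdown
    return True, None


def decrypt(entries: list, a0: bytes, allowed_types: set) -> list:
    """Selective disclosure: decrypt only entry types the verifier is permitted to read."""
    out, a = [], a0
    for e in entries:
        if e.w in allowed_types:
            out.append((e.w, xor_keystream(entry_key(a, e.w), e.c)))
        a = next_auth_key(a)
    return out


if __name__ == "__main__":
    a0 = bytes(range(32))              # constructed starting key
    log = SecureLog(a0)
    log.append(b"login", b"alice login ok")
    log.append(b"sudo", b"alice -> root")
    log.close()
    print("intact:", verify(log.entries, a0))
    print("truncated:", verify(log.entries[:-1], a0))
    print("attacker with current key only:", verify(log.entries, log.a))
```

Two properties are worth noting when running it: the attacker who captures the machine after the third entry holds `log.a`, which validates nothing earlier because the verifier starts from `A_0`; and dropping the trailing entry is caught only because the log records a closing event, which is why the review stresses that opening and closing events must be registered with the trusted system.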

        Published In
        ACM Transactions on Information and System Security  Volume 2, Issue 2
        May 1999
        91 pages
        ISSN:1094-9224
        EISSN:1557-7406
        DOI:10.1145/317087
        Editor: Ravi Sandhu

        Publisher

        Association for Computing Machinery

        New York, NY, United States


        Author Tags

        1. audit logs
        2. auditing
        3. authentication
        4. computer forensics
        5. hash chains
        6. intrusion detection
