Efficient Data Structures For Tamper-Evident Logging

Many real-world applications wish to collect tamper-evident logs for forensic purposes. This paper considers the case of an untrusted logger, serving a number of clients who wish to store their events in the log, and kept honest by a number of auditors who will challenge the logger to prove its correct behavior. We propose semantics of tamper-evident logs in terms of this auditing process. The logger must be able to prove that individual logged events are still present, and that the log, as seen now, is consistent with how it was seen in the past. To accomplish this efficiently, we describe a tree-based data structure that can generate such proofs with logarithmic size and space, improving over previous linear constructions. Where a classic hash chain might require an 800 MB trace to prove that a randomly chosen event is in a log with 80 million events, our prototype returns a 3 KB proof with the same semantics. We also present a flexible mechanism for the log server to present authenticated and tamper-evident search results for all events matching a predicate. This can allow large-scale log servers to selectively delete old events, in an agreed-upon fashion, while generating efficient proofs that no inappropriate events were deleted. We describe a prototype implementation and measure its performance on an 80 million event syslog trace at 1,750 events per second using a single CPU core. Performance improves to 10,500 events per second if cryptographic signatures are offloaded, corresponding to 1.1 TB of logging throughput per week.
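The logarithmic membership proof described in the abstract can be illustrated with a plain Merkle tree over the event list. This is an added example, not the paper's history tree or its prototype: the function names, the SHA-256 choice, the leaf/interior prefixes and the power-of-two split rule are assumptions, and the events are constructed sample data.

```python
import hashlib

def _h(prefix: bytes, data: bytes) -> bytes:
    # Domain-separate leaves (0x00) from interior nodes (0x01) so an
    # interior hash can never be passed off as an event.
    return hashlib.sha256(prefix + data).digest()

def _split(n: int) -> int:
    # Largest power of two strictly less than n (requires n >= 2).
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def root(events):
    """Commitment to the whole log: the hash at the top of the tree."""
    if len(events) == 1:
        return _h(b"\x00", events[0])
    k = _split(len(events))
    return _h(b"\x01", root(events[:k]) + root(events[k:]))

def membership_proof(events, i):
    """Sibling hashes from leaf i up to the root, each tagged with its side."""
    if len(events) == 1:
        return []
    k = _split(len(events))
    if i < k:
        return membership_proof(events[:k], i) + [("R", root(events[k:]))]
    return membership_proof(events[k:], i - k) + [("L", root(events[:k]))]

def verify(event, proof, commitment):
    """Auditor side: rebuild the root from one event plus the sibling path."""
    node = _h(b"\x00", event)
    for side, sibling in proof:
        node = _h(b"\x01", sibling + node if side == "L" else node + sibling)
    return node == commitment

# Constructed sample log of 1,000 events (not data from the paper).
EVENTS = [f"constructed event {i}".encode() for i in range(1000)]

if __name__ == "__main__":
    commitment = root(EVENTS)
    proof = membership_proof(EVENTS, 123)
    # A hash chain would need every link between event 123 and the head;
    # the tree needs one sibling hash per level.
    print(len(proof), "hashes,", 32 * len(proof), "bytes")
    print("valid:", verify(EVENTS[123], proof, commitment))
```

An auditor who holds only the commitment can check any single event with the returned path; a logger that later alters or drops an event cannot produce a path that still hashes to the commitment the auditor saw.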
