Secure Audit Logs to Support Computer Forensics (Bruce Schneier & John Kelsey). Presented by Meredith Whibley, April 10, 2000.

Page 1:

Secure Audit Logs to Support Computer Forensics

Bruce Schneier & John Kelsey

Presented by: Meredith Whibley

April 10, 2000

Page 2:

Discussion Layout

Introduction to problem
Notation & Tools
Overview of Method
Additional Applications
How to use the audit log as a forensic tool
Summary
Further Recommendations

Page 3:

The problem

With the least amount of interaction with a trusted machine, T, we want to make the strongest security guarantees possible on U, an untrusted machine.

An attacker that takes over U at time t should not be able to alter or delete any log entry made before t without T knowing about the manipulation.

The system is intended only to detect break-ins, not to prevent them.

Page 4:

Possible Applications

If U is:
• An electronic wallet
• A computer that logs network activity
• An intrusion-detection system, logging the entry and exit of people onto a system
• A computer under the control of a marginally trusted person

Page 5:

Limits to the Protocol

We can only be assured of the security of log entries made before the compromise of the system.
• After that the attacker can write whatever he wants to the audit log.

The protocol is not needed if there is a secure, high-bandwidth channel between T and U.

Cannot prevent the deletion of entries; can only detect this deletion.

Page 6:

Notation for Protocol

ID_x: the identity of principal x

PKE_PKX(K): public-key encryption of K under X's public key

SIGN_SKx(Z): digital signature of Z under x's private key

E_K0(X): symmetric encryption of X under key K_0

MAC_K0(X): message authentication code of X under key K_0

hash(X): one-way hash of X

X, Y: concatenation of X and Y

Page 7:

Notation cont.

p, nonce: identifies application, protocol, version, and step; limits damaging protocol interaction.

T, trusted server
U, untrusted machine, where the log is kept
V, verifier machine, can review some of the logs but cannot change them

Page 8:

Assumptions About System

Two parties set up a secure connection
• using a protocol such as Diffie-Hellman
• Verifies identity to one another

U has long-term and short-term storage
• Long-term stores the audit log, any size.
• Can permanently delete info from short-term

U is able to generate strong pseudorandom values.

Initially, U shares a secret key with T

Page 9:

Security of System

Comes from four facts:
• The authentication key is hashed after each log entry, replacing the previous one. So, if an attacker got hold of the machine after a log was entered, he would be unable to retrieve even the most recent entry.
• Encryption key derived from authentication key
– Therefore, users cannot make changes to entries

Page 10:

Security of System, cont.

• Hash chain
– authenticates the values of all previous entries
• Each log entry contains its own permission mask
– Different partially trusted users are then able to access different entries based on type
– Unable to lie about type, since the encryption keys are derived from the type, so they would never match up.

Page 11:

Creating new log entry

D_j: data to be entered
W_j: Type of the log entry (permission mask)
A_j: authentication key
K_j: encryption key
Y_j: Hash chain
Z_j: MAC_Aj(Y_j)
L_j: The jth log entry
A_{j+1}: Incremental hash of A_j

Page 12:

Creating the logfile

Initially:
• U knows T's public key & has a certificate of her own public key from T

First, U creates:
• K_0: a random session key
• d: original timestamp
• d+: timeout timestamp
• ID_log: ID for this logfile
• C_u: U's certificate from T
• A_0: random starting point
• X_0: p, d, C_u, A_0

Page 13:

Creating new logfile cont.

Then U sends to T
• M_0 = p, ID_u, PKE_PKT(K_0), E_K0(X_0, SIGN_SKU(X_0))

First log entry is created on U with
• W_0 = LogfileInitializationType
• D_0 = d, d+, ID_log, M_0

T receives, creates X_1 = p, ID_log, hash(X_0), generates another session key, K_1, then sends:
• M_1 = p, ID_T, PKE_PKU(K_1), E_K1(X_1, SIGN_SKT(X_1))

Page 14:

Creating new logfile cont.

U receives and verifies M_1, then creates a new log entry:
• W_j = ResponseMessageType
• D_j = M_1

Also calculates A_1

If U doesn't receive M_1, or it is incorrect, U creates log entry:
• W_1 = AbnormalCloseType
• D_1 = current timestamp & reason for closing

Page 15:

Closing Logfile

Three steps:
• write final message:
– W_f = NormalCloseMessage
– D_f = timestamp
• Delete permanently A_f and K_f
• Physically close logfile

Page 16:

Verification of Entries

A machine, V, might need to verify or read some of the entries while still on U

Allowed if:
• U has sent M_1 to U
• V has a channel to and from U
• Can occur before T receives a copy from U and before U has closed the logfile.

Page 17:

Protocol for verification

V receives copy of audit log from U
Log must include M_1 entry
V verifies all entries in the hash chain
Secure connection established between T and V
V generates a list, Q[0..n], where Q_i = j, W_j
V sends to T:
• M_2 = p, ID_log, f, Y_f, Z_f, Q[0..n]

Page 18:

Protocol for Verification cont.

T verifies this request; if there is a problem, he records it

Else, T makes a list of responses to the requests, R[0..n]

T sends to V:
• M_3 = p, R[0..n]

V can now decrypt and read, but not change

Then the keys, sent by T, are deleted.
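The entry construction of page 11 and the V/T verification exchange of pages 17-18, as an added Python example (not code from these slides or from Schneier and Kelsey). The formulas Y_j = hash(Y_{j-1}, E_Kj(D_j), W_j), Z_j = MAC_Aj(Y_j), K_j = hash("Encryption Key", W_j, A_j) and A_{j+1} = hash("Increment Hash", A_j) follow the original paper; the rest is assumed: HMAC-SHA256 for the MAC, a toy XOR keystream for E_K, a permission mask modelled as the set of entry types V may read, and the p strings, IDs and log contents are constructed. The audit function returns the index of the first entry that fails, which is the "everything after a bad entry is suspect" rule of page 32.

```python
import hashlib
import hmac

def H(*parts: bytes) -> bytes:
    """hash(X, Y, ...): SHA-256 over length-prefixed parts (assumed encoding)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def MAC(key: bytes, msg: bytes) -> bytes:
    """MAC_K(X) as HMAC-SHA256 (assumed primitive)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def enc_key(w: bytes, a: bytes) -> bytes:
    """K_j = hash("Encryption Key", W_j, A_j): tied to both the type and A_j."""
    return H(b"Encryption Key", w, a)

def next_auth_key(a: bytes) -> bytes:
    """A_{j+1} = hash("Increment Hash", A_j): one-way, so A_j cannot be recovered."""
    return H(b"Increment Hash", a)

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy E_K(X): XOR with keystream blocks H(K, counter). Illustrative only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = H(key, i.to_bytes(4, "big"))
        out += bytes(x ^ k for x, k in zip(data[i:i + 32], block))
    return bytes(out)

class UntrustedLog:
    """Log kept on U. Short-term storage holds only the current A_j."""

    def __init__(self, a0: bytes):
        self.a = a0        # A_0 is shared with T at initialization
        self.y = b""       # Y_{-1}: empty start of the hash chain (assumed)
        self.entries = []  # L_j = (W_j, E_Kj(D_j), Y_j, Z_j)

    def append(self, w: bytes, d: bytes) -> None:
        k = enc_key(w, self.a)
        c = xor_stream(k, d)
        self.y = H(self.y, c, w)          # Y_j = hash(Y_{j-1}, E_Kj(D_j), W_j)
        z = MAC(self.a, self.y)           # Z_j = MAC_Aj(Y_j)
        self.entries.append((w, c, self.y, z))
        self.a = next_auth_key(self.a)    # the old A_j is now gone from U

def auth_key_at(a0: bytes, j: int) -> bytes:
    """T recomputes A_j from A_0 by hashing j times."""
    a = a0
    for _ in range(j):
        a = next_auth_key(a)
    return a

def audit(entries, a0=None):
    """Walk the chain. With A_0 (T's check) both Y_j and Z_j are verified;
    without it (all V can do) only the Y chain. Returns the index of the first
    failing entry, or None. Every entry after a failing index is suspect."""
    a, y = a0, b""
    for j, (w, c, y_j, z) in enumerate(entries):
        y = H(y, c, w)
        if y != y_j:
            return j
        if a is not None:
            if not hmac.compare_digest(MAC(a, y), z):
                return j
            a = next_auth_key(a)
    return None

def v_request(entries, id_log: bytes, wanted):
    """V forms M_2 = p, ID_log, f, Y_f, Z_f, Q[0..n] with Q_i = (j, W_j)."""
    f = len(entries) - 1
    q = [(j, entries[j][0]) for j in wanted]
    return (b"p:verify-request", id_log, f, entries[f][2], entries[f][3], q)

def t_respond(m2, a0: bytes, permitted_types):
    """T checks Z_f against A_f derived from A_0, then builds R[0..n]: K_j when
    V's permission mask covers W_j, otherwise None (an error response)."""
    _, _, f, y_f, z_f, q = m2
    if not hmac.compare_digest(MAC(auth_key_at(a0, f), y_f), z_f):
        return None                       # T records the problem instead
    r = [enc_key(w, auth_key_at(a0, j)) if w in permitted_types else None
         for j, w in q]
    return (b"p:verify-response", r)

def v_read(entries, m2, m3):
    """V decrypts the entries T released keys for; the keys are then discarded."""
    plain = {}
    for (j, w), k in zip(m2[5], m3[1]):
        if k is not None:
            plain[j] = xor_stream(k, entries[j][1])
    return plain

if __name__ == "__main__":
    A0 = b"constructed-A0-shared-with-T"   # A_0 is random in practice
    log = UntrustedLog(A0)
    log.append(b"LogfileInitializationType", b"d, d+, ID_log, M_0")
    log.append(b"DoorOpened", b"door 3 opened at 09:00")
    print("first bad entry:", audit(log.entries, A0))   # None: chain intact
```

Note what each party can and cannot check: V holds no A_j, so it can only confirm that the Y values chain together; T, holding A_0, additionally recomputes every A_j and Z_j, which is what catches an attacker who rewrote both a ciphertext and the Y values after it. T releases only the K_j for types in V's mask, and because K_j binds W_j, a key handed out for one type will not decrypt an entry whose type was relabelled.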

Page 19:

Abnormal Shutdowns

Hard to distinguish between a system that crashed and a system that was made to look like it crashed by an attacker

Therefore, an additional step was added to each log entry creation:
• An abnormal shutdown message is placed in nonvolatile storage with each log entry
• Then if a crash occurs this message is retrieved and placed in the logfile, else the message is deleted.

Page 20:

Cross-Linking Audit Logs

If several untrusted machines, Us, are running the same protocol they are able to cross-link their logs.

This method further reduces the likelihood of a compromised machine having its logfiles altered.
• Due to the fact that the file will be constantly committed to an uncompromised machine.

Page 21:

Cross-Linking Protocol

Conversation between two untrusted machines, U_0 and U_1:
• Create secure connection
• U_0 creates and enters a log entry
– W_j = CrossAuthenticationSend
– D_j = W_j, ID_U1, d_0
• U_0 sends to U_1:
• M_4 = p, Y_j, d_0

Page 22:

Cross-Linking Protocol cont.

U_1 receives M_4, verifies (using d_0), creates a log entry:
• W_i = CrossAuthenticationReceive
• D_i = W_i, ID_U0, d_0, Y_j
• U_1 sends back to U_0:
– M_5 = p, Y_i

Page 23:

Cross-Linking Protocol cont.

However, if U_1 doesn't agree with d_0, creates:
• W_i = CrossAuthenticationReceiveError
• D_i = W_i, ID_U0, d_0, d_1, Y_j
• Sends back to U_0:
– M_5 = p, Y_i, ErrorCode

Page 24:

Cross-Linking Protocol cont.

M_5 is received by U_0. If an error, U_0 writes:
• W_{j+1} = CrossAuthenticationReplyError
• D_{j+1} = W_{j+1}, ID_U1, ErrorCode

If not, U_0 writes:
• W_{j+1} = CrossAuthenticationReply
• D_{j+1} = W_{j+1}, ID_U1, Y_i
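The full M_4/M_5 exchange of pages 21-24, as an added Python example that is not code from these slides or from Schneier and Kelsey. To keep the lattice effect visible it uses a simplified chain Y_j = hash(Y_{j-1}, D_j, W_j) with no per-entry encryption or MAC; the message layouts and entry types follow the slides, while the p strings, the machine IDs, the clock-skew tolerance U_1 applies to d_0, the ErrorCode value and the `lattice_consistent` check run by a verifier holding both logs are assumptions.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    """hash(X, Y, ...): SHA-256 over length-prefixed parts (assumed encoding)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

CLOCK_TOLERANCE = 60  # seconds of skew U_1 accepts on d_0 (constructed policy)

class ChainLog:
    """Simplified log on one untrusted machine: entries (W_j, D_j, Y_j) with
    Y_j = hash(Y_{j-1}, D_j, W_j). Encryption and MACs are omitted here."""

    def __init__(self, ident: bytes):
        self.ident = ident
        self.entries = []
        self.y = b""

    def append(self, w: bytes, d: tuple) -> bytes:
        self.y = H(self.y, *d, w)
        self.entries.append((w, d, self.y))
        return self.y

def u0_send(u0: ChainLog, u1_id: bytes, d0: int):
    """U_0 logs CrossAuthenticationSend and sends M_4 = p, Y_j, d_0."""
    w = b"CrossAuthenticationSend"
    y_j = u0.append(w, (w, u1_id, str(d0).encode()))
    return (b"p:xlink-send", y_j, d0)

def u1_receive(u1: ChainLog, u0_id: bytes, m4, d1: int):
    """U_1 checks d_0 against its own clock d_1, logs the receive (or the
    error) and returns M_5 = p, Y_i or M_5 = p, Y_i, ErrorCode."""
    _, y_j, d0 = m4
    d0b, d1b = str(d0).encode(), str(d1).encode()
    if abs(d1 - d0) > CLOCK_TOLERANCE:
        w = b"CrossAuthenticationReceiveError"
        y_i = u1.append(w, (w, u0_id, d0b, d1b, y_j))
        return (b"p:xlink-reply", y_i, b"ErrorCode:timestamp-disagreement")
    w = b"CrossAuthenticationReceive"
    y_i = u1.append(w, (w, u0_id, d0b, y_j))
    return (b"p:xlink-reply", y_i)

def u0_reply(u0: ChainLog, u1_id: bytes, m5) -> bool:
    """U_0 records U_1's answer; True on a successful cross-link."""
    if len(m5) == 3:
        w = b"CrossAuthenticationReplyError"
        u0.append(w, (w, u1_id, m5[2]))
        return False
    w = b"CrossAuthenticationReply"
    u0.append(w, (w, u1_id, m5[1]))
    return True

def recompute_chain(log: ChainLog):
    """Rebuild every Y_j from the stored (W_j, D_j), ignoring the stored Y."""
    y, ys = b"", []
    for w, d, _ in log.entries:
        y = H(y, *d, w)
        ys.append(y)
    return ys

def lattice_consistent(u0: ChainLog, u1: ChainLog) -> bool:
    """Verifier holding both logs: each Y value one machine captured from the
    other (the last field of its D) must still occur in the other's chain."""
    ys0, ys1 = recompute_chain(u0), recompute_chain(u1)
    for w, d, _ in u1.entries:
        if w.startswith(b"CrossAuthenticationReceive") and d[-1] not in ys0:
            return False
    for w, d, _ in u0.entries:
        if w == b"CrossAuthenticationReply" and d[-1] not in ys1:
            return False
    return True

if __name__ == "__main__":
    u0, u1 = ChainLog(b"U0"), ChainLog(b"U1")
    u0.append(b"Event", (b"boot",))
    m5 = u1_receive(u1, b"U0", u0_send(u0, b"U1", 1000), 1010)
    print("linked:", u0_reply(u0, b"U1", m5), "consistent:", lattice_consistent(u0, u1))
```

The point of the check is the one page 25 makes: once U_1 has logged Y_j, any later rewrite of U_0's earlier entries changes every recomputed Y from that point on, so the Y_j committed in U_1's log no longer appears in U_0's chain and the alteration is visible even though U_0 itself was compromised.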

Page 25:

Benefits of Cross-Linking

It is extremely unlikely that all connected untrusted machines would be taken over at one time.

In the event that one machine was taken over, the hash lattice would allow the log entries to be reconstructed using the Y, or hash chain, sent to another U
• This can be done since T has A_0, which can be used to reengineer the log file

Each machine doesn't have to speak with T as frequently, as long as it is in contact with another U

Page 26:

Replacing T

T can be replaced with a network of Us

If U_0 is starting a log file, U_0 acts as the trusted machine. The protocol:
• A secure connection is established
• U_0 forms:
– d, d+, ID_log, A_0, ID_U0, ID_U1
– X_0 = p, ID_U0, ID_U1, d, ID_log, A_0
• Sends:
– M_0 = X_0

Page 27:

Replacing T cont.

U_0 forms first log entry:
• W_0 = LogfileInitializationType
• D_0 = d, d+, ID_log, M_0

U_1 verifies M_0 and creates:
• X_1 = p, ID_log, hash(X_0)

Then sends to U_0:
• M_1 = X_1

Page 28:

Replacing T cont.

U_0 receives correct M_1 and creates:
• W_j = ResponseMessageType
• D_j = M_1

If M_1 is wrong, creates:
• W_j = AbnormalCloseType
• D_j = timestamp & reason for closing

Page 29:

Potential Problems With This Method

U_1 may be compromised, thereby allowing all logs to be changed
• U_0 could keep parallel logfiles on different Us
• U_0 could commit to the number of entries in the logfile; therefore, U_1 could calculate A_N and K_0..N, and delete A_0. So entries couldn't be altered.

Page 30:

Potential Problems with this Method cont.

Can apply even more untrusted machines to the scheme to beef up security

Seems to work better for authenticating log entries, rather than protecting the data in the entries.

Good method for situations where the trusted machine isn't completely secure.

Page 31:

Using Log as A Forensic Tool

Audit Log must detect an intrusion
• opening of a door
• access of a normally secret file

If the intrusion is undetected in the logfile, this system does not work.

Someone must monitor the logfiles
• Can use software.

Page 32:

Using as a Forensic Tool

Two types of suspicious entry for this system:
• Valid entries that are suspect
• Invalid entries that show that the log has been tampered with (deletion of an entry)

All entries after a bad entry should be considered suspect.

Page 33:

Summary

System provides for only the DETECTION of an attack and evidence to use in a court of law.

Prevents attackers from being able to cover their tracks

Allows the victim of the attack to promptly respond to the attack

Page 34:

Summary cont.

The per-record encryption heightens security so that certain machines are able to access certain log entries (using permission masks)

Main limitation to the system: An attacker could take over a machine through an unlogged attack and make no changes to the log file, just observe.

Page 35:

Further Research

Develop specific protocols for a scheme using multiparty machines.

Further polish the network of untrusted machines replacing a trusted machine, so that an attacker is unable to determine the other machines he needs to compromise to remove all memory of the audit log.

Page 36:

Questions

?