Secure Audit Logs to Secure Audit Logs to Support Computer Support Computer ForensicsForensics
Bruce Schneier & John KelseyBruce Schneier & John Kelsey
Presented by: Meredith Presented by: Meredith WhibleyWhibley
April 10, 2000April 10, 2000
Discussion LayoutDiscussion Layout
Introduction to problemIntroduction to problem Notation & ToolsNotation & Tools Overview of MethodOverview of Method Additional ApplicationsAdditional Applications How to use the audit log as a forensic How to use the audit log as a forensic
tooltool Summary Summary Further RecommendationsFurther Recommendations
The problemThe problem
With the least amount of interaction with a With the least amount of interaction with a trusted machine, trusted machine, TT, we want to make the , we want to make the strongest security guarantees possible onstrongest security guarantees possible on UU, an untrusted machine., an untrusted machine.
An attacker that takes over An attacker that takes over UU at time at time tt, , should not be able to alter or delete any log should not be able to alter or delete any log entry before entry before tt without without TT knowing about the knowing about the manipulation.manipulation.
The system is intended to only detect The system is intended to only detect break-ins, not to prevent them.break-ins, not to prevent them.
Possible ApplicationsPossible Applications
If If UU is: is:• An electronic walletAn electronic wallet• A computer that logs network activityA computer that logs network activity• An intrusion-detection system, An intrusion-detection system,
logging the entry and exit of people logging the entry and exit of people onto a system.onto a system.
• A computer under the control of a A computer under the control of a marginally trusted personmarginally trusted person
Limits to the ProtocolLimits to the Protocol We can only be assured of the We can only be assured of the
security of log entries made before security of log entries made before the compromise of the systemthe compromise of the system• After that the attacker can write After that the attacker can write
whatever he wants to the audit log.whatever he wants to the audit log. Protocol not needed if there is a Protocol not needed if there is a
secure, high-bandwidth channel secure, high-bandwidth channel between between TT and and UU..
Can not prevent the deletion of Can not prevent the deletion of entries, can only detect this deletion.entries, can only detect this deletion.
Notation for ProtocolNotation for Protocol
IDIDxx
PKEPKEPKPKXX (K) (K)
SIGNSIGNSKSKxx (Z) (Z)
EEKK00 (X) (X)
MACMACKK00 (X) (X)
hash (X)hash (X)
X, YX, Y
Notation cont.Notation cont.
p, nounce : identifies application, p, nounce : identifies application, protocol, version, and step, limits protocol, version, and step, limits damaging protocol interaction.damaging protocol interaction.
TT, trusted server, trusted server UU, untrusted machine, where log is , untrusted machine, where log is
keptkept VV, verifier machine, can review some , verifier machine, can review some
of the logs, but can not changeof the logs, but can not change
Assumptions About Assumptions About SystemSystem
Two parties set up a secure connectionTwo parties set up a secure connection• using a protocol such as Diffie-Hellmanusing a protocol such as Diffie-Hellman• Verifies identity to one anotherVerifies identity to one another
UU has long-term and short-term storage has long-term and short-term storage• Long-term stores the audit log, any size.Long-term stores the audit log, any size.• Can permanently delete info from short-termCan permanently delete info from short-term
UU is able to generate strong is able to generate strong pseudorandom values.pseudorandom values.
Initially, Initially, UU shares a secret key with shares a secret key with TT
Security of SystemSecurity of System
Comes from four facts:Comes from four facts:• The authentication key is hashed after each The authentication key is hashed after each
log entry, replacing the previous one. So, if log entry, replacing the previous one. So, if an attacker got hold of the machine after a an attacker got hold of the machine after a log was entered, he would be unable to log was entered, he would be unable to retrieve even the most recent entry.retrieve even the most recent entry.
• Encryption key derived from authentication Encryption key derived from authentication keykey– Therefore, users can not make changes to Therefore, users can not make changes to
entriesentries
Security of System, cont.Security of System, cont.
• Hash chainHash chain– authenticates the values of all previous authenticates the values of all previous
entriesentries
• Each log entry contains own permission Each log entry contains own permission maskmask– Different partially trusted users are then able Different partially trusted users are then able
to access different entries based on typeto access different entries based on type– Unable to lie about type, since the encryption Unable to lie about type, since the encryption
keys are derived from the type, so they would keys are derived from the type, so they would never match up.never match up.
Creating new log entryCreating new log entry DDjj: data to be entered: data to be entered
WWjj: Type of the log entry (permission mask): Type of the log entry (permission mask)
AAjj: authentication key: authentication key
KKjj: encryption key: encryption key
YYjj: Hash chain: Hash chain
ZZjj: MAC: MACAAjj (Y (Yjj))
LLjj: The j: The jthth log entry log entry
AAj+1j+1 : Incremental hash of A : Incremental hash of Ajj
Creating the logfileCreating the logfile Initially:Initially:
• UU knows knows TT’s public key& has a certificate of her own ’s public key& has a certificate of her own public key from public key from TT
First, First, UU creates: creates:• KK00: a random session key: a random session key
• d: original timestampd: original timestamp• dd++: timeout timestamp: timeout timestamp• IDIDloglog: ID for this logfile: ID for this logfile
• CCuu : : UU’s certificate from ’s certificate from TT
• AA00 : random starting point : random starting point
• XX00 : p, d, C : p, d, Cuu, A, A00
Creating new logfile cont.Creating new logfile cont.
Then Then UU sends to sends to TT• MM00 = p, ID = p, IDuu, PKE, PKEPKPKTT (K (K00), E), EKK00 (X (X00, SIGN, SIGNSKSKUU (X (X00))))
First log entry is created on First log entry is created on UU with with • WW00 = LogfileIntializationType = LogfileIntializationType
• DD00= d, d= d, d++, ID, IDloglog, M, M00
TT receives, creates X receives, creates X11 = p, ID = p, IDloglog, hash(X, hash(X00), ), generates another session key, Kgenerates another session key, K11, then , then sends:sends:• MM11 = p, ID = p, IDTT, PKE, PKEPKPKUU (K (K11), E), EKK11 (X (X11, SIGN, SIGNSKSKTT (X (X11)) ))
Creating new logfile cont.Creating new logfile cont.
UU receives and verifies M receives and verifies M11, then creates a , then creates a new log entry : new log entry : • WWjj = ResponseMessageType = ResponseMessageType
• DDjj = M = M11
Also, calculates AAlso, calculates A11
If If UU doesn’t receive M doesn’t receive M11, or it is incorrect, , or it is incorrect, UU creates log entry: creates log entry:• WW11 = AbnormalCloseType = AbnormalCloseType
• DD11 = current timestamp & reason for closing = current timestamp & reason for closing
Closing LogfileClosing Logfile
Three steps:Three steps:• write final message:write final message:
– WWf f = NormalCloseMessage= NormalCloseMessage
– DDff = timestamp = timestamp
• Delete permanently ADelete permanently Aff and K and Kff
• Physically close logfilePhysically close logfile
Verification of EntriesVerification of Entries
A machine, A machine, VV, might need to verify or , might need to verify or read some of the entries while still read some of the entries while still on on UU
Allowed if:Allowed if:• UU has sent M has sent M11 to to UU
• VV has a channel to and from has a channel to and from UU• Can occur before Can occur before TT receives a copy from receives a copy from
UU and before and before UU has closed the logfile. has closed the logfile.
Protocol for verificationProtocol for verification
VV receives copy of audit log from receives copy of audit log from Log must include MLog must include M11 entry entry VV verifies all entries in the hash chain verifies all entries in the hash chain Secure connection established btw. Secure connection established btw. TT and and
VV VV generates a list, Q[0..n], where Q generates a list, Q[0..n], where Qii = j, W = j, Wjj
VV sends to sends to TT::• MM22 = p, Id = p, Idloglog, f, Y, f, Yff, Z, Zff, Q[0..n], Q[0..n]
Protocol for Verification Protocol for Verification cont.cont.
TT verifies this request, if there is a verifies this request, if there is a problem, he records itproblem, he records it
Else, Else, TT makes a list of responses to the makes a list of responses to the requests, R[0..n]requests, R[0..n]
TT sends to sends to VV::• MM33 = p, R[0..n] = p, R[0..n]
VV can now decrypt and read, but not can now decrypt and read, but not changechange
Then the keys, sent by Then the keys, sent by TT, are deleted., are deleted.
Abnormal ShutdownsAbnormal Shutdowns Hard to distinguish between a system that Hard to distinguish between a system that
crashed and a system that was made to crashed and a system that was made to look like it crashed by an attackerlook like it crashed by an attacker
Therefore, an additional step was added Therefore, an additional step was added to each log entry creation:to each log entry creation:• An abnormal shutdown message is placed in An abnormal shutdown message is placed in
nonvolatile storage with each log entrynonvolatile storage with each log entry• Then if a crash occurs this message is Then if a crash occurs this message is
retrieved and placed in the logfile, else the retrieved and placed in the logfile, else the message is deleted.message is deleted.
Cross-Linking Audit LogsCross-Linking Audit Logs
If several untrusted machines, If several untrusted machines, UUs, are s, are running the same protocol they are running the same protocol they are able to cross-link their logs.able to cross-link their logs.
This method further reduces the This method further reduces the likelihood of a compromised machine likelihood of a compromised machine having it logfiles altered.having it logfiles altered.• Due to the fact that the file will be Due to the fact that the file will be
constantly committed to an constantly committed to an uncompromised machine.uncompromised machine.
Cross-Linking ProtocolCross-Linking Protocol
Conversation btw two untrusted Conversation btw two untrusted machines, machines, UU00 and and UU11::• Create secure connectionCreate secure connection• UU00 creates and enters a log entry creates and enters a log entry
– WWjj = CrossAuthenticationSend = CrossAuthenticationSend
– DDjj = W = Wjj, ID , ID UU11, d0, d0
• UU00 sends to sends to UU11 : :
• M4 = p, YM4 = p, Yjj, d0, d0
Cross-Linking Protocol Cross-Linking Protocol cont.cont.
UU11 receives M receives M44, verifies (using d, verifies (using d00), ), creates a log entry:creates a log entry:• WWii = CrossAuthenticationReceive = CrossAuthenticationReceive
• DDii = W = Wii, ID , ID UU00, d, d00, Y, Yjj
• UU11 sends back to sends back to UU00 : :– MM55 = p, Y = p, Yii
Cross-Linking Protocol Cross-Linking Protocol cont.cont.
However, if However, if UU11 doesn’t agree with doesn’t agree with dd00, creates:, creates:• WWii = CrossAuthenticationReceiveError = CrossAuthenticationReceiveError
• DDii = W = Wii, IDU0, d, IDU0, d00, d, d11, Y, Yjj
• Sends back to Sends back to UU00 : :– MM55 = p, Y = p, Yii, ErrorCode, ErrorCode
Cross-Linking Protocol Cross-Linking Protocol cont.cont.
MM55 is received by is received by UU00.. If an error, If an error, UU00 writes: writes:
• WWj+1j+1 = CrossAuthenticationReplyError = CrossAuthenticationReplyError
• DDj+1j+1 = W = Wj+1j+1, ID , ID UU11, ErrorCode, ErrorCode
If not, If not, UU00 writes: writes:• WWj+1j+1 = CrossAuthenticationReply = CrossAuthenticationReply
• DDj+1j+1 = W = Wj+1j+1, ID , ID UU11, Y, Yii
Benefits of Cross-LinkingBenefits of Cross-Linking It is extremely unlikely that all connected It is extremely unlikely that all connected
untrusted machines would be taken over at one untrusted machines would be taken over at one time.time.
In the even that one machine was taken over, In the even that one machine was taken over, the hash lattice would allow the log entries to be the hash lattice would allow the log entries to be reconstructed using the Y, or hash chain, sent to reconstructed using the Y, or hash chain, sent to another another UU• This can be done since This can be done since TT has A has A00, which can be used to , which can be used to
reengineer the log filereengineer the log file Each machine doesn’t have to speck with Each machine doesn’t have to speck with TT as as
frequently, as long as in contact with another frequently, as long as in contact with another UU
Replacing Replacing TT TT can be replace with a network of can be replace with a network of UUss If If UU00 is starting a log file, is starting a log file, UU00 acts as the acts as the
trusted machine.trusted machine. The protocol:The protocol:
• A secure connection is establishedA secure connection is established• UU00 forms: forms:
– d, d+, IDd, d+, IDloglog, A, A00, ID, IDUU00, ID, IDUU11
– XX00 = p, ID = p, IDUU00, ID, IDUU11, d, IDlog, A, d, IDlog, A00
• Sends:Sends:– MM00 = X = X00
Replacing Replacing TT cont. cont.
UU00 forms first log entry: forms first log entry:• WW00 = LogfileInitializationType = LogfileInitializationType
• DD00 = d, d = d, d++, ID, IDloglog, M, M00
U1 verifies MU1 verifies M00 and creates: and creates:• XX11 = p, Id = p, Idloglog, hash(X, hash(X00))
Then Sends to UThen Sends to U00::• MM11 = X = X11
Replacing Replacing TT cont. cont.
UU00 receives correct M receives correct M11 and creates: and creates:
• WWjj = ResponseMessageType = ResponseMessageType
• DDjj = M = M11
If MIf M11 is wrong, creates: is wrong, creates:
• WWjj = AbnormalCloseType = AbnormalCloseType
• DDjj = timestamp & reason for closing = timestamp & reason for closing
Potential Problems With Potential Problems With This MethodThis Method
UU11 may be compromised, thereby may be compromised, thereby allowing all logs to be changedallowing all logs to be changed• UU00 could keep parallel logfiles on could keep parallel logfiles on
different Usdifferent Us• UU00 could commit to the number of could commit to the number of
entries in the logfile, therefore, Uentries in the logfile, therefore, U11 could calculate Acould calculate ANN and K and K0..N0..N, and delete , and delete AA00. So entries couldn’t be altered.. So entries couldn’t be altered.
Potential Problems with Potential Problems with this Method cont.this Method cont.
Can apply even more untrusted Can apply even more untrusted machines to the scheme to beef up machines to the scheme to beef up securitysecurity
Seems to work better for authenticating Seems to work better for authenticating log entries, rather than protecting the log entries, rather than protecting the data in the entries.data in the entries.
Good method for situations where the Good method for situations where the trusted machine isn’t completely trusted machine isn’t completely secure.secure.
Using Log as A Forensic Using Log as A Forensic ToolTool
Audit Log must detect an intrusionAudit Log must detect an intrusion• opening of a dooropening of a door• access of a normally secret fileaccess of a normally secret file
If the intrusion is undetected in the If the intrusion is undetected in the logfile, this system does not work.logfile, this system does not work.
Someone must monitor the logfilesSomeone must monitor the logfiles• Can use software.Can use software.
Using as a Forensic ToolUsing as a Forensic Tool
Two types of suspicious entry for Two types of suspicious entry for this system:this system:• Valid entries that are suspectValid entries that are suspect• Invalid entries that show that the log Invalid entries that show that the log
has been tampered with (deletion of has been tampered with (deletion of an entry)an entry)
All entries after a bad entry should All entries after a bad entry should be considered suspect.be considered suspect.
SummarySummary
System provides for only the System provides for only the DETECTION of an attack and DETECTION of an attack and evidence to use in a court of law.evidence to use in a court of law.
Prevents attackers from being able Prevents attackers from being able to cover their tracksto cover their tracks
Allows the victim of the attack to Allows the victim of the attack to promptly respond to the attckpromptly respond to the attck
Summary cont.Summary cont.
The per-record encryption heightens The per-record encryption heightens security so that certain machines are security so that certain machines are able to access certain log entries able to access certain log entries (using permission masks)(using permission masks)
Main limitation to the system:Main limitation to the system: An attacker could take over a machine An attacker could take over a machine
through an unlogged attack and make through an unlogged attack and make no changes to the log file, just no changes to the log file, just observe.observe.
Further ResearchFurther Research
Develop specific protocols for a Develop specific protocols for a scheme using multiparty machines.scheme using multiparty machines.
Further polish the network of Further polish the network of untrusted machines replacing a untrusted machines replacing a trusted machine, so that an attacker trusted machine, so that an attacker unable to determine the other unable to determine the other machines he needs to compromise to machines he needs to compromise to remove all memory of the audit log.remove all memory of the audit log.
QuestionsQuestions
??
Top Related