Building an Encrypted and Searchable Audit Log
11th Annual Network and Distributed Security Symposium (NDSS '04); 2004 February 5-6; San Diego; CA.
Presented by Yu-Sheng Chen
Outline
• Introduction: a searchable encrypted audit log
• Symmetric key based scheme
• Asymmetric key based scheme (New)
• Conclusion
An audit log
[Figure: a server's audit log with entries for Alice and Bob. The investigator searches for "delete" and receives Bob's entry (12:20 3/26/2005, Modify xxx.c, Delete xyz.dll).]
Introduction
• Audit logs are an important part of any secure system.
• Audit logs contain sensitive information → encrypt the audit logs.
• Difficulty:
  • An audit log should be searchable!
  • How do we construct a searchable encrypted audit logging system?
Traditional technique
• Just encrypt audit logs as usual.
• When searching for a keyword, we need to decrypt all of the log data.
• Disadvantages
  • Decrypting everything, regardless of what information one is looking for, opens opportunities for unintended access.
  • Requires the entity holding the decryption key to interactively process all the log data.
A good searchable encrypted log
• Should keep
  • Integrity
    • Prevent and detect tampering
  • Control access to contents
    • Only decrypt the data relevant to the investigator
  • Usefulness
    • Searchable
A searchable encrypted log: illustration
[Figure: the server holds an encrypted audit log of entries $\langle E_K(m), r, c_1, \dots, c_n \rangle$. The investigator sends a keyword $w$ to the audit escrow agent, receives the search capability $d_w$ for $w$, searches the log with $d_w$, and obtains the matching entries as the result.]
Symmetric key based scheme: Encrypt
Notation:
• $s$ is the secret key
• $H_K$ is a keyed pseudorandom function, e.g. HMAC-SHA1
• $E_K$ is a symmetric encryption function, e.g. AES
• flag is a constant bit string of length $l$, e.g. 1010101010
(Server) Encrypt the log entry $m$ along with keywords $w_1, w_2, \dots, w_n$:
• For each entry $\langle m, w_1, w_2, \dots, w_n \rangle$
  • choose a random symmetric encryption key $K$
  • compute $E_K(m)$
  • choose a random bit string $r$
  • For each keyword $w_i$
    • $a_i = H_s(w_i)$
    • $b_i = H_{a_i}(r)$
    • $c_i = b_i \oplus (\text{flag} \,|\, K)$
• The server saves $\langle E_K(m), r, c_1, c_2, \dots, c_n \rangle$ as the audit log entry.
Symmetric key based scheme: Search & Decrypt
• (Investigator) send keyword $w$ to the agent
• (Agent) compute $d_w = H_s(w)$ ($d_w$ is called a search capability for $w$) and give $d_w$ to the investigator.
• (Investigator) use $d_w$ to search:
  • For each log entry $\langle E_K(m), r, c_1, c_2, \dots, c_n \rangle$
    • $b_i' = H_{d_w}(r)$
    • For each encrypted keyword $c_i$
      • $b_i' \oplus c_i \stackrel{?}{=} (\text{flag} \,|\, ***)$
      • Yes → extract $K = ***$
      • $m = D_K(E_K(m))$ (recover)
Recall, encryption for $w_i$:
• $a_i = H_s(w_i)$
• $b_i = H_{a_i}(r)$
• $c_i = b_i \oplus (\text{flag} \,|\, K)$
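The encrypt and search steps of the symmetric scheme, end to end, as an added example that is not part of the original slides. It uses HMAC-SHA1 for $H$ as the slides suggest; the flag value, the key sizes, the sample entries and the `E` function (a SHAKE-256 keystream standing in for AES) are assumptions made so the block runs with the standard library only.

```python
import hashlib
import hmac
import secrets

# Constructed parameters: 4-byte flag + 16-byte K = 20 bytes, the HMAC-SHA1 output size.
FLAG = b"\xaa\xaa\xaa\xaa"

def H(key, data):
    """Keyed pseudorandom function H_key(data), here HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(K, m):
    """Stand-in for E_K and D_K (assumption, not AES): XOR with a SHAKE-256 keystream."""
    return xor(m, hashlib.shake_256(K).digest(len(m)))

def encrypt_entry(s, m, keywords):
    """Server: build <E_K(m), r, c_1..c_n> with c_i = H_{a_i}(r) XOR (flag|K)."""
    K, r = secrets.token_bytes(16), secrets.token_bytes(16)
    cs = [xor(H(H(s, w.encode()), r), FLAG + K) for w in keywords]
    return E(K, m), r, cs

def capability(s, w):
    """Agent: search capability d_w = H_s(w)."""
    return H(s, w.encode())

def search(log, d_w):
    """Investigator: decrypt only the entries that carry the keyword behind d_w."""
    hits = []
    for ct, r, cs in log:
        b = H(d_w, r)                      # b' = H_{d_w}(r), one PRF call per entry
        for c in cs:
            p = xor(b, c)                  # equals flag|K only if c was built from d_w
            if hmac.compare_digest(p[:len(FLAG)], FLAG):
                hits.append(E(p[len(FLAG):], ct))
                break
    return hits

# Constructed sample log, loosely mirroring the entries in the opening slide.
SECRET = secrets.token_bytes(32)
LOG = [
    encrypt_entry(SECRET, b"Alice: log in, modify xxx.c", ["alice", "login", "modify"]),
    encrypt_entry(SECRET, b"Bob: modify xxx.c, delete xyz.dll", ["bob", "modify", "delete"]),
]

if __name__ == "__main__":
    print(search(LOG, capability(SECRET, "delete")))
```

Note that `encrypt_entry` needs `s` itself, so the server holds the same secret the agent uses to issue capabilities.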
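Symmetric key based scheme: illustration
[Figure: the server (holding secret $s$) stores encrypted log entries $\langle E_K(m), r, c_1, \dots, c_n \rangle$, built for each keyword $w_i$ as $a_i = H_s(w_i)$, $b_i = H_{a_i}(r)$, $c_i = b_i \oplus (\text{flag} \,|\, K)$. The investigator sends keyword $w$ to the audit escrow agent (holding secret $s$), receives the search capability $d_w = H_s(w)$, and searches by computing $b_i' = H_{d_w}(r)$ and testing $c_i \oplus b_i' \stackrel{?}{=} (\text{flag} \,|\, ***)$.]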
Symmetric key based scheme: discussion
• An investigator receiving a search capability $d_w$ for a keyword $w$ learns no new information about the capability corresponding to any other keyword $w'$.
• Primary problem
  • If the adversary compromises $s$, he can create any search capability $d_w$.
Asymmetric key based scheme (based on IBE): IBE
• IBE (Identity-Based Encryption) [Boneh & Franklin 2003]
• Setup
Asymmetric key based scheme (based on IBE): IBE (continued)
• IBE (Identity-Based Encryption)
• IBE key generation
  • Any arbitrary string $w$ can be a public key
  • Private key $d_w = s H_1(w)$
• IBE encryption $\mathrm{IBE}_w(m)$
  • $Q_w = H_1(w)$
  • $g_w = e(Q_w, P_1)$
  • choose random $r$
  • $c = \langle rP_0,\ m \oplus H_2(g_w^r) \rangle = \langle U, V \rangle$
• IBE decryption $\mathrm{IBD}_{d_w}(c)$
  • $V \oplus H_2(e(d_w, U)) = m \oplus H_2(g_w^r) \oplus H_2(e(d_w, rP_0)) = m$
  • ∵ $e(d_w, rP_0) = e(sQ_w, rP_0) = e(Q_w, P_0)^{sr} = e(Q_w, sP_0)^r = g_w^r$
Asymmetric key based scheme (based on IBE)
• Encrypt
  • (Server) For each log entry $(m, w_1, w_2, \dots, w_n)$
    • choose a random symmetric encryption key $K$
    • encrypt $m$ using $K$: $E_K(m)$
    • For each keyword $w_i$
      • compute $c_i = \mathrm{IBE}_{w_i}(\text{flag} \,|\, K)$
    • The server saves $\langle E_K(m), c_1, \dots, c_n \rangle$ as the audit log entry
• Search & Decrypt
  • (Investigator) give $w$ to the agent
  • (Agent) compute $d_w = s H_1(w)$ and send $d_w$ back
  • (Investigator) For each audit log entry $\langle E_K(m), c_1, \dots, c_n \rangle$
    • For each $c_i$
      • $\mathrm{IBD}_{d_w}(c_i) \stackrel{?}{=} (\text{flag} \,|\, ***)$
      • Yes → extract $K = ***$
      • $m = D_K(E_K(m))$ (recover)
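Asymmetric key based scheme: illustration
[Figure: the server (no secret) stores encrypted log entries $\langle E_K(m), c_1, \dots, c_n \rangle$, built for each keyword $w_i$ as $c_i = \mathrm{IBE}_{w_i}(\text{flag} \,|\, K)$. The investigator sends keyword $w$ to the audit escrow agent (holding secret $s$), receives the search capability $d_w = s H_1(w)$, and searches by testing $\mathrm{IBD}_{d_w}(c_i) \stackrel{?}{=} (\text{flag} \,|\, ***)$.]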
Asymmetric key based scheme: discussion
• The server only stores the public parameters P; there are no secret keys for an attacker to steal.
• Disadvantage
  • Low performance, because the pairing and modular exponentiations must be computed for each keyword $w$.
Optimizations for the asymmetric scheme
When encrypting a log entry $(m, w_1, \dots, w_n)$:
• Pairing reuse
  • $g_w$ only needs to be computed once per keyword.
• Indexing
  • Buffer entries sent to the audit log.
• Randomness reuse
  • For each entry, use the same $r$ in the calculation of $c_1, c_2, \dots, c_n$.
  • In the decryption of $c_1, c_2, \dots, c_n$, only one pairing is needed for each distinct $r$ chosen.
Recall: $Q_w = H_1(w)$, $g_w = e(Q_w, P_1)$
• In the encryption: $c_i = \langle rP_0,\ (\text{flag} \,|\, K) \oplus H_2(g_w^r) \rangle = \langle U, V \rangle$
• In the decryption: $V \oplus H_2(e(d_w, U)) \stackrel{?}{=} (\text{flag} \,|\, ***)$
Conclusion
• A searchable encrypted audit log
• An asymmetric key based scheme
  • The server uses keywords as public keys to encrypt.
  • The investigator asks the audit escrow agent for "search capabilities" in order to search.
  • Advantage: the server does not store secrets.
  • Disadvantage: low performance
    • Optimization
The End