ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Secure audit logs to support computer forensics
Full text PdfPdf (126 KB)
Source ACM Transactions on Information and System Security (TISSEC) archive
Volume 2 ,  Issue 2  (May 1999) table of contents
Pages: 159 - 176  
Year of Publication: 1999
ISSN:1094-9224
Authors
Bruce Schneier  Counterpane Systems, Minneapolis, MN
John Kelsey  Counterpane Systems, Minneapolis, MN
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 35,   Downloads (12 Months): 263,   Citation Count: 28
Additional Information:

abstract   references   cited by   index terms   review   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/317087.317089
What is a DOI?

ABSTRACT

In many real-world applications, sensitive information must be kept it log files on an untrusted machine. In the event that an attacker captures this machine, we would like to guarantee that he will gain little or no information from the log files and to limit his ability to corrupt the log files. We describe a computationally cheap method for making all log entries generated prior to the logging machine's compromise impossible for the attacker to read, and also impossible to modify or destroy undetectably.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Ross J. Anderson , Roger M. Needham, Robustness Principles for Public Key Protocols, Proceedings of the 15th Annual International Cryptology Conference on Advances in Cryptology, p.236-247, August 27-31, 1995
 
2
ANDERSON, R. AND KUHN, M. 1996. Tamper resistance: A cautionary note. In Proceedings of the 2nd USENIX Workshop on Electronic Commerce (Nov.). USENIX Assoc., Berkeley, CA, 1-11.
 
3
Mihir Bellare , Ran Canetti , Hugo Krawczyk, Keying Hash Functions for Message Authentication, Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology, p.1-15, August 18-22, 1996
 
4
Whitfield Diffie , Paul C. Van Oorschot , Michael J. Wiener, Authentication and authenticated key exchanges, Designs, Codes and Cryptography, v.2 n.2, p.107-125, June 1992  [doi>10.1007/BF00124891]
 
5
Hans Dobbertin , Antoon Bosselaers , Bart Preneel, RIPEMD-160: A Strengthened Version of RIPEMD, Proceedings of the Third International Workshop on Fast Software Encryption, p.71-82, February 21-23, 1996
 
6
ELGAMAL, T. 1985. A public-key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theor. IT-31, 4, 469-472.
 
7
Stuart Haber , W. Scott Stornetta, How to Time-Stamp a Digital Document, Proceedings of the 10th Annual International Cryptology Conference on Advances in Cryptology, p.437-455, August 11-15, 1990
 
8
KELSEY, J. AND SCHNEIER, B. 1996. Authenticating outputs of computer software using a cryptographic coprocessor. In Proceedings of the 1996 CARDIS (Sept.). 11-24.
 
9
J. Kelsey , B. Schneier , C. Hall, An Authenticated Camera, Proceedings of the 12th Annual Computer Security Applications Conference, p.24, December 09-13, 1996
 
10
John Kelsey , Bruce Schneier , David Wagner, Protocol Interactions and the Chosen Protocol Attack, Proceedings of the 5th International Workshop on Security Protocols, p.91-104, April 07-09, 1997
 
11
LAI, X., MASSEY, J., AND MURPHY, S. 1991. Markov ciphers and differential crytanalysis. In Advances in Cryptology (CRYPTO '91). Springer-Verlag, New York, NY, 17-38.
 
12
MCCORMAC, J. 1996. European Scrambling Systems. Waterford University Press.
 
13
Alfred J. Menezes , Scott A. Vanstone , Paul C. Van Oorschot, Handbook of Applied Cryptography, CRC Press, Inc., Boca Raton, FL, 1996
 
14
NBS, 1977. NBS FIPS PUB 46, Data Encryption Standard. U.S. Department of Commerce.
 
15
NIST, 1993. NIST FIPS PUB 180, Secure Hash Standard. U.S. Department of Commerce.
 
16
NIST, 1994. NIST FIPS PUB 186, Digital Signature Standard. U.S. Department of Commerce.
17
Michael Reiter, Distributing trust with the Rampart toolkit, Communications of the ACM, v.39 n.4, p.71-74, April 1996  [doi>10.1145/227210.227228]
 
18
James Riordan , Bruce Schneier, Environmental Key Generation Towards Clueless Agents, Mobile Agents and Security, p.15-24, January 1998
19
R. L. Rivest , A. Shamir , L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, v.21 n.2, p.120-126, Feb. 1978  [doi>10.1145/359340.359342]
 
20
Bruce Schneier, Description of a New Variable-Length Key, 64-bit Block Cipher (Blowfish), Fast Software Encryption, Cambridge Security Workshop, p.191-204, December 09-11, 1993
 
21
Bruce Schneier, Applied cryptography (2nd ed.): protocols, algorithms, and source code in C, John Wiley & Sons, Inc., New York, NY, 1995
 
22
Bruce Schneier , John Kelsey, Automatic Event-Stream Notarization Using Digital Signatures, Proceedings of the International Workshop on Security Protocols, p.155-169, April 10-12, 1996
 
23
Bruce Schneier , John Kelsey, Remote auditing of software outputs using a trusted coprocessor, Future Generation Computer Systems, v.13 n.1, p.9-18, July 1997  [doi>10.1016/S0167-739X(97)00004-6]
 
24
SCHNEIER, B. AND KELSEY, J. 1998. Cryptographic support for secure logs on untrusted machines. In Proceedings of the 7th on USENIX Security Symposium (Jan.). USENIX Assoc., Berkeley, CA, 53-62.
 
25
SCHNEIER, B. AND KELSEY, J. 1999. Tamperproof audit logs as a forensics tool for intrusion detection systems. Comput. Networks ISDN Syst. 31.
 
26
Douglas R. Stinson, Cryptography: Theory and Practice, CRC Press, Inc., Boca Raton, FL, 1995
 
27
Clifford Stoll, The cuckoo's egg: tracking a spy through the maze of computer espionage, Doubleday, New York, NY, 1989
 
28
WILDING, E. 1997. Computer forensics: Trends and concerns. Inf. Sec. Bull. 2, 6 (Dec.), 15-18.

CITED BY  28
Brian Carrier , Clay Shields, The session token protocol for forensics and traceback, ACM Transactions on Information and System Security (TISSEC), v.7 n.3, p.333-362, August 2004
Randal Burns , Zachary Peterson , Giuseppe Ateniese , Stephen Bono, Verifiable audit trails for a versioning file system, Proceedings of the 2005 ACM workshop on Storage security and survivability, November 11-11, 2005, Fairfax, VA, USA
Sastry Duri , Jeffrey Elliott , Marco Gruteser , Xuan Liu , Paul Moskowitz , Ronald Perez , Moninder Singh , Jung-Mu Tang, Data protection and data sharing in telematics, Mobile Networks and Applications, v.9 n.6, p.693-701, December 2004
Matthew Bing , Carl Erickson, Extending UNIX System Logging with SHARP, Proceedings of the 14th USENIX conference on System administration, December 03-08, 2000, New Orleans, Louisiana
Florian P. Buchholz , Clay Shields, Providing process origin information to aid in computer forensic investigations, Journal of Computer Security, v.12 n.5, p.753-776, September 2004
Susan J. Chinburg , Ramesh Sharda , Mark Weiser, Establishing the business value of network security using analytical hierarchy process, Creating business value with information technology: challenges and solutions, Idea Group Publishing, Hershey, PA, 2003
Jason E. Holt, Logcrypt: forward security and public verification for secure audit logs, Proceedings of the 2006 Australasian workshops on Grid computing and e-research, p.203-211, January 16-19, 2006, Hobart, Tasmania, Australia
Bhavani Thuraisingham , Murat Kantarcioglu , Srinivasan Iyer, Extended RBAC-based design and implementation for a secure data warehouse, International Journal of Business Intelligence and Data Mining, v.2 n.4, p.367-382, December 2007
Aydan R. Yumerefendi , Jeffrey S. Chase, Trust but verify: accountability for network services, Proceedings of the 11th workshop on ACM SIGOPS European workshop: beyond the PC, p.37-es, September 19-22, 2004, Leuven, Belgium
Stefan Sackmann , Jens Strüker , Rafael Accorsi, Personalization in privacy-aware highly dynamic systems, Communications of the ACM, v.49 n.9, September 2006
Kyriacos Pavlou , Richard T. Snodgrass, Forensic analysis of database tampering, Proceedings of the 2006 ACM SIGMOD international conference on Management of data, June 27-29, 2006, Chicago, IL, USA
Adam G. Pennington , John D. Strunk , John Linwood Griffin , Craig A. N. Soules , Garth R. Goodson , Gregory R. Ganger, Storage-based intrusion detection: watching storage activity for suspicious behavior, Proceedings of the 12th conference on USENIX Security Symposium, p.10-10, August 04-08, 2003, Washington, DC
Florian P. Buchholz , Clay Shields, Providing Process Origin Information to Aid in Network Traceback, Proceedings of the General Track: 2002 USENIX Annual Technical Conference, p.261-274, June 10-15, 2002
Aydan R. Yumerefendi , Jeffrey S. Chase, Strong accountability for network storage, ACM Transactions on Storage (TOS), v.3 n.3, p.11-es, October 2007
Steena D. S. Monteiro , Robert F. Erbacher, An authentication and validation mechanism for analyzing syslogs forensically, ACM SIGOPS Operating Systems Review, v.42 n.3, April 2008
Richard T. Snodgrass , Shilong Stanley Yao , Christian Collberg, Tamper detection in audit logs, Proceedings of the Thirtieth international conference on Very large data bases, p.504-515, August 31-September 03, 2004, Toronto, Canada
Daniel Sandler , Kyle Derr , Dan S. Wallach, VoteBox: a tamper-evident, verifiable electronic voting system, Proceedings of the 17th conference on Security symposium, p.349-364, July 28-August 01, 2008, San Jose, CA
Thomas Ristenpart , Gabriel Maganis , Arvind Krishnamurthy , Tadayoshi Kohno, Privacy-preserving location tracking of lost or stolen devices: cryptographic techniques and replacing trusted third parties with DHTs, Proceedings of the 17th conference on Security symposium, p.275-290, July 28-August 01, 2008, San Jose, CA
Sean Peisert , Matt Bishop , Keith Marzullo, Computer forensics in forensis, ACM SIGOPS Operating Systems Review, v.42 n.3, April 2008
Di Ma, Practical forward secure sequential aggregate signatures, Proceedings of the 2008 ACM symposium on Information, computer and communications security, March 18-20, 2008, Tokyo, Japan
Luis F. G. Sarmenta , Marten van Dijk , Jonathan Rhodes , Srinivas Devadas, Offline count-limited certificates, Proceedings of the 2008 ACM symposium on Applied computing, March 16-20, 2008, Fortaleza, Ceara, Brazil
Michael Gormish , Greg Wolff , Kurt Piersol , Peter Hart, Document logs: a distributed approach to metadata for better security and flexibility, Proceeding of the eighth ACM symposium on Document engineering, September 16-19, 2008, Sao Paulo, Brazil
Sean Peisert , Matt Bishop , Sidney Karin , Keith Marzullo, Analysis of Computer Intrusions Using Sequences of Function Calls, IEEE Transactions on Dependable and Secure Computing, v.4 n.2, p.137-150, April 2007
Kyriacos E. Pavlou , Richard T. Snodgrass, Forensic analysis of database tampering, ACM Transactions on Database Systems (TODS), v.33 n.4, p.1-47, November 2008
Ragib Hasan , Radu Sion , Marianne Winslett, The case of the fake picasso: preventing history forgery with secure provenance, Proccedings of the 7th conference on File and stroage technologies, p.1-14, February 24-27, 2009, San Francisco, California
Bon K. Sy, Integrating intrusion alert information to aid forensic explanation: An analytical intrusion detection framework for distributive IDS, Information Fusion, v.10 n.4, p.325-341, October, 2009
Fabio Massacci , Gene Tsudik , Artsiom Yautsiukhin, Logging key assurance indicators in business processes, Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, March 10-12, 2009, Sydney, Australia
Di Ma , Gene Tsudik, A new approach to secure logging, ACM Transactions on Storage (TOS), v.5 n.1, p.1-21, March 2009

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS

Additional Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS


General Terms:
Security


Keywords:
audit logs, auditing, authenthication, computer forensics, hash chains, intrusion detection


REVIEW

"Jonathan K. Millen : Reviewer"

The scheme in this paper protects the integrity of an audit log against attempts by a dishonest user or intruder to read it or to delete or change it undetectably. The basic idea is to encrypt each entry with a different key chained to the pre  more...

Collaborative Colleagues:
Bruce Schneier: colleagues
John Kelsey: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player