Improving Integrity Assurances of Log Entries From the Perspective of Intermittently Disconnected Devices

• Main Authors: Andersson, Marcus, Nilsson, Alexander
• Format: Others
• Language: English
• Published: Blekinge Tekniska Högskola, Institutionen för datalogi och datorsystemteknik 2014
• Subjects: Secure logging; forward security; TPM; digital signature; Computer Sciences; Datavetenskap (datalogi); Software Engineering; Programvaruteknik
• Online Access: http://urn.kb.se/resolve?urn=urn:nbn:se:bth-3994

It is common today in large corporate environments for system administrators to employ centralized systems for log collection and analysis. The log data can come from any device between smart-phones and large scale server clusters. During an investigation of a system failure or suspected intrusion these logs may contain vital information. However, the trustworthiness of this log data must be confirmed. The objective of this thesis is to evaluate the state of the art and provide practical solutions and suggestions in the field of secure logging. In this thesis we focus on solutions that do not require a persistent connection to a central log management system. To this end a prototype logging framework was developed including client, server and verification applications. The client employs different techniques of signing log entries. The focus of this thesis is to evaluate each signing technique from both a security and performance perspective. This thesis evaluates "Traditional RSA-signing", "Traditional Hash-chains"', "Itkis-Reyzin's asymmetric FSS scheme" and "RSA signing and tick-stamping with TPM", the latter being a novel technique developed by us. In our evaluations we recognized the inability of the evaluated techniques to detect so called `truncation-attacks', therefore a truncation detection module was also developed which can be used independent of and side-by-side with any signing technique. In this thesis we conclude that our novel Trusted Platform Module technique has the most to offer in terms of log security, however it does introduce a hardware dependency on the TPM. We have also shown that the truncation detection technique can be used to assure an external verifier of the number of log entries that has at least passed through the log client software.