Building an Encrypted and Searchable Audit Log 11th Annual Network and Distributed Security Symposium (NDSS '04); 2004 February 5-6; San Diego; CA. Presented by Yu-Sheng Chen

Outline Introduction-a searchable encrypted audit log Symmetric key based scheme Asymmetric key based scheme (New) Conclusion

An audit log Bob Server Modify xxx.c Delete xyz.dll Log in Bob 12:20 3/26/2005 Logs Investigator Alice 11:30 3/25/2005 Modify xxx.c Search “delete” 12:20 3/26/2005 Modify xxx.c Delete xyz.dll Bob

Introduction Audit logs are an important part of any secure system. Audit logs have sensitive information →encrypt audit logs Hardness: A audit log should be searchable! How to construct a searchable encrypted audit logging system?

Traditional technique Just encrypt audit logs as usual. When searching for a keyword, we need to decrypt all of the log data. Disadvantage Decrypting all regardless of what information one is looking for opens opportunities for unintended access. Require the entity with the decryption key to interactively process all the log data.

A good searchable encrypted log Should keep Integrity Prevent and detect tampering Control access to contents Only decrypt the relevant data to the investigator Usefulness searchable

A searchable encrypted log -illustration Server An Encrypted Audit Log Investigator dwdw w Search Keyword w Search capability d w for w Audit escrow Agent dwdw Search result

Symmetric key based scheme -Encrypt s is the secret key H K is a keyed pseudorandom functioneg: HMAC-SHA1 E K is a symmetric encryption functioneg: AES flag is a constant bit string of length l eg: (Server) encrypt the log entry m along with keywords w 1,w 2, …,w n For each entry choose a random symmetric encryption key K compute E K (m) choose a random bit string r For each keyword w i  a i =H s (w i )  b i =H a i (r)  c i =b i ⊕ (flag|K) The server saves as the audit log entry.

(Investigator) send keyword w to the agent (Agent) compute d w =H s (w) (d w is called a search capability for w) and give d w to the investigator. (Investigator) use d w to search: For each log entry (E K (m), r, c 1, c 2, …, c n ) b i ’=H d w (r) For each encrypted keyword c i  b i ’ ⊕ c i ?= (flag|***)  Yes → extract K=***  m = D K (E K (m)) Symmetric key based scheme -Search & Decrypt Encrypt for w i a i =H s (w i ) b i =H a i (r) c i =b i ⊕ (flag|K) recover

Symmetric key based scheme -illustration Server secret s dwdw w Search capability for w d w =H s (w) Audit escrow Agent secret s dwdw Encrypt for w i a i =H s (w i ) b i =H a i (r) c i =b i ⊕ (flag|K) Search b i ‘=H d w (r) c i ⊕ b i ‘ ?= (flag|***) An Encrypted Logs result Investigator Search Keyword w

Symmetric key based scheme -discuss An investigator receiving a search capability d w for a keyword w learns no new information about the capability corresponding to any other keyword w’. Primary problem If the adversary compromises s, he can create any search capability d w

Asymmetric key based scheme -base on IBE……….IBE IBE ( Identity-Based Encryption ) [2003Boneh&Franklin] Setup

Asymmetric key based scheme -base on IBE……….IBE (continue) IBE ( Identity-Based Encryption ) IBE Key Generation Any arbitrary string w can be a public key Private key d w = s H 1 (w) IBE encryptionIBE w (m) Q W =H 1 (w) g w =e(Q w,P 1 ) choose random r c = = IBE decryptionIBD dw (c) V ⊕ H 2 (e(d w,U)) = m ⊕ H 2 (g w r ) ⊕ H 2 (e(d w, rP 0 )) = m ∵ e(d w,rP 0 ) = e(sQ w,rP 0 ) = e(Q w,P 0 ) sr = e(Q w,sP 0 ) r = g w r

Asymmetric key based scheme -base on IBE Encrypt (Server) For each log entry ( m, w 1, w 2, …, w n ) choose a random symmetric encryption key K encrypt m using K ： E K (m) For each keyword w i  compute c i = IBE w i (flag|K) The server saves as the audit log entry Search & Decrypt (Investigator) give w to Agent (Agent) compute d w = s H 1 (w) and send d w back (Investigator) For each audit log entry For each c i  IBD d w (c i ) ?= (flag|***)  Yes → extract K=***  m = D K (E K (m)) recover

Asymmetric key based scheme -illustration Server No secret dwdw w Search capability for w d w = s H 1 (w) Audit escrow Agent secret s dwdw Encrypt for w i c i = IBE w i (flag|K) Search IBD d w (c i ) ?= (flag|***) An Encrypted Logs result Investigator Search Keyword w

Asymmetric key based scheme -discuss Server only stores public parameters P, there are no secret keys for an attacker to steal. Disadvantage Low performance ∵ Computations of the pairing and modular exponentiations for each keyword w

Optimizations for the asymmetric scheme When encrypting a log entry (m, w 1, …, w n ) Pairing reuse g w only needs to be performed once per keyword. Indexing Buffer entries sent to the audit log. Randomness reuse For each entry, use the same r in calculation of c 1, c 2, …, c n In the decryption of c 1, c 2, …, c n, only one pairing is needed for each distinct r chosen. Q w =H 1 (w) g w =e(Q w,P 1 ) In the encryption… c i = = In the decryption… V ⊕ H 2 (e(d w,U)) ?= (flag|***)

Optimization result

Conclusion A searchable encrypted audit log A asymmetric key based scheme Server uses keywords as public key to encrypt. Investigator asks the audit escrow agent “search capabilities” to do search. Advantage: Server does not store secrets. Disadvantage: Low performance Optimization The End