Secure Audit Logging with Tamper-Resistant HardwareCheun N Chong Zhonghong Peng Pieter H HartelDept. of Computer ScienceUniversity of TwenteThe Netherlandsfchong,zhong,pieterg@cs.utwente.nlAbstract the rights on the content, such as cryptography,digital ngerprinting, watermarking etc. In thisSecure perimeter schemes (e.g. DRM) and tracing paper, we assume that users can be identi ed, andtraitor schemes (e.g. watermarking, audit logging) we concern ourselves with the issue of gatheringstrive to mitigate the problems of content escap- information on the user’s behaviour.ing the control of the rights holder. Secure audit Secure audit logging records the actions of a userlogging records the user’s actions on content and on an item of content and does so in a manner thatenables detection of some forms of tampering with allows some forms of tampering with the log tothe logs. We implement Schneier and Kelsey’s se- be detected. We implement Schneier and Kelseycure audit logging protocol [1], strengthening the secure audit logging protocol [1], using tamper-protocol by using tamper-resistant hardware (an resistant hardware (TRH). For brevity in the se-iButton) in two ways: Firstly our implementation quel, we refer to Schneier and Kelsey [1] as \SK".of the protocol works o ine as well as online. Sec-An audit log is an important tool to detect andondly, we use unforgeable time stamps to increaseto comprehend damages of a computer or networkthe possibilities of ...
Client Java iButton Downloading a projec proposal from the Serv Downloading an associated digital licens Client is under surveillance of server Client is accessing Server lost control the digital content over the client OFFLINE oggi Logs are generated according to all the actions client exercises lient is connected an gs are sent to the serv
LiljkXW dTV“]eX Tj XogcT]eXW ]e jXVk]fe -’ Tlk“Xe( k]VTkXj k“X 9c]Xek lj]e[ T jkTeWTiW Tlk“Xek]VTk]fe dXk“fW W]jVljjXW Ui]Xflp ]e jXVk]fe 0).) L“X jkXgj TeW dXjjT[Xj fY =][liX / TeW =][liX 0 VTe UX XogcT]eXW Tj Yfccfnj6 -) Lf jkTik TlW]k cf[[]e[’ k“X 9c]Xek kTbXj k“X ]e]k]Tk]mXUpTVk]mTk]e[P-)7YkXiP-’k“X 9c]Xek “Tj k“X ]e]k]Tc Tlk“Xek]VTk]fe bXp’ A 0 TeW k“X VliiXek XeVipgkXW k]dXjkTdg’ A K iB ffl W 0 )) KE cXTmXj ]k kf k“X 9c]Xek kf WXV]WX 0 TeW W ) OX cXTmX k“XjX knf ]kXdj [ XW A Xe XiTk fe k“X ]8lkkfe’ Tj XogcT]eXW ]e jXVk]fe 0)/) ’ LF ; .) L“X 9c]Xek Yfidj T iTeWfd jXjj]fe bXp 0 k“X k]dXflk gXi]fW k“Tk k“X 9c]Xek n]cc nT]k Yfi k“X iXjgfejX Yifd k“X ]8lkkfe’ W 0 ”; T le]hlX ]WXek]ffXi Yfi k“]j cf[ ffcX’ I, log ; TeW T efeVX befne Tj jkXg ]WXek]ffXi’ p ) L“X 9c]Xek VfeVTkXeTkXj p ’ A K iB ffl W 0 )’ TeW A 0 kf Yfid k“X dXjjT[X P 0 ) /) L“X 9c]Xek XeVipgkj LF 0 n]k“ k“X ]8lkkfeffij glUc]V bXp’ I F iB TeW XeVipgkj k“ j][ 0 X eXW P n]k“ LF 0 ) L“X 9c]Xek Yfidj T dXjjT[X’ H 0 Up VfeVTkXeTk]e[ p ’ I, C ’ k“X XeVipgkXW LF ’ 0 TeW k“X XeVipgkXW j][eXW P 0 ) 0) L“X 9c]Xek [XeXiTkXj TeW jkfiXj k“X “Tj“ fY P 0 Yfi mTc]WTk]fe ]e k“X jlUjXhlXek jkXgj) 1) L“X 9c]Xek jXeWj k“X dXjjT[X’ H 0 kf k“X ]8lk( kfe) 2) L“X ]8lkkfe iXki]XmXj k“X iTeWfd jXjj]fe bXp’ LF 0 Up Wf]e[ gi]mTkX bXp WXVipgk]fe) L“X ]8lkkfe VTe k“Xe WXVipgk TeW iXki]XmX P 0 Up lj]e[ LF Tj T WXVipgk]fe bXp) L“X ]8lk( 0 kfe mTc]WTkXj P 0 Up mXi]Yp]e[ k“X j][eTkliX) =]eTccp’ T eXn iTeWfd jXjj]fe bXp’ LF + ]j [XeXiTkXW) 3) L“X ]8lkkfe Yfidj dXjjT[X P + ’ Up VfeVTkX( eTk]e[ k“X jkXg ]WXek]ffXi p ’ I, log ’ TeW “Tj“ fY P 0 ) L“X ]8lkkfe [XeXiTkXj dXjjT[X H + Up VfeVTkXeTk]e[ I, iB ’ XeVipgkXW LF + n]k“ k“X 9c]Xekffij glUc]V bXp’ I F C ’ TeW k“X XeVipgkXW j][eXW P + n]k“ LF + ) 4) L“X ]8lkkfe jXeWj k“X iXgcp dXjjT[X’ H + kf k“X 9c]Xek)
3
iButton
Client 1 P1 2 Generates RK 0 , d 0 +, p, ID log , X 0 = p, E K iB (d 0 ) _ 3 M 0 = p, ID C , PKE PK iB (RK 0 ), _ E RK 0 (X 0 , SIGN SK C (X 0 ) _ _ 4 Stores hash(X 0 ) 5 M 0 6 Retrieves RK 0 by PKD SK iB _ Retrieves X 0 by D RK 0 _ Verifies signature of X 0 Genereates RK 1 7 X 1 = p, ID log , hash(X 0 ) M 1 = p, ID iB , PKE PK C (RK 1 ), _ X E RK 1 ( 1 , SIGN SK iB (X 1 )) _ _ 8 9 M 1 Retrieves RK 1 by PKD SK C _ Retrieves X 1 by D RK 1 _ Verifies signature of X 1 Compare hash(X 0 ) 10 W 0 = "LogfileInitializationType" D 0 = E K iB (d 0 ), d0+, ID log , M 0 _ K 0 = hash("Encryption Key", W 0 , A 0 ) Y -1 = "0000000000000000000" Y 0 = hash(Y -1 , E K 0 (D 0 ), W 0 ) _ Z 0 = MAC A0 (Y 0 ) L 0 = W 0 , E K 0 (D 0 ), Y 0, Z 0 _ A 0 and K 0 are disposed 11 P1 12 Generates RK 2 , d 1 +, ID log X 1 = p, E K iB (d 1 ) _ 13 M 2 = p, ID C , PKE PK iB (RK 2 ), _ E RK 2 (X 1 , SIGN SK C (X 1 ) _ _ 14 Stores hash(X 1 ) 15 Time M 2 =][liX /6 L“X gifkfVfc fY ViXTk]e[ TlW]k cf[j ffljkXgj - kf -1))
Client
iButton 15 M 2 16 Retrieves RK 2 by PKD SK iB _ Retrieves X 1 by D RK 2 _ Verifies signature of X 1 Generates RK 3 17 X 2 = p, ID log , hash(X 1 ) M 3 = p, ID iB , PKE PK C (RK 3 ), _ E RK 3 (X 2 , SIGN SK iB (X 2 )) _ _ 18 19 M 3 Retrieves RK 3 by PKD SK C _ Retrieves X 2 by D RK 3 _ Verifies signature of X 2 Compare hash(X 1 ) 20 W 1 = "DRMApplicationType" D D 1 = E K_iB (d 1 ), d 1 +, I log , M 2 , Data K 1 = hash("Encryption Key", W 1 , A 1 ) Y 1 = hash(Y 0 , E K 1 (D 1 ), W 1 ) _ Z = MAC A1 (Y 1 ) 1 L 1 = W 1 , E K_1 (D 1 ), Y 1, Z 1 A 1 and K 1 are disposed 21 P1 22 Generates RK 4 , d 2 +, ID log X 3 = p, d 2 23 M 4 = p, ID C , PKE PK iB (RK 4 ), _ E RK 4 (X 3 , SIGNS SK C (X 3 ) _ _ 24 Stores hash(X 3 ) Time =][liX 06 L“X gifkfVfc fY ViXTk]e[ TlW]k cf[j ffljkXgj -1 fenTiWj))
4
5) O“Xe k“X 9c]Xek iXVX]mXj H + Yifd k“X ]8lk( kfe’ k“X 9c]Xek mXi]ffXj k“X dXjjT[X) L“X 9c]Xek VfdgTiXj k“X “Tj“ mTclX fY P 0 Yifd k“X ]8lkkfe n]k“ k“X jkfiXW “Tj“ mTclX) -,) L“X 9c]Xek [XeXiTkXj k“X ffijk cf[ Xe( kip) L“X ffijk cf[ fflfY kpgX’ N = 00 0 GdXCZaIecZtZRaZzRtZdcTiep 00 ) dljk UX gifg( Xicp YfidXW Tk k“X 9c]Xek fi XcjX k“X KXimXi n]cc jljgXVk k“Tk k“X 9c]Xek “Tj UXXe kTd( gXiXW n]k“) L“X ffijk WTkT ffXcW’ , 0 XeVTg( jlcTkXj A K iB ffl W 0 )’ W 0 ”’ I, log ’ TeW H 0 ) L“X 9c]Xek [XeXiTkXj k“X ffijk cf[ Xekip XeVipgk]fe bXp’ F 0 ) L“XiX ]j ef giXm]flj “Tj“ mTclX kf jkTik k“X “Tj“ V“T]e j]eVX k“]j ]j k“X ffijk cf[ Xekip) L“XiXYfiX’ nX jXk k“X ]e]k]Tc “Tj“ mTclX’ Q − + kf Te TiiTp fY qXifj) BTj“ mTclX’ Q 0 ’ TeW k“X G79 mTclX’ Z TiX [XeXiTkXW) A 0 TeW F 0 0 TiX W]jgfjXW) --) K]d]cTi kf jkXg -’ kf jkTik TlW]k cf[[]e[’ k“X 9c]XekXeTUcXjP-TeWfUkT]ejTeXnTlk“Xe( k]VTk]fe bXp’ A + TeW T eXn XeVipgkXW k]dXj( kTdg’ A K iB ffl W + )) -.) L“X 9c]Xek [XeXiTkXj T eXn iTeWfd jXjj]fe bXp’ LF 0 ’ T eXn k]dXflk’ W + ”) L“X I, log ]j k“X jTdX I, log [XeXiTkXW Tk jkXg -) L“X 9c]Xek VfeVTkXeTkXj p TeW A K iB ffl W + ) TeW Yfidj P + ) -/) K]d]cTi kf jkXg /’ k“X 9c]Xek gifWlVXj dXjjT[X H 0 ) -0) K]d]cTi kf jkXg 0’ k“X 9c]Xek jkfiXj k“X “Tj“ mTclX fY P + Yfi YlkliX mTc]WTk]fe) -1) L“X 9c]Xek jXeWj dXjjT[X H 0 kf k“X ]8lkkfe) -2) L“X ]8lkkfe iXgXTkj jkXg 2) -3) L“X ]8lkkfe iXgXTkj jkXg 3) -4) L“X ]8lkkfe jXeWj k“X [XeXiTkXW dXjjT[X’ H 1 UTVb kf k“X 9c]Xek) -5) L“X 9c]Xek iXgXTkj jkXg 5 Yfi mXi]ffVTk]fe fe k“X dXjjT[Xj iXVX]mXW Yifd k“X ]8lkkfe) .,) L“X 9c]Xek iXgXTkj k“X gifVXWliXj fY [XeXi( Tk]e[ k“X ffijk cf[ Xekip ffljkXg -,) kf [Xe( XiTkX jlUjXhlXek cf[ Xeki]Xj’ n]k“ N j = 00 ,LH AppaZTRtZdcT ipe 00 ’ n“XiX j ]j k“X cf[ Xekip eldUXi) L“X fecp W]XiXeVX ]j k“Tk Tk