
Hardware signed audit logs

IP.com Disclosure Number: IPCOM000196788D
Publication Date: 2010-Jun-15
Document File: 2 page(s) / 52K

Publishing Venue

The IP.com Prior Art Database

Abstract

Computer systems (virtual or physical) often generate auditing log files which detail activities that occur during operation. Such logs may track the behaviour of system users, administrators, software and components. Such logs can be useful in electronic crime investigation, intrusion detection and various other fields; the authenticity and security of such logs are vital if they are to be of any use. Security of the logs can be easily compromised if they simply exist on disk or in memory accessible by the system. One way to solve this is to duplicate the logs (in real time) on a separate system which is not otherwise accessible from the primary system. Authenticity of the logs can be disputed even with a secure method of storage. Whilst the logs may be demonstrated as unmodified, it is difficult to prove that they originated from a given system and thus refer to a specific user or piece of software. This disclosure provides a mechanism to cryptographically sign the audit logs using platform-bound hardware to give non-repudiation as to their origin. Such hardware is embodied in the Trusted Computing Group's (TCG) Trusted Platform Module (TPM).

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 55% of the total text.

Page 1 of 2


Computer systems (virtual or physical) often generate auditing log files which detail activities that occur during operation. Such logs may track the behaviour of system users, administrators, software and components. The granularity of logs is usually configurable - from tracking only fatal errors down to monitoring of individual user commands. Such logs can be useful in electronic crime investigation, intrusion detection and various other fields.

Authenticity and security of such logs are vital if they are to be of any use. Security of the logs can be easily compromised if they simply exist on disk or in memory accessible by the system. A system administrator, for example, may perform illegal activities and then simply modify the logs to remove incriminating evidence. One way to solve this is to duplicate the logs (in real time) on a separate system which is not otherwise accessible from the primary system. Another method is to use a write-only storage device such as no-rewind tape.

Authenticity of the logs can be disputed even with a secure method of storage. Whilst the logs may be demonstrated as unmodified, it is difficult to prove that they originated from a given system and thus refer to a specific user or piece of software.

This disclosure provides a mechanism to cryptographically sign the audit logs using platform-bound hardware to give non-repudiation as to their origin. Such hardware is embodied in the Trusted Platform Module (TPM).

The cryptographically secure hardware, in this case a TPM, contains both identity keys (Attestation Identity Keys, AIKs) and signing keys. AIKs are bound uniquely to the TPM and thus transitively bound to the TPM's host platform. The binding is established during AIK creation by a digital certificate which is issued by a known and trusted certificate authority. The AIK is not able to sign arbitrary data, but it is able to sign certain elements of TPM state, including internally generated signing keys. A TPM signing key is generated by the TPM expressly to sign external data, and like an AIK the private portion of the key is protected within the TPM and never externally visible. Once an AIK has issued a certificate on a signing key, that key is bound uniquely to the TPM's host platform in the same way as the AIK.

The signing key, once established in this manner, may be used to sign audit messages and thus prove that they originated from the TPM's host system. The simplest implementation uses the TPM


An auditing system will be based around at least one entity (often kernel-based) which is able to monitor activity on the host and write events to a log file and/or remote storage. The audit component writes important events to both a local log file and to a separate system which provides immutability of the logs. When auditing is initially configured the system administrator will use the host's TPM to generate an identity key pair using whatever certific...
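The chain of trust described above (CA certifies the AIK, the AIK certifies a TPM-generated signing key, the signing key signs each audit record) as a runnable model, added here as an illustration and not code from the disclosure. It assumes Go's standard-library Ed25519 in place of the TPM's keys, models each certificate as a bare signature over a tagged public key rather than a real X.509 or TPM structure, and goes slightly beyond the text by giving each record a signed sequence number so that deleted or reordered entries are detected alongside edited ones.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Creds are the public artefacts an auditor needs: both public keys plus the two certificates binding them.
// Certificates are modelled as signatures over a tagged key (constructed model, not the disclosure's code).
type Creds struct {
	AIKPub, SignPub  ed25519.PublicKey
	AIKCert, KeyCert []byte // CA signature over "AIK:"+AIKPub; AIK signature over "SIGNKEY:"+SignPub
}

// Platform models one host's TPM; the private keys never leave it.
type Platform struct{ aikPriv, signPriv ed25519.PrivateKey; Creds Creds }

// NewPlatform mimics AIK enrolment with a trusted CA, then AIK certification of a fresh signing key.
func NewPlatform(caPriv ed25519.PrivateKey) *Platform {
	aikPub, aikPriv, _ := ed25519.GenerateKey(rand.Reader)
	signPub, signPriv, _ := ed25519.GenerateKey(rand.Reader)
	c := Creds{AIKPub: aikPub, SignPub: signPub}
	c.AIKCert = ed25519.Sign(caPriv, append([]byte("AIK:"), aikPub...))
	c.KeyCert = ed25519.Sign(aikPriv, append([]byte("SIGNKEY:"), signPub...)) // AIK signs only key descriptions
	return &Platform{aikPriv: aikPriv, signPriv: signPriv, Creds: c}
}

// Record is one audit entry; Seq is covered by the signature so entries cannot be dropped or reordered.
type Record struct{ Seq uint64; Msg string; Sig []byte }

func recordBytes(seq uint64, msg string) []byte { return []byte(fmt.Sprintf("%d|%s", seq, msg)) }

// Append signs a new audit message with the platform-bound signing key and adds it to the log.
func (p *Platform) Append(log []Record, msg string) []Record {
	seq := uint64(len(log)) + 1
	return append(log, Record{seq, msg, ed25519.Sign(p.signPriv, recordBytes(seq, msg))})
}

// Verify walks the chain of trust CA -> AIK -> signing key -> records, as a remote auditor would.
func Verify(caPub ed25519.PublicKey, c Creds, log []Record) error {
	if !ed25519.Verify(caPub, append([]byte("AIK:"), c.AIKPub...), c.AIKCert) {
		return fmt.Errorf("AIK is not certified by the trusted CA")
	}
	if !ed25519.Verify(c.AIKPub, append([]byte("SIGNKEY:"), c.SignPub...), c.KeyCert) {
		return fmt.Errorf("signing key is not certified by the AIK")
	}
	for i, r := range log {
		if r.Seq != uint64(i)+1 || !ed25519.Verify(c.SignPub, recordBytes(r.Seq, r.Msg), r.Sig) {
			return fmt.Errorf("record %d: missing, reordered or modified", i+1)
		}
	}
	return nil
}
```

An auditor needs only the CA's public key and the platform's Creds; a log signed by another platform, a platform enrolled with an unknown CA, or a log with an entry edited or removed all fail Verify.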