SYSTEM AND METHOD FOR SECURE REVIEW OF AUDIT LOGS

US 20170103228A1
Filed: 06/02/2015
Published: 04/13/2017
Est. Priority Date: 06/02/2014
Status: Active Grant

First Claim

Patent Images

1. A method for searching encrypted log data comprising:

generating with a logging machine a first log message include first plaintext content;

identifying with the logging machine at least one keyword in the first log message;

encrypting with the logging machine the first log message using a first cryptographic key to produce a first encrypted log message;

generating with the logging machine a first encrypted searchable representation of the first message including the at least one keyword using a second cryptographic key, the second cryptographic key being different than the first cryptographic key;

transmitting with the logging machine the first encrypted searchable representation to an auditor;

performing with the auditor a search to identify at least one search keyword in the first encrypted searchable representation, the auditor using the second cryptographic key to access the first encrypted searchable representation; and

generating with the auditor a first output indicating presence or absence of the at least one search keyword from the first log message, the first output not including the first plaintext content of the first log message.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Audit logs are a fundamental digital forensic mechanism for providing security in computer systems. In one embodiment, a system that enables the verification of log data integrity and that provides searchable encryption of the log data by an auditor includes a key generation center, logging machine, and an auditor computing device. The system enables Compromise-Resilient Searchable Encryption, Authentication and Integrity, Per-item QoF with E&A for Searchable Encrypted Audit Logs, and a Key Management and System Model.

Citations

20 Claims

1. A method for searching encrypted log data comprising:
- generating with a logging machine a first log message include first plaintext content;
  
  identifying with the logging machine at least one keyword in the first log message;
  
  encrypting with the logging machine the first log message using a first cryptographic key to produce a first encrypted log message;
  
  generating with the logging machine a first encrypted searchable representation of the first message including the at least one keyword using a second cryptographic key, the second cryptographic key being different than the first cryptographic key;
  
  transmitting with the logging machine the first encrypted searchable representation to an auditor;
  
  performing with the auditor a search to identify at least one search keyword in the first encrypted searchable representation, the auditor using the second cryptographic key to access the first encrypted searchable representation; and
  
  generating with the auditor a first output indicating presence or absence of the at least one search keyword from the first log message, the first output not including the first plaintext content of the first log message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising:
    - applying with the logging machine a one-way function to the first cryptographic key to generate an updated first cryptographic key, the updated first cryptographic key being different than the first cryptographic key;
      
      applying with the logging machine the one-way function to the second cryptographic key to generate an updated second cryptographic key, the updated second cryptographic key being different than the second cryptographic key;
      
      generating with the logging machine a second log message include second plaintext content;
      
      identifying with the logging machine at least one keyword in the second log message;
      
      generating with the logging machine a second encrypted searchable representation of the second message including the at least one keyword using the updated second cryptographic key;
      
      encrypting with the logging machine the second log message using the updated first cryptographic key to produce a second encrypted log message;
      
      transmitting with the logging machine the second encrypted searchable representation to the auditor;
      
      applying with the auditor the one-way function to the second cryptographic key to generate the updated second cryptographic key;
      
      performing with the auditor another search to identify the at least one search keyword in the second encrypted searchable representation, the auditor using the updated second cryptographic key to access the second encrypted searchable representation; and
      
      generating with the auditor a second output indicating presence or absence of the at least one search keyword from the second log message, the second output not including the second plaintext content of the second log message.
  - 3. The method of claim 2, wherein the logging machine generates the first updated key and the second updated key in response to expiration of a predetermined time period, the second log message being generated after expiration of the predetermined time period.
  - 4. The method of claim 2, wherein the logging machine generates the first updated key and the second updated key in response to use of the first cryptographic key to generate the first encrypted message and the use of the second cryptographic key to generate the first searchable encrypted representation.
  - 5. The method of claim 2 further comprising:
    - deleting with the logging machine the first cryptographic key in response to the generation of the updated first cryptographic key to preserve forward security of the first encrypted log message; and
      
      deleting with the logging machine the second cryptographic key in response to the generation of the updated second cryptographic key to preserve forward security of the first encrypted searchable representation.
  - 6. The method of claim 1 further comprising:
    - generating with the logging machine a first cryptographic signature corresponding to the first encrypted searchable representation using a third cryptographic key;
      
      transmitting with the logging machine the first cryptographic signature to the auditor in association with the first encrypted searchable representation; and
      
      performing with the auditor a search to identify at least one search keyword in the first encrypted searchable representation only in response to verification of the first cryptographic signature using the third cryptographic key.
  - 7. The method of claim 1 further comprising:
    - generating with a key generation center (KGC) the first cryptographic key, the second cryptographic key, a third cryptographic key;
      
      distributing with the KGC the first cryptographic key, the second cryptographic key, the third cryptographic key, and the fourth cryptographic key to the logging machine prior to the generation of the first encrypted message and the first encrypted searchable representation;
      
      distributing with the KGC only the second cryptographic key, the third cryptographic key, and the fourth cryptographic key to the auditor prior to performing the search to identify the at least one search keyword.
  - 8. The method of claim 7 further comprising:
    - transmitting with the logging machine the first encrypted log message to the auditor;
      
      distributing with the KGC the first cryptographic key to the auditor;
      
      decrypting with the auditor the first encrypted cryptographic message using the first cryptographic key; and
      
      generating with the auditor a second output including the first plaintext of the first encrypted message.
  - 9. The method of claim 8, further comprising:
    - generating with the logging machine a cryptographic signature of the first encrypted message using the third cryptographic key;
      
      transmitting with the logging machine the cryptographic signature to the auditor in association with the first encrypted message; and
      
      generating with the auditor the second output including the first plaintext of the first encrypted message only in response to verification of the cryptographic signature using the third cryptographic key.
  - 10. The method of claim 7 further comprising:
    - transmitting with the logging machine the first encrypted log message to the KGC;
      
      decrypting with the KGC the first encrypted cryptographic message using the first cryptographic key;
      
      transmitting with the KGC the first plaintext of the first log message to the auditor; and
      
      generating with the auditor a second output including the first plaintext of the first encrypted message.

11. An encrypted log generation and audit system comprising:
- a logging machine communicatively coupled to an auditor, the logging machine being configured to;
  
  generate a first log message include first plaintext content;
  
  identify at least one keyword in the first log message;
  
  encrypt the first log message using a first cryptographic key to produce a first encrypted log message;
  
  generate a first encrypted searchable representation of the first message including the at least one keyword using a second cryptographic key, the second cryptographic key being different than the first cryptographic key; and
  
  transmit the first encrypted searchable representation to the auditor; and
  
  the auditor being configured to;
  
  perform a search to identify at least one search keyword in the first encrypted searchable representation, the auditor using the second cryptographic key to access the first encrypted searchable representation; and
  
  generate a first output indicating presence or absence of the at least one search keyword from the first log message, the first output not including the first plaintext content of the first log message.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, the logging machine being further configured to:
    - apply a one-way function to the first cryptographic key to generate an updated first cryptographic key, the updated first cryptographic key being different than the first cryptographic key;
      
      apply the one-way function to the second cryptographic key to generate an updated second cryptographic key, the updated second cryptographic key being different than the second cryptographic key;
      
      generate second log message include second plaintext content;
      
      identify at least one keyword in the second log message;
      
      generate a second encrypted searchable representation of the second message including the at least one keyword using the updated second cryptographic key;
      
      encrypt the second log message using the updated first cryptographic key to produce a second encrypted log message; and
      
      transmit the second encrypted searchable representation to the auditor; and
      
      the auditor being further configured to;
      
      apply the one-way function to the second cryptographic key to generate the updated second cryptographic key;
      
      perform another search to identify the at least one search keyword in the second encrypted searchable representation, the auditor using the updated second cryptographic key to access the second encrypted searchable representation; and
      
      generate a second output indicating presence or absence of the at least one search keyword from the second log message, the second output not including the second plaintext content of the second log message.
  - 13. The system of claim 12, the logging machine being further configured to:
    - generate the first updated key and the second updated key in response to expiration of a predetermined time period, the second log message being generated after expiration of the predetermined time period.
  - 14. The system of claim 12, the logging machine being further configured to:
    - generate the first updated key and the second updated key in response to use of the first cryptographic key to generate the first encrypted message and the use of the second cryptographic key to generate the first searchable encrypted representation.
  - 15. The system of claim 12, the logging machine being further configured to:
    - delete the first cryptographic key in response to the generation of the updated first cryptographic key to preserve forward security of the first encrypted log message; and
      
      delete the second cryptographic key in response to the generation of the updated second cryptographic key to preserve forward security of the first encrypted searchable representation.
  - 16. The system of claim 11, the logging machine being further configured to:
    - generate a first cryptographic signature corresponding to the first encrypted searchable representation using a third cryptographic key; and
      
      transmit the first cryptographic signature to the auditor in association with the first encrypted searchable representation; and
      
      the auditor being further configured to;
      
      perform a search to identify at least one search keyword in the first encrypted searchable representation only in response to verification of the first cryptographic signature using the third cryptographic key.
  - 17. The system of claim 11 further comprising:
    - a key generation center (KGC) communicatively coupled to the logging machine and the auditor, the KGC being configured to;
      
      generate the first cryptographic key, the second cryptographic key, and a third cryptographic key;
      
      distribute the first cryptographic key, the second cryptographic key, and the third cryptographic key to the logging machine prior to the generation of the first encrypted message and the first encrypted searchable representation;
      
      distribute only the second cryptographic key and the third cryptographic key to the auditor prior to performing the search to identify the at least one search keyword.
  - 18. The system of claim 17, the logging machine being further configured to:
    - transmit the first encrypted log message to the auditor;
      
      the KGC being further configured to;
      
      distribute the first cryptographic key to the auditor; and
      
      the auditor being further configured to;
      
      decrypt the first encrypted cryptographic message using the first cryptographic key; and
      
      generate a second output including the first plaintext of the first encrypted message.
  - 19. The system of claim 18, the logging machine being further configured to:
    - generate a cryptographic signature of the first encrypted message using the third cryptographic key; and
      
      transmit the cryptographic signature to the auditor in association with the first encrypted message; and
      
      the auditor being further configured to;
      
      generate the second output including the first plaintext of the first encrypted message only in response to verification of the cryptographic signature using the third cryptographic key.
  - 20. The system of claim 17, the logging machine being further configured to:
    - transmit the first encrypted log message to the KGC;
      
      the KGC being further configured to;
      
      decrypt the first encrypted cryptographic message using the first cryptographic key; and
      
      transmit the first plaintext of the first log message to the auditor; and
      
      the auditor being further configured to;
      
      generate a second output including the first plaintext of the first encrypted message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Robert Bosch GmbH
Original Assignee
Robert Bosch GmbH
Inventors
Yavuz, Attila Altay

Granted Patent

US 10,318,754 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 21/6227   where protection concerns t...

G06F 2221/2101   Auditing as a secondary aspect

H04L 9/083   involving central third par...

H04L 9/0861   Generation of secret inform...

H04L 9/0891   Revocation or update of sec...

H04L 9/14   using a plurality of keys o...

H04L 9/3247   involving digital signatures

SYSTEM AND METHOD FOR SECURE REVIEW OF AUDIT LOGS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR SECURE REVIEW OF AUDIT LOGS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links