Secure audit logging
First Claim
1. A method for generating a secure audit log comprising:
a first device recording, signing, encrypting, and locally storing an event in an audit log following the event, wherein a first entry of the secure audit log is an encryption key and any subsequent entries of the audit log are event logs;
wherein the audit log includes a monotonically increasing entry counter enabling a second device to verify that all of the event logs are accounted for in an uploaded audit log file;
the first device encrypting the audit log to produce an encrypted audit log, wherein the encrypted audit log can be unencrypted with a first encryption key;
the first device storing the first encryption key in a memory of the first device;
the first device, while in an unauthenticated state, transmitting the encrypted audit log to the second device via a network;
the second device decrypting the encrypted audit log with a compatible encryption key to produce the audit log, wherein the second device uses the secure audit log to perform a forensic root cause analysis;
the first device purging the encrypted audit log and the first encryption key from the memory of the first device; and
the first device creating a second encryption key to encrypt a second audit log, wherein encrypting the audit log protects a chain of title for the audit log.
Abstract
The invention includes systems and methods to asymmetrically encrypt audit logs, store a limited period of the encrypted audit logs, and periodically send the encrypted audit logs to a central location for storage and further processing in order to provide tamper-proof evidence of an activity. The system comprises a secure audit client enabled to perform various activities. A secure audit manager logs such activities in an audit log for uploading to a secure audit server. The secure audit server receives the audit logs from the secure audit manager. Finally, a secure audit log consumer requests audit log data from the secure audit log manager to review the secure audit log.
14 Claims
1. See First Claim above. - View Dependent Claims (2, 3)
4. A method for creating and securely transmitting event logs comprising:
a secure audit log manager generating an asymmetric key pair and a Galois/Counter Mode (GCM) initialization vector to produce a symmetric Advanced Encryption Standard (AES) key;
the secure audit log manager using the symmetric AES key with the GCM initialization vector to establish an AES-GCM encryption stream for encrypting an audit log;
a client requesting the secure audit log manager to log, sign, encrypt, and locally store an event in an event log following the event;
the secure audit log manager creating an audit log, wherein a first entry of the audit log is an encryption key and any subsequent entries of the audit log are event logs;
wherein the audit log includes a monotonically increasing entry counter enabling the secure audit manager to verify that all of the event logs are accounted for;
the secure audit log manager serializing the event logs and passing the audit log through the AES-GCM encryption stream to create the secure audit log;
the secure audit log manager terminating the AES-GCM encryption stream to terminate the secure audit log;
the secure audit log manager adding the secure audit log to a queue of files for uploading to a secure audit log server via a network;
the secure audit log manager uploading the queue of files via the network to the secure audit log server via an authenticated message addressed to the secure audit log server, wherein a permanent private key of the secure audit log manager is used to sign the authenticated message to assure authenticity of the secure audit log;
the secure audit log server receiving the authenticated message via the network, validating the signature, and accessing the secure audit log;
the secure audit log server decrypting the secure audit log to yield the event logs;
the secure audit log server deserializing the event logs; and
the secure audit log server sending the event logs via the network to the client while the client is in an unauthenticated state.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
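The manager-to-server cycle that claims 1 and 4 describe (number the entries with a monotonically increasing counter, encrypt the serialized log with AES-GCM, sign the upload with the manager's permanent private key, let the server validate the signature, decrypt, deserialize and confirm that every entry is accounted for, then purge the per-log key) is shown below as an added example written for this page; it is not code from the patent or from any product it covers. Assumptions made here: the claim's "first entry is an encryption key" is read as the per-log AES key wrapped to the server's RSA public key with RSA-OAEP; the "permanent private key" is an Ed25519 signing key; entries are serialized as JSON; and the names `Event`, `Upload`, `Seal` and `Open` are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Event is one audit entry; Counter is the monotonically increasing entry counter.
type Event struct {
	Counter uint64 `json:"counter"`
	Message string `json:"message"`
}

// Upload is the queued file: the per-log AES key wrapped to the server's RSA key (the "first entry"), the AES-GCM nonce and ciphertext, and the manager's signature.
type Upload struct {
	WrappedKey, Nonce, Sealed, Sig []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// signedBytes covers every field but Sig. WrappedKey and Nonce have fixed sizes for a
// given RSA key and for GCM, so the plain concatenation has unambiguous boundaries.
func (u *Upload) signedBytes() []byte {
	h := sha256.Sum256(bytes.Join([][]byte{u.WrappedKey, u.Nonce, u.Sealed}, nil))
	return h[:]
}

// Seal is the manager side for one audit log: number the events, draw a fresh AES-256 key and
// GCM nonce, encrypt the serialized events, wrap the key for the server, sign, then purge the key.
func Seal(signKey ed25519.PrivateKey, serverPub *rsa.PublicKey, messages []string) (*Upload, error) {
	events := make([]Event, len(messages))
	for i, msg := range messages {
		events[i] = Event{Counter: uint64(i), Message: msg}
	}
	plain, err := json.Marshal(events)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 32+12) // one random draw: 256-bit AES key followed by the 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	if err != nil {
		return nil, err
	}
	u := &Upload{WrappedKey: wrapped, Nonce: nonce, Sealed: gcm.Seal(nil, nonce, plain, nil)}
	u.Sig = ed25519.Sign(signKey, u.signedBytes())
	copy(key, make([]byte, len(key))) // purge: the manager keeps no copy of the per-log key; the next log gets its own
	return u, nil
}

// Open is the server side: verify the signature, unwrap the key, decrypt and deserialize,
// then require counters 0,1,2,... so a missing or reordered entry is detected.
func Open(u *Upload, managerPub ed25519.PublicKey, serverPriv *rsa.PrivateKey) ([]Event, error) {
	if !ed25519.Verify(managerPub, u.signedBytes(), u.Sig) {
		return nil, fmt.Errorf("signature check failed: upload is not from the manager")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, u.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, u.Nonce, u.Sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("AES-GCM authentication failed: %w", err)
	}
	var events []Event
	if err := json.Unmarshal(plain, &events); err != nil {
		return nil, err
	}
	for i, e := range events {
		if e.Counter != uint64(i) {
			return nil, fmt.Errorf("entry %d carries counter %d: entries missing or reordered", i, e.Counter)
		}
	}
	return events, nil
}
```

The server checks the signature before it touches the ciphertext, and the signature covers the wrapped key, nonce and ciphertext together, so none of the three can be swapped independently. The counter check only accounts for entries within one uploaded file; whether a whole file is missing from the queue is a separate question that a per-file sequence number at the server would answer.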
Specification