Secure audit logging

US 9,852,300 B2
Filed: 09/25/2015
Issued: 12/26/2017
Est. Priority Date: 09/25/2015
Status: Active Grant

First Claim

Patent Images

1. A method for generating a secure audit log comprising:

a first device recording, signing, encrypting, and locally storing an event in an audit log following the event, wherein a first entry of the secure audit log is an encryption key and any subsequent entries of the audit log are event logs;

wherein the audit log includes a monotonically increasing entry counter enabling a second device to verify that all of the event logs are accounted for in an uploaded audit log file;

the first device encrypting the audit log to produce an encrypted audit log, wherein the encrypted audit log can be unencrypted with a first encryption key;

the first device storing the first encryption key in a memory of the first device;

the first device, while in an unauthenticated state, transmitting the encrypted audit log to the second device via a network;

the second device decrypting the encrypted audit log with a compatible encryption key to produce the audit log, wherein the second device uses the secure audit log to perform a forensic root cause analysis;

the first device purging the encrypted audit log and the first encryption key from the memory of the first device; and

the first device creating a second encryption key to encrypt a second audit log, wherein encrypting the audit log protects a chain of title for the audit log.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention includes systems and methods to asymmetrically encrypt audit logs, store a limited period of the encrypted audit logs, periodically send the encrypted audit logs to a central location for storage and further process in order to provide tamper-proof evidence of an activity. The system comprises a secure audit client enabled to perform various activities. A secure audit manager logs such activities in an audit log for uploading to a secure audit server. The secure audit server receives the audit logs from the secure audit manager. Finally a secure audit log consumer requests audit log data from the secure audit log manager to review the secure audit log.

Citations

14 Claims

1. A method for generating a secure audit log comprising:
- a first device recording, signing, encrypting, and locally storing an event in an audit log following the event, wherein a first entry of the secure audit log is an encryption key and any subsequent entries of the audit log are event logs;
  
  wherein the audit log includes a monotonically increasing entry counter enabling a second device to verify that all of the event logs are accounted for in an uploaded audit log file;
  
  the first device encrypting the audit log to produce an encrypted audit log, wherein the encrypted audit log can be unencrypted with a first encryption key;
  
  the first device storing the first encryption key in a memory of the first device;
  
  the first device, while in an unauthenticated state, transmitting the encrypted audit log to the second device via a network;
  
  the second device decrypting the encrypted audit log with a compatible encryption key to produce the audit log, wherein the second device uses the secure audit log to perform a forensic root cause analysis;
  
  the first device purging the encrypted audit log and the first encryption key from the memory of the first device; and
  
  the first device creating a second encryption key to encrypt a second audit log, wherein encrypting the audit log protects a chain of title for the audit log.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein the first device stores a set of encrypted audit logs.
  - 3. The method of claim 2, wherein the first device periodically sends the set of encrypted audit logs to the second device for storage and processing.

4. A method for creating and securely transmitting event logs comprising:
- a secure audit log manager generating an asymmetric key pair and a Galois/Counter Mode (GCM) initialization vector to produce a symmetric Advanced Encryption Standard (AES) key;
  
  the secure audit log manager using the symmetric AES key with the GCM initialization vector to establish an AES-GCM encryption stream for encrypting an audit log;
  
  a client requesting the secure audit log manager to log, sign, encrypt, and locally store an event in an event log following the event;
  
  the secure audit log manager creating an audit log, wherein a first entry of the audit log is an encryption key and any subsequent entries of the audit log are event logs;
  
  wherein the audit log includes a monotonically increasing entry counter enabling the secure audit manager to verify that all of the event logs are accounted for;
  
  the secure audit log manager serializing the event logs and passing the audit log through the AES-GCM encryption stream to create the secure audit log;
  
  the secure audit log manager terminating the AES-GCM encryption stream to terminate the secure audit log;
  
  the secure audit log manager adding the secure audit log to a queue of files for uploading to a secure audit log server via a network;
  
  the secure audit log manger uploading the queue of files via the network to the secure audit log server via an authenticated message addressed to the secure audit log server, wherein a permanent private key of the secure audit log manager is used to sign the authenticated message to assure authenticity of the secure audit log;
  
  the secure audit log server receiving the authenticated message via the network, validating the signature, and accessing the secure audit log;
  
  the secure audit log server decrypting the secure audit log to yield the event logs;
  
  the secure audit log server deserializing the event logs; and
  
  the secure audit log server sending the event logs via the network to the client while the client is in an unauthenticated state.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 5. The method of claim 4 wherein, the key entry includes information necessary for the secure audit log to be decrypted.
  - 6. The method of claim 4 wherein the ephemeral asymmetric key pair is used to execute an elliptic curve Diffie-Hellman key agreement between the asymmetric key pair and a public key of the secure audit log manager to produce the symmetric AES key.
  - 7. The method of claim 4 wherein the log entry comprises a log level, a message, a time stamp, and an entry counter.
  - 8. The method of claim 4 wherein the secure audit log manager terminates the secure audit log when the secure audit log reaches a maximum size, or when the secure audit log reaches a configured time period, or when the client requests an upload.
  - 9. The method of claim 4 wherein the secure audit log manager uploads the queue of files when a permanent private key of the secure audit log manager is unlocked, or when the secure audit log manager has access to a network connection.
  - 10. The method of claim 4 wherein the signature is required for authentication and no further encryption is required.
  - 11. The method of claim 4 wherein the secure audit log server generates the symmetric key by performing an elliptic curve Diffie-Hellman key agreement between the public audit log key and the permanent private key of the secure audit log server.
  - 12. The method of claim 4 wherein the secure audit log manager sanitizes the symmetric key and the asymmetric key pair after terminating the secure audit log.
  - 13. The method of claim 4 wherein the authenticated message includes the secure audit log, a creation date of the secure audit log, and an identifier for the secure audit log manager.
  - 14. The method of claim 4, wherein the secure audit log manager creates a new secure audit log and a new key entry after the secure audit log is sent to the secure log manager.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Saife Inc.
Original Assignee
Saife Inc.
Inventors
Lindteigen, Ty, Payne, Anthony
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Sherkat, Arezoo

Application Number

US14/864,863
Publication Number

US 20170091463A1
Time in Patent Office

823 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/602   Providing cryptographic fac...

G06F 21/606   by securing the transmissio...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 9/0637   Modes of operation, e.g. ci...

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/088   Usage controlling of secret...

Secure audit logging

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Secure audit logging

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links