efficient data structures for tamper evident logging
play

Efficient Data Structures for Tamper-Evident Logging Scott A. - PowerPoint PPT Presentation

Efficient Data Structures for Tamper-Evident Logging Scott A. Crosby Dan S. Wallach Rice University Everyone has logs Tamper evident solutions Current commercial solutions Write only hardware appliances Security depends on


  1. Efficient Data Structures for Tamper-Evident Logging Scott A. Crosby Dan S. Wallach Rice University

  2. Everyone has logs

  3. Tamper evident solutions • Current commercial solutions – ‘Write only’ hardware appliances – Security depends on correct operation • Would like cryptographic techniques – Logger proves correct behavior – Existing approaches too slow

  4. Our solution • History tree – Logarithmic for all operations – Benchmarks at >1,750 events/sec – Benchmarks at >8,000 audits/sec • In addition – Propose new threat model – Demonstrate the importance of auditing

  5. Threat model • Forward integrity – Events prior to Byzantine failure are tamper-evident • Don’t know when logger becomes evil – Clients are trusted • Strong insider attacks – Malicious administrator • Evil logger – Clients may be mostly evil • Only trusted during insertion protocol

  6. Limitations and Assumptions • Limitations – Detect misbehaviour, not prevent it – Cannot prevent ‘junk’ from being logged • Assumptions – Privacy is outside our scope • Data may encrypted – Crypto is secure

  7. System design Client • Logger – Stores events Client Logger – Never trusted Client • Clients Auditor – Little storage Auditor – Create events to be logged – Trusted only at time of event creation – Sends commitments to auditors • Auditors – Verify correct operation – Little storage – Trusted, at least one is honest

  8. This talk • Discuss the necessity of auditing • Describe the history tree • Evaluation • Scaling the log

  9. Tamper evident log • Events come in • Commitments go out – Each commits to the entire past X n-3 C n-3 C n-2 Logger X n-2 C n-1 X n-1

  10. Hash chain log • Existing approach [Kelsey,Schneier] – C n =H(C n-1 || X n ) – Logger signs C n C n-3 X n-5 X n-4 X n-3

  11. Hash chain log • Existing approach [Kelsey,Schneier] – C n =H(C n-1 || X n ) – Logger signs C n C n-2 X n-5 X n-4 X n-3 X n-2

  12. Hash chain log • Existing approach [Kelsey,Schneier] – C n =H(C n-1 || X n ) – Logger signs C n C n-1 X n-5 X n-4 X n-3 X n-2 X n-1

  13. Problem • We don’t trust the logger! X n-4 X n-3 X n-2 X n-1 X n C n Logger returns a stream of commitments C n Each corresponds to a log C n-2 C n-1

  14. Problem • We don’t trust the logger! X n-4 X n-3 X n-2 X n-1 X n C n Does really contain the just inserted X n ? C n Do and really commit the same historical events? C n-2 C n-1 Is the event at index i in log really X i ? C n

  15. Problem • We don’t trust the logger! – Logger signs stream of log heads – Each corresponds to some log Does really contain the just inserted X n-3 ? C n-3 Do and really commit the same historical events? C n-2 C n-1 Is the event at index i in log really X i ? C n

  16. Solution: Audit the logger • Only way to detect tampering – Check the returned commitments  • For consistency C n-2 C n-1 X n-3  • For correct event lookup C n-3 • Previously – Auditing = looking historical events • Assumed to infrequent • Performance was ignored

  17. Solution • Auditors check the returned commitments  – For consistency C n-2 C n-1 X n-3  – For correct event lookup C n-3 • Previously – Auditing = looking historical events • Assumed to infrequent • Performance was ignored

  18. Auditing is a frequent operation • If the logger knows this commitment will not be audited for consistency with a later commitment. C’ n-1 X’ n-3 X n-2 X n-1 C n-3 X n-6 X n-5 X n-4 X n-3

  19. Auditing is a frequent operation • Successfully tampered with a ‘tamper evident’ log • Auditing required in forward integrity threat model C’ n-1 X’ n-3 X n-2 X n-1 C n-3 X n-6 X n-5 X n-4 X n-3

  20. Auditing is a frequent operation • Every commitment must have a non-zero probability of being audited C’ n-1 X’ n-3 X n-2 X n-1 C n-3 X n-6 X n-5 X n-4 X n-3

  21. Forking the log • Rolls back the log and adds on different events – Attack requires two commitments on different forks disagree on the contents of one event. – If system has historical integrity, audits must fail or be skipped C’ n-1 X n-5 X’ n-4 X n-3 X n-2 X n-1 C n-3 X n-6 X n-5 X n-4 X n-3

  22. New paradigm • Auditing cannot be avoided • Audits should occur – On every event insertion – Between commitments returned by logger • How to make inserts and audits cheap – CPU – Communications complexity – Storage

  23. Two kinds of audits X i  • Membership auditing C n – Verify proper insertion – Lookup historical events • Incremental auditing  C i C n – Prove consistency between two commitments

  24. Membership auditing a hash chain X n-5  • Is ? C n-3 C n-3

  25. Membership auditing a hash chain X n-5  • Is ? C n-3 P X’ n-6 X’ n-5 X’ n-4 X’ n-3 C n-3 X n-5 X n-4 X n-3

  26. Membership auditing a hash chain X n-5  • Is ? C n-3 X’ n-6 X’ n-5 X’ n-4 X’ n-3 C n-3 X n-5 X n-4 X n-3

  27. Incremental auditing a hash chain  • Are ? C’’ n-5 C’ n-1

  28. Incremental auditing a hash chain P X n-6 X n-5 X n-4 X n-3 X n-2 X n-1 C’ n-1 X’ n-6 X’ n-5 X’ n-4 X’ n-3 X’ n-2 X’ n-1 X’’ n-6 X’’ n-5 C’’ n-5

  29. Incremental auditing a hash chain P C n-5 X n-6 X n-5 X n-4 X n-3 X n-2 X n-1 C’ n-1 X’ n-6 X’ n-5 X’ n-4 X’ n-3 X’ n-2 X’ n-1 X’’ n-6 X’’ n-5 C’’ n-5

  30. Incremental auditing a hash chain P C n-1 X n-6 X n-5 X n-4 X n-3 X n-2 X n-1 C’ n-1 X’ n-6 X’ n-5 X’ n-4 X’ n-3 X’ n-2 X’ n-1 X’’ n-6 X’’ n-5 C’’ n-5

  31. Incremental auditing a hash chain P C n-5 C n-1 X n-6 X n-5 X n-4 X n-3 X n-2 X n-1 C’ n-1 X’ n-6 X’ n-5 X’ n-4 X’ n-3 X’ n-2 X’ n-1 X’’ n-6 X’’ n-5 C’’ n-5

  32. Existing tamper evident log designs • Hash chain – Auditing is linear time – Historical lookups • Very inefficient • Skiplist history [Maniatis,Baker] – Auditing is still linear time – O(log n) historical lookups

  33. Our solution • History tree – O(log n) instead of O(n) for all operations – Variety of useful features • Write-once append-only storage format • Predicate queries + safe deletion • May probabilistically detect tampering – Auditing random subset of events – Not beneficial for skip-lists or hash chains

  34. History Tree • Merkle binary tree – Events stored on leaves – Logarithmic path length • Random access – Permits reconstruction of past version and past commitments

  35. History Tree C 2 X 1 X 2

  36. History Tree C 3 X 1 X 2 X 3

  37. History Tree C 4 X 1 X 2 X 3 X 4

  38. History Tree C 5 X 1 X 2 X 3 X 4 X 5

  39. History Tree C 6 X 1 X 2 X 3 X 4 X 5 X 6

  40. History Tree C 7 X 1 X 2 X 3 X 4 X 5 X 6 X 7

  41. History Tree X 1 X 2 X 3 X 4 X 5 X 6 X 7

  42. Incremental auditing

  43. Auditor C 3 C 3 X 1 X 2 X 3

  44. C 3 Auditor C 4 X 1 X 2 X 3 X 4

  45. C 3 Auditor C 5 X 1 X 2 X 3 X 4 X 5

  46. C 3 Auditor C 6 X 1 X 2 X 3 X 4 X 5 X 6

  47. C 3 Auditor C 7 C 7 X 1 X 2 X 3 X 4 X 5 X 6 X 7

  48. Incremental proof  C 3 C 7 C 3 C 3 Auditor C 7 C 7 X 1 X 2 X 3 X 4 X 5 X 6 X 7

  49. Incremental proof  C 3 C 7 C 3 C 3 Auditor C 7 C 7 X 1 X 2 X 3 X 4 X 5 X 6 X 7 • P is consistent with C 7 • P is consistent with C 3 • Therefore and are consistent. C 7 C 3

  50. Incremental proof  C 3 C 7 C 3 C 3 Auditor C 7 C 7 X 1 X 2 X 3 X 4 X 5 X 6 X 7 • P is consistent with C 7 • P is consistent with C 3 • Therefore and are consistent. C 7 C 3

  51. Incremental proof  C 3 C 7 C 3 C 3 Auditor C 7 C 7 X 1 X 2 X 3 X 4 X 5 X 6 X 7 • P is consistent with C 7 • P is consistent with C 3 • Therefore and are consistent. C 7 C 3

  52. Incremental proof  C 3 C 7 C 3 C 3 Auditor C 7 C 7 X 1 X 2 X 3 X 4 X 5 X 6 X 7 • P is consistent with C 7 • P is consistent with C 3 • Therefore and are consistent. C 7 C 3

  53. Pruned subtrees C 3 C 3 Auditor C 7 C 7 X 1 X 2 X 3 X 4 X 5 X 6 X 7 • Although not sent to auditor – Fixed by hashes above them – , fix the same (unknown) events C 3 C 7

  54. Membership proof that  X 3 C’’ 7 C’’ 7 X 1 X 2 X 3 X 4 X 5 X 6 X 7 • Verify that has the same contents as P C’’ 7 • Read out event X 3

  55. Merkle aggregation

  56. Merkle aggregation • Annotate events with attributes $1 $8 $3 $2 $5 $2 $2

  57. Aggregate them up the tree • Max() $8 $5 $8 $8 $3 $5 $4 $1 $8 $3 $2 $5 $2 $4 Included in hashes and checked during audits

  58. Querying the tree • Max() $8 $5 $8 $8 $3 $5 $4 $1 $8 $3 $2 $5 $2 $4 Find all transactions over $6

  59. Safe deletion • Max() $8 $5 $8 $8 $3 $5 $4 $1 $8 $3 $3 $3 $3 $2 $2 $2 $5 $2 $4 Authorized to delete all transactions under $4

  60. Merkle aggregation is flexible • Many ways to map events to attributes – Arbitrary computable function • Many attributes – Timestamps, dollar values, flags, tags • Many aggregation strategies +, *, min(), max(), ranges, and/or, Bloom filters

Recommend


More recommend