Ras mus Da hl ber g a nd To bia s P ulls | S ta nd ar dis ed Sys lo g P ro ces si ng
S tandard ised Sys log Process ing
Today ’s compu ter logs are l ike smok ing guns and treasure maps in case o f susp ic ious sys tem ac t iv i t ies : they documen t in trus ions , and log cruc ia l in forma t ion such as fa i led sys tem upda tes and crashed serv ices . An adversary thus has a c lear mo t ive to observe , a l ter , and de le te log en tr ies , cons ider ing tha t she cou ld ( i ) s tar t by us ing the log ’s con ten t to iden t i fy new secur i ty vu lnerab i l i t ies , and ( i i ) exp lo i t them w i thou t ever be ing de tec ted . W i th th is in m ind we cons ider sys log s tandards and open source pro jec ts tha t sa feguard even ts dur ing the s torage and trans i t phases , and exam ine how da ta compress ion e f fec ts secur i ty . W e conc lude tha t there are sys log s tandards in p lace tha t sa t is fy secur i ty on a hop -by -hop bas is , tha t there are no such s tandards for secure s torage , and tha t message compress ion is no t recommended dur ing trans i t .
Facu l ty o f Hea l th , Sc ience and Techno logy Facu l ty o f Hea l th , Sc ience and Techno logy
Rasmus Dah lberg and Tob ias Pu l ls
S tandard ised Sys log Process ing
Rev is i t ing Secure Re l iab le Da ta T rans fer and
Message Compress ion
Standard isedSys logProcess ing
Rev is i t ingSecureRe l iab leDa taT rans ferandMessageCompress ion
RasmusDah lberg
Kar ls tadUn ivers i ty ,Dep t .o fMa thema t icsand Compu terSc ience ,Sweden
Tob iasPu l ls
Kar ls tadUn ivers i ty ,Dep t .o fMa thema t icsand Compu terSc ience ,Sweden
ABSTRACT
Today ’scomputerlogsarel ikesmok inggunsandtreasure mapsincaseo fsusp ic ioussystemact iv it ies :theydocument intrus ions ,andlogcruc ia lin format ionsuchasfa i ledsystem updatesandcrashedserv ices . Anadversarythushasac lear mot ivetoobserve ,a lter ,andde letelogentr ies ,cons ider ing thatshecou ld( i)startbyus ingthelog ’scontenttoident i fy newsecur ityvu lnerab i l it ies ,and( i i)exp lo itthem w ithout everbe ingdetected . W ithth isin m indwecons idersys log standardsandopensourceprojectsthatsa feguardevents dur ingthestorageandtrans itphases ,andexam inehow datacompress ioneffectssecur ity . Weconc ludethatthere aresys logstandardsinp lacethatsat is fysecur ityonahop- by-hopbas is ,thattherearenosuchstandardsforsecure storage ,andthat messagecompress ionisnotrecommended dur ingtrans it .
Keywords
Sys log ,standard isedlogg ing ,securedatacompress ion
1 . INTRODUCTION
Acomputerlogw ithdescr ipt ionso fpastact iv itysuchas fi leaccess ,author isat iondec is ions ,andsystemd iagnost ics is ,andhavelongbeen ,aninva luab leresourceforsystem adm in istratorsdur ingtroub leshoot ing .Forexamp le ,legacy sys log[18]datesbackasfarasthe1980s ,andtobeg inw ith theor ig ina ldes ignhadl itt leinterestinsecur ity[13] . Th is contrad ictsthecurrentneeds ,cons ider ingthattoday ’slogs conta insens it ivedatathat mustnotbeobserved ,dropped , ora ltered :secur itynot ificat ions ,users ’systemtraces ,and soforth .Inotherwords ,itisessent ia ltoensuresecurelog managementonaprotoco landin frastructura lleve l ,asis ident ifiedinthesys logre latedrequestforcomments(RFCs) andinacomprehens ivesurveypub l ishedbythe Nat iona l Inst ituteo fStandardsandTechno logy(NIST)[14] .
Theconsequenceso funsecurelogmanagementisev ident ly devastat ing . Cons iderwhatwou ldhappeni flogentr ieswere tamperedw ith ,de leted ,or ma l ic ious lyinsertedintothelog byanadversary . Thetraceso fanent ireattackcou ldeas i ly beh idden ,andfa lseev idenceproducedforev i lpurposes . Even moresevere ly ,d isc losureo ftheusers ’sens it ivedata hasprev ious lydr ivenpeop letosu ic ide[2] . Thus ,asecure logg ingin frastructurecannotrunasi fitmere lyconta insde- bugg ingin format ion . Theimpacto f ,e .g . ,den ia lo fserv ice attacks ,confident ia l itybreaches ,andintegr itycomprom ises mustbecare fu l lycons ideredandaccountedforaccord ing ly , pre ferab lydepend ingonwe l l-definedpo l ic ies .
Current lythereare manysys logre latedstandards ,some o fwh ichareo ldorobso lete[23,30,31]andothersthatare qu iterecent[9,10,13,20,24] . Apartfromthestandards , mu lt ip leopensourceprojectsex istthatprov idesecurelog managementso lut ions[32,35] .Intheresearchcommun ity therehasa lsobeensevera lpreva lentadvancements , most notab lyinc lud ingforward-secureconstruct ions[4,19] . I f th isisapp l icab le ,however ,isdependentonthesett ing .For instance ,aforwardsecureschemeservesnopurposewhena system ’sdev iceshavetobetrustedata l lt imes .
1 .1 Term ino logyandSett ing
Wecons iderthreetypeso ftrusteddev ices ,name ly or ig i- nators,re lays,andco l lectors. Anor ig inatorgeneratesevents thataresentacrossanunre l iab leandunsecurenetwork . The eventsareformattedassys log messages ,and maybesent to mu lt ip lere laysandco l lectors . Uponrece ipto fanevent , are layispreconfiguredtoserveaforward ingfunct ion . The co l lectors ,ontheotherhand ,arch iveeventsandper form logana lys is . Adev icecanbeanycomb inat iono for ig inator , re layandco l lector .
F igure 1dep ictsoursett ing . Anact iveadversarythat iscomputat iona l lyboundedintercepts ,exam ines , mod ifies , de lays ,andrep layseventsintrans it .She maya lsoattempt tocauseava i lab i l ityissuesbyin ject ing ma l ic iouseventsto exhaustbothre laysandco l lectors . Further ,th irdpart ies thatareab letoauthent icatethemse lvesquerytheco l lectors forevents ,demand ingver ifiab leresponsesw ithregardtothe or ig inatorthatgeneratedwh icheventatrough lywhatt ime .
Col lector Re lay
Or ig inator
C lient query
answer m
2m
1m
1m
2F igure1 : Asketcho foursett ing .
Foror ig inatorsandre lays ,spaceisal im itedresourcein
theordero fafewg igabytes . Theco l lectorsareassumed
tobe morepower fu l ,anditisdes irab letosavebandw idth
w ithoutcomprom is inganysecur ity . Wedonotcons ider
rep l icat ionattheco l lectors ,butth isisinherent lysupported
bythe mode ls inceaco l lectorcana lsobeare lay .
1 .2 Goa landScope
Wew ishtoexam inesys logstandardsandre latedconcepts thatareapp l icab leto Un ix- l ikeenv ironments . Thea imis toprov idegu ide l inesbasedonoursett ingwherea l ldev ices havetobetrusted ,andwehopetofindso lut ionsthatoffer :
– Re l iab letransportbetweenthed ifferentdev ices ; – Confident ia l ity ,integr ity ,andava i lab i l ity ;
– Or ig inauthent icat iononaper-messagebas is ,i .e . ,wh ich or ig inatorgeneratedwhat message .
Itisa lsodes iredthatwecons idersecuredatacompress ion dur ingtrans itandlong-termstorage . Ourscopeisl im ited tostandard isedandwe l lestab l ishedopensourceprojects .
1 .3 Roadmap
Therema indero fthereportisstructuredasfo l lows .Sec- t ion2prov idesanoverv iewo fex ist ingsys logstandardsand thesecur itypropert iestheyen force . Sect ion3h igh l ights popu laropensourceprojectsre latedtosca lab leandsecure logg ingin frastructures .Sect ion4introducestechn iquesfor datacompress ionandhowtheyeffectsecur ity . Sect ion5 setsourd iscuss ionintocontext ,prov id inggu ide l inesbased onbestpract ices .F ina l ly ,Sect ion6conc ludesthereport .
2 . SYSLOGSTANDARDS
F irstweintroducepastdeve lopmentandimportantnotes regard ingthesys logprotoco l ,thenthelateststandardsfor re l iab ledatatrans ferandsecur ityareexam ined .
2 .1 TheSys logProtoco l
A fteraw ideuseacrossnetworksformanyyears ,observed behav iouro fBSDsys logwasdocumentedinRFC3164[18] . Theintent wastoprov ideas imp leprotoco ltransport ing eventsfromsourcestos inks ,resu lt ingintheuseo f UDP w ithoutacknow ledgementsandsecur itycons iderat ions .
RFC3164waslaterondec laredobso leteandprecededby astandardinRFC5424[9] . Alayeredarch itectureinterms o fanapp l icat ionandtransportlayerwasintroduced ,anda newstructureforthe messageformatdefined . Wh i lenone o fthetrad it iona lsecur itypropert ieswereaddressed ,severa l encod ingissueswerereso lvedandacommongroundtobu i ld uponprov ided . Inother words ,toatta inpropert iessuch asguaranteedde l ivery ,confident ia l ity ,andintegr ity ,other standardsorvendorspec ificso lut ions mustbecons idered .
2 .2 UDPandTCPTransport Mapp ings
Desp itethegenera linteresttosecuresys log ,except ions ex istwhere inatrad it iona ltransportlayersuffices .Forsuch purposestherearebothUserDatagramProtoco l(UDP)and T ransm iss ionContro lProtoco l(TCP) mapp ingsdefinedfor sys log[10,24] . Noneo ftheseopt ionsareent ire lyre l iab le , however ,becausesys logiss imp lexw ithoutanyapp l icat ion leve lacknow ledgements . Forinstance ,itcanbenontr iv ia l todeterm ine wh ich messageshavebeencorrect lyrece ived intheevento fapremature lyc losed TCP-connect ion . A separaterecovery mechan ism maythere forebenecessary .
The TCPtransport mapp ingisnot w ithoutdrawbacks . Thereisl itt lecontro lregard ingwhenapacketissent ,and bydes ignthethroughputislessthanthato f UDP . The TCPpushflag m ighthe lptoensurethatimportantevents cannotres ideins idebuffersforlongper iodso ft ime ,but
extralatencyisinev itab ledueto ,e .g . ,thein it ia lhandshake andcongest ion mechan ism .Furthermore ,i fTCPisfeas ib le , itisl ike lythattheT ransportLayerSecur ity(TLS)mapp ing isapp l icab le(seeSect ion2 .3) . The Datagram T ransport LayerSecur ity(DTLS) mapp ingforsys logcou lda lsobe o finterestinc ircumstances wherere l iab ledatatrans feris irre levantortoocost lyintermso foverhead[ 34] .
2 .3 TLSTransport Mapp ing
Theuseo fTLSisrecommendedtoprotectsys logevents onahop-by-hopbas is ,i .e . ,intrans itfromor ig inatorsand re laystootherre laysandco l lectors[9,24] .Forth ispurpose , thereisa TLStransport mapp ingdefinedforsys log[20] . Mutua lauthent icat ionispre ferab lycert ificate-based ,and confident ia l ityandintegr ityispreservedbyencapsu lat inga l l sys log messagesasTLSapp l icat iondata . Notethatre l iab le datatrans ferisnotnecessar i lyprov ided(seeSect ion2 .2) , andden ia lo fserv iceison lypart ia l lyguardedaga instdue totheprov idedauthent icat ioncapab i l it ies . Wew i l ld iscuss se lect iono fTLSc iphersu iteslateroninSect ion5 .2.
2 .4 IPsecforSys log
InternetProtoco lSecur ity(IPsec)isasecur ityprotoco l thatoperatesonthenetworklayer[15] . A l ltransportlayer serv icesthatrunontopo fIPsecw i l lthusreaptheharvest fromtheprov idedsecur itypropert ies ,fo l low ingfromtwo assoc iatedIPsecprotoco ls . F irst ,anauthent icatedheader offersintegr ity ,or ig inauthent icat ion ,andopt iona lrep lay res istance . Second ,anencapsu latedsecur itypay loadoffers thesameseto fserv icesas we l lasconfident ia l ity . Botho f thetwoprotoco lssupportaccesscontro l ,andrunine ither transportortunne l mode. Thed ifferent modesdeterm ine deta i lsregard ing ,e .g . ,howadatagramshou ldbeprocessed .
Whatisnotapparentfromth isbr ie fintroduct ionisthat IPsecisacomp lexprotoco lw ith manyqu irks[26] .Itspans hundredso fpages ,andevensevera lRFCs . However ,wh i le comp lex ityiso ftencons ideredasecur ityconcern[8] ,IPsec doesaddress manysecur ityissuesi fimp lementedcorrect ly .
2 .5 S ignedSys log Messages
Sys log-s ign[13]usesthestructureddatae lementsdefined inRFC5424[ 9]toauthent icateastreamo fsys logmessages , introduc ings ignatureandcert ificateb locks. Asdep ictedin F igure2,as ignatureb lockconta inshasheso fprev ious lysent messagesandisd ig ita l lys igned . Theassoc iatedkey ma- ter ia lisd istr ibutedper iod ica l lythroughcert ificateb locks , and mustbeprotectedexterna l ly ,e .g . ,v iaTLS ,toprevent man- in-the-m idd leattacks .Itshou ldbenotedthatne ither s ignaturenorcert ificateb locksareinc ludedinthestream o fs igned messages . Theyare ,however ,encodedus ingthe sys log messageformat .
... s e H(m
s) ... H(m
e) σ p;σ← S ig(sk,p)
F igure2 : Therat iona lebeh inds ignatureb locks ; sande re fertothefirstandlast messageind ices ,respect ive ly .
Theresu lt ingsys log-s ignprotoco lprov idesintegr itycheck-
ing ,sequenc ingo fevents ,andor ig inauthent icat ion . Thus ,
rep layattacksand m iss ingeventscanbeaccountedfor .In
add it ion ,twoproceduresforon l ineandoffl inever ificat ion
aredefined ,andvendorspec ificver ificat ionissupported . F ina l ly ,duetos ignaturegroups,eventscanbegroupedand s ignedseparate lybytheor ig inator . Th isisanimportant feature whend ifferenteventsshou ldbeforwardedtovar i- oussetso fco l lectors ,e .g . ,depend ingonapp l icat ion ,pr ior ity , andrep l icat ionpo l icy .
3 . OPENSOURCEPROJECTS
Severa lopensourceprojectsex istthatarea imedtowards securelog management . Webr ieflydescr ibetwoo fthe most estab l ishedones ,name lysys lognewgenerat ion(sys log-ng) andtherocket- fastsystemforlogprocess ing(rsys log) . Then alogg ingut i l itythatres idesw ith insystemdish igh l ighted .
3 .1 Sys log-ng
Sys log-ng[35]isacentra l isedlogg ingin frastructurethat isava i lab leon manyhardwarearch itecturesandoperat ing systems ,inc lud ingx86andUn ix- l ikeenv ironments . Among otherfeatures ,suchasdatabase managementandfi lter ing , thereissupportforre l iab ledatatrans fer , messagesecrecy andintegr ity ,and mutua lauthent icat ion .Sys log-ngisa lso compat ib lew ithIPv4/IPv6networks ,andthec l ient ,re lay , andservermodesarepart icu lar lyconven ientforoursett ing . Notethatsys log-ngisnotintendedforlogana lys is :itcan per formru le-basedfi lter ingandtrans form messagesfrom oneformattoanother , butnotinterpretthe ir mean ing . Moreover ,thereiscurrent lyno mechan ismdefinedthatcan generateproo fsw ithregardtot imeandor ig in .
3 .2 Rsys log
Rsys log[32]isacentra l isedlogg ingin frastructurethat isava i lab leonsevera lL inuxd istr ibut ion ,inc lud ingUbuntu andCentOS .Thereissupportforfeaturessuchasdatabases , fi lter ing ,andsecur ityadd-ons , where inre l iab leandsecure trans itisen forcedus ing TCP/TLS ,andakey lesss igna- turein frastructureguardsaga instunauthor isedlog mod i- ficat ions . L ikesys log-ng ,rsys logdoesnotincorporatethe sys log-s ignprotoco l . There fore ,ne ither messageor ig innor thet imeo feventgenerat ioncanbeproventoath irdparty . Interest ing ly ,rsys logsupportsdatacompress iondur ing trans itforstreamsandind iv idua l messages . Asdescr ibed furtherinSect ions4–5,th iscou ldbeasecur ityissue .
3 .3 Journa ldandSystemd
Thejourna ldisalogg ingut i l itythatisparto fthesystemd daemon .Itisre latedtosys log ,support ingstructuredb inary encod ings[37]andforwardsecuresea l ing[ 27] . Theformer increasesstorageandautomatedsearcheffic iency ,wh i lethe latterw i l ll ike lydetectanadversarythattampersw ithpast logentr ies .Itshou ldbenotedthattheeffect ivenesso fsuch integr ityprotect ionre l iesonacheckpo intfrequency ,i .e . , howo ftenkey mater ia lissecure lyincremented ,anditas- sumesthatde let iono ftheent irelogcanbedetectedbyother means . Asacaveat ,thecheckpo intfrequency m ightnotbe suffic ient lylargebyde fau lt . Thus ,ensurethatisconfigured proper lyforthesysteminquest ion .
4 . DATACOMPRESSION
Forthe we l l-be ingo ftheent ireInternet ,itiso fgenera l interesttoreducebandw idthrequ irements . L ikew ise ,there are manyga insinreduc ingstoragerequ irements . Inth is sect ion wea imtoh igh l ightpotent ia lsecur ityissues w ith
themostcommoncompress iontechn iques ,wh ichw i l lbeour bas iswhend iscuss ingthesubjectspec ifica l lyforoursett ing .
4 .1 HuffmanCod ing
Atrad it iona lcharacterencod ingrepresentseachsymbo l w ithequa l ly manyb its . Huffmancod inga imstoreduce thenumbero fb itsforthe mostfrequentsymbo ls ,thereby y ie ld ingasucc inctrepresentat iono ftheor ig ina lstr ing[12] . Forexamp le , w ith UTF-8 ,thestr ing“M iss iss ipp i”requ ires 88← 11·8b its . AsshowninF igure3,th iscanbereduced to21b itsus ingHuffmancod ingasfo l lows .F irst ,countthe frequencyo feachletterandordertheminincreas ingorder . Second ,repeated lybu i ldab inarytree ,bottom-up , where thetwonodes whosecomb inedsymbo lfrequenc iesarethe sma l lest . Eachle ftandr ighttraversa lisinterpretedaszero andone ,respect ive ly . F ina l ly ,theresu lt ingpathsdownto theleavesdefineanopt im isedcharacterencod ing .
(a) i 4 f p 2 s 4 M 1
(b)
ispM11 spM7
pM3 M 1 p2 s4 i4
(c) i 0 e s 10 p 110 M 111
F igure3 : AHuffmanencod ingfor“M iss iss ipp i” ,resu lt ingin theb inarystr ing111010100101001101100.
4 .2 TheLempe l-Z ivFam i ly
Thesem ina lpaperbyZ ivandLempe l[38]introduceda compress ionmechan ism(now)namedLZ77
1. Asopposedto Huffmancod ingthattargetsind iv idua lsymbo ls ,repeated sequencesarerep laced w ithbackwardre ferencestoreduce redundancy . Thebas icpr inc ip leisasfo l lows . Acharacter streamisprocessed ,andas l id ingw indowisadvancedsuch thatthereisasearchbuffertothele ftandalook-ahead buffertother ight . Foreach w indowpos it ion ,thelongest prefix matchisfirstdeterm inedinthesearchbuffer . Next , itisrep lacedw ithare ferenceontheform<d ,l ,c>,where disad istancetotheprev iousoccurrence ,litslength ,and cthenextcharacterinthelook-aheadbuffer . F ina l ly ,the w indowisforwardedbyd+1steps .
Anexamp lebasedonthestr ing“M iss iss ipp i”isshown in Tab le1. Thelongestprefix matchinthesearchbuffer ish igh l ightedbyagraybackground ,thenextcharacter inthelook-aheadbufferisbo ld ,andtheresu lt ingstr ing is<0,0,m><0,0,i ><0,0,s><1,1,i ><3,3,p><1,1,i >.In pract ise ,thes izeo fthesearchandlook-aheadbuffersare fixedinadvance ,andnode l im it ingcharactersareused .
Thereisanent irefam i lyo fcompress iona lgor ithmsthat arere latedtothe worko fZ ivandLempe l . Thed ifferent var iat ionsoffertrade-offs w ithregardtocompress iont ime andrat io ,andcanbecomb inedw ithotherapproaches . One suchcomb inat ionis DEFLATE[5] : app lyLZ77 ,fo l lowed by Huffmancod ing . Forfurtherdeta i ls ,p leasere fertothe comprehens ivebookondatacompress ionbySa lomon[33] .
1
LZisanacronymfortheauthors ,Lempe landZ iv ,and
(19)77re ferstotheyearo fpub l icat ion .
Tab le1 : Der iv inganLZ77encod ingfor“M iss iss ipp i”
i Search Look-ahead Output 1 Miss iss ipp i <0,0,M>
2 M iss iss ipp i <0,0,i>
3 M i ss iss ipp i <0,0,s>
3 M is sisspp i <1,1,i>
4 M iss i ss ipp i <3,3,p>
5 M iss iss ip pi <1,1,i>
6 M iss iss ipp i
4 .3 Attack ingCompress ion Mechan isms
W ithoutdoubt ,thepastdecadesshowhownontr iv ia lthe des ignandimp lementat iono fsecurecomputersystemare . Yettodate ,newvu lnerab i l it iesarefoundinSSL/TLS[25] , cert ificateauthor it iesarecomprom ised[16,29] ,andnat iona l stateagenc iesbreaksupposed lysecuredev ices[21] . Wh i le iso latedcryptograph icpr im it ives m ightbesecureonthe ir own ,secur itydoesnotcompose . Infact ,proceduresthat wereneverintendedforsecur itycancausetroub le . Onesuch examp leisdatacompress ionwhenapp l iedtoTLS[11] .
Compress ionRat ioIn fo-Leak MadeEasy(CRIME)isan exp lo itdeve lopedbyR izzoand Doung[7] . Anadversaryis ab letoh i jacktheusers ’pr ivateTLSsess ionsbyguess ingthe authent icat ioncook iesi fthefo l low ingcond it ionsare met :
– Theadversarycanobservethenetworktraffic ,e .g . ,v ia aw ire less med ium .
– Theadversarycanin jectcodeintothev ict im ’sbrowser , e .g . ,byprov id inga ma l ic iousl inkthatisc l icked . – Thev ict imauthent icatesoveran HTTPSconnect ion
thatusesanLZ- l ikecompress ion mechan ism . Theattackproceedsasfo l lows . F irst ,theadversaryin jects codeintothev ict im ’sbrowser . Th isa l lowsforachosen p la intextattack . Next ,spec ia l HTTPrequestsarecra fted suchthatthesecretcook iecanbebrute- forcedonesymbo l atat ime . F ina l ly ,aguessiscons ideredcorrect whenthe observedc iphertextisreducedduetoincreasedredundancy . Inotherwords ,thetr ickisthatarb itrar i lychosenstr ingsare compressedtogetherw iththesecretin format ion ,andLZ77 causescorrectguessestoproducesma l lerc iphertexts .
Someo ftheproposedcountermeasuresaga inst CRIME inc ludenevercompress ingsecretsandadversarycontro l led data . Thesa festopt ion ,however ,appearstobed isab l ing compress iona l ltogether
2. Forinstance ,inthefootstepso f CRIMEfo l low BREACH[28]and TIME[ 3] . Theytarget thecompress iono fHTTPresponses ,andTIMEre laxesthe prerequ is itestolaunchasuccess fu lattackbye l im inat ingthe needtoeavesdrop . Thus ,weconc ludethatdatacompress ion isasens it ivetop icthat mustbecare fu l lycons idered .
5 . RECOMMENDATIONS
F irstweprov ideanoverv iewo fwhattheex ist ingsys log standardscanandcannotaccomp l ishinoursett ing ,then add it iona ldeta i lsregard ingcryptograph icpr im it ives ,secure datacompress ion ,andver ifiab lequer iesared iscussed .
2
Thecurrentdra ftforTLS1 .3removesdatacompress ion .
5 .1 Overv iew
Inasett ingwherea l ldev iceshavetobetrusted ,theex- ist ingsys logstandardscansupportthefo l low ingpropert ies : –Confidentialityandintegrityduringtransit. Use
TCP ,anapp l icat ionleve lrecovery mechan ismforfu l l re l iab i l ity ,ande itherIPsecorTLS .
–Serverand mutualauthentication. Useastrong authent icat ion mechan ismbasedonTLSorIPsec . –Originauthenticationandreplaydetection. Use
sys log-s ign . Th isw i l la lsodetect m iss ingeventsdueto asequenc ingscheme ,andthes ignatureb locksw i l lbe theproo fso fcorrectnessforthequery ingc l ients . Desp itecomb in ingvar ioussys logstandards ,thefo l low ing propert iescannotbeprov ided :
–Securestorage. Ne itherconfident ia l ity ,integr ity , norava i lab i l ityisensureddur ingstorage .
–Secure Data Compression.Nosuchstandardsare definedforsys log .
–Availability . Wh i le mutua lauthent icat ionhe lpsto preventden ia lo fserv ice ,fi lter ingandlogrotat ionis necessarytoassurethatanadversarycannotexhaust thenetworkanditsdev ices . Forlogrotat ionthereis aL inuxserv icethat m ightbeuse fu l[36] .
F ina l ly ,itshou ldbenotedthatas ign ificantamounto f overheadw i l lbeintroducedwhenonesw itchesfromlegacy sys logtoasecurelogg ingin frastructure . Theopensource projectsm ightbeapp l icab leforsomevendors ,anditisl ike ly thatthejourna ldlogg ingut i l ityisworthcons ider ing .
5 .2 Se lect ingCryptograph icPr im it ives
Itappearsthattherearenocurrentrecommendat ions whense lect ingcryptograph icpr im it ivesforsecurelogg ing : thepresentedopensourceprojectsprov idenohe lpinth is regard ,andthesys logstandardsareo ld . There fore , we suggestthatthegu ide l inesprov idedby Goog le ’ssecur ity researchersbefo l lowed ,andposs ib lythatthec iphersu ites supportedbyChromeandF ire foxcou ldbecons idered
3.
Lang ley[17]d iscussedse lect iono fTLSc iphersu itesatthe Goog lesecur ityb log . Heconc ludedthatTLS1 .0shou ldbe avo idedduetosevera lknownflaws ,inc lud ingthosefoundin thestreamc ipherRC4 ,andthatTLS1 .1shou ldbeavo ided too ,i fposs ib le . Forinstance ,the CBCb lockc ipher mode isvu lnerab letotwoattacks : BEAST[ 6]andLucky13[ 1] . Theformertargetsthegenerat iono fin it ia l isat ionvectors andhasbeenpatched , whereasthelatterisat im ingat- tackthatcou ldbepreventedbyproperconfigurat iono fthe TLSserver . However ,itisimposs ib lefortheTLSc l ientsto knowni fthatisthecaseinadvance . Thus ,l ikeLang ley ,we donotrecommendsu itesbasedonRC4orCBC mode .
Instead ,thebetteropt ionistose lectsu itesofferedby TLS1 .2 ,inpart icu larthosebasedontheGCMb lockc ipher modeortheChaCha20-Po ly1305c ipher .Forexamp le ,ona W indows mach inethatrunsChromevers ion51 .0 .2704 .103 , 128-b itsecur ityw ithAESin GCM modeisthefirstcho ice ,
3
![PÓ!9]LL!!!!]l!L](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==)