Abstract
We present four attacks on three cryptographic schemes intended for securing log files against illicit retroactive modification. Our first two attacks regard the LogFAS scheme by Yavuz et al. (Financial Cryptography 2012), whereas our third and fourth attacks break the BM- and AR-FssAgg schemes by Ma (AsiaCCS 2008).
All schemes have an accompanying security proof, seemingly contradicting the existence of attacks. We point out flaws in these proofs, resolving the contradiction.
G. Hartung—The research project leading to this report was funded by the German Federal Ministry of Education and Research under grant no. 01\(\vert \)S15035A. The author bears the sole responsibility for the content of this report.
Notes
- 1.
For efficiency reasons, schemes where each secret key can be computed from the previous one, and where there is only a single, compact key for verification, are desirable. However, these properties are not strictly required.
- 2.
The original scheme in [22] includes the value \(e_j\) in the signature. We have omitted this, as \(e_j\) can be recomputed by the verifier.
- 3.
For this reason, our attack does not carry over to the underlying forward-secure signature scheme by Bellare and Miner [3]. There, the values \(r_j\) are chosen uniformly and independently at random, which prevents our attack.
- 4.
As with our attack on the BM-FssAgg scheme, our attack does not carry over to the underlying forward-secure signature scheme by Abdalla and Reyzin [1], since the values \(r_j\) are chosen independently at random in their signature scheme.
- 5.
Our attacks can be easily generalized to work with any \(t+1\) consecutive aggregate signatures \(\sigma _{1,k}, \ldots , \sigma _{1,k + t+ 1}\) or even with any \(t\) pairs of directly consecutive aggregate signatures \((\sigma _{1,k_1}, \sigma _{1,k_1 + 1}), \ldots , (\sigma _{1,k_t}, \sigma _{1,k_t+ 1})\).
- 6.
Our implementation of the schemes is only intended to provide a background for our attacks. We therefore did not attempt to harden our implementation against other types of attacks at all.
- 7.
The number of supported epochs \(T\) may be unrealistically low. But since \(T\) does not influence the time required for executing our attacks, a small \(T\) is sufficient for our demonstration.
References
Abdalla, M., Reyzin, L.: A new forward-secure digital signature scheme. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 116–129. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_10
Adkins, W.A., Weintraub, S.H.: Algebra: An Approach via Module Theory. Graduate Texts in Mathematics, vol. 136. Springer, New York (1992). https://doi.org/10.1007/978-1-4612-0923-2
Bellare, M., Miner, S.K.: A forward-secure digital signature scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 431–448. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_28
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, CCS 1993, pp. 62–73. ACM, New York (1993)
Bellare, M., Yee, B.S.: Forward integrity for secure audit logs. Technical report, University of California at San Diego (1997)
Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_26
Common Criteria for Information Technology Security Evaluation, version 3.1 r4, part 2, Accessed 19 Nov 2017. https://www.commoncriteriaportal.org/cc/
Department of defense trusted computer system evaluation criteria, Accessed 19 Nov 2017. http://csrc.nist.gov/publications/history/dod85.pdf
Holt, J.E.: Logcrypt: forward security and public verification for secure audit logs. In: Proceedings of the 2006 Australasian Workshops on Grid Computing and e-Research - Volume 54, ACSW Frontiers 2006, pp. 203–211. Australian Computer Society Inc., Darlinghurst (2006)
Kannan, R., Bachem, A.: Polynomial algorithms for computing the Smith and Hermite normal forms of an integer matrix. SIAM J. Comput. 8(4), 499–507 (1979)
Ma, D.: Practical forward secure sequential aggregate signatures. In: Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, ASIACCS 2008, pp. 341–352. ACM, New York (2008)
Ma, D., Tsudik, G.: Forward-secure sequential aggregate authentication. Cryptology ePrint Archive, Report 2007/052 (2007). http://eprint.iacr.org/
Ma, D., Tsudik, G.: A new approach to secure logging. In: Atluri, V. (ed.) DBSec 2008. LNCS, vol. 5094, pp. 48–63. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70567-3_4
Marson, G.A., Poettering, B.: Practical secure logging: seekable sequential key generators. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 111–128. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40203-6_7
Micciancio, D., Warinschi, B.: A linear space algorithm for computing the Hermite normal form. In: Proceedings of the 2001 International Symposium on Symbolic and Algebraic Computation, ISSAC 2001, pp. 231–236. ACM, New York (2001)
An Introduction to Computer Security: The NIST Handbook, October 1995. NIST Special Publication 800-12
Schneier, B., Kelsey, J.: Cryptographic support for secure logs on untrusted machines. In: The Seventh USENIX Security Symposium Proceedings (1998)
Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 688–689. Springer, Heidelberg (1990). https://doi.org/10.1007/3-540-46885-4_68
Schnorr, C.-P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)
Stein, W.: SageMath. https://www.sagemath.org/. Accessed 19 Nov 2017
Yavuz, A.A., Peng, N.: BAF: an efficient publicly verifiable secure audit logging scheme for distributed systems. In: Annual Computer Security Applications Conference, 2009, ACSAC 2009, pp. 219–228, December 2009
Yavuz, A.A., Peng, N., Reiter, M.K.: Efficient, compromise resilient and append-only cryptographic schemes for secure audit logging. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 148–163. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32946-3_12
Yavuz, A.A., Reiter, M.K.: Efficient, compromise resilient and append-only cryptographic schemes for secure audit logging. Technical Report TR-2011-21, North Carolina State University, Department of Computer Science, September 2011. http://www.lib.ncsu.edu/resolver/1840.4/4284
Acknowledgements
I’d like to thank Alexander Koch for his detailed comments, as well as for questioning the security proof of the BM-FssAgg scheme, which was the starting point for my research presented in Sect. 3.
A The Schnorr Signature Scheme
The Schnorr Signature Scheme [18, 19] is based on the hardness of the discrete logarithm problem in some group G. It uses a prime-order subgroup G of \(\mathbb {Z}_{p}^*\), where p is a large prime, G’s order q is also a large prime, and q divides \(p-1\). Let \(\alpha \) be a generator of G. A secret key for Schnorr’s scheme is \(y \leftarrow \mathbb {Z}_{q}^*\); the corresponding public key is \(Y :=\alpha ^y \pmod {p}\).
In order to sign a message \(m\), choose \(r \leftarrow \mathbb {Z}_{q}^*\), set \(R :=\alpha ^r \pmod {p}\), compute the hash value \(e :=H(m\mathop {\Vert }R)\) and set \(s :=r - ey \pmod {q}\). The signature is the tuple (R, s). To verify such a signature, recompute the hash value \(e :=H(m\mathop {\Vert }R)\) (where R is taken from the signature and \(m\) is given as input to the verification algorithm). Then check if \(R = Y^e \alpha ^s \pmod {p}\) and return \(1\) if and only if this holds.
The Schnorr signature scheme can be shown to be secure based on the hardness of the discrete logarithm problem in G, if \(H\) is modelled as a random oracle [4].
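The following is an added, self-contained implementation of the key generation, signing and verification steps described in this appendix; it is example code written for this page, not code from the paper or its authors. It assumes SHA-256 (reduced modulo q) as the hash function H, builds a small safe-prime group p = 2q + 1 from a seeded search (62-bit q, far below a secure size, chosen only so the demo runs instantly and reproducibly), and takes \(\alpha = 4\), which has order q in such a group. Two checks beyond the verification equation in the text are added hardening: the verifier rejects an R that does not lie in G and an s outside \(\mathbb {Z}_{q}\). As notes 3 and 4 emphasise for the underlying forward-secure schemes, the per-signature value r must be fresh and uniformly random; the optional r parameter exists only so the test below is deterministic.

```python
import hashlib
import random
import secrets

# Deterministic Miller-Rabin: these 12 bases decide primality for every n < 2^64.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(bits: int = 62, seed: int = 1):
    """Return (p, q, alpha): p = 2q + 1 with p, q prime, alpha of order q mod p.
    Constructed toy parameters (seeded search); real deployments use far larger p, q."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, exactly `bits` long
        p = 2 * q + 1
        if is_prime(q) and is_prime(p):
            break
    alpha = 4  # 4 = 2^2 is a quadratic residue != 1, hence has order q when p = 2q + 1
    assert pow(alpha, q, p) == 1
    return p, q, alpha


def hash_to_zq(params, m: bytes, R: int) -> int:
    """e := H(m || R) with H = SHA-256 reduced mod q (assumption: H is this hash)."""
    p, q, _ = params
    data = m + R.to_bytes((p.bit_length() + 7) // 8, "big")  # fixed-width R, no ambiguity
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def keygen(params, y=None):
    """Secret key y <- Z_q^*, public key Y := alpha^y mod p."""
    p, q, alpha = params
    if y is None:
        y = secrets.randbelow(q - 1) + 1
    return y, pow(alpha, y, p)


def sign(params, y: int, m: bytes, r=None):
    """Signature (R, s) with R := alpha^r, e := H(m || R), s := r - e*y mod q.
    r must be fresh and uniform for every signature; pass it only for reproducible tests."""
    p, q, alpha = params
    if r is None:
        r = secrets.randbelow(q - 1) + 1
    R = pow(alpha, r, p)
    e = hash_to_zq(params, m, R)
    s = (r - e * y) % q
    return R, s


def verify(params, Y: int, m: bytes, sig) -> bool:
    """Accept iff R lies in G, s lies in Z_q, and R == Y^e * alpha^s mod p."""
    p, q, alpha = params
    R, s = sig
    if not (1 <= R < p and pow(R, q, p) == 1):  # added check: R must be in the order-q subgroup
        return False
    if not (0 <= s < q):                         # added check: s must be a reduced Z_q element
        return False
    e = hash_to_zq(params, m, R)
    return R == (pow(Y, e, p) * pow(alpha, s, p)) % p


if __name__ == "__main__":
    params = gen_params()
    y, Y = keygen(params)
    msg = b"constructed sample log entry"
    sig = sign(params, y, msg)
    print("valid:", verify(params, Y, msg, sig), "tampered:", verify(params, Y, msg + b"!", sig))
```

Correctness follows from \(Y^e \alpha^s = \alpha^{ye} \alpha^{r - ey} = \alpha^r = R\). The subgroup membership test on R costs one extra exponentiation and is cheap insurance against inputs that are not elements of G at all.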
Copyright information
© 2017 International Financial Cryptography Association
About this paper
Cite this paper
Hartung, G. (2017). Attacks on Secure Logging Schemes. In: Kiayias, A. (eds) Financial Cryptography and Data Security. FC 2017. Lecture Notes in Computer Science(), vol 10322. Springer, Cham. https://doi.org/10.1007/978-3-319-70972-7_14
DOI: https://doi.org/10.1007/978-3-319-70972-7_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-70971-0
Online ISBN: 978-3-319-70972-7