Generic Construction of Audit Logging Schemes with Forward Privacy and Authenticity
 1k Downloads
Abstract
In this paper, audit logging schemes with forward privacy and authenticity are formalized in the symmetrickey setting. Then, two generic audit logging schemes with forward privacy and authenticity are proposed. One consists of an authenticated encryption scheme with associated data. The other consists of a symmetric encryption scheme and a MAC function. Both of them also uses a forwardsecure pseudorandom generator to achieve forward security. Finally, the forward privacy and authenticity of the schemes are confirmed in the manner of provable security. The security properties of the proposed schemes are reduced to the standard security properties of the underlying primitives.
Keywords
Audit logging Forward security Privacy Authenticity1 Introduction
Background and Our Motivation. Audit logging is an important technique to secure the systems. Audit logs record the events on systems to give a view of system activities. Any tampering with records including deletion and reordering should at least be detectable. Audit logs may contain sensitive information to be kept secret from attackers. Cryptographic techniques are useful to guarantee such authenticity and privacy of log files. Once an attacker gets the key, however, he can tamper with the records or decrypt the ciphertexts of sensitive information. To thwart these attacks, forward security is often incorporated in secure audit logging schemes [5, 12, 18].
Forward security prevents attackers having got the current key, for example, by intrusion from tampering with records or decrypting ciphertexts generated in the past by updating keys. Two settings for updating keys are found in literature of secure audit logging. We will call them timedriven setting and eventdriven setting. In the timedriven setting, the time is divided into intervals, and secret keys are updated at the end of every interval. Thus, multiple records may be generated with the same key assigned to an interval. In the eventdriven setting, on the other hand, secret keys are updated after every event. Each record is generated with a new secret key.
In spite of the importance of forwardsecure audit logging with privacy and authenticity, it has not been provided formal treatment and its security has been discussed informally.
Our Contribution. First, audit logging schemes and their security are formally defined in the symmetrickey setting. The security properties are called forward privacy and forward authenticity. Then, two generic constructions of audit logging schemes with forward privacy and authenticity are presented. One assumes the timedriven setting and is constructed with an AEAD (authenticated encryption with associated data) scheme. The other assumes the eventdriven setting and is constructed with a symmetrickey encryption scheme and a MAC function. For the first scheme, as far as the authors know, application of AEAD to secure audit logging has not been discussed before. Both schemes also use a forwardsecure pseudorandom generator to get forward security. Finally, it is shown that the proposed schemes are provably secure. The forward privacy and authenticity of the proposed schemes are reduced to the standard security properties of their components.
Related Work. Schneier and Kelsey [18, 19] proposed a forwardsecure audit logging scheme with privacy and authenticity in the symmetrickey setting. Actually, they also considered a communication protocol between an untrusted machine creating its log files and a trusted machine which stores log files. We will focus on the creation of log files in this paper.
Forward security was first introduced for key exchange protocols [10]. Bellare and Yee [6] formalized forwardsecure symmetrickey primitives and their security notions. They treated pseudorandom generators, message authentication schemes, and encryption schemes. They also provided their generic constructions and discussed their security.
Audit logging schemes with authenticity can also be found in literature. Bellare and Yee [5] initiated the study to secure audit logging with cryptographic techniques. Ma and Tsudik [12] introduced the notion of forwardsecure sequential aggregate message authentication, which can be used for audit logging with authenticity [13]. They also presented a scheme using a collisionresistant hash function as well as a MAC function. Hirose and Kuwakado [11] formalized the notion and proposed a provably secure scheme without a collisionresistant hash function.
Among the audit logging schemes mentioned above, the BellareYee scheme [5] and the HiroseKuwakado scheme [11] assume the timedriven setting for key update. The SchneierKelsey scheme [18, 19] and the MaTsudik scheme [13], on the other hand, assume the eventdriven setting.
Accorsi [1] made a brief survey of secure logging schemes. It also includes the schemes in the publickey setting, which are out of scope of the paper.
Recently, due to the CAESAR project [8], authenticated encryption has been attracting much interest. AEAD is formalized in [15]. Generic composition of an encryption scheme and a MAC function for AEAD is discussed in [3, 14].
Waters et al. [20] presented a scheme to construct encrypted audit log searchable with keywords in the publickey setting.
Organization. Section 2 gives notations and definitions of cryptographic primitives used in the proposed schemes. Section 3 presents definitions of audit logging schemes and their forward privacy and authenticity. Section 4 describes the proposed generic constructions. Section 5 shows that the generic constructions are secure if their components are secure. Section 6 concludes the paper.
2 Preliminaries
Notation. For sequences x and y, \(x\Vert y\) represents their concatenation. An empty sequence is denoted by \(\varepsilon \).
Let \(\varvec{F}(\mathcal {X},\mathcal {Y})\) be the set of all functions with domain \(\mathcal {X}\) and range \(\mathcal {Y}\). For keyed function \(F:\mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}\) with key space \(\mathcal {K}\), \(F(K,\cdot )\) is often denoted by \(F_{K}(\cdot )\).
For set S, let \(s\twoheadleftarrow S\) denote that an element s is chosen uniformly at random from S. For a pair of elements \(e_1\) and \(e_2\) of a totally ordered set, let \([e_1,e_2]=\{e\,\,e_1\le e\le e_2\}\). If \(e_1\) and \(e_2\) are integers, then \([e_1,e_2]\) represents the set of integers from \(e_1\) to \(e_2\) inclusive.
Pseudorandom Generator. A pseudorandom generator (PRG) [7] is a function with its range larger than its domain. Let \(G:\mathcal {S}\rightarrow \mathcal {S}'\) such that \(\mathcal {S}'>\mathcal {S}\). G is called PRG if it is intractable to distinguish G(S) with \(S\twoheadleftarrow \mathcal {S}\) and \(S'\twoheadleftarrow \mathcal {S}'\).
Pseudorandom Function. A pseudorandom function (PRF) [9] is a keyed function. \(F:\mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}\) is called PRF if it is intractable to distinguish \(F_{K}\) with \(K\twoheadleftarrow \mathcal {K}\) and a function chosen uniformly at random from \(\varvec{F}(\mathcal {X},\mathcal {Y})\).
Theorem 1
Rogaway and Shrimpton [17] introduced a vectorinput PRF. It is a PRF which takes as input a vector of strings as well as a key. They also showed how to construct a vectorinput PRF from a regular PRF which takes as input a string as well as a key.
ForwardSecure Pseudorandom Generator. A forwardsecure pseudorandom generator (FSPRG) [6] is a stateful generator. A stateful generator is defined by \(\mathsf {Gen}=(G,n)\), where \(G:\mathcal {S}\rightarrow \mathcal {K}\times \mathcal {S}\) such that \((K_{i},S_{i+1})\leftarrow G(S_{i})\) for \(1\le i\le n\) and \(S_{1}\in \mathcal {S}\). It is depicted in Fig. 1.
Theorem 2
SymmetricKey Encryption. A symmetrickey encryption scheme is defined by \(\mathsf {SE}=(E,D)\), where \(E:\mathcal {K}\times \mathcal {M}\rightarrow \mathcal {C}\) is an encryption algorithm and \(D:\mathcal {K}\times \mathcal {C}\rightarrow \mathcal {M}\cup \{\bot \}\) is a decryption algorithm. \(\mathcal {K}\) is the key space, \(\mathcal {M}\) is the message space and \(\mathcal {C}\) is the ciphertext space. For any \(K\in \mathcal {K}\), if \(C\leftarrow E_K(M)\) for some \(M\in \mathcal {M}\), then \(M\leftarrow D_K(C)\). Otherwise, \(\bot \leftarrow D_K(C)\).
Authenticated Encryption with Associated Data. We will define noncebased authenticated encryption with associated data (AEAD) [15, 16]. An AEAD scheme is defined by \(\mathsf {AEAD}=(\mathsf {en},\mathsf {de})\). \(\mathsf {en}:\mathcal {K}\times \mathcal {N}\times \mathcal {A}\times \mathcal {M}\rightarrow \mathcal {C}\times \mathcal {T}\) is an encryption algorithm and \(\mathsf {de}:\mathcal {K}\times \mathcal {N}\times \mathcal {A}\times \mathcal {C}\times \mathcal {T}\rightarrow \mathcal {M}\cup \{\bot \}\) is a decryption algorithm. \(\mathcal {K}\) is the key space, \(\mathcal {N}\) is the nonce space, \(\mathcal {A}\) is the associateddata space, \(\mathcal {M}\) is the message space, \(\mathcal {C}\) is the ciphertext space, and \(\mathcal {T}\) is the tag space. For any \(K\in \mathcal {K}\), if \((C,T)\leftarrow \mathsf {en}_K(N,A,M)\) for some \((N,A,M)\in \mathcal {N}\times \mathcal {A}\times \mathcal {M}\), then \(M\leftarrow \mathsf {de}_K(N,A,C,T)\). Otherwise, \(\bot \leftarrow \mathsf {de}_K(N,A,C,T)\). The security requirements for AEAD is privacy and authenticity. Messages require both privacy and authenticity, while associated data require only authenticity.
3 Audit Logging Scheme with Privacy and Authenticity
3.1 Scheme
An audit logging scheme is a stateful scheme defined by \(\mathsf {ALG}=(\mathsf {U},\mathsf {E},\mathsf {D},n)\), where \(\mathsf {U}:\mathcal {S}\rightarrow \mathcal {K}\times \mathcal {S}\) is a keyupdate algorithm, \(\mathsf {E}:\mathcal {K}\times \mathcal {T}\times \mathcal {A}\times \mathcal {M}\rightarrow \mathcal {C}\times \mathcal {T}\) is an encryption algorithm, \(\mathsf {D}:\mathcal {K}^{+}\times \mathcal {T}\times (\mathcal {A}\times \mathcal {C}\times \mathcal {T})^{+}\rightarrow \mathcal {M}^{+}\cup \{\bot \}\) is a decryption algorithm, and n is the number of the stages. The algorithms are described below.

Key Update \((K_{i},S_{i+1})\leftarrow \mathsf {U}(S_{i})\) for \(1\le i\le n\), where \(S_{1}\twoheadleftarrow \mathcal {S}\).
The keyupdate algorithm takes as input the secret master key \(S_{i}\) for the ith stage. It then outputs the secret key \(K_{i}\) for the current stage and the new secret master key \(S_{i+1}\) for the next stage.

Encryption \((C_{i,j},\tau _{i,j})\leftarrow \mathsf {E}(K_{i},\tau _{i,j1},A_{i,j},M_{i,j})\) for \(1\le i\le n\) and \(j\ge 1\).
In the ith stage, the encryption algorithm takes encryption key \(K_{i}\), previous tag \(\tau _{i,j1}\), associated data \(A_{i,j}\) and message \(M_{i,j}\) as input. \(\tau _{i,0}\) is an initial state of the ith stage. It then outputs ciphertext \(C_{i,j}\) for \(M_{i,j}\), and tag \(\tau _{i,j}\) for \((A_{i,j}, M_{i,j})\). \((A_{i,j}, M_{i,j})\) is called an event. \((A_{i,j},C_{i,j},\tau _{i,j})\) is called a record.
 Decryption Let \(\varvec{R}=(\varvec{R}_1,\varvec{R}_2,\ldots ,\varvec{R}_n)\) be the ordered sequence of the records, where \(\varvec{R}_i=(R_{i,1},R_{i,2},\ldots ,R_{i,\sigma _i})\) and \(R_{i,j}=(A_{i,j},C_{i,j},\tau _{i,j})\) for \(1\le i\le n\) and \(1\le j\le \sigma _i\). \(\sigma _i\) is the total number of the records in the ith stage. For \(1\le i\le n\) and \(1\le j\le \sigma _i\), let (i, j) be a pair of integers such that \((i,j)\le (i',j')\) if and only if \(i<i'\), or \(i=i'\) and \(j\le j'\). The decryption algorithm is defined as follows:where \((1,1)\le (i_1,j_1)\le (i_2,j_2)\le (n,\sigma _n)\), \(\varvec{K}_{[i_1,i_2]}\) is the subsequence of \(K_1,K_2,\ldots ,K_n\) from \(K_{i_1}\) to \(K_{i_2}\) inclusive, and \(\varvec{R}_{[(i_1,j_1),(i_2,j_2)]}\) is the subsequence of \(\varvec{R}\) from the \((i_1,j_1)\)th record to the \((i_2,j_2)\)th record inclusive. \(\mathsf {D}\) outputs \(M_{i_1,j_1},\ldots ,M_{i_2,j_2}\) if \(\varvec{R}_{[(i_1,j_1),(i_2,j_2)]}\) is valid with respect to \(\tau _{i_1,j_11}\). Otherwise, it outputs \(\bot \).$$ \alpha \leftarrow \mathsf {D}(\varvec{K}_{[i_1,i_2]},\tau _{i_1,j_11},\varvec{R}_{[(i_1,j_1),(i_2,j_2)]}), $$
We consider two kinds of settings for key update: timedriven setting and eventdriven setting. In the timedriven setting, time is divided into intervals, and the key is updated at the end of each interval. In the eventdriven setting, on the other hand, the key is updated after every event. A stage corresponds to an interval in the timedriven setting and to an event in the eventdriven setting.
For event \((A_{i,j},M_{i,j})\), it is assumed that \(A_{i,j}\) includes the index i of the current stage. For the timedriven setting, it is assumed that \(A_{i,j}\) also includes a flag representing whether the event is the last one in the ith stage or not. The flag is a countermeasure against truncation attacks [5, 13]. A truncation attack simply deletes the tail of a sequence of records and the corresponding tags. Thus, it cannot be detected without any kind of endmarker such as the flag assumed in the scheme.
3.2 Security
The forward privacy and authenticity of \(\mathsf {ALG}=(\mathsf {U},\mathsf {E},\mathsf {D},n)\) is defined below. Each of them is defined by an experiment with an adversary. The adversary works in two phases: The first phase is the query phase, and the second phase is the try phase.

\(1\le i_1\le i_2\le a\), \( (\tau _{i_1,j_11}',\varvec{R}_{[(i_1,j_1),(i_2,j_2)]}') \not \in \varvec{V}(\varvec{R},i_1,i_2) \), and

the output of \(\mathsf {D}(\varvec{K}_{[i_1,i_2]},\tau _{i_1,j_11}',\varvec{R}_{[(i_1,j_1),(i_2,j_2)]}')\) is not \(\bot \).
4 Generic Construction
For each of the timedriven setting and the eventdriven setting, an audit logging scheme with forward privacy and authenticity is proposed. The FSPRG \(\mathsf {Gen}\) with PRG \(G:\mathcal {S}\rightarrow \mathcal {K}\times \mathcal {S}\) is used for key update in both of the settings.
4.1 TimeDriven Setting
An audit logging scheme in the timedriven setting is composed with an AEAD scheme \(\mathsf {AEAD}=(\mathsf {en},\mathsf {de})\) and the FSPRG \(\mathsf {Gen}=(G,n)\). It is called \(\mathsf {t}\mathsf {ALG}\). \(\mathsf {t}\mathsf {ALG}\) requires some injective encoding from the tag space to the nonce space of \(\mathsf {AEAD}\). In the following, it is assumed for the simplicity of the description that the tag space is included in the nonce space.

Key update \((K_{i},S_{i+1})\leftarrow G(S_{i})\) for \(1\le i\le n\).

Encryption \( (C_{i,j},\tau _{i,j})\leftarrow \mathsf {en}_{K_{i}}(\tau _{i,j1},A_{i,j},M_{i,j}) \) for \(1\le i\le n\) and \(1\le j\le \sigma _i\), where \(\sigma _{i}\) is the total number of the events in the ith stage, \(\tau _{1,0}\) is an initial constant, and \(\tau _{i,0}=\tau _{i1,\sigma _{i1}}\) for \(i\ge 2\).

Decryption For \((\tau _{i_1,j_11},\varvec{R}_{[(i_1,j_1),(i_2,j_2)]})\), if \(\mathsf {de}_{K_{i}}(\tau _{i,j1},A_{i,j},C_{i,j},\tau _{i,j})\ne \bot \) for all \((i,j)\in [(i_1,j_1),(i_2,j_2)]\), then output \(\mathsf {de}_{K_{i}}(\tau _{i,j1},A_{i,j},C_{i,j},\tau _{i,j})\) for all \((i,j)\in [(i_1,j_1),(i_2,j_2)]\). Otherwise, it outputs \(\bot \).
4.2 EventDriven Setting
Let \(\mathsf {SE}=(E,D)\) be an encryption scheme such that \(E:\mathcal {K}_{\mathrm {e}}\times \mathcal {M}\rightarrow \mathcal {C}\) and \(D:\mathcal {K}_{\mathrm {e}}\times \mathcal {C}\rightarrow \mathcal {M}\). Let \(F:\mathcal {K}_{\mathrm {t}}\times (\mathcal {T}\times \mathcal {A}\times \mathcal {C})\rightarrow \mathcal {T}\) be a vectorinput PRF. For \(\mathsf {Gen}=(G,n)\) with \(G:\mathcal {S}\rightarrow \mathcal {K}\times \mathcal {S}\), let \(\mathcal {K}=\mathcal {K}_{\mathrm {e}}\times \mathcal {K}_{\mathrm {t}}\).
An audit logging scheme in the eventdriven setting is composed with \(\mathsf {SE}\), F and \(\mathsf {Gen}\). It is an EncryptthenMAC scheme [3, 4, 14]. It is called \(\mathsf {e}\mathsf {ALG}\). In this setting, only a single record is generated in each stage. Thus, in the following description, the index (i, j) of an event or a record is simply replaced with i.

Key update \((K_{i},L_{i},S_{i+1})\leftarrow G(S_{i})\) for \(1\le i\le n\).

Encryption For a new event \((A_i,M_i)\), \(C_i\leftarrow E_{K_{i}}(M_i)\) and \(\tau _{i}\leftarrow F_{L_{i}}(\tau _{i1},A_i,C_i)\), where \(1\le i\le n\) and \(\tau _0\) is an initial constant.

Decryption For \((\tau _{i_11}, \varvec{R}_{[i_1,i_2]})\), compute \(\tau '_{i}\leftarrow F_{L_{i}}(\tau _{i1},A_{i},C_{i})\) for \(i_1\le i\le i_2\). If \(\tau '_{i_2}=\tau _{i_2}\), then return \(M_{i}\leftarrow D_{K_{i}}(C_{i})\) for \(i_1\le i\le i_2\). Otherwise, return \(\bot \).
Figure 6 depicts the encryption procedure for a sequence of events.
Remark 1
The decryption algorithm only checks the validity of the final tag \(\tau _{i_2}\). It does not check the validity of intermediate tags. This allows \(\mathsf {e}\mathsf {ALG}\) aggregation of the tags.
5 Provable Security of Generic Construction
The forward privacy and authenticity of the proposed schemes are analyzed in the manner of provable security.
5.1 TimeDriven Setting
The following theorem asserts that \(\mathsf {t}\mathsf {ALG}\) satisfies forward privacy if the underlying AEAD scheme satisfies privacy and the function G is a PRG:
Theorem 3
It is assumed that the run time of an experiment includes the run time of the adversary and the time required when the oracles of the adversary are simulated.
Proof
The following theorem asserts that \(\mathsf {t}\mathsf {ALG}\) satisfies forward authenticity if the underlying AEAD scheme satisfies both privacy and authenticity and the function G is a PRG:
Theorem 4
Proof
5.2 EventDriven Setting
The forward privacy of \(\mathsf {e}\mathsf {ALG}\) is reduced to the privacy of encryption function E, the PRF property of keyed function F and the PRG property of function G:
Theorem 5
The forward authenticity of \(\mathsf {e}\mathsf {ALG}\) is reduced to the PRF property of keyed function F and the PRG property of function G:
Theorem 6
The proofs of Theorems 5 and 6 are omitted due to the page limit.
Remark 2
The security of \(\mathsf {e}\mathsf {ALG}\) requires the underlying encryption scheme to be secure only against singlequery adversaries. Thus, to construct \(\mathsf {e}\mathsf {ALG}\), we can use naive modes of operations for encryption such as CBC and CTR in textbooks.
6 Conclusion
In this paper, audit logging schemes with forward privacy and secrecy have been formalized first. Then, two generic schemes have been proposed. Finally, it has been proved that the proposed schemes meet the security requirements.
Notes
Acknowledgments
The author would like to thank Hidenori Kuwakado for valuable discussions. This work was partially supported by JSPS KAKENHI Grant Number 25330150.
References
 1.Accorsi, R.: Safekeeping digital evidence with secure logging protocols: state of the art and challenges. In: Goebel, O., Ehlert, R., Frings, S., Günther, D., Morgenstern, H., Schadt, D. (eds.) IMF 2009, Fifth International Conference on IT Security Incident Management and IT Forensics, pp. 94–110 (2009)Google Scholar
 2.Bellare, M., Canetti, R., Krawczyk, H.: Pseudorandom functions revisited: the cascade construction and its concrete security. In: Proceedings of the 37th IEEE Symposium on Foundations of Computer Science, pp. 514–523 (1996)Google Scholar
 3.Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000)CrossRefGoogle Scholar
 4.Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. J. Cryptology 21(4), 469–491 (2008)MathSciNetCrossRefGoogle Scholar
 5.Bellare, M., Yee, B.S.: Forward integrity for secure audit logs. Technical report, University of California, San Diego (1997)Google Scholar
 6.Bellare, M., Yee, B.S.: Forwardsecurity in privatekey cryptography. In: Joye, M. (ed.) CTRSA 2003. LNCS, vol. 2612, pp. 1–18. Springer, Heidelberg (2003). the full version is IACR Cryptology ePrint Archive: Report 2001/035 at http://eprint.iacr.org/ CrossRefGoogle Scholar
 7.Blum, M., Micali, S.: How to generate cryptographically strong sequences of pseudorandom bits. SIAM J. Comput. 13(4), 850–864 (1984)MathSciNetCrossRefGoogle Scholar
 8.CAESAR: Competition for authenticated encryption: security, applicability, and robustness, http://competitions.cr.yp.to/caesar.html
 9.Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)MathSciNetCrossRefGoogle Scholar
 10.Günther, C.G.: An identitybased keyexchange protocol. In: Quisquater, J.J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 29–37. Springer, Heidelberg (1990)CrossRefGoogle Scholar
 11.Hirose, S., Kuwakado, H.: Forwardsecure sequential aggregate message authentication revisited. In: Chow, S.S.M., Liu, J.K., Hui, L.C.K., Yiu, S.M. (eds.) ProvSec 2014. LNCS, vol. 8782, pp. 87–102. Springer, Heidelberg (2014)Google Scholar
 12.Ma, D., Tsudik, G.: Extended abstract: forwardsecure sequential aggregate authentication. In: IEEE Symposium on Security and Privacy, pp. 86–91. IEEE Computer Society (2007), also published as IACR Cryptology ePrint Archive: Report 2007/052 at http://eprint.iacr.org/
 13.Ma, D., Tsudik, G.: A new approach to secure logging. ACM Trans. Storage 5(1), 2:1–2:21 (2009)CrossRefGoogle Scholar
 14.Namprempre, C., Rogaway, P., Shrimpton, T.: Reconsidering generic composition. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 257–274. Springer, Heidelberg (2014)CrossRefGoogle Scholar
 15.Rogaway, P.: Authenticatedencryption with associateddata. In: Atluri, V. (ed.) ACM Conference on Computer and Communications Security, pp. 98–107 (2002)Google Scholar
 16.Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: a blockcipher mode of operation for efficient authenticated encryption. In: ACM Conference on Computer and Communications Security, pp. 196–205 (2001)Google Scholar
 17.Rogaway, P., Shrimpton, T.: A provablesecurity treatment of the keywrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006)CrossRefGoogle Scholar
 18.Schneier, B., Kelsey, J.: Cryptographic support for secure logs on untrusted machines. In: Rubin, A.D. (ed.) Proceedings of the 7th USENIX Security Symposium. USENIX Association (1998)Google Scholar
 19.Schneier, B., Kelsey, J.: Secure audit logs to support computer forensics. ACM Trans. Inf. Syst. Secur. 2(2), 159–176 (1999)CrossRefGoogle Scholar
 20.Waters, B.R., Balfanz, D., Durfee, G., Smetters, D.K.: Building an encrypted and searchable audit log. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2004, The Internet Society (2004)Google Scholar