
Attacks on Secure Logging Schemes

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10322)

Abstract

We present four attacks on three cryptographic schemes intended for securing log files against illicit retroactive modification. Our first two attacks regard the LogFAS scheme by Yavuz et al. (Financial Cryptography 2012), whereas our third and fourth attacks break the BM- and AR-FssAgg schemes by Ma (AsiaCCS 2008).

All schemes have an accompanying security proof, seemingly contradicting the existence of attacks. We point out flaws in these proofs, resolving the contradiction.

G. Hartung—The research project leading to this report was funded by the German Federal Ministry of Education and Research under grant no. 01|S15035A. The author bears the sole responsibility for the content of this report.


Notes

  1. For efficiency reasons, schemes where each secret key can be computed from the previous one, and where there is only a single, compact key for verification, are desirable. However, these properties are not strictly required.

  2. The original scheme in [22] includes the value \(e_j\) in the signature. We have omitted this, as \(e_j\) can be recomputed by the verifier.

  3. For this reason, our attack does not carry over to the underlying forward-secure signature scheme by Bellare and Miner [3]. There, the values \(r_j\) are chosen uniformly and independently at random, which prevents our attack.

  4. As with our attack on the BM-FssAgg scheme, our attack does not carry over to the underlying forward-secure signature scheme by Abdalla and Reyzin [1], since the values \(r_j\) are chosen independently at random in their signature scheme.

  5. Our attacks can easily be generalized to work with any \(t+1\) consecutive aggregate signatures \(\sigma_{1,k}, \ldots, \sigma_{1,k+t+1}\), or even with any \(t\) pairs of directly consecutive aggregate signatures \((\sigma_{1,k_1}, \sigma_{1,k_1+1}), \ldots, (\sigma_{1,k_t}, \sigma_{1,k_t+1})\).

  6. Our implementation of the schemes is only intended to provide a background for our attacks. We therefore made no attempt to harden our implementation against any other type of attack.

  7. The number of supported epochs \(T\) may be unrealistically low. But since \(T\) does not influence the time required for executing our attacks, a small \(T\) is sufficient for our demonstration.

References

  1. Abdalla, M., Reyzin, L.: A new forward-secure digital signature scheme. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 116–129. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_10

  2. Adkins, W.A., Weintraub, S.H.: Algebra: An Approach via Module Theory. Graduate Texts in Mathematics, vol. 136. Springer, New York (1992). https://doi.org/10.1007/978-1-4612-0923-2

  3. Bellare, M., Miner, S.K.: A forward-secure digital signature scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 431–448. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_28

  4. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, CCS 1993, pp. 62–73. ACM, New York (1993)

  5. Bellare, M., Yee, B.S.: Forward integrity for secure audit logs. Technical report, University of California at San Diego (1997)

  6. Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_26

  7. Common Criteria for Information Technology Security Evaluation, version 3.1 r4, part 2, Accessed 19 Nov 2017. https://www.commoncriteriaportal.org/cc/

  8. Department of Defense Trusted Computer System Evaluation Criteria, Accessed 19 Nov 2017. http://csrc.nist.gov/publications/history/dod85.pdf

  9. Holt, J.E.: Logcrypt: forward security and public verification for secure audit logs. In: Proceedings of the 2006 Australasian Workshops on Grid Computing and e-Research - Volume 54, ACSW Frontiers 2006, pp. 203–211. Australian Computer Society Inc., Darlinghurst (2006)

  10. Kannan, R., Bachem, A.: Polynomial algorithms for computing the Smith and Hermite normal forms of an integer matrix. SIAM J. Comput. 8(4), 499–507 (1979)

  11. Ma, D.: Practical forward secure sequential aggregate signatures. In: Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, ASIACCS 2008, pp. 341–352. ACM, New York (2008)

  12. Ma, D., Tsudik, G.: Forward-secure sequential aggregate authentication. Cryptology ePrint Archive, Report 2007/052 (2007). http://eprint.iacr.org/

  13. Ma, D., Tsudik, G.: A new approach to secure logging. In: Atluri, V. (ed.) DBSec 2008. LNCS, vol. 5094, pp. 48–63. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70567-3_4

  14. Marson, G.A., Poettering, B.: Practical secure logging: seekable sequential key generators. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 111–128. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40203-6_7

  15. Micciancio, D., Warinschi, B.: A linear space algorithm for computing the Hermite normal form. In: Proceedings of the 2001 International Symposium on Symbolic and Algebraic Computation, ISSAC 2001, pp. 231–236. ACM, New York (2001)

  16. An Introduction to Computer Security: The NIST Handbook, October 1995. NIST Special Publication 800-12

  17. Schneier, B., Kelsey, J.: Cryptographic support for secure logs on untrusted machines. In: The Seventh USENIX Security Symposium Proceedings (1998)

  18. Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 688–689. Springer, Heidelberg (1990). https://doi.org/10.1007/3-540-46885-4_68

  19. Schnorr, C.-P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)

  20. Stein, W.: SageMath. https://www.sagemath.org/. Accessed 19 Nov 2017

  21. Yavuz, A.A., Peng, N.: BAF: an efficient publicly verifiable secure audit logging scheme for distributed systems. In: Annual Computer Security Applications Conference, 2009, ACSAC 2009, pp. 219–228, December 2009

  22. Yavuz, A.A., Peng, N., Reiter, M.K.: Efficient, compromise resilient and append-only cryptographic schemes for secure audit logging. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 148–163. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32946-3_12

  23. Yavuz, A.A., Reiter, M.K.: Efficient, compromise resilient and append-only cryptographic schemes for secure audit logging. Technical Report TR-2011-21, North Carolina State University. Department of Computer Science, September 2011. http://www.lib.ncsu.edu/resolver/1840.4/4284

Acknowledgements

I’d like to thank Alexander Koch for his detailed comments, as well as for questioning the security proof of the BM-FssAgg scheme, which was the starting point for my research presented in Sect. 3.


Corresponding author

Correspondence to Gunnar Hartung.

A The Schnorr Signature Scheme

The Schnorr signature scheme [18, 19] is based on the hardness of the discrete logarithm problem in some group G. It uses a prime-order subgroup G of \(\mathbb{Z}_{p}^*\), where p is a large prime, G's order q is also a large prime, and q divides \(p-1\). Let \(\alpha\) be a generator of G. A secret key for Schnorr's scheme is \(y \leftarrow \mathbb{Z}_{q}^*\); the corresponding public key is \(Y := \alpha^y \pmod{p}\).

To sign a message \(m\), choose \(r \leftarrow \mathbb{Z}_{q}^*\), set \(R := \alpha^r \pmod{p}\), compute the hash value \(e := H(m \mathop{\Vert} R)\), and set \(s := r - ey \pmod{q}\). The signature is the tuple \((R, s)\). To verify such a signature, recompute the hash value \(e := H(m \mathop{\Vert} R)\) (where R is taken from the signature and \(m\) is given as input to the verification algorithm). Then check whether \(R = Y^e \alpha^s \pmod{p}\) and return \(1\) if and only if this holds.

The Schnorr signature scheme can be shown to be secure based on the hardness of the discrete logarithm problem in G, if \(H\) is modelled as a random oracle [4].
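As an added illustration (not code from the paper), the Schnorr variant of Appendix A in Python: key generation, signing with \(s := r - ey \pmod{q}\), and the verification check \(R = Y^e \alpha^s \pmod{p}\). SHA-256 standing in for the random oracle \(H\) and the inline construction of a toy group (q = 2^61 - 1, p = kq + 1) are assumptions of this example, not choices made by the paper.

```python
import hashlib
import secrets

# Group parameters are constructed here for the example (q = 2^61 - 1 is a Mersenne
# prime; not a production size). p is the first prime of the form k*q + 1, and alpha
# is an element of order q, i.e. a generator of the prime-order subgroup G of Z_p^*.
def is_prime(n: int) -> bool:
    """Miller-Rabin; deterministic for n < 3.3e24 with these bases (covers our p)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

Q = 2**61 - 1
P = next(k * Q + 1 for k in range(2, 10**6, 2) if is_prime(k * Q + 1))
ALPHA = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, 100)) if g != 1)

def hash_to_zq(m: bytes, R: int) -> int:
    """e := H(m || R) reduced into Z_q; SHA-256 stands in for the random oracle H."""
    return int.from_bytes(hashlib.sha256(m + R.to_bytes(16, "big")).digest(), "big") % Q

def keygen() -> tuple[int, int]:
    y = secrets.randbelow(Q - 1) + 1        # secret key y <- Z_q^*
    return y, pow(ALPHA, y, P)              # public key Y := alpha^y mod p

def sign(y: int, m: bytes) -> tuple[int, int]:
    r = secrets.randbelow(Q - 1) + 1        # fresh r <- Z_q^* for every signature
    R = pow(ALPHA, r, P)
    e = hash_to_zq(m, R)
    return R, (r - e * y) % Q               # signature (R, s) with s := r - e*y mod q

def verify(Y: int, m: bytes, sig: tuple[int, int]) -> bool:
    R, s = sig
    e = hash_to_zq(m, R)                    # recompute e from the signature's own R
    # Y^e * alpha^s = alpha^(e*y) * alpha^(r - e*y) = alpha^r = R for an honest signature
    return 0 < R < P and R == pow(Y, e, P) * pow(ALPHA, s, P) % P
```

Note 3 and Note 4 above hinge on \(r\) being drawn fresh and uniformly for every signature; the `sign` function does exactly that, and the BM-/AR-FssAgg attacks in the paper exploit schemes that do not.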


Copyright information

© 2017 International Financial Cryptography Association

About this paper

Cite this paper

Hartung, G. (2017). Attacks on Secure Logging Schemes. In: Kiayias, A. (ed.) Financial Cryptography and Data Security. FC 2017. Lecture Notes in Computer Science, vol 10322. Springer, Cham. https://doi.org/10.1007/978-3-319-70972-7_14


  • DOI: https://doi.org/10.1007/978-3-319-70972-7_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-70971-0

  • Online ISBN: 978-3-319-70972-7

  • eBook Packages: Computer Science (R0)
