I have been working on a project lately that I don’t really get to talk about much, but it is a technology that I am quite fond of: Immutable Log Files. For those of you who do not know what these are, immutable logs are log files protected from tampering and erroneous insertion. Depending upon the implementation, the files can have additional protections from poisoning and fictional recreation/forgery as well. There are many other names for this type of technology, such as content integrity verification, court admissible evidentiary data, incontrovertible data, and even “signed and sequenced” data. Regardless of name, the intent is to create a tamper-resistant archive of events. A high level overview of the process might look like the following:
Take a log entry, syslog for example, and add a time stamp and/or sequence number to that entry. Create a digital hash of the log entry to ensure integrity, and cryptographically sign it so you know the hash was produced by whatever authority is entrusted with managing the log. Now the log entry contains self-validating information as well. Each subsequent log entry would be bundled with one or more data points from previous log entries prior to creating the hash, to ensure that the sequence of events has not been altered. What you end up with is a chain of events that can be verified for data integrity.
There are many variants to this process that offer additional assurances, but that is the gist of it. I had the opportunity back in 1998 to implement a variant of this technology based upon what I consider to be ground-breaking work by John Kelsey, then of Counterpane. We had a specific problem with dispute resolution we needed to address in our e-Commerce system, and this paper describes both a generic approach to solving the problem, but also includes some references that were specific to our technology and not applicable to most needs. There are a few vendors that have advanced the state of the art in this area, but they largely go unnoticed by the security community at large. While this is a valuable technology for solving certain problems, it remains a rare feature.
I am writing this post as I have a request from both the security and the IT practitioner community. I am interested in knowing if you or your organization uses this type of technology today, or if it is something you have considered? If you are a product vendor and you are thinking about implementing such a technology as a competitive differentiator, I would greatly appreciate a heads-up. I am seeing some indications that this may be a requirement for government based upon the recent draft for tamper resistant syslog files by John Kelsey of NIST, J Callas of PGP, and A Clemm from Cisco, but the status of this draft work remains elusive. I have spoken with a half dozen security strategists who consider this a compelling solution to several different data integrity problems in the areas of eDiscovery and electronic data archival. If this is something you have interest in, please take a minute and post a comment or shoot me an email at alane at securosis with the obligatory dot and com postfix. I would very much like to know what your thoughts are.