Efficient log authentication for Forensic Computing - PowerPoint PPT Presentation

1 / 26
About This Presentation
Title:

Efficient log authentication for Forensic Computing

Description:

Nobutaka Kawaguchj, Naohiro Obata, Shintaro Ueda, Yusuke Azuma, Hirashi Shigeno ... (3) Dlink R TT between a parent node and a child node of. a node. ... – PowerPoint PPT presentation

Number of Views:23
Avg rating:3.0/5.0
Slides: 27
Provided by: swo84
Category:

less

Transcript and Presenter's Notes

Title: Efficient log authentication for Forensic Computing


1
  • Efficient log authentication for Forensic
    Computing
  • Nobutaka Kawaguchj, Naohiro Obata, Shintaro
    Ueda, Yusuke Azuma, Hirashi Shigeno and Kenichi
    Okada
  • ??????
  • ???????

2
SUMMARY
  • In this paper, an efficient log
    authentication scheme for Forensic Computing is
    proposed.
  • To conduct reliable Forensic Computing, it is
    required that the logs as digital evidences be
    verified, To verify them, digital signatures
    issued by authorities are needed . However, if
    many logging hosts connect to the server that
    issues the signatures, the traffic of the server
    will increase. And this paper propose a scheme to
    solve this problem by using distributed Merkle
    Tree Algorithm .

3
PROPOSAL
  • When many logging nodes connect to the Sign
    Server , the traffic of the server will increase.
  • There is an efficient signing scheme that
    reduces the traffic of the Sign Server by
    constructing distributed Merkle Tree composed of
    logging hosts.

4
  • In distributed Merkle Tree, hosts construct a
    tree topology. Next, hashes of all hosts are
    accumulated and sent to the Sign Server from the
    root node. The root node is the only host, which
    communicates directly with the Sign Server.
  • Therefore , traffic of the server can be
    reduced to a remarkable degree and the traffic
    increase of the logging hosts is minimized.

5
Disrributed Merkle Tree
6
  • Each logging host connects with each other
    similar to a P2P network. And In this model, hash
    values, signature and authentication information
    are transmitted between logging hosts and Sign
    Server.

7
Computation of hash values
  • Each logging host computes the hash value of
    the logs as soon as the logs are generated. the
    logging host positioned at the leaf node of the
    tree constructs a binary Merkle Tree. The tree is
    constructed by the hash values. Finally the
    logging host sends the root hash to the parent
    node. In the case when the node does not generate
    any log within a signature interval time, a dummy
    hash (e.g., all the bit is set to zero) is sent
    to the parent node.

8
Transmission of hashes to the parent node
(1)The parent node receives the hashes from the
child nodes
(2)Using the hashes received from the child nodes
to compute the hash , and a Merkle Tree is
constructed. The root hash of the tree is sent to
the parent node's parent node.
(3) The hashes used for constructing the tree are
stored temporarily for later use
9
Computation of the signature by the Sign Server
  • The root node in the distributed Merkle Tree
    communicates with the Sign Server. On receiving
    the hash from the root node, the Sign Server
    concatenates the hash with the current timestamp
    and signs the concatenated value.

10
Reception of the signature andauthentication
information from the Sign Server
  • Each logging host needs to receive the
    signature and authentication information
    corresponding to the hash that the host sent to
    the parent node and verifies the signature.
  • We call the signature and authentication
    information as the authdata.

11
The format of the authdata sent by both the Sign
Server and the parent nodes to the child nodes.
12
Each entry in the format is composed of the
data to reconstruct a Merkle Tree. Using the
authdata, the hash sent to the parent node before
is verified as follows.
  • (1) Using the root hash which was stored
    temporally when the hash is sent to the parent
    node and entry 1 in the format, Merkle Tree is
    constructed. The index in entry 1 indicates the
    position of the root hash of entry 1 in the
    Merkle Tree.

13
  • (2) Using the hash computed as the root hash of
    the Merkle Tree constructed in (1) and the entry
    2, a new Merkle Tree is constructed again. The
    process is continued until all the entries are
    consumed to construct the tree.
  • (3) Finally the root hash of the final Merkle
    Tree and the timestamp is verified by the
    signature.

14
Transmission of the signature and authdatato the
child nodes
  • On sending the authdata, hashes and index to
    compute the root hash stored temporally is
    appended to the authentication information as new
    entry 1. The appended new entry for each child
    node is distinct. Finally the new authdata are
    sent to the child nodes.

15
Iv. EVALUATION AND DISCUSSION
  • Theoretical Analysiswe call our proposed scheme
    as the tree connection scheme and the scheme in
    which all logging node connects to the Sign
    Server directly as the direct connection scheme.
  • Comparison in the condition where the
    signature delay time of two schemes are
    equivalent

16
Signature delay time
  • In direct connection, since logging hosts
    connect to the Sign Server directly, signature
    delay time is equivalent of one RTT (Round-Trip
    Time?????????????), therefore O (1) . On the
    other hand, in tree connection, from each logging
    node, it takes O (logdN ) hops (the height of the
    tree) to the Sign Server. N is the number of
    logging hosts and d is the degree of the
    distributed Merkle Tree.

17
Sending rate of Sign Server
  • In direct connection, the Sign Server
    communicates with all logging hosts , so in
    Tree-Linking protocol a Merkle Tree is
    constructed by the Sign Server using the hashes
    received in one signature interval time.
  • The size of authentication information required
    to verify a hash is O(log2N). Therefore, the
    sending rate of the Sign Server required to send
    the authdata to N hosts is O (N log2N).

18
  • On the other hand, in tree connection, since
    the Sign Server only communicates to the root
    node of the tree, the Sign Server only sends one
    signature. Therefore, the sending rate is O(1).

19
Receiving rate of Sign Server
  • In direct connection, the Sign Server is
    required to receive the hashes from all logging
    hosts. Therefore, the receiving rate is O(N) .
  • On the other hand, in tree connection, the Sign
    Server only receives a hash from the root node.
    Therefore, the receiving rate is O(1)

20
Sending rate of logging host
  • In direct connection, each host only sends the
    hash values. Therefore, the sending rate is O(1).
    But in tree connection, the sending rate of the
    leaf nodes is different from that of the internal
    nodes. Because the leaf node only sends the hash
    to the parent node. , the sending rate is O(1).
    The internal node sends the authdata to the child
    nodes. Since the authentication information size
    is O(log2 N ) and each internal node has d child
    nodes, the sending rate is
  • O (d log2 N) ,

21
Receiving rate of logging host
  • In both direct connection and tree
    connection, the receiving rate of the logging
    host is O(log2 N) .

22
  • It is obvious that the tree connection scheme
    reduces the traffic of the Sign Server compared
    with the direct connection scheme . On the other
    hand, the tree connection scheme increases the
    signature delay time and the sending rate of the
    logging host.

23
Comparison in the condition where the signature
delay time of two schemes are equivalent
  • First, the following parameters are defined.
  • (1) Dd Signature delay time of the direct
    connection
  • scheme
  • (2) Dt Signature delay time of the tree
    connection scheme
  • (3) Dlink R TT between a parent node and a child
    node of
  • a node.
  • (4) Id Signature interval time of the direct
    connection scheme
  • (5) It Signature interval time of the tree
    connection scheme
  • (6) Sd , Rd Sending rate and receiving rate of
    the Sign Server of the direct connection scheme
    respectively
  • (7) St , Rt Sending rate and receiving rate of
    the Sign Server of the tree connection scheme
    respectively
  • (8) d Degree of the Merkle Tree
  • (9) h Height of the Merkle Tree

24
If Dd Dt and Rrecv gt 1 is true, it is easily
seen that the tree connection scheme is more
effective than the direct connection scheme in
the condition where the signature delay time of
the two schemes are equivalent. And This means
that if the signature delay time is too short, it
is impossible to make the tree connection scheme
more effective than the direct connection scheme.
25
CONCLUSION AND FUTURE WORK
  • Our scheme is scalable in terms of logging host
    traffic versus number of hosts. One of our future
    works is to define the protocols and methods that
    efficiently construct the distributed Merkle
    Tree. In this paper, we do not consider the
    effect of malicious hosts, compromise of the Sign
    Server and network failure. So, we will improve
    our scheme to counter these problems.

26
  • The End
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Efficient log authentication for Forensic Computing" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!