(19)
(11)EP 3 149 651 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
29.04.2020 Bulletin 2020/18

(21)Application number: 15803388.6

(22)Date of filing:  02.06.2015
(51)International Patent Classification (IPC): 
G06F 21/62(2013.01)
H04L 9/08(2006.01)
H04L 9/32(2006.01)
G06F 21/60(2013.01)
H04L 9/14(2006.01)
(86)International application number:
PCT/US2015/033699
(87)International publication number:
WO 2015/187640 (10.12.2015 Gazette  2015/49)

(54)

SYSTEM AND METHOD FOR SECURE REVIEW OF AUDIT LOGS

SYSTEM UND VERFAHREN ZUR SICHEREN ÜBERPRÜFUNG VON AUDITPROTOKOLLEN

SYSTÈME ET PROCÉDÉ POUR SÉCURISER L'ÉTUDE DE LISTES DE CONTRÔLE


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30)Priority: 02.06.2014 US 201462006476 P

(43)Date of publication of application:
05.04.2017 Bulletin 2017/14

(73)Proprietor: Robert Bosch GmbH
70442 Stuttgart (DE)

(72)Inventor:
  • YAVUZ, Attila, Altay
    Corvallis, OR 97331 (US)

(74)Representative: DREISS Patentanwälte PartG mbB 
Friedrichstraße 6
70174 Stuttgart
70174 Stuttgart (DE)


(56)References cited: : 
US-A1- 2009 138 706
US-A1- 2013 159 695
US-B1- 8 370 648
US-A1- 2011 145 594
US-A1- 2014 068 247
  
  • Brent R Waters ET AL: "Building an Encrypted and Searchable Audit Log", roc. of Network and Distributed System Security Symposium, 1 May 2004 (2004-05-01), XP055376874, Retrieved from the Internet: URL:https://www.cs.utexas.edu/~bwaters/pub lications/papers/audit_log.pdf [retrieved on 2017-05-29]
  • OHTAKI Y ED - CETINKAYA O: "Partial Disclosure of Searchable Encrypted Data with Support for Boolean Queries", AVAILABILITY, RELIABILITY AND SECURITY, 2008. ARES 08. THIRD INTERNATIONAL CONFERENCE ON, IEEE, PISCATAWAY, NJ, USA, 4 March 2008 (2008-03-04), pages 1083-1090, XP031264804, ISBN: 978-0-7695-3102-1
  
Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


Description

CLAIM OF PRIORITY



[0001] This application claims priority to U.S. Provisional Application No. 62/006,476, which is entitled "SYSTEM AND METHOD FOR SECURE REVIEW OF AUDIT LOGS," and was filed on June, 2, 2014.

FIELD



[0002] This disclosure relates generally to the fields of information security, and, more particularly, to systems and methods for searchable encryption and secure access to log data in computing systems.

BACKGROUND



[0003] In operation of computing systems, log files provide diagnostic information about the operation of one or more software programs and often provide information about the activities of users who access the computing system. Since log files maintain a record of past activity, these files are commonly used in computer forensics and auditing to identify malfunctions in the operation of software programs and to identify the presence and activities of intruders if a computing system is attacked. Providing information about the current and past states of systems, audit logs are invaluable parts of system security. The forensic value of audit logs makes them an attractive target for attackers. For instance, an active attacker controls a logging machine that can read and/or modify log messages related to the past and erase records of the previous break-in attempts from the attacker.

[0004] Protection of the integrity and authentication of audit logs to valid parties while preventing access or corruption of the logs in the presence of active attackers is important during forensic analysis of a computing system. Due to their significant forensic value, the confidentiality of audit logs is also very important and should be protected against the active adversaries. In particular, the ability to perform searches on audit logs without compromising their privacy, authentication, and integrity, even in the presence of active attacker is highly desirable but very challenging research task. Consequently, improvements to the generation and access of audit logs in computing systems would be beneficial.

[0005] Brent R Waters ET AL: "Building an Encrypted and Searchable Audit Log", Proc. Of Network and Distributed System Security Symposium, 1 May 2004 (2004-05-01) discloses am approach for constructing searchable encrypted audit logs which can be combined with any number of existing approaches for creating tamper-resistant logs.

SUMMARY



[0006] The present invention is defined by the appended independent claims 1 and 7.

[0007] The embodiments described herein provide searchable encrypted log files with integrity and authentication in an environment where the computing device that generates the log files is susceptible to an attacker. The embodiments provide compromise-resilient searchable encryption, authentication and integrity. The audit logging systems and processes described below enable encrypted searches on audit logs by preserving forward-secure encryption, authentication and integrity simultaneously. That is, even if an attacker compromises the logging machine and recovers cryptographic keys, all log messages and SR that were encrypted and signed before the compromise will remain confidential from the attacker. Additionally, if the attacker tampers with the contents of the previously generated log messages and SRs, then the tampering will be evident since the corresponding cryptographic signatures for the log messages and SRs will not match the tampered log messages, and the attacker cannot regenerate new signatures for previously generated log messages.

[0008] The embodiments described below enable per-item Quality of Forward Security (QoF) with encryption & authentication (E&A) for Searchable Encrypted Audit Logs. The per-item QoF is implemented with the recommended order of encryption and authentication for forward-secure searchable encryption and authentication. Hence, the embodiments described herein provide superior security and privacy compared to the previous secure cryptographic audit logging methods that cannot achieve all these properties simultaneously.

[0009] The embodiments described below implement a key management and system model. Integrating searchable encryption (SE) with forward-secure encryption, authentication, integrity and signature aggregation require a new system model. In particular, a computing device that implements logging permits an approved auditor computing device to check the authentication and integrity of audit logs, but may not allow the decryption of audit logs due to the confidentiality requirements. In one embodiment of the key management and system model, the auditor verifies the forward-secure and aggregate signatures and conducts encrypted searches. However, the auditor must interact with a trusted third party or the KGC to be able to decrypt the encrypted search results, so the auditor does not have full access to the plaintext log messages in log files without additional authorization from the KGC.

[0010] In one embodiment, a method for searching encrypted log messages has been developed. The method includes generating with a logging machine a first log message include first plaintext content, identifying with the logging machine at least one keyword in the first log message, encrypting with the logging machine the first log message using a first cryptographic key to produce a first encrypted log message, generating with the logging machine a first encrypted searchable representation of the first message including the at least one keyword using a second cryptographic key, the second cryptographic key being different than the first cryptographic key, transmitting with the logging machine the first encrypted searchable representation to an auditor, performing with the auditor a search to identify at least one search keyword in the first encrypted searchable representation, the auditor using the second cryptographic key to access the first encrypted searchable representation, and generating with the auditor a first output indicating presence or absence of the at least one search keyword from the first log message, the first output not including the first plaintext content of the first log message.

[0011] In another embodiment, an encrypted log generation and audit system has been developed. The system includes a logging machine communicatively coupled to an auditor. The logging machine is configured to generate a first log message include first plaintext content, identify at least one keyword in the first log message, encrypt the first log message using a first cryptographic key to produce a first encrypted log message, generate a first encrypted searchable representation of the first message including the at least one keyword using a second cryptographic key, the second cryptographic key being different than the first cryptographic key, and transmit the first encrypted searchable representation to the auditor. The auditor is configured to perform a search to identify at least one search keyword in the first encrypted searchable representation, the auditor using the second cryptographic key to access the first encrypted searchable representation and generate a first output indicating presence or absence of the at least one search keyword from the first log message, the first output not including the first plaintext content of the first log message.

BRIEF DESCRIPTION OF THE DRAWINGS



[0012] 

FIG. 1 is a diagram of a computing system that generates encrypted logs and provides a process for auditing the encrypted log data without exposing full plaintext log data to the auditor.

FIG. 2 is a block diagram of a process for the generation of encrypted log messages and for searching encrypted searchable representations of the encrypted log messages with optional decryption of selected log messages in the system of FIG. 1.


DETAILED DESCRIPTION



[0013] For the purposes of promoting an understanding of the principles of the embodiments described herein, reference is now be made to the drawings and descriptions in the following written specification. No limitation to the scope of the subject matter is intended by the references. This patent also includes any alterations and modifications to the illustrated embodiments and includes further applications of the principles of the described embodiments as would normally occur to one skilled in the art to which this document pertains.

[0014] Definitions that pertain to the systems and methods described herein are set forth below. Operators ∥ and |x| denote the concatenation operation and the bit length of variable x, respectively.

denotes that variable x is randomly and uniformly selected from set S. For any integer

means

|S| denotes the cardinality of set S.

denotes (x0, ... , xl). The term {0, 1}* denotes the set of binary strings of any finite length. Variable κ is an integer that denotes a security parameter.

[0015] ε = (Enc, Dec, Gen) is an IND-CPA secure symmetric key encryption scheme, which is includes three algorithms: z1 ← ε.Gen(1κ) is a probabilistic polynomial time (PPT) algorithm that takes a security parameter κ and returns a secret key z1; c← ε.Encz1 (M) takes secret key z1 and a message M, and returns a ciphertext c; Mε.Decz1 (c) is a deterministic algorithm that takes z1 and c, and returns M if z1 was the key that was used to generate the ciphertext c. The term "IND-CPA" refers to an encryption scheme where the encryption results of two or more plaintexts are indistinguishable to an attacker ("IND") and where the attacker has the capability to generate encrypted texts for any arbitrarily chosen plain text ("CPA") using, for example, an oracle that generates the encrypted text even if the attacker does not have access to a secret key that performs the encryption. The embodiments presented here employ symmetric key cryptographic schemes for the encryption of data and the generation of cryptographic signatures.

[0016] F : {0, 1}κ × {0, 1}* → {0, 1}2κ is a keyed Message Authentication Code (e.g., a hash message authentication code (HMAC)) as τFz2 (w), which takes a secret key

and a message M, and returns an output τ. The MAC is one form of cryptographic signature that requires knowledge of the secret key (z2) in order to produce a valid signature. If an attacker tampers with a log message without knowledge of the secret key z2, then the corresponding cryptographic signature does not match the modified log message data, and the attacker cannot produce a valid signature for the modified log message. In some embodiments, a logging machine uses one secret key (e.g. the key z2) to perform both encryption to produce an encrypted SR for a log message and to produce a cryptographic signature for the SR. Similarly, the logging machine uses another secret cryptographic key (e.g. the key z1) to encrypt the plaintext contents of a log message and to generate a cryptographic signature of either the plaintext or ciphertext contents of the log message.

[0017] Upd1 is a key update function as ki+1Upd1 (ki), which takes a symmetric cryptographic key as the input, updates the symmetric key input with a one-way cryptographic hash function, and returns the output of the one-way hash function. Upd1 deletes the old key ki after ki+1 is computed. The output ki+1 is used as another symmetric cryptographic key, and a computing device optionally generates multiple keys using the key update function, Upd1. The Upd2 function is another key update function. Upd2 takes a set of symmetric cryptographic keys as the input, updates both of the symmetric cryptographic keys as described in Upd1 to produce a pair of updated symmetric cryptographic keys. As described below, a logging machine uses the Upd2 function to generate updated cryptographic keys for both encrypting log messages and generating encrypted SRs of the log messages, while the auditor machine uses the function Upd1 to update a copy of the cryptographic key that the logging machine uses to generate the encrypted SRs. The auditor uses the updated keys to search for keywords in the encrypted SRs that the logging machine generates using the corresponding updated secret keys.

[0018] The term tw denotes a single time interval, which is formed from two consecutive predetermined time points Tw-1 and Tw > Tw-1. tw,w' denotes a unified time interval, which starts at the beginning of tw and ends at the end of tw'.

[0019] A Searchable Representation (SR) is an encrypted data structure that enables encrypted searches in searchable encryption schemes. The searchable representation SR for each of the messages M is denoted as I, and a set of searchable representations for multiple messages is denoted as I= (I0, ... , In). In a symmetric encryption system, one computing system uses a cryptographic key to generate the encrypted SR and other parties, including attackers, cannot identify if a keyword is present in the SR without having a copy of the encryption key to perform a search operation that effectively "decrypts" the SR to enable searches for one or more keywords. A computing device that has a copy of the encryption key can search for one or more search keywords to determine if the search keywords are present or absent from the original message text. However, the encrypted SR does not enable the searching party to regenerate the complete original plaintext of the message. An SR can also be signed using a symmetric key to ensure that Multiple searchable representations data structures including encrypted matrix and encrypted red-black trees or other binary tree structures are known to the art and are not discussed in greater detail herein.

[0020] In the embodiments below, each message M is also referred as a log message that is recorded by a logging machine. During a searching process, an auditor device searches for keywords that are contained in one or more of the messages M and are encrypted for use in a searchable encryption process. The contents of M may correspond to a stand-alone message in which the entire message M is simply a keyword w, or the message M may include multiple sub-messages with M = w0,...,wl). Hence, once M is used to generate or update an SR, the keywords in the message M form the basis for updating the SR. That is, message (log message) M is considered as a file f, which is used to generate or update an SR in searchable encryption schemes. The term c denotes the corresponding ciphertext of message M computed under z1 via Enc.

[0021] The embodiments described below use a Dynamic Symmetric Searchable Encryption (DSSE) scheme. Examples of DSSE functions in the DSSE scheme are set forth below. The function (I, c) ← SSE.Encκ (M) takes a message M and a set of secret keys K = (z1, z2) as input; and it returns I and c as SR and the ciphertext of M, respectively. The function extracts keywords from M (if M is a stand-alone message it is accepted as the keyword itself) and produces an encrypted data structure to obtain the SR, such as an encrypted red-black tree or encrypted binary matrix, using the secret key z2. The function also encrypts the message with secret key z1.

[0022] The function (I, c) ← SSE.Addκ (I, M) takes a message M and the current SR I as inputs and returns I and c as an updated SR and ciphertext of M, respectively. The function extracts keywords from M (if M is a stand-alone message it is accepted as the keyword itself) and adds the extracted keywords to the encrypted data structure to obtain an updated SR. The function also encrypts the message with secret key z1.

[0023] The function (c, b) ← SSE.Searchz2 (I, w) takes a keyword w, an SR I and secret key z2 as inputs and returns a ciphertext c and a bit b. The function returns ciphertexts that contain keyword w and sets b = 1, else it returns "null" as ciphertext and sets b = 0 in situations where a keyword w is not present in the SR I.

[0024] The embodiments that are described below are configured for operation in a forward-secure threat/security model that enables aggregate authentication and integrity aspects; and the security model for searchable encryption. The system employs a forward-secure key update strategy for secret keys that are used for searchable encryption scheme. The security model described below does not have limited time of validity. That is to say, the forward-security is effectively permanent for at least the useful lifetime of the audit logs instead of only being valid for a comparatively short finite time interval. The security model also encapsulates the confidentiality with a search property. The system updates the SR properties to implement an encrypt-and-authenticate (E&A) scheme.

[0025] The thread model is directed to a resourceful but Probabilistic Polynomial Time (PPT) bounded attacker A. The attacker A has the following abilities: (i) passive attacks against output of cryptographic operations, (ii) active attacks including log interception/modification, and (iii) physically compromising logging machines (referred to as a "break-in") and extracting the cryptographic keys from the compromised logging machines.

[0026] The attacker A aims to produce an existential forgery against the forward-secure and aggregate signature of the accumulated data that that A obtains after a break-in. A may use any cryptographic key and data that is extracted from the compromised logging machines. Similarly, A may use extracted keys to attack the searchable encryption scheme for the searchable representations I.

[0027] The forward security in the systems presented below implements Quality of Forward Security (QoF). QoF is a performance-forward security quality trade-off, which is adjusted on a per-item or per-interval basis. On per-item basis, each data message Mj is encrypted and signed as soon as the message is collected. On a per-interval basis, a group of data items Mj' is encrypted and signed as a single data item for each time period tj, where Dj denotes all individual data items collected in tj.

[0028] In terms of the key evolving strategy, these two methods are the same. However, they enable users to establish a performance-security trade-off that can be decided according to the requirements of application. That is, per-item QoF provides the highest quality of forward security (i.e., forward-security of each data item individually), but it incurs high computational and storage overhead to the signers and verifiers. In contrast, per-interval QoF provides a low quality of forward security (i.e., only for across time periods), but it also incurs less computational and storage overhead to the signers and verifiers. The embodiments described below implement per-item QoF. As is known in the art, the logging machine described below that generates log messages and SR of the log messages first performs encryption and then generates authentication data of the encrypted messages using a MAC function in an encrypt-and-authenticate procedure.

[0029] FIG. 1 depicts an illustrative embodiment of a system 100 that enables auditing of encrypted log messages in one or more encrypted log files. The system 100 includes a Key Generation Center (KGC) 104, an auditor 108, and a logging machine 112. In the illustrative embodiment of FIG. 1, each of the KGC 104, auditor 108, and logging machine 112 depict a computing device with one or more digital processors that execute stored program instructions. In distributed embodiments, some or all of the KGC 104, auditor 108, and logging machine 112 are embodied as different hardware devices that are communicatively coupled via a data network or other communication channel. While FIG. 1 depicts a single logging machine 112, in many embodiments the system 100 includes multiple logging machines 112 that correspond to multiple computing devices in a networked computing system. The system 100 includes a single auditor 108 or a comparatively small number of auditors 108 for a larger number of the logging machines 112. In an embodiment with multiple logging machines, each logging machine 112 receives a unique set of cryptographic keys from the KGC 104 and the corresponding auditor 108 receives a shared secret key that is unique to each logging machine.

[0030] As used herein, the term "key generation center (KGC)" refers to one or a plurality of computing devices, such as the KGC 104, that collaborate to provide system-wide generation of key material, distribution, and optionally key escrow operations for the logging system 100, which includes generation and distribution of symmetric cryptographic keys. Operation of the system 100 relies on the KGC as part of the trusted computing base (TCB) and the threat models described herein rely on the inability of an attacker to compromise the KGC. In one embodiment, the KGC employs tamper resistant hardware and other security measures to prevent compromise. Another alternative is to distribute the trust for KGC by using threshold cryptography, in which the KGC is controlled by multiple entities and a set of entities (e.g., t-out-of-n, t < n) must collaborate to recover the cryptographic keys. The KGC generates the symmetric keys for the each logging machine and each auditor and distributes them before the deployment of the system. The KGC optionally stores the root keys in a tamper resistant manner as described, and then derive the keys for each logging machine or auditor for each time period properly.

[0031] As used herein, the term "logging machine" refers to a computing device, such as the logging machine 112, that generates and stores log messages related to events that occur during operation of the logging machine 112. In any modern computer system, there is an event logging mechanism which logs the important occurrences (e.g., who logs into the system, which user manipulated which file). In FIG. 1, the logging machine 112 stores searchable encrypted log data 116. As is known in the art, the logging machine 112 generates logs for a single computing device (a "local" log) or receives logs from one or more computing devices via a data network or other suitable communication channel (a "remote" logger). The logging machine refers to this logging mechanisms that can be part (or a process) of a computer or operating system. The log messages include, but are not limited to, information about activities performed by software programs that logging machine executes, network traffic information, sensor data, and, in particular, data corresponding to the activities of users including log message records that may indicate malicious activity by an attacker. Examples of malicious activity include, but are not limited to, records of network port scans, attempts to execute privileged operations in the logging machine, unsuccessful login attempts, and the like. As described in more detail below, the logging machine 112 uses forward-secure encryption and signature processes to protect the privacy and integrity of log messages that are recorded before a potential attacker gains control of the logging machine 112. The threat models described herein assume that the logging machine can be compromised by the attacker. That is, cryptographic keys used to compute cryptographic tags and ciphertext can be recovered by the attacker. The logging machine accumulates the log messages of important events and then being audited by the auditor periodically.

[0032] As used herein, the term "auditor" refers to a computing device, such as the auditor 108, that is responsible for verifying the log messages generated by the logging machine 112. The auditor periodically obtains log messages from the logging machine, and cryptographically verifies their authenticity and integrity. The auditor may also conduct encrypted searches on those log messages, and also may be given a right to decrypt log messages if the system design permits. In the embodiment of FIG. 1, the auditor 108 is granted access to search on encrypted log messages for a given keyword w, and identify the ciphertexts containing keyword w. However, due to confidentiality and privacy requirements, the auditor 108 is not given the secret key which is used to encrypt log messages.

[0033] In general, the auditor 108 has search access to perform keyword searches on encrypted and digitally signed searchable representations (SRs) that include a predetermined dictionary of keywords that may be present in one or more log messages. The auditor can perform keyword searches to identify log entries that include one or more keywords, but by default the auditor does not have full access to the plaintext of any of the log entries in the logging machine. In some circumstances, the KGC provides limited access to the auditor to view the plaintext log messages for a portion of the log messages that the logging machine generates during operation. For example, during an investigation into a potential compromise of the logging machine 112, the auditor 108 receives permission to view the plaintext of selected log messages that match a keyword search. The KGC 104 provides either the decryption keys or the decrypted plaintext to the auditor 108. Alternatively, the auditor 108 contacts a trusted third party authorized by law, that can decrypt the encrypted log messages containing one or more keywords wand send them to the auditor, which prevents exposure of any secret keys to the auditor 108. This trusted third party can be the KGC 104 or the KGC 104 may delegate the authentication credentials to an external entity, which is also authorized and stores cryptographic keys in a tamper resistant manner.

[0034] In many configurations the KGC 104, auditor 108, and logging machine 112 are formed from at least three distinct computing devices that are often separated geographically, although in some embodiments a single computing device could implement the functionality of all three components using, for example, virtual machines, containers, or other partitioning techniques that are known to the art to provide secure separation and communicative coupling between the operation of the logging machine, KGC, and the auditor. Each of the logging machine, KGC, and auditor includes at least one digital processor, at least one memory device, and network interface devices that transmit and receive data through data networks such as local or wide area networks. The auditor also includes input and output (I/O) devices that present the results of search queries and, in some configurations, the plaintext of selected log messages from the logging machine 112. Examples of I/O devices include keyboards, mice, touchscreen interfaces, visual display devices, audio input and output devices, printers, and the like. The memory devices including both volatile random access memory (RAM) and non-volatile data storage devices such as magnetic drives or solid state storage devices.

[0035] During operation, the system 100 performs a key generation process, searchable encryption process, and an auditing process: (K0, x0, y0) ←FASE.Kg(1κ). The KGC 104 generates secret keys z1ε.Gen(1κ) and

and sets K0 ← (z1, z2). The KGC gives (K0, x0, y0) and (z2, x0, y0) to the logging machine 112 and auditor 108, respectively. The terms x0, y0, z1, and z2 each correspond to a symmetric cryptographic key. As discussed below, the key z1 is used for encryption and decryption of the text in messages, the key z2 is used to generate and access the encrypted SRs of keywords corresponding to each message, the key x0 is used to generate a cryptographic signature of the message text (either plaintext or ciphertext), and the key y0 is used to generate a cryptographic signature of the encrypted SR. Additionally, the logging machine 112 and auditor 108 generate updated versions of the keys x0, y0, z1, and z2 using a one-way function, such as a cryptographically secure hash function, to maintain forward security during operation. The old versions of keys are deleted from the memory of the logging machine 112 shortly after generation of the updated keys. Consequently, if an attacker compromises the logging machine 112, the attacker cannot view previously generated log messages or encrypted SRs. Additionally, the attacker cannot modify the encrypted log messages or SRs in a manner that is undetectable by the auditor 108 since any tampering with the encrypted log data invalidates the cryptographic signatures and the attacker is unable to generate new cryptographic signatures for old log messages and SRs.

[0036] The logging process includes generation of log data in the logging machine 112 for various events that occur in one or more computing systems, including events that are of relevance to a security audit. The logging machine 112 logs the events, and generates cryptographic tags and searchable encrypted ciphertext vectors corresponding to the log messages as follows: (I,σ,c,s0,l) ← FASE.FSEK0,x0,y0(M). During a first time period t0, the logging machine 112 records the first log message M0 and obtains the first SR and ciphertext. The logging machine 112 also computes signatures σFy0(I0) and s0Fx0(M0), and updates the keys K1 (including the two separate symmetric keys z1 and z2) via K1Upd2(K0) to generate updated keys K1 = (z1', z2'). The signature σ is a cryptographic signature of the encrypted SR I0 for the particular log message M0 and the signature s0 is a cryptographic signature of the contents of the message M0. The logging machine 112 uses the first key z1 to generate the signature s0 for the contents of the log message M0 based on either the plaintext or ciphertext of the log message. The logging machines 112 uses the second key z2 to generate the signature σ for the encrypted SR I0. In one embodiment, the logging machine uses the keys z1 and z2 during a predetermined time period and updates both encryption keys z1 and z2 at the end of each time period to provide forward security for the logging messages and SRs that were generated during previous time periods. The logging machine 112 optionally groups all of the encrypted log messages, SRs, and corresponding cryptographic signatures for a single time period together for transmission to one or both of the auditor 108 and the KGC 104. In another embodiment, the logging machine 112 updates the keys z1 and z2 after encrypting and signing the log message text and SR for each log message or for a predetermined number of consecutive log messages. In the time period embodiment, the logging machine 112 continues to process groups of log messages during subsequent time periods t1 ... tw-1. The logging machine 112 continues to generate log messages M1 ... Ml-1 and continues to compute cryptographic tags, SRs, and ciphertexts. During a subsequent time period tw the logging machine performs the following operational sequence:
  1. a. (lw, cl) ← SSE.AddKw(lw-1,Ml)
  2. b. σwFyw(Iw)
  3. c. slFxl(cl), s0,lFxl(sls0,l-1)
  4. d. KW+1Upd2(Kw)
  5. e. At the end of tw, the logging machine 112 generates the following output: ⟨I= (l0,...,Iw,), σ = (σ0,..,σw,), c = (c0..., cl,)j s0,l


[0037] The auditor 108 receives the output data (I, σ, c, s0,l) from the logging machine 112 and performs searches for keywords w in the encrypted log messages from the logging machine 112, although the auditor 108 does not have full access to the plaintext contents of the log messages. The auditing process to search for a keyword w in the output from the logging machine is described by the following expression: (M, b) ← FASE. FAVSz2,x0,y0( (I,σ,c,s0,l,w). In more detail, the auditor 108 verifies the authenticity and integrity of data from the logging machine 112 and then searches for the keyword w as set forth below:
  1. a.



    and xjUpd1(xj-1) for j = 1, ... , l where

    Fx0(c0). If

    then set b=1 and continue or else set b=0 and abort, which indicates a failure to verify the cryptographic signature for at least one log message and that at least one log message over the series of log messages 0 - l has been modified, potentially by an attacker.
  2. b. If σj = Fyj(I'j) where yjUpd1(yj-1),j = 1,..., n, then set b = 1 and continue, else set b = 0 and abort, which indicates that at least one of the SRs for the log data have been modified, potentially by an attacker.
  3. c. Search for the keyword w as (cn, b) ← SSE. Searchz2 (I, w). If b = 0 then abort, else cn is the set of ciphertext data that include keyword w that are generated during a single time period tn.
  4. d. The auditor 108 optionally requests decryption of the data cn that include the keyword w. If the KGC 104 authorizes the request, the auditor 108 receives Kn to decrypt the ciphertext cn, or alternatively the auditor 108 sends cn to a trusted third party that is responsible for the decryption.


[0038] FIG. 2 depicts a process 200 that is an exemplary implementation the foregoing processes for secure log generation and auditing. In the discussion of FIG. 2, a reference to the process 200 performing a function or action refers to the operation of one or more processors to execute stored program instructions to perform the function or action in association with other components in a logging system. The process 200 is described in conjunction with the system 100 of FIG. 1 for illustrative purposes.

[0039] Process 200 begins as the KGC 104 generates and distributes the first cryptographic key (z1) and the second cryptographic key (z2) to the logging machine 112 and the KGC 104 distributes only the second secret key to the auditor 108 (block 204). The first and second keys are symmetric cryptographic keys that form a shared secret between the KGC 104 and the logging machine 112 (for both the first and second keys) and between the KGC 104, logging machine 112, and the auditor (for only the second key). In some embodiments, the KGC 104 also generates the signing key for the cryptographic messages (key x0) and the signing key for the encrypted SRs (key y0). The KGC 104 distributes the keys x0 and y0 to at least the logging machine 112 and distributes the key y0 and optionally they key x0 to the auditor 108. The KGC 104 uses an existing secure key distribution mechanism that enables transmission of the first and second keys over a network in a manner where an attacker cannot observe or manipulate the keys during transmission. As described above, the logging machine 112 receives the first key to encrypt and sign logged messages M and the second key to generate and sign the data structures for the searchable representation (SR) I that corresponds to the keywords in each message M.

[0040] Process 200 continues as the logging machine 112 generates a log message (block 208) and identifies keywords in the log message (block 212). The logging machine 112 generates the logging message in response to an event that occurs during operation of the logging machine 112. In many instances, the logging machine 112 is a server, personal computer, or other computing device that performs some activity in a larger computing system. A logging program (e.g. syslog or equivalent) generates a log entry in response to an event that occurs during the execution of one or more programs in the logging machine. The logging machines uses, for example, a parsing and tokenization process to identify keywords that correspond to a predetermined dictionary of keywords that are expected to be found in log messages.

[0041] During process 200, the logging machine 112 encrypts and signs the log message (block 216) and generates a cryptographically signed encrypted SR that includes entries for all of the identified keywords in the message (block 220). In the system 100, the logging machine 112 encrypts the log message with the first key (z1) and signs either the plaintext or ciphertext of the log message with the signing key x0. The logging machine 112 also generates the encrypted SR using the second key (z2) and generates the cryptographic signature for the encrypted SR using the signing key y0. The logging machine 112 performs the processing of blocks 216 and 220 in any order or concurrently during process 200. The logging machine 112 stores the encrypted and message data c with the cryptographic signature s and the encrypted SR I with the signature σ for the message in a memory (block 224).

[0042] During process 200, the logging machine 112 updates the symmetric cryptographic keys x0, y0, z1, and z2 to preserve forward security on the logging machine. As described above, in one embodiment, the logging machine applies the update functions Upd1 and Upd2 to generate updated versions of each of the keys x0, y0, z1, and z2 using a one-way cryptographically secure hash function. The logging machine 112 then deletes the old versions of the cryptographic keys from memory so that even if an attacker gains control of the logging machine, the previously stored encrypted and signed log messages and the stored signed encrypted SRs cannot be altered by the attacker in a manner that is undetectable to the auditor 108. During the process 200, the logging machine identifies if either the expiration of a predetermined time period or if the logging machine has used the keys x0, y0, z1, and z2 for a predetermined number of log messages (e.g. one log message) (block 228). The logging machine 112 then performs the update process to generate updated versions of the cryptographic keys and deletes the old cryptographic keys (block 232). The process 200 returns to the block 208 for generation and processing of the next log message after the generation of the updated keys in block 232 or in situations where then logging machine 112 does not perform the key update process (block 228).

[0043] During process 200, the logging machine 112 continues operation as described in the processing of blocks 208 - 228. During the process 200, the logging machine 112 also transmits data to the auditor 108 and the auditor 108 receives the transmitted data from the logging machine 112 (block 236). The transmitted data include at least the encrypted SRs and the signatures for the encrypted SRs, and in some configurations the logging machine 112 also transmits the encrypted logging messages and the corresponding message signatures.

[0044] The auditor 108 performs a synchronization operation to perform any necessary update operations on the keys x0, y0, and z2 to ensure that the auditor 108 uses the same set shared symmetric keys for data verification and to access the encrypted SR that the logging machine used to generate the encrypted SR and produce signatures for the message and the encrypted SR (block 240). As described above, in some embodiments the logging machine generates a set of encrypted SRs and optionally messages during a predetermined time period when the logging machine 112 uses a single set of keys for encrypting and signing the relevant data that are transmitted to the auditor 108. The auditor 108 receives a timestamp corresponding to the encrypted data, which the auditor 108 uses to perform any necessary update operations on the copy of the cryptographic keys x0, y0, and z2 that the auditor 108 uses for signature verification (keys x0 and y0) and access to the encrypted SR (key z2) in the data from the logging machine 112. In another embodiment, the auditor 108 requests one or more encrypted SRs from the logging machine 112 and receives the signed encrypted SRs with an index number. The auditor 108 uses the index number to identify the number of updates that the auditor 108 performs to generate the appropriately updated versions of the keys x0, y0, and z2.

[0045] Process 200 continues as the auditor 108 verifies the integrity of the encrypted SRs that are received from the logging machine 112 and performs a search operation for one or more search keywords (block 244). Each encrypted SR includes entries that specify the presence or absence of keywords in the original log message. The auditor uses the appropriately updated version of the signature verification cryptographic key y0 to verify the signature of the encrypted SRs from the logging machine 112. If the verification succeeds, then the auditor 108 uses the appropriate version of the second cryptographic key z2 to access the encrypted SRs for one or more of the log messages to identify the presence or absences of the keywords from the encrypted log messages corresponding to the encrypted SRs. However, as noted above the auditor 108 does not gain full access to the plaintext of the encrypted log messages, but instead merely identifies the encrypted log messages that include the keyword or keywords in the search query. In many configurations, the auditor 108 is only granted permission to identify the encrypted log entries that include the search term (block 248) and the auditor 108 generates an output that specifies the encrypted log messages that match the search keywords without specifying the plaintext contents of the matching log messages (block 260).

[0046] In some configurations of the process 200, the KGC 104 enables the auditor 108 to decrypt a portion of the encrypted log messages from the logging machine 112 (block 248). The auditor 108 either receives at least one version of the symmetric cryptographic key z1 from the logging machine 112 or the KGC decrypts the encrypted messages and transmits the plaintext contents of the encrypted messages to the auditor 108 without divulging the symmetric key z1 to the auditor 108 (block 252). For example, in some situations the auditor 108 is granted access to the plaintext of log messages that match the terms of the keyword search query. If the auditor 108 receives the cryptographic key z1 then the auditor technically has the ability to reconstruct all future versions of the key z1 using the update functions, but the auditor 108 cannot not generate any earlier versions of the key z1. The KGC 104 optionally generates a new key z1 for the logging device to prevent the auditor 108 from accessing future encrypted log messages. In the configuration in which the KGC 104 receives the encrypted messages from the logging machine 112 and transmits the plaintext data to the auditor 108, the KGC 104 optionally uses a secondary form of encryption and authentication to preserve the privacy and integrity of the plaintext log messages during transmission through the data network without divulging the contents of the key z1 to the auditor 108.

[0047] In either configuration, the KGC 104 or the auditor 108 verifies the cryptographic signatures from the logging machine 112 using the appropriately updated versions of the key x0 to ensure that the contents of the log messages have not been altered by an attacker. During process 200, the auditor 108 generates an output that includes both an identification of the log messages that matched the keyword search and the plaintext contents of the log messages in response to a successful verification of the authenticity of the log messages (block 256). Of course, the system 100 can be configured to generate a warning or alert in the event that the cryptographic signatures corresponding to one or more log messages fail to match the contents of the log messages, which indicates the possibility that an attacker altered the log messages. Thus, during process 200, the system 100 prevents an attacker who gains control of the logging machine 112 from accessing the data of previously generated log messages and encrypted SRs, and prevents the attacker from modifying the previously generated log messages and encrypted SRs in a manner that is undetectable by the auditor 108.

[0048] It will be appreciated that variants of the above-described and other features and functions, or alternatives thereof, may be desirably combined into many other different systems, applications or methods.


Claims

1. A method for searching encrypted log data comprising:

generating (208) with a logging machine (112) a first log message including first plaintext content;

identifying (212) with the logging machine (112) at least one keyword in the first log message;

encrypting (216) with the logging machine (112) the first log message using a first cryptographic key to produce a first encrypted log message;

generating (220) with the logging machine (112) a first encrypted searchable representation of the first log message including the at least one keyword using a second cryptographic key, the second cryptographic key being different than the first cryptographic key;

transmitting (236) with the logging machine (112) the first encrypted searchable representation to an auditor (108);

performing (244) with the auditor (108) a search to identify at least one search keyword in the first encrypted searchable representation, the auditor (108) using the second cryptographic key to access the first encrypted searchable representation;

generating (260) with the auditor (108) a first output indicating presence or absence of the at least one search keyword from the first log message, the first output not including the first plaintext content of the first log message;

applying with the logging machine (112) a one-way function to the first cryptographic key to generate an updated first cryptographic key, the updated first cryptographic key being different than the first cryptographic key;

applying with the logging machine (112) the one-way function to the second cryptographic key to generate an updated second cryptographic key, the updated second cryptographic key being different than the second cryptographic key;

generating with the logging machine (112) a second log message including second plaintext content;

identifying with the logging machine (112) at least one keyword in the second log message;

generating with the logging machine (112) a second encrypted searchable representation of the second log message including the at least one keyword using the updated second cryptographic key;

encrypting with the logging machine (112) the second log message using the updated first cryptographic key to produce a second encrypted log message;

transmitting with the logging machine (112) the second encrypted searchable representation to the auditor (108);

applying with the auditor (108) the one-way function to the second cryptographic key to generate the updated second cryptographic key;

performing with the auditor (108) another search to identify the at least one search keyword in the second encrypted searchable representation, the auditor (108) using the updated second cryptographic key to access the second encrypted searchable representation; and

generating with the auditor (108) a second output indicating presence or absence of the at least one search keyword from the second log message, the second output not including the second plaintext content of the second log message.


 
2. The method of claim 1, wherein the logging machine (112) generates the updated first cryptographic key and the updated second cryptographic key in response to expiration of a predetermined time period, the second log message being generated after expiration of the predetermined time period; and/or, wherein the logging machine (112) generates the updated first cryptographic key and the updated second cryptographic key in response to use of the first cryptographic key to generate the first encrypted log message and the use of the second cryptographic key to generate the first searchable encrypted representation; and/or the method further comprising:

deleting with the logging machine (112) the first cryptographic key in response to the generation of the updated first cryptographic key to preserve forward security of the first encrypted log message; and

deleting with the logging machine (112) the second cryptographic key in response to the generation of the updated second cryptographic key to preserve forward security of the first encrypted searchable representation.


 
3. The method of claim 1 further comprising:

generating with the logging machine (112) a first cryptographic signature corresponding to the first encrypted searchable representation using a third cryptographic key;

transmitting with the logging machine (112) the first cryptographic signature to the auditor (108) in association with the first encrypted searchable representation; and

performing with the auditor (108) a search to identify at least one search keyword in the first encrypted searchable representation only in response to verification of the first cryptographic signature using the third cryptographic key.


 
4. The method of claim 1 further comprising:

generating with a key generation center, KGC, the first cryptographic key, the second cryptographic key, a third cryptographic key;

distributing with the KGC the first cryptographic key, the second cryptographic key, the third cryptographic key, and a fourth cryptographic key to the logging machine (112) prior to the generation of the first encrypted log message and the first encrypted searchable representation;

distributing with the KGC only the second cryptographic key, the third cryptographic key, and the fourth cryptographic key to the auditor (108) prior to performing the search to identify the at least one search keyword.


 
5. The method of claim 1 further comprising:

transmitting with the logging machine (112) the first encrypted log message to the auditor (108);

distributing with the KGC the first cryptographic key to the auditor (108);

decrypting with the auditor (108) the first encrypted log message using the first cryptographic key; and the method further comprising:

generating with the logging machine (112) a cryptographic signature of the first encrypted log message using the third cryptographic key;

transmitting with the logging machine (112) the cryptographic signature to the auditor (108) in association with the first encrypted log message; and

generating with the auditor (108) the second output including the first plaintext content of the first encrypted log message only in response to verification of the cryptographic signature using the third cryptographic key.


 
6. The method of claim 1 further comprising:

generating with a key generation center, KGC, the first cryptographic key, the second cryptographic key, a third cryptographic key;

distributing with the KGC the first cryptographic key, the second cryptographic key, the third cryptographic key, and a fourth cryptographic key to the logging machine (112) prior to the generation of the first encrypted log message and the first encrypted searchable representation;

distributing with the KGC only the second cryptographic key, the third cryptographic key, and the fourth cryptographic key to the auditor (108) prior to performing the search to identify the at least one search keyword; and/or

transmitting with the logging machine (112) the first encrypted log message to the KGC;

decrypting with the KGC the first encrypted log message using the first cryptographic key;

transmitting with the KGC the first plaintext content of the first log message to the auditor (108); and

generating with the auditor (108) a second output including the first plaintext content of the first encrypted log message.


 
7. An encrypted log generation and audit system (100) comprising:

a logging machine (112) communicatively coupled to an auditor (108), the logging machine (112) being configured to:

generate (208) a first log message including first plaintext content;

identify (212) at least one keyword in the first log message;

encrypt (216) the first log message using a first cryptographic key to produce a first encrypted log message;

generate (220) a first encrypted searchable representation of the first log message including the at least one keyword using a second cryptographic key, the second cryptographic key being different than the first cryptographic key; and

transmit (236) the first encrypted searchable representation to the auditor (108); and

the auditor (108) being configured to:

perform (244) a search to identify at least one search keyword in the first encrypted searchable representation, the auditor (108) using the second cryptographic key to access the first encrypted searchable representation;

generate (260) a first output indicating presence or absence of the at least one search keyword from the first log message, the first output not including the first plaintext content of the first log message;

wherein the logging machine is further configured to:

apply a one-way function to the first cryptographic key to generate an updated first cryptographic key, the updated first cryptographic key being different than the first cryptographic key;

apply the one-way function to the second cryptographic key to generate an updated second cryptographic key, the updated second cryptographic key being different than the second cryptographic key;

generate a second log message including second plaintext content;

identify at least one keyword in the second log message;

generate a second encrypted searchable representation of the second log message including the at least one keyword using the updated second cryptographic key;

encrypt the second log message using the updated first cryptographic key to produce a second encrypted log message; and

transmit the second encrypted searchable representation to the auditor (108); and

the auditor (108) being further configured to:

apply the one-way function to the second cryptographic key to generate the updated second cryptographic key;

perform another search to identify the at least one search keyword in the second encrypted searchable representation, the auditor (108) using the updated second cryptographic key to access the second encrypted searchable representation; and

generate a second output indicating presence or absence of the at least one search keyword from the second log message, the second output not including the second plaintext content of the second log message.


 
8. The system of claim 7, the logging machine being further configured to:
generate the updated first cryptographic key and the updated second cryptographic key in response to expiration of a predetermined time period, the second log message being generated after expiration of the predetermined time period.
 
9. The system of claim 7, the logging machine being further configured to:
generate the updated first cryptographic key and the updated second cryptographic key in response to use of the first cryptographic key to generate the first encrypted log message and the use of the second cryptographic key to generate the first searchable encrypted representation.
 
10. The system of claim 7, the logging machine being further configured to:

delete the first cryptographic key in response to the generation of the updated first cryptographic key to preserve forward security of the first encrypted log message; and

delete the second cryptographic key in response to the generation of the updated second cryptographic key to preserve forward security of the first encrypted searchable representation.


 
11. The system of claim 7, the logging machine being further configured to:

generate a first cryptographic signature corresponding to the first encrypted searchable representation using a third cryptographic key; and

transmit the first cryptographic signature to the auditor (108) in association with the first encrypted searchable representation; and

the auditor (108) being further configured to:
perform a search to identify at least one search keyword in the first encrypted searchable representation only in response to verification of the first cryptographic signature using the third cryptographic key.


 
12. The system of claim 7 further comprising:
a key generation center, KGC, communicatively coupled to the logging machine and the auditor (108), the KGC being configured to:

generate the first cryptographic key, the second cryptographic key, and a third cryptographic key;

distribute the first cryptographic key, the second cryptographic key, and the third cryptographic key to the logging machine prior to the generation of the first encrypted log message and the first encrypted searchable representation;

distribute only the second cryptographic key and the third cryptographic key to the auditor (108) prior to performing the search to identify the at least one search keyword.


 
13. The system of claim 12, the logging machine being further configured to:
transmit the first encrypted log message to the auditor (108);
the KGC being further configured to:
distribute the first cryptographic key to the auditor (108); and
the auditor (108) being further configured to:

decrypt the first encrypted log message using the first cryptographic key; and

generate a second output including the first plaintext content of the first encrypted log message; and/or the logging machine being further configured to:

generate a cryptographic signature of the first encrypted log message using the third cryptographic key; and

transmit the cryptographic signature to the auditor (108) in association with the first encrypted log message; and

the auditor (108) being further configured to:
generate the second output including the first plaintext content of the first encrypted log message only in response to verification of the cryptographic signature using the third cryptographic key.
 
14. The system of claim 12, the logging machine being further configured to:
transmit the first encrypted log message to the KGC;
the KGC being further configured to:

decrypt the first encrypted log message using the first cryptographic key; and

transmit the first plaintext content of the first log message to the auditor (108); and

the auditor (108) being further configured to:
generate a second output including the first plaintext content of the first encrypted log message.
 


Ansprüche

1. Verfahren zum Durchsuchen verschlüsselter Protokolldaten, das Folgendes umfasst:

Erzeugen (208) mit einer Protokollierungsmaschine (112) einer ersten Protokollnachricht, die ersten Klartextinhalt enthält;

Identifizieren (212) mit der Protokollierungsmaschine (112) mindestens eines Schlüsselworts in der ersten Protokollnachricht;

Verschlüsseln (216) mit der Protokollierungsmaschine (112) der ersten Protokollnachricht unter Verwendung eines ersten kryptographischen Schlüssels, um eine erste verschlüsselte Protokollnachricht zu erstellen;

Erzeugen (220) mit der Protokollierungsmaschine (112) einer ersten verschlüsselten durchsuchbaren Darstellung der ersten Protokollnachricht, die das mindestens eine Schlüsselwort enthält, unter Verwendung eines zweiten kryptographischen Schlüssels, der vom ersten kryptographischen Schlüssel verschieden ist;

Senden (236) mit der Protokollierungsmaschine (112) der ersten verschlüsselten durchsuchbaren Darstellung zu einem Prüfer (108);

Ausführen (244) mit dem Prüfer (108) einer Suche, um mindestens ein Suchschlüsselwort in der ersten verschlüsselten durchsuchbaren Darstellung zu identifizieren, wobei der Prüfer (108) den zweiten kryptographischen Schlüssel verwendet, um auf die erste verschlüsselte durchsuchbare Darstellung zuzugreifen;

Erzeugen (260) mit dem Prüfer (108) einer ersten Ausgabe, die die Anwesenheit oder die Abwesenheit des mindestens eines Suchschlüsselworts in der ersten Protokollnachricht angibt, wobei die erste Ausgabe den ersten Klartextinhalt der ersten Protokollnachricht nicht enthält;

Anwenden mit der Protokollierungsmaschine (112) einer Einwegfunktion auf den ersten kryptographischen Schlüssel, um einen aktualisierten ersten kryptographischen Schlüssel zu erzeugen, wobei der aktualisierte erste kryptographische Schlüssel vom ersten kryptographischen Schlüssel verschieden ist;

Anwenden mit der Protokollierungsmaschine (112) der Einwegfunktion auf den zweiten kryptographischen Schlüssel, um einen aktualisierten zweiten kryptographischen Schlüssel zu erzeugen, wobei der aktualisierte zweite kryptographische Schlüssel vom zweiten kryptographischen Schlüssel verschieden ist;

Erzeugen mit der Protokollierungsmaschine (112) einer zweiten Protokollnachricht, die den zweiten Klartextinhalt enthält;

Identifizieren mit der Protokollierungsmaschine (112) mindestens eines Schlüsselworts in der zweiten Protokollnachricht;

Erzeugen mit der Protokollierungsmaschine (112) einer zweiten verschlüsselten durchsuchbaren Darstellung der zweiten Protokollnachricht, die das mindestens eine Schlüsselwort enthält, unter Verwendung des aktualisierten zweiten kryptographischen Schlüssels;

Verschlüsseln mit der Protokollierungsmaschine (112) der zweiten Protokollnachricht unter Verwendung des aktualisierten ersten kryptographischen Schlüssels, um eine zweite verschlüsselte Protokollnachricht zu erstellen;

Senden mit der Protokollierungsmaschine (112) der zweiten verschlüsselten durchsuchbaren Darstellung zum Prüfer (108) ;

Anwenden mit dem Prüfer (108) der Einwegfunktion an den zweiten kryptographischen Schlüssel, um den aktualisierten zweiten kryptographischen Schlüssel zu erzeugen;

Ausführen mit dem Prüfer (108) einer weiteren Suche, um das mindestens eine Suchschlüsselwort in der zweiten verschlüsselten durchsuchbaren Darstellung zu identifizieren, wobei der Prüfer (108) den aktualisierten zweiten kryptographischen Schlüssel verwendet, um auf die zweite verschlüsselte durchsuchbare Darstellung zuzugreifen; und

Erzeugen mit dem Prüfer (108) einer zweiten Ausgabe, die die Anwesenheit oder die Abwesenheit des mindestens eines Suchschlüsselworts in der zweiten Protokollnachricht angibt, wobei die zweite Ausgabe den zweiten Klartextinhalt der zweiten Protokollnachricht nicht enthält.


 
2. Verfahren nach Anspruch 1, wobei die Protokollierungsmaschine (112) den aktualisierten ersten kryptographischen Schlüssel und den aktualisierten zweiten kryptographischen Schlüssel als Antwort auf ein Ablaufen eines vorgegebenen Zeitraums erzeugt, wobei die zweite Protokollnachricht nach Ablauf des vorgegebenen Zeitraums erzeugt wird; und/oder wobei die Protokollierungsmaschine (112) den aktualisierten ersten kryptographischen Schlüssel und den aktualisierten zweiten kryptographischen Schlüssel als Antwort auf die Verwendung des ersten kryptographischen Schlüssels, um die erste verschlüsselte Protokollnachricht zu erzeugen, und die Verwendung des zweiten kryptographischen Schlüssels, um die erste durchsuchbare verschlüsselte Darstellung zu erzeugen, erzeugt; und/oder das Verfahren ferner Folgendes umfasst:

Löschen mit der Protokollierungsmaschine (112) des ersten kryptographischen Schlüssels als Antwort auf die Erzeugung des aktualisierten ersten kryptographischen Schlüssels, um eine vorwärts gerichtete Sicherheit der ersten verschlüsselten Protokollnachricht zu bewahren; und

Löschen mit der Protokollierungsmaschine (112) des zweiten kryptographischen Schlüssels als Antwort auf die Erzeugung des aktualisierten zweiten kryptographischen Schlüssels, um eine vorwärts gerichtete Sicherheit der ersten verschlüsselten durchsuchbaren Darstellung zu bewahren.


 
3. Verfahren nach Anspruch 1, das ferner Folgendes umfasst:

Erzeugen mit der Protokollierungsmaschine (112) einer ersten kryptographischen Signatur, die der ersten verschlüsselten durchsuchbaren Darstellung entspricht, unter Verwendung eines dritten kryptographischen Schlüssels;

Senden mit der Protokollierungsmaschine (112) der ersten kryptographischen Signatur zum Prüfer (108) in Verbindung mit der ersten verschlüsselten durchsuchbaren Darstellung; und

Ausführen mit dem Prüfer (108) einer Suche, um mindestens ein Suchschlüsselwort in der ersten verschlüsselten durchsuchbaren Darstellung zu identifizieren, lediglich als Antwort auf eine Prüfung der ersten kryptographischen Signatur unter Verwendung des dritten kryptographischen Schlüssels.


 
4. Verfahren nach Anspruch 1, das ferner Folgendes umfasst:

Erzeugen mit einem Schlüsselerzeugungszentrum, KGC, des ersten kryptographischen Schlüssels, des zweiten kryptographischen Schlüssels und eines dritten kryptographischen Schlüssels;

Verteilen mit dem KGC des ersten kryptographischen Schlüssels, des zweiten kryptographischen Schlüssels, des dritten kryptographischen Schlüssels und eines vierten kryptographischen Schlüssels an die Protokollierungsmaschine (112) vor der Erzeugung der ersten verschlüsselten Protokollnachricht und der ersten verschlüsselten durchsuchbaren Darstellung; und

Verteilen mit dem KGC lediglich des zweiten kryptographischen Schlüssels, des dritten kryptographischen Schlüssels und des vierten kryptographischen Schlüssels zum Prüfer (108) vor dem Ausführen der Suche, um das mindestens eine Suchschlüsselwort zu identifizieren.


 
5. Verfahren nach Anspruch 1, das ferner Folgendes umfasst:

Senden mit der Protokollierungsmaschine (112) der ersten verschlüsselten Protokollnachricht zum Prüfer (108);

Verteilen mit dem KGC des ersten kryptographischen Schlüssels zum Prüfer (108); und

Entschlüsseln mit dem Prüfer (108) der ersten verschlüsselten Protokollnachricht unter Verwendung des ersten kryptographischen Schlüssels; wobei das Verfahren ferner Folgendes umfasst:

Erzeugen mit der Protokollierungsmaschine (112) einer kryptographischen Signatur der ersten verschlüsselten Protokollnachricht unter Verwendung des dritten kryptographischen Schlüssels;

Senden mit der Protokollierungsmaschine (112) der kryptographischen Signatur zum Prüfer (108) in Verbindung mit der ersten verschlüsselten Protokollnachricht; und

Erzeugen mit dem Prüfer (108) der zweiten Ausgabe, die den ersten Klartextinhalt der ersten verschlüsselten Protokollnachricht enthält, lediglich als Antwort auf eine Prüfung der kryptographischen Signatur unter Verwendung des dritten kryptographischen Schlüssels.


 
6. Verfahren nach Anspruch 1, das ferner Folgendes umfasst:

Erzeugen mit einem Schlüsselerzeugungszentrum, KGC, des ersten kryptographischen Schlüssels, des zweiten kryptographischen Schlüssels und eines dritten kryptographischen Schlüssels;

Verteilen mit dem KGC des ersten kryptographischen Schlüssels, des zweiten kryptographischen Schlüssels, des eines dritten kryptographischen Schlüssels und eines vierten kryptographischen Schlüssels an die Protokollierungsmaschine (112) vor der Erzeugung der ersten verschlüsselten Protokollnachricht und der ersten verschlüsselten durchsuchbaren Darstellung;

Verteilen mit dem KGC lediglich des zweiten kryptographischen Schlüssels, des dritten kryptographischen Schlüssels und des vierten kryptographischen Schlüssels zum Prüfer (108) vor dem Ausführen der Suche, um das mindestens eine Suchschlüsselwort zu identifizieren; und/oder

Senden mit der Protokollierungsmaschine (112) der ersten verschlüsselten Protokollnachricht zum KGC;

Entschlüsseln mit dem KGC der ersten verschlüsselten Protokollnachricht unter Verwendung des ersten kryptographischen Schlüssels;

Senden mit dem KGC des ersten Klartextinhalts der ersten Protokollnachricht zum Prüfer (108); und

Erzeugen mit dem Prüfer (108) einer zweiten Ausgabe, die den ersten Klartextinhalt der ersten verschlüsselten Protokollnachricht enthält.


 
7. System (100) zur Erzeugung verschlüsselter Protokolle und zur Prüfung, das Folgendes umfasst:

eine Protokollierungsmaschine (112), die mit einem Prüfer (108) kommunikationstechnisch gekoppelt ist, wobei die Protokollierungsmaschine (112) konfiguriert ist zum

Erzeugen (208) einer ersten Protokollnachricht, die ersten Klartextinhalt enthält;

Identifizieren (212) mindestens eines Schlüsselworts in der ersten Protokollnachricht;

Verschlüsseln (216) der ersten Protokollnachricht unter Verwendung eines ersten kryptographischen Schlüssels, um eine erste verschlüsselte Protokollnachricht zu erstellen;

Erzeugen (220) einer ersten verschlüsselten durchsuchbaren Darstellung der ersten Protokollnachricht, die das mindestens eine Schlüsselwort enthält, unter Verwendung eines zweiten kryptographischen Schlüssels, wobei der zweite kryptographische Schlüssel vom ersten kryptographischen Schlüssel verschieden ist; und

Senden (236) der ersten verschlüsselten durchsuchbaren Darstellung zu einem Prüfer (108); und

der Prüfer (108) konfiguriert ist zum

Ausführen (244) einer Suche, um mindestens ein Suchschlüsselwort in der ersten verschlüsselten durchsuchbaren Darstellung zu identifizieren, wobei der Prüfer (108) den zweiten kryptographischen Schlüssel verwendet, um auf die erste verschlüsselte durchsuchbare Darstellung zuzugreifen;

Erzeugen (260) einer ersten Ausgabe, die die Anwesenheit oder die Abwesenheit des mindestens eines Suchschlüsselworts in der ersten Protokollnachricht angibt, wobei die erste Ausgabe den ersten Klartextinhalt der ersten Protokollnachricht nicht enthält; wobei

die Protokollierungsmaschine ferner konfiguriert ist zum

Anwenden einer Einwegfunktion auf den ersten kryptographischen Schlüssel, um einen aktualisierten ersten kryptographischen Schlüssel zu erzeugen, wobei der aktualisierte erste kryptographische Schlüssel vom ersten kryptographischen Schlüssel verschieden ist;

Anwenden der Einwegfunktion auf den zweiten kryptographischen Schlüssel, um einen aktualisierten zweiten kryptographischen Schlüssel zu erzeugen, wobei der aktualisierte zweite kryptographische Schlüssel vom zweiten kryptographischen Schlüssel verschieden ist;

Erzeugen einer zweiten Protokollnachricht, die den zweiten Klartextinhalt enthält;

Identifizieren mindestens eines Schlüsselworts in der zweiten Protokollnachricht;

Erzeugen einer zweiten verschlüsselten durchsuchbaren Darstellung der zweiten Protokollnachricht, die das mindestens eine Schlüsselwort enthält, unter Verwendung des aktualisierten zweiten kryptographischen Schlüssels;

Verschlüsseln der zweiten Protokollnachricht unter Verwendung des aktualisierten ersten kryptographischen Schlüssels, um eine zweite verschlüsselte Protokollnachricht zu erstellen; und

Senden der zweiten verschlüsselten durchsuchbaren Darstellung zum Prüfer (108); und

der Prüfer (108) ferner konfiguriert ist zum

Anwenden der Einwegfunktion an den zweiten kryptographischen Schlüssel, um den aktualisierten zweiten kryptographischen Schlüssel zu erzeugen;

Ausführen einer weiteren Suche, um das mindestens eine Suchschlüsselwort in der zweiten verschlüsselten durchsuchbaren Darstellung zu identifizieren, wobei der Prüfer (108) den aktualisierten zweiten kryptographischen Schlüssel verwendet, um auf die zweite verschlüsselte durchsuchbare Darstellung zuzugreifen; und

Erzeugen einer zweiten Ausgabe, die die Anwesenheit oder die Abwesenheit des mindestens eines Suchschlüsselworts in der zweiten Protokollnachricht angibt, wobei die zweite Ausgabe den zweiten Klartextinhalt der zweiten Protokollnachricht nicht enthält.


 
8. System nach Anspruch 7, wobei die Protokollierungsmaschine ferner konfiguriert ist zum
Erzeugen des aktualisierten ersten kryptographischen Schlüssels und des aktualisierten zweiten kryptographischen Schlüssels als Antwort auf ein Ablaufen eines vorgegebenen Zeitraums, wobei die zweite Protokollnachricht nach Ablauf des vorgegebenen Zeitraums erzeugt wird.
 
9. System nach Anspruch 7, wobei die Protokollierungsmaschine ferner konfiguriert ist zum
Erzeugen des aktualisierten ersten kryptographischen Schlüssels und des aktualisierten zweiten kryptographischen Schlüssels als Antwort auf die Verwendung des ersten kryptographischen Schlüssels, um die erste verschlüsselte Protokollnachricht zu erzeugen, und die Verwendung des zweiten kryptographischen Schlüssels, um die erste durchsuchbare verschlüsselte Darstellung zu erzeugen.
 
10. System nach Anspruch 7, wobei die Protokollierungsmaschine ferner konfiguriert ist zum
Löschen des ersten kryptographischen Schlüssels als Antwort auf die Erzeugung des aktualisierten ersten kryptographischen Schlüssels, um eine vorwärts gerichtete Sicherheit der ersten verschlüsselten Protokollnachricht zu bewahren; und
Löschen des zweiten kryptographischen Schlüssels als Antwort auf die Erzeugung des aktualisierten zweiten kryptographischen Schlüssels, um eine vorwärts gerichtete Sicherheit der ersten verschlüsselten durchsuchbaren Darstellung zu bewahren.
 
11. System nach Anspruch 7, wobei die Protokollierungsmaschine ferner konfiguriert ist zum Erzeugen einer ersten kryptographischen Signatur, die der ersten verschlüsselten durchsuchbaren Darstellung entspricht, unter Verwendung eines dritten kryptographischen Schlüssels; und
Senden der ersten kryptographischen Signatur zum Prüfer (108) in Verbindung mit der ersten verschlüsselten durchsuchbaren Darstellung; und
der Prüfer (108) ferner konfiguriert ist zum
Ausführen einer Suche, um mindestens ein Suchschlüsselwort in der ersten verschlüsselten durchsuchbaren Darstellung zu identifizieren, lediglich als Antwort auf eine Prüfung der ersten kryptographischen Signatur unter Verwendung des dritten kryptographischen Schlüssels.
 
12. System nach Anspruch 7, das ferner Folgendes umfasst:
ein Schlüsselerzeugungszentrum, KGC, das mit der Protokollierungsmaschine und dem Prüfer (108) kommunikationstechnisch gekoppelt ist, wobei das KGC konfiguriert ist zum

Erzeugen des ersten kryptographischen Schlüssels, des zweiten kryptographischen Schlüssels und eines dritten kryptographischen Schlüssels;

Verteilen des ersten kryptographischen Schlüssels, des zweiten kryptographischen Schlüssels und des dritten kryptographischen Schlüssels an die Protokollierungsmaschine vor der Erzeugung der ersten verschlüsselten Protokollnachricht und der ersten verschlüsselten durchsuchbaren Darstellung; und Verteilen lediglich des zweiten kryptographischen Schlüssels und des dritten kryptographischen Schlüssels zum Prüfer (108) vor dem Ausführen der Suche, um das mindestens eine Suchschlüsselwort zu identifizieren.


 
13. System nach Anspruch 12, wobei die Protokollierungsmaschine ferner konfiguriert ist zum
Senden der ersten verschlüsselten Protokollnachricht zum Prüfer (108); wobei
das KGC ferner konfiguriert ist zum
Verteilen des ersten kryptographischen Schlüssels zum Prüfer (108); und
der Prüfer (108) ferner konfiguriert ist zum

Entschlüsseln der ersten verschlüsselten Protokollnachricht unter Verwendung des ersten kryptographischen Schlüssels; und

Erzeugen einer zweiten Ausgabe, die den ersten Klartextinhalt der ersten verschlüsselten Protokollnachricht enthält; und/oder die Protokollierungsmaschine ferner konfiguriert ist zum

Erzeugen einer kryptographischen Signatur der ersten verschlüsselten Protokollnachricht unter Verwendung des dritten kryptographischen Schlüssels; und

Senden der kryptographischen Signatur zum Prüfer (108) in Verbindung mit der ersten verschlüsselten Protokollnachricht; und

der Prüfer (108) ferner konfiguriert ist zum
Erzeugen der zweiten Ausgabe, die den ersten Klartextinhalt der ersten verschlüsselten Protokollnachricht enthält, lediglich als Antwort auf eine Prüfung der kryptographischen Signatur unter Verwendung des dritten kryptographischen Schlüssels.
 
14. System nach Anspruch 12, wobei die Protokollierungsmaschine ferner konfiguriert ist zum
Senden der ersten verschlüsselten Protokollnachricht zum KGC; wobei
das KGC ferner konfiguriert ist zum

Entschlüsseln der ersten verschlüsselten Protokollnachricht unter Verwendung des ersten kryptographischen Schlüssels; und

Senden des ersten Klartextinhalts der ersten Protokollnachricht zum Prüfer (108); und

der Prüfer (108) ferner konfiguriert ist zum
Erzeugen einer zweiten Ausgabe, die den ersten Klartextinhalt der ersten verschlüsselten Protokollnachricht enthält.
 


Revendications

1. Procédé de consultation de données de journal cryptées comprenant des étapes consistant à:

créer (208) avec une machine d'enregistrement (112) un premier message de journal contenant un premier contenu de texte en clair,

identifier (212) avec la machine d'enregistrement (112) au moins un mot clé dans le premier message de journal,

crypter (216) avec la machine d'enregistrement (112) le premier message de journal en utilisant une première clé cryptographique pour obtenir un premier message de journal crypté,

créer (220) avec la machine d'enregistrement (112) une première représentation consultable cryptée du premier message de journal contenant le mot clé en utilisant une seconde clé cryptographique, la seconde clé cryptographique étant différente de la première clé cryptographique,

transmettre (236) avec la machine d'enregistrement (112) la première représentation consultable cryptée à un vérificateur (108),

effectuer (244) avec le vérificateur (108) une consultation pour identifier au moins un mot clé de consultation dans la première représentation consultable cryptée, le vérificateur (108) utilisant la seconde clé cryptographique pour avoir accès à la première représentation consultable cryptée,

créer (260) avec le vérificateur (108) une première sortie indiquant la présence ou l'absence du mot clé de consultation dans le premier message de journal, la première sortie ne contenant pas le premier contenu de texte en clair du premier message de journal,

appliquer avec la machine d'enregistrement (112) une fonction unidirectionnelle à la première clé cryptographique pour créer une première clé cryptographique mise à jour, la première clé cryptographique mise à jour étant différente de la première clé cryptographique,

appliquer avec la machine d'enregistrement (112) la fonction unidirectionnelle à la seconde clé cryptographique pour créer une seconde clé cryptographique mise à jour, la seconde clé cryptographique mise à jour étant différente de la seconde clé cryptographique,

créer avec la machine d'enregistrement (112) un second message de journal contenant un second contenu de texte en clair,

identifier avec la machine d'enregistrement (112), au moins un mot clé dans le second message de journal,

créer avec la machine d'enregistrement (112) une seconde représentation consultable cryptée du second message de journal contenant le mot clé en utilisant la seconde clé cryptographique mise à jour,

crypter avec la machine d'enregistrement (112) le second message de journal en utilisant la première clé cryptographique mise à jour pour obtenir un second message de journal crypté,

transmettre avec la machine d'enregistrement (112) la seconde représentation consultable cryptée au vérificateur (108),

appliquer avec le vérificateur (108) la fonction unidirectionnelle à la seconde clé cryptographique pour créer la seconde clé cryptographique mise à jour,

effectuer avec le vérificateur (108) une autre consultation pour identifier le mot clé de consultation dans la seconde représentation consultable cryptée, le vérificateur (108) utilisant la seconde clé cryptographique mise à jour pour avoir accès à la seconde représentation consultable cryptée, et

créer avec le vérificateur (108) une seconde sortie indiquant la présence ou l'absence du mot clé de consultation dans le second message de journal, la seconde sortie ne contenant pas le second contenu en texte clair du second message de journal.


 
2. Procédé conforme à la revendication 1, selon lequel la machine d'enregistrement (112) crée la première clé cryptographique mise à jour et la seconde clé cryptographique mise à jour en réponse à l'expiration d'une durée prédéfinie, le second message de journal étant créé après l'expiration de la durée prédéfinie et/ou la machine d'enregistrement (112) crée la première clé cryptographique mise à jour et la seconde clé cryptographique mise à jour en réponse à l'utilisation de la première clé cryptographique pour créer le premier message de journal crypté, et à l'utilisation de la seconde clé cryptographique pour créer la première représentation consultable cryptée et/ou le procédé comprenant en outre des étapes consistant à :

supprimer avec la machine d'enregistrement (112) la première clé cryptographique en réponse à la création de la première clé cryptographique mise à jour pour garantir la sécurité du premier message de journal crypté, et

supprimer avec la machine d'enregistrement (112) la seconde clé cryptographique en réponse à la création de la seconde clé cryptographique mise à jour pour garantir la sécurité de la première représentation consultable cryptée.


 
3. Procédé conforme à la revendication 1, comprenant en outre des étapes consistant à:

créer avec la machine d'enregistrement (112) une première signature cryptographique correspondant à la première représentation consultable cryptée en utilisant une troisième clé cryptographique,

transmettre avec la machine d'enregistrement (112) la première signature cryptographique au vérificateur (108) en association avec la première représentation consultable cryptée, et

effectuer avec le vérificateur (108) une consultation pour identifier au moins un mot clé de consultation dans la première représentation consultable cryptée uniquement en réponse au contrôle de la première signature cryptographique en utilisant la troisième clé cryptographique.


 
4. Procédé conforme à la revendication 1, comprenant en outre des étapes consistant à:

créer, avec un centre de création de clés KGC, la première clé cryptographique, la seconde clé cryptographique et une troisième clé cryptographique,

délivrer avec le KGC la première clé cryptographique, la seconde clé cryptographique, la troisième clé cryptographique et une quatrième clé cryptographique à la machine d'enregistrement (112) avant la création du premier message de journal crypté et de la première représentation consultable cryptée,

délivrer avec le KGC, uniquement la seconde clé cryptographique, la troisième clé cryptographique et la quatrième clé cryptographique au vérificateur (108) avant d'effectuer la consultation pour identifier le mot clé de consultation.


 
5. Procédé conforme à la revendication 1, comprenant en outre des étapes consistant à:

transmettre avec la machine d'enregistrement (112) le premier message de journal crypté au vérificateur (108),

délivrer avec le KGC la première clé cryptographique au vérificateur (108),

décrypter avec le vérificateur (108) le premier message de journal crypté en utilisant la première clé cryptographique, le procédé comprenant en outre des étapes consistant à:

créer avec la machine d'enregistrement (112) une signature cryptographique du premier message de journal crypté en utilisant la troisième clé cryptographique,

transmettre avec la machine d'enregistrement (112), la signature cryptographique au vérificateur (108) en association avec le premier message de journal crypté, et

créer avec le vérificateur (108) la seconde sortie contenant le premier contenu de texte en clair du premier message de journal crypté uniquement en réponse au contrôle de la signature cryptographique en utilisant la troisième clé cryptographique.


 
6. Procédé conforme à la revendication 1, comprenant en outre des étapes consistant à:

créer avec un centre de création de clés KGC, la première clé cryptographique, la seconde clé cryptographique et une troisième clé cryptographique,

délivrer avec le KGC la première clé cryptographique, la seconde clé cryptographique, la troisième clé cryptographique et une quatrième clé cryptographique à la machine d'enregistrement (112) avant la création du premier message de journal crypté et de la première représentation consultable cryptée,

délivrer avec le KGC, uniquement la seconde clé cryptographique, la troisième clé cryptographique et la quatrième clé cryptographique au vérificateur (108) avant d'effectuer la consultation pour identifier le mot clé de consultation, et/ou

transmettre avec la machine d'enregistrement (112) le premier message de journal crypté au KGC,

décrypter avec le KGC le premier message de journal crypté en utilisant la première clé cryptographique,

transmettre avec le KGC le premier contenu de texte en clair du premier message de journal au vérificateur (108), et

créer avec le vérificateur (108) une seconde sortie contenant le premier contenu de texte en clair du premier message de journal crypté.


 
7. Système de création de journal crypté et de vérification (100) comprenant:

une machine d'enregistrement (112) couplée de manière à pouvoir communiquer au vérificateur (108), la machine d'enregistrement (112) étant conformée pour permettre:

de créer (208) un premier message de journal contenant un premier contenu de texte en clair,

d'identifier (212) au moins un mot clé dans le premier message de journal,

de crypter (216) le premier message de journal en utilisant une première clé cryptographique pour obtenir un premier message de journal crypté,

de créer (220) une première représentation consultable cryptée du premier message de journal contenant le mot clé en utilisant une seconde clé cryptographique, la seconde clé cryptographique étant différente de la première clé cryptographique, et

de transmettre (236) la première représentation consultation cryptée au vérificateur (108), et

le vérificateur (108) étant conformé pour permettre :

d'effectuer (244) une consultation pour identifier au moins un mot clé de consultation dans la première représentation consultable cryptée, le vérificateur (108) utilisant la seconde clé cryptographique pour avoir accès à la première représentation consultable,

de créer (260) une première sortie indiquant la présence ou l'absence du mot clé de consultation dans le premier message de journal, la première sortie ne contenant pas le premier contenu de texte en clair du premier message de journal,

la machine d'enregistrement étant en outre conformée pour permettre:

d'appliquer une fonction unidirectionnelle à la première clé cryptographique pour créer une première clé cryptographique mise à jour, la première clé cryptographique mise à jour étant différente de la première clé cryptographique,

d'appliquer la fonction unidirectionnelle à la seconde clé cryptographique pour créer une seconde clé cryptographique mise à jour, la seconde clé cryptographique mise à jour étant différente de la seconde clé cryptographique,

de créer un second message de journal contenant un second contenu de texte en clair,

d'identifier au moins un mot clé dans le second message de journal,

de créer une seconde représentation consultable cryptée du second message de journal contenant le mot clé en utilisant la seconde clé cryptographique mise à jour,

de crypter le second message de journal en utilisant la première clé cryptographique mise à jour pour obtenir un second message de journal crypté, et

de transmettre la seconde représentation consultable cryptée au vérificateur (108), et

le vérificateur (108) étant en outre conformé pour permettre:

d'appliquer la fonction unidirectionnelle à la seconde clé cryptographique pour créer la seconde clé cryptographique mise à jour,

d'effectuer une autre consultation pour identifier le mot clé de consultation dans la seconde représentation consultable cryptée, le vérificateur (108) utilisant la seconde clé cryptographique mise à jour pour avoir accès à la seconde représentation consultable cryptée, et

de créer une seconde sortie indiquant la présence ou l'absence du mot clé de consultation dans le second message de journal, la seconde sortie ne contenant pas le second contenu de texte en clair du second message de journal.


 
8. Système conforme à la revendication 7, dans lequel la machine d'enregistrement est en outre conformée pour permettre:
de créer la première clé cryptographique mise à jour et la seconde clé cryptographique mise à jour en réponse à l'expiration d'une durée prédéfinie, le second message de journal étant créé après l'expiration de la durée prédéfinie.
 
9. Système conforme à la revendication 7, dans lequel la machine d'enregistrement est en outre conformée pour permettre:
de créer la première clé cryptographique mise à jour et la seconde clé cryptographique mise à jour en réponse à l'utilisation de la première clé cryptographique pour créer le premier message de journal crypté et à l'utilisation de la seconde clé cryptographique pour créer la première représentation consultable cryptée.
 
10. Système conforme à la revendication 7, dans lequel la machine d'enregistrement est en outre conformée pour permettre:

de supprimer la première clé cryptographique en réponse à la création de la première clé cryptographique mise à jour pour garantir la sécurité du premier message de journal crypté,

de supprimer la seconde clé cryptographique en réponse à la création de la seconde clé cryptographique mise à jour pour garantir la sécurité de la première représentation consultable cryptée.


 
11. Système conforme à la revendication 7, dans lequel la machine d'enregistrement est en outre conformée pour permettre:

de créer une première signature cryptographique correspondant à la première représentation consultable cryptée en utilisant une troisième clé cryptographique, et

de transmettre la première signature cryptographique au vérificateur (108) en association avec la première représentation consultable cryptée, et

le vérificateur (108) étant en outre conformé pour permettre:
d'effectuer une consultation pour identifier au moins un mot clé de consultation dans la première représentation consultable, cryptée uniquement en réponse au contrôle de la première signature cryptographique en utilisant la troisième clé cryptographique.


 
12. Système conforme à la revendication 7, comprenant en outre:
un centre de création de clés KGC couplé de façon à pouvoir communiquer avec la machine d'enregistrement et le vérificateur (108), le KGC étant conformé pour permettre:

de créer la première clé cryptographique, la seconde clé cryptographique et une troisième clé cryptographique,

de délivrer la première clé cryptographique, la seconde clé cryptographique et la troisième clé cryptographique à la machine d'enregistrement avant la création du premier message de journal crypté et de la première représentation consultable cryptée,

de délivrer uniquement la seconde clé cryptographique et la troisième clé cryptographique au vérificateur (108) avant d'effectuer la consultation pour identifier le mot clé de consultation.


 
13. Système conforme à la revendication 12, dans lequel la machine d'enregistrement est en outre conformée pour permettre:
de transmettre le premier message de journal crypté au vérificateur (108),
le KGC étant en outre conformé pour permettre:
de délivrer la première clé cryptographique au vérificateur (108), et
le vérificateur (108) étant en outre conformé pour permettre:
de décrypter le premier message de journal crypté en utilisant la première clé cryptographique, et
de créer une seconde sortie contenant le contenu de texte en clair du premier message de journal crypté et/ou la machine d'enregistrement étant en outre conformée pour permettre:

de créer une signature cryptographique du premier message de journal crypté en utilisant la troisième clé cryptographie, et

de transmettre la signature cryptographique au vérificateur (108) en association avec le premier message de journal crypté, et

le vérificateur (108) étant en outre conformé pour permettre:
de créer la seconde sortie contenant le premier contenu de texte en clair du premier message de journal crypté uniquement en réponse au contrôle de la signature cryptographique en utilisant la troisième clé cryptographique.
 
14. Système conforme à la revendication 12, dans lequel la machine d'enregistrement est en outre conformée pour permettre:
de transmettre le premier message de journal crypté au KGC,
le KGC étant en outre conformé pour permettre:

de décrypter le premier message de journal crypté en utilisant la première clé cryptographique, et

de transmettre le premier contenu de texte en clair du premier message de journal au vérificateur (108), et

le vérificateur (108) étant en outre conformé pour permettre:
de créer une seconde sortie contenant le premier contenu de texte en clair du premier message de journal crypté.
 




Drawing














Cited references

REFERENCES CITED IN THE DESCRIPTION



This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

Patent documents cited in the description




Non-patent literature cited in the description