0

Is there any computer/server which would allow me to get "guaranteed read access history" for files?

For example, suppose I made a file with my plaintext passwords and simply wanted to make sure that those bits have not been read by anyone. In principle, a hard disk controller could log every read operation and have the ability to create a "DSA-signed timestamped history report" for any bit. But, to be strict, I also want the hard disk hardware to be configured in such a way that no software or firmware change could fool me. I realize that a harware change could always fool me, and therefore my "guaranteed" definition stops as close to that limit as possible.

I think the above approach results in a TPM with an added "un-resetable logging" feature, but am guessing such a TPM does not exist. If there's an alternative method available now, please let me know...maybe I'm over-engineering this. I basically want to know with high certainty that no one has looked at my passwords, but still have the option to look in case I forget one.

bobuhito
  • 230
  • 1
  • 8
  • As an analogy, I want a safe with no key (the door freely opens), but it clearly displays the time that it was last opened. – bobuhito Dec 02 '15 at 06:27
  • 2
    Detect access to a particular file without using software in any way? Are you going to make a filesystem parser out of logic gates? – user253751 Dec 02 '15 at 10:40

5 Answers5

2

You mean something like a wax seal on an envelope? Not to protect its contents, but to make it plain if the seal was ever broken?

There is special purpose technology that does exactly that, but requires specialized hardware. Essentially there is a cryptographic key kept in a chip that erases itself when it is used, or if the hardware loses power or the assembly is tampered with. The memory and control logic for the whole thing has to be wrapped up inside special containment.

I have never heard of any sort of application of this technology to the problem of password storage. Passwords don't need to be in a tamper-evident container, they need to be kept confidential, which is an entirely different problem.

John Wu
  • 9,101
  • 1
  • 28
  • 39
  • Your envelope analogy is ok. Your "specialized hardware" works but I don't really want the self-destruction. The semantics of "password" is causing some confusion, so maybe you should consider this to instead be a "group access code" to be looked at only in case of emergency. – bobuhito Dec 02 '15 at 09:23
0

I basically want to know with high certainty that no one has looked at my passwords, but still have the option to look in case I forget one.

In that case you should simply use an application like KeePass.

OzNetNerd
  • 111
  • 2
  • KeePass needs a master key, so my question then becomes: Where can I save my master key (in case I forget it) and make sure no one reads it? – bobuhito Dec 02 '15 at 05:56
  • You could use a Key File instead of or in conjunction with a password - http://keepass.info/help/base/keys.html - then keep multiple copies of your key file e.g on a USB drive, on your PC and perhaps in a couple of cloud locations (dropbox, OneDrive, e-mail, etc). If you use the two together you could store the password in some locations and the key file in other locations. If you're going to ask me what to do if you forget these locations though, unfortunately I don't have an answer :) – OzNetNerd Dec 02 '15 at 05:59
  • Maybe I should have replaced "in case I forget one" with "in case I die and someone needs to read my file". With your options, when I'm alive, I won't know if my file (or even the key file) has been read. – bobuhito Dec 02 '15 at 06:23
0

Is there any computer/server which would allow me to get "guaranteed read access history" for files?

There is no specific use case in this requirement, so I will concentrate in my answer on the more specific requirement you have given:

I basically want to know with high certainty that no one has looked at my passwords, but still have the option to look in case I forget one.

Software based security has its limits and it might be better to use physical security in this case. Thus Write the password down, put it into a safe and remove it from the computer. If you don't trust the computer OS, BIOS, firmware... destroy the computer. If it was networked maybe you need to destroy all the other computers too. There is no absolute security but if you distrust your computer that much then using the computer to even entering the password is a bad idea.

Maybe having a password is a bad idea in your (not fully known) use case anyway. You might want to have a closer look at smartcards or similar devices for authentication where no password is exchanged but only the proof that you are in possession (physical!) of the smartcard. The secret contained in the smartcard can not be read and that smartcard can also not be cloned (or only by very advanced attackers).

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • I'd say a smartcard is effectively a TPM, so a smartcard with the added "un-resetable logging" feature would work. So, do any smartcards have an untamperable way to find out when they were last used? – bobuhito Dec 02 '15 at 09:37
  • @bobuhito: No. A smart card is a piece of physical security which you should protect in a way that nobody else could use it (put it in a safe...). I think you need to make your actual use case more clear, i.e. what you want to protect and not how you want to protect something. It might be simpler to know when a authentication was last successful instead of when somebody has read your password. And as long as nobody uses the password - why care if it was read? – Steffen Ullrich Dec 02 '15 at 10:54
0

I take it something like this would be what you want:

  • Use inotifywait. inotifywait -e /path/to will print a line /path/to/ ACCESS file when someone reads file. This interface won't tell you who accessed the file; you can call lsof /path/to/file as soon as this line appears, but there's a race condition (the access may be over by the time lsof gets going).

  • LoggedFS is a stackable filesystem that provides a view of a filesystem tree, and can perform fancier logging of all accesses
    through that view. To configure it, see LoggedFS configuration file
    syntax.

  • You can use Linux's audit subsystem to log a large number of things, including filesystem accesses. Make sure the auditd daemon is started, then configure what you want to log with auditctl. Each logged operation is recorded in /var/log/audit/audit.log (on typical
    distributions). To start watching a particular file:

    auditctl -w /path/to/file

    If you put a watch on a directory, the files in it and its subdirectories recursively are also watched.

https://unix.stackexchange.com/questions/12247/linux-file-access-monitoring

But that it fails your requirement that it be a relatively-hack-proof hardware module instead of software systems. Would your requirements be more-or-less met if it logged to a hardware device like a printer or a cd? Theoretically, if you logged to a write-only device they'd have to have physical access to destroy or tamper with the log.

Community
  • 1
J Kimball
  • 2,137
  • 1
  • 13
  • 19
  • Yes, as you realize, this approach is too hackable. Writing to a printout/CD somehow needs to be guaranteed, but already a hacker could just replace the printout/CD with an old copy. – bobuhito Dec 03 '15 at 01:45
  • I think this is about as good as you are going to get with OTS hardware and OS. How much money do you have? You could try to dig up some old TCSEC "A" rated systems, but good luck. – J Kimball Dec 03 '15 at 15:19
0

From your hint that you're trying to secure "group access code", may I ignore your question altogether and suggest something else?

Check if secret splitting would fit to your scenario. A secret splitting algorithm like Shamir's Secret Sharing would split a secret into N parts and requires at least M parts to recover the original secret.

Secret splitting can be used to secure backup passwords code such that even if a single person lost their access key, the secret will still be recoverable but no single party can unlock the secret unilaterally.

If you really need an audit logging, then you need to use a tamper resistant cryptoprocessor/smartcard. A tamper resistant smartcard is really just a really small, low power embedded computer in a tamper resistant packaging. The card can be designed so that any tampering would either destroy the data or to just be evident. The smartcard can be programmed so that, through its public interface, you can use the secret and the card will log the last N uses, and you can also view the audit logs. Some payment cards and transport cards does this for example. Note that as a smartcard is a computer, you do not necessarily need to ever transfer the secret out of the card to use the secret. You can just do all the cryptographic operations you need in the card itself to authorize the operations you need to do. This way, you can prevent the secret from ever getting out.

Or just keep it simple, put the secret in a USB drive and seal it in a tamper evident envelope/box with a hot wax and a signet ring, like the Romans.

Lie Ryan
  • 31,089
  • 6
  • 68
  • 93
  • I was aware of secret splitting, but am avoiding it (there are some cases where I don't know the group in advance; I know everyone wants more details of my use case, but that honestly distracts from this simpler interesting problem). Also, if logging is done via a "public interface", this solution seems software-hackable (e.g., by a virus on the computer with the smartcard port). By the way, sealing the USB drive in a tamper-evident box is the best solution so far, but I would prefer to be able to add more data to that box over time. – bobuhito Dec 03 '15 at 04:51
  • @bobuhito: a virus on the computer won't be able to run on the smartcard, so it won't be able to modify the logs. Anything outside the smartcard can only indirectly modify the log by successfully entering the decrypt/unlock code. If you want to add more data, that's simple. Keep in the USB/smartcard, a private key from a PKI key pair, and the public key you keep outside. If you want to add more data to your stash, you encrypt the data using the public key. The encrypted stream would not be decryptable without breaking the tamper seal. – Lie Ryan Dec 03 '15 at 10:43
  • @bobuhito: note that the smartcard should log successful access and failed access attempts separately, to prevent a failed access attempts from overwriting the log for a successful access. The advantage of using a smartcard/crypto processor over simple USB/dumb cards like SD Card, is that if you are generating a PKI key, the key pair can be generated by the card themselves, so the private key has never been anywhere but the card. – Lie Ryan Dec 03 '15 at 11:01
  • Oh, I didn't realize some smartcards keep a secure log on the card (I know it's possible in principle, and that actually caused me to ask my original question). That's perfect! If you have a specific smartcard model number example, please let me know. It would be great to even see screenshots of the computer interface to read the log and an explanation of the security here...but that's probably too much to ask for. – bobuhito Dec 04 '15 at 01:23
  • On second thought, I was mistakenly thinking the log was a log for data reads (for some data stored on the smartcard), but now see that the log is a log for logins. So, ignore my last comment - This solution does not work for my original question. – bobuhito Dec 05 '15 at 11:07
  • @bobuhito: smartcard is essentially a nano computer, you can program it to do anything you want. Many models will run JavaCard program, essentially a stripped down Java. For keeping audit logs, you need a smartcard with writable storage, which is common feature in smartcard; if you want to generate cryptographic keys in the smart card, many smartcard also supports hardware RNG and cryptographic libraries. If you want it to log secrets being read, then the card can be programmed to do so, although IMO keeping secrets in the card itself is more secure than allowing the secret to be exported. – Lie Ryan Dec 05 '15 at 11:42
  • OK, I didn't know smartcards were so programmable. I'll mark yours as the answer though I still need to play with a few smartcards to make sure they truly meet my "guaranteed read access logging" requirement. For example, I will need a smartcard that cannot be reset to its original manufactured state by a stranger (but still can be read by the stranger, resulting in a guaranteed log change). – bobuhito Dec 06 '15 at 11:49
  • @bobuhito: There are a wide variety of smartcard, from simple dumb memory card (the cheapest type of card) to card with full microprocessor and card operating system that can run multiple applications that doesn't necessarily trust each other. Make sure you shop for the right type of card that fits your particular application. – Lie Ryan Dec 06 '15 at 13:06