3.1.4 Security Model for Audit-Related Methods

The management domain's RSA keys (2048-bit) are used to encrypt and to sign communications between the client and the management server. For each account and management domain pair on the client, the client generates a secret (symmetric) key (MARC4, 192-bit) when it first communicates with the management server, and sends that key to the management server encrypted with the encryption public key from the domain's certificate. All subsequent client-to-management-server communications are encrypted with this secret key. The management server signs every response it sends to a client with the signature private key from the domain's private key file, and the client verifies the signature with the corresponding signature public key from the domain's certificate. Two properties follow from this design: only a holder of the domain's encryption private key can recover a client's secret key, and a client accepts only responses signed under the domain certificate it holds.

The management domain's encryption key pair (RSA, 2048-bit) protects all audit log data, but not by encrypting the log directly. For performance reasons, each log session is encrypted with its own secret (symmetric) key (Advanced Encryption Standard (AES), 192-bit) in CTR mode, and that session key is in turn encrypted with the encryption public key from the management domain's certificate. The management server uses the management domain's encryption private key to decrypt each log session's secret key and then uses that key to decrypt the session's entries. CTR mode provides confidentiality only and requires that a counter value never be reused under the same key; integrity of the log comes from the MAC described below. The same encryption public key from the management domain's certificate is also used to encrypt tokens for encrypted binary files and the Audit Service secret key (see below).

The Audit Service secret key (AES, 192-bit) is used to lock a client on to a management server. When the Audit Service first runs on a device it generates this secret (symmetric) key and stores it in a file that only administrators can access. With every log upload the service transmits this key, encrypted with the encryption public key from the management domain's certificate, together with the device URL. At log decryption time the management server checks whether it already has an Audit Service secret key associated with that device URL. If it does and the key matches the one in the upload, decryption proceeds; if it does and the key differs, an error is generated; if it does not, the management server records the (device URL, key) pair, which is the lock-on. The Audit Service secret key is also used to MAC the log so that a rogue device cannot upload logs that purport to come from a different device.

To encrypt the audit log, when a new client session begins, the Audit Service generates a new symmetric encryption key (AES, 192-bit) for the session. It then encrypts that session key with the encryption public key from the management domain's certificate and writes the encrypted key to the log in a "begin session" entry. The Audit Service keeps the unencrypted session key only in memory and uses it to encrypt the subsequent log entries; the plaintext key is never written to the log, so the session can be decrypted only by a holder of the management domain's encryption private key.
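The key handling described above (the client's secret key and each session key travelling under the management domain's encryption public key, server responses signed under the domain's signature key, and a log session whose entries are encrypted with AES-192 in CTR mode) as an added Go example. This is illustrative code written for this page, not the product's own implementation. It assumes RSA-OAEP with SHA-256 for the key wrap and RSA-PSS with SHA-256 for the response signature (the page specifies only 2048-bit RSA), generates the domain's two key pairs in memory in place of the certificate and private key file, and uses a fresh random nonce per entry for CTR mode; the MARC4 channel cipher itself is not reproduced, only how its key is delivered. Domain, WrapKey, SignResponse, Session and DecryptLog are the example's own names.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Domain stands in for the domain certificate and private key file: a separate RSA-2048 pair for encryption and for signing.
type Domain struct{ Enc, Sign *rsa.PrivateKey }

func NewDomain() *Domain {
	enc, _ := rsa.GenerateKey(rand.Reader, 2048)
	sig, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &Domain{enc, sig}
}

// WrapKey encrypts a symmetric key to the domain's encryption public key; the
// client's MARC4 channel key and each session's AES key travel this way.
// RSA-OAEP with SHA-256 is an assumption; the page says only "RSA, 2048-bit".
func WrapKey(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

// SignResponse is the server signing a response with the domain's signature
// key; VerifyResponse is the client checking it. RSA-PSS/SHA-256 is assumed.
func SignResponse(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

func VerifyResponse(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// Entry: a begin-session entry holds only the wrapped session key; a data entry holds its CTR nonce and ciphertext.
type Entry struct{ WrappedKey, IV, Data []byte }

type Session struct {
	key []byte // plaintext AES-192 session key: memory only, never logged
	Log []Entry
}

// BeginSession generates the 192-bit session key, writes it to the log wrapped
// under the domain's encryption key, and keeps the plaintext only in memory.
func BeginSession(pub *rsa.PublicKey) (*Session, error) {
	key := make([]byte, 24)
	rand.Read(key) // crypto/rand.Read never returns an error (documented from Go 1.24)
	wrapped, err := WrapKey(pub, key)
	if err != nil {
		return nil, err
	}
	return &Session{key: key, Log: []Entry{{WrappedKey: wrapped}}}, nil
}

// Write encrypts one entry with AES-192-CTR under a fresh nonce; reusing a nonce under one key leaks plaintext XORs.
func (s *Session) Write(plain []byte) {
	block, _ := aes.NewCipher(s.key) // key is always 24 bytes, so this cannot fail
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv)
	ct := make([]byte, len(plain))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plain)
	s.Log = append(s.Log, Entry{IV: iv, Data: ct})
}

// DecryptLog is the management server side: recover each session key with the
// domain's encryption private key, then decrypt the entries that follow it.
func DecryptLog(priv *rsa.PrivateKey, entries []Entry) ([][]byte, error) {
	var block cipher.Block
	var out [][]byte
	for _, e := range entries {
		if e.WrappedKey != nil {
			key, err := UnwrapKey(priv, e.WrappedKey)
			if err != nil {
				return nil, err
			}
			if block, err = aes.NewCipher(key); err != nil {
				return nil, err
			}
			continue
		}
		if block == nil {
			return nil, errors.New("data entry before any begin-session entry")
		}
		pt := make([]byte, len(e.Data))
		cipher.NewCTR(block, e.IV).XORKeyStream(pt, e.Data)
		out = append(out, pt)
	}
	return out, nil
}
```

DecryptLog rejects a data entry that is not preceded by a begin-session entry and fails under any private key other than the domain's encryption key, which is the property the design relies on: the plaintext session key exists only in the Audit Service's memory and, after unwrapping, on the management server. The same separation of encryption and signature keys is why the test below checks that the signature key cannot unwrap a client key and the encryption key cannot verify a response.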

Before every upload, the range of log entries to be uploaded is MACed with the Audit Service secret key. MACing the log lets the management server verify that separate uploads originate from the same device (and, as with any MAC, that the entries were not altered after the MAC was computed). The Audit Service secret key itself reaches the management server in the lock-on message that accompanies each upload, encrypted with the encryption public key from the management domain's certificate, as described above.
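The lock-on rule and the upload MAC from the two paragraphs above, as an added Go example (illustrative code written for this page, not the product's own). It assumes HMAC-SHA256 as the MAC, RSA-OAEP with SHA-256 for wrapping the Audit Service secret key, and an in-memory map as the server's table of (device URL, key) pairs; the log entries are treated as opaque, already-encrypted byte strings, the device URL and entries in main are constructed, and Upload, Server.Accept, BuildUpload and macRange are the example's own names.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Upload is one log upload: a range of already-encrypted entries, the MAC over
// that range, and the lock-on message (device URL plus the Audit Service
// secret key encrypted to the management domain's encryption public key).
type Upload struct {
	DeviceURL          string
	WrappedSvcKey, MAC []byte
	Entries            [][]byte
}

// NewDomainKey stands in for the domain certificate and private key file.
func NewDomainKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

// NewServiceKey is what the Audit Service does on first run: a 192-bit secret
// that it then stores in an administrator-only file (storage not shown here).
func NewServiceKey() []byte {
	k := make([]byte, 24)
	rand.Read(k) // crypto/rand.Read never returns an error (documented from Go 1.24)
	return k
}

// macRange is HMAC-SHA256 (an assumption; the page says only "MAC") keyed with
// the Audit Service secret key, over the device URL and the length-prefixed
// entries, so entries can be neither altered nor re-split without detection.
func macRange(svcKey []byte, deviceURL string, entries [][]byte) []byte {
	m := hmac.New(sha256.New, svcKey)
	m.Write([]byte(deviceURL))
	for _, e := range entries {
		binary.Write(m, binary.BigEndian, uint32(len(e)))
		m.Write(e)
	}
	return m.Sum(nil)
}

// BuildUpload is the client side before every upload. RSA-OAEP/SHA-256 for
// the key wrap is an assumption; the page says only "RSA, 2048-bit".
func BuildUpload(domainPub *rsa.PublicKey, deviceURL string, svcKey []byte, entries [][]byte) (*Upload, error) {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, domainPub, svcKey, nil)
	if err != nil {
		return nil, err
	}
	return &Upload{deviceURL, wrapped, macRange(svcKey, deviceURL, entries), entries}, nil
}

// Server holds the domain's encryption private key and the lock-on table.
type Server struct {
	Priv   *rsa.PrivateKey
	LockOn map[string][]byte // device URL -> Audit Service secret key
}

// Accept is the server's check at log decryption time: unwrap the service key,
// apply the lock-on rule (unknown URL: record the pair; known URL with another
// key: error), then verify the MAC before any log entry is decrypted.
func (s *Server) Accept(u *Upload) error {
	svcKey, err := rsa.DecryptOAEP(sha256.New(), nil, s.Priv, u.WrappedSvcKey, nil)
	if err != nil {
		return err
	}
	if known, ok := s.LockOn[u.DeviceURL]; !ok {
		s.LockOn[u.DeviceURL] = svcKey // first contact: lock the device on
	} else if !hmac.Equal(known, svcKey) {
		return errors.New("lock-on mismatch: a different Audit Service key claims " + u.DeviceURL)
	}
	if !hmac.Equal(u.MAC, macRange(svcKey, u.DeviceURL, u.Entries)) {
		return errors.New("MAC verification failed: upload was not produced by the locked-on device")
	}
	return nil
}

func main() {
	priv := NewDomainKey()
	srv := &Server{Priv: priv, LockOn: map[string][]byte{}}
	url := "https://device-a.example/audit" // constructed device URL
	keyA := NewServiceKey()
	entries := [][]byte{[]byte("ciphertext entry 1"), []byte("ciphertext entry 2")} // constructed
	u, _ := BuildUpload(&priv.PublicKey, url, keyA, entries)
	fmt.Println("genuine device:", srv.Accept(u))
	rogue, _ := BuildUpload(&priv.PublicKey, url, NewServiceKey(), entries)
	fmt.Println("rogue device, same URL:", srv.Accept(rogue))
}
```

The order inside Accept matters: the service key is unwrapped first, the lock-on table is consulted before the MAC is checked, and the MAC is verified before any entry is decrypted. A rogue device that copies a genuine device's wrapped key from the wire therefore passes the lock-on check but still fails the MAC, because it does not hold the key; a rogue device that presents its own key under a locked-on URL fails earlier, at the lock-on check.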