Introduction
With the November 2024 infrastructure update, Authentic8 now supports standard encryption keys generated with the OpenSSL toolset. Standard encryption can be set as the default option for new and existing customers who want to encrypt their log data. This provides compatibility with commonly used cryptographic tools, so the feature fits into existing workflows without custom tooling.
Important: Existing configurations utilizing the SECCURE toolset will continue to be supported to prevent any service interruptions.
Technical Specifications
Our implementation utilizes the ECIS-P256-AES256GCM-SHA384:96 algorithm:
Elliptic Curve Cryptography (ECC) using the industry-standard P-256 curve for secure key exchange.
AES-256 in Galois/Counter Mode (GCM) for robust encryption and data integrity.
SHA-384 as the hash for key derivation (HKDF), turning the ECDH shared secret into the AES-256 key.
Our Log Extract API returns encrypted log data as a serialized JSON object. Within that object, the encrypted log data is the value of the "enc" key, as a base64-encoded string; the ciphertext must be base64-decoded before it is decrypted.
Sample output:
{
  "create_ts": 1407887060.423214,
  "enc": "Af2lb83WyDW+C/CRnOJJ0uWSknOadVSbo7qWCWKMmuBPQU3H1L62x2U+Pj0eKRPi+ImKbZEsCmi24fY08IwcKUg8bhpYv7Kon+p3U1wMPLaw8IMosPXr0Gcq2XHaNVax3nAV6hA1TpwCZa7mNbFHd3VRbgsrL9hS2f+eR2rFdoNTiXnQ2Oizy2Z2nw5rxhfWuqUmABN94yRdU0ynWgQi+ZD0v3kiJrE+nzty+DKNjXTE4es10hlFdS5VpWORn18t2rHhTsoBXKIOQN7Lqw==",
  "encryption_type": "Standard",
  "key_name": "SiloLogs",
  "seq_id": 11258234,
  "type": "ENC"
}
Extracting and Decrypting Logs
Important: Please contact Support to obtain our Python Log Extract toolset. The package can be used either as a turn-key solution or as reference source code for your own implementation.
Refer to the Log Extract API Reference for basic examples of extracting encrypted log data.
Customers may implement decryption in their preferred programming language, using our Python source code as a reference. The log decryption workflow consists of the following steps:
Extract Data: Parse the encrypted data into the initialization vector (IV), ephemeral public key, authentication tag, and encrypted payload.
Load Public Key: De-serialize the ephemeral public key included in the data.
Generate Shared Secret: Use your private key and the ephemeral public key to compute a shared secret using ECDH key exchange.
Derive Symmetric Key: Use a Key Derivation Function (KDF) like HKDF with SHA-384 to derive the decryption key from the shared secret.
Initialize Decryption Cipher: Configure an AES-256-GCM cipher with the derived key, IV, and authentication tag.
Decrypt: Decrypt the payload and verify its integrity.
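The six steps above as an added, runnable example (not Authentic8's Python Log Extract toolset), written against the cryptography library. The byte layout of the decoded enc value, the empty HKDF salt and the HKDF info string are assumptions, since this page does not specify them; take the real values from the toolset.

```python
"""Standard-key (ECIES-style) decryption of a Log Extract record, following the six steps above.
Assumed, not Authentic8's documented format: the decoded "enc" bytes are iv(12) || ephemeral P-256
public key (65 bytes, uncompressed) || GCM tag(16) || ciphertext, and HKDF-SHA384 uses no salt and
the info string below; take the real layout and KDF inputs from the Python Log Extract toolset.
"""
import base64
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

IV_LEN, PUB_LEN, TAG_LEN = 12, 65, 16


def new_recipient_key() -> ec.EllipticCurvePrivateKey:
    """The customer's long-term P-256 key (fresh here; in practice load yours from file)."""
    return ec.generate_private_key(ec.SECP256R1())


def derive_key(shared_secret: bytes) -> bytes:
    """Step 4: HKDF-SHA384 turns the raw ECDH secret into the 256-bit AES key (info string assumed)."""
    return HKDF(algorithm=hashes.SHA384(), length=32, salt=None, info=b"log-extract").derive(shared_secret)


def decrypt_record(record: dict, private_key: ec.EllipticCurvePrivateKey) -> bytes:
    """Steps 1-6 for one JSON object; raises InvalidTag if iv, tag or ciphertext were altered."""
    blob = base64.b64decode(record["enc"])
    if len(blob) < IV_LEN + PUB_LEN + TAG_LEN:
        raise ValueError("enc payload too short")
    iv, eph_raw = blob[:IV_LEN], blob[IV_LEN:IV_LEN + PUB_LEN]
    tag, ciphertext = blob[IV_LEN + PUB_LEN:][:TAG_LEN], blob[IV_LEN + PUB_LEN + TAG_LEN:]
    eph_pub = ec.EllipticCurvePublicKey.from_encoded_point(ec.SECP256R1(), eph_raw)  # step 2; rejects off-curve points
    shared_secret = private_key.exchange(ec.ECDH(), eph_pub)  # step 3
    aead = AESGCM(derive_key(shared_secret))  # steps 4-5
    return aead.decrypt(iv, ciphertext + tag, None)  # step 6: the tag is checked before any plaintext is released


def encrypt_record(plaintext: bytes, recipient_pub: ec.EllipticCurvePublicKey) -> dict:
    """Sender side, constructed only so the example round-trips offline."""
    eph = ec.generate_private_key(ec.SECP256R1())
    aead = AESGCM(derive_key(eph.exchange(ec.ECDH(), recipient_pub)))
    iv = os.urandom(IV_LEN)
    sealed = aead.encrypt(iv, plaintext, None)  # ciphertext || tag
    eph_raw = eph.public_key().public_bytes(Encoding.X962, PublicFormat.UncompressedPoint)
    blob = iv + eph_raw + sealed[-TAG_LEN:] + sealed[:-TAG_LEN]
    return {"enc": base64.b64encode(blob).decode(), "encryption_type": "Standard", "type": "ENC"}
```

To try it, call `priv = new_recipient_key()` and then `decrypt_record(encrypt_record(b'{"event": "sample"}', priv.public_key()), priv)`; decrypting with any other private key, or after any change to the enc value, fails with InvalidTag rather than returning garbage.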
For Splunk, the Authentic8 Technical Add-on provides a seamless integration and supports both standard and legacy encryption methods.
Decrypting Logs (Legacy)
Decrypting logs that are encrypted using legacy keys requires the open source SECCURE encryption toolset, licensed under the GNU Lesser General Public License v3 (LGPL).
SECCURE source packages and documentation are available at: http://point-at-infinity.org/seccure/
Also see installation instructions for the Python SECCURE library at: https://github.com/bwesterb/py-seccure
The Log Extract output is base64 encoded, so the enc ciphertext value needs to be decoded before decryption (the flags below are those of the macOS base64 utility; GNU coreutils base64 decodes with -d and reads standard input):
base64 -D -i <enc_ciphertext> -o <enc_ciphertext_decoded>
Decrypt the encrypted log data using your private key:
seccure-decrypt -c p256 -m 80 -i <enc_ciphertext_decoded> -o <output_file> -F <private_key.txt>
Please contact Support for any questions, or if you require additional information.