Introduction
As of the November 2024 release, Authentic8 supports standard encryption keys generated with the OpenSSL toolset as the default and sole option for organizations that want to encrypt their logs. This provides flexibility and compatibility with widely used cryptographic tools, so the feature fits into existing workflows.
Existing configurations that use the SECCURE toolset will continue to be supported, so current setups keep working without interruption.
Technical Specifications
Our implementation uses the ECIS-P256-AES256GCM-SHA384:96 algorithm:
Elliptic Curve Cryptography (ECC) using the industry-standard P-256 curve for secure key exchange.
AES-256 in Galois/Counter Mode (GCM) for robust encryption and data integrity.
SHA-384 for strong and reliable key derivation.
The Authentic8 API returns encrypted log data as a serialized JSON object. The encrypted log data itself is carried in a key-value pair whose key is "enc" and whose value is the encrypted, base64-encoded log data.
Sample output:
{
  "create_ts": 1407887060.423214,
  "enc": "Af2lb83WyDW+C/CRnOJJ0uWSknOadVSbo7qWCWKMmuBPQU3H1L62x2U+Pj0eKRPi+ImKbZEsCmi24fY08IwcKUg8bhpYv7Kon+p3U1wMPLaw8IMosPXr0Gcq2XHaNVax3nAV6hA1TpwCZa7mNbFHd3VRbgsrL9hS2f+eR2rFdoNTiXnQ2Oizy2Z2nw5rxhfWuqUmABN94yRdU0ynWgQi+ZD0v3kiJrE+nzty+DKNjXTE4es10hlFdS5VpWORn18t2rHhTsoBXKIOQN7Lqw==",
  "encryption_type": "Standard",
  "key_name": "SiloLogs",
  "seq_id": 11258234,
  "type": "ENC"
}
Steps To Decrypt Logs
Refer to the details in Authentic8 API Log Extraction Reference Scripts for extracting encrypted logs using the Authentic8 API.
We recommend using the Authentic8 Log Extraction Package, which is provided as a reference and demonstrates extracting logs, handling encryption keys, and decrypting the log data.
Customers can use their preferred programming language and tools, following the logic in the provided reference Python code. The decryption involves the following steps:
Extract Data: Parse the encrypted data into the initialization vector (IV), ephemeral public key, authentication tag, and encrypted payload.
Load Public Key: Deserialize the ephemeral public key included in the data.
Generate Shared Secret: Use your private key and the ephemeral public key to compute a shared secret using ECDH key exchange.
Derive Symmetric Key: Use a Key Derivation Function (KDF) like HKDF with SHA-384 to derive the decryption key from the shared secret.
Initialize Decryption Cipher: Configure an AES-256-GCM cipher with the derived key, IV, and authentication tag.
Decrypt: Decrypt the payload and verify its integrity.
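The six steps above carried out end to end with the Python cryptography package, as an added example rather than the Authentic8 reference code: the field order and lengths in the "enc" blob, and the HKDF salt and info, are assumptions because this page does not specify them, so they must be aligned with the reference package before use on real output.

```python
import base64, os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

# ASSUMED wire layout (this page gives no offsets or lengths): IV (12 bytes) ||
# ephemeral P-256 public key (65 bytes, uncompressed SEC1) || GCM tag (16 bytes)
# || ciphertext. The HKDF salt (none) and info (empty) are assumptions as well.
IV_LEN, PUB_LEN, TAG_LEN = 12, 65, 16
CURVE = ec.SECP256R1()
def derive_key(shared_secret: bytes) -> bytes:  # step 4: HKDF-SHA384 -> 256-bit AES key
    return HKDF(algorithm=hashes.SHA384(), length=32, salt=None, info=b"").derive(shared_secret)

def decrypt_log(private_key: ec.EllipticCurvePrivateKey, enc_b64: str) -> bytes:
    blob = base64.b64decode(enc_b64)
    if len(blob) < IV_LEN + PUB_LEN + TAG_LEN:
        raise ValueError("enc payload too short to hold IV, ephemeral key and tag")
    iv, rest = blob[:IV_LEN], blob[IV_LEN:]  # step 1: split at the assumed offsets
    eph_pub_bytes, tag, ciphertext = rest[:PUB_LEN], rest[PUB_LEN:PUB_LEN + TAG_LEN], rest[PUB_LEN + TAG_LEN:]
    # step 2: load the ephemeral key; this rejects encodings that are not a point on the curve
    eph_pub = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, eph_pub_bytes)
    # steps 3-4: ECDH with the recipient's private key, then the KDF
    key = derive_key(private_key.exchange(ec.ECDH(), eph_pub))
    # steps 5-6: AESGCM takes ciphertext||tag and raises InvalidTag if either was altered
    return AESGCM(key).decrypt(iv, ciphertext + tag, None)

def encrypt_log(public_key: ec.EllipticCurvePublicKey, plaintext: bytes) -> str:
    # sender side, present only so the example can check itself end to end
    eph_priv = ec.generate_private_key(CURVE)
    eph_pub_bytes = eph_priv.public_key().public_bytes(
        serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint)
    key = derive_key(eph_priv.exchange(ec.ECDH(), public_key))
    iv = os.urandom(IV_LEN)
    ct_tag = AESGCM(key).encrypt(iv, plaintext, None)  # returns ciphertext || tag
    return base64.b64encode(iv + eph_pub_bytes + ct_tag[-TAG_LEN:] + ct_tag[:-TAG_LEN]).decode()

def roundtrip(plaintext: bytes) -> bytes:
    priv = ec.generate_private_key(CURVE)
    return decrypt_log(priv, encrypt_log(priv.public_key(), plaintext))

def tamper_is_detected(plaintext: bytes) -> bool:
    # flip one ciphertext bit; the GCM tag check (step 6) must reject the result
    priv = ec.generate_private_key(CURVE)
    blob = bytearray(base64.b64decode(encrypt_log(priv.public_key(), plaintext)))
    blob[-1] ^= 0x01
    try:
        decrypt_log(priv, base64.b64encode(bytes(blob)).decode())
    except InvalidTag:
        return True
    return False
```

In production the private key is loaded from the customer's PEM file with serialization.load_pem_private_key rather than generated in place.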
For Splunk, the Authentic8 add-on provides seamless integration and supports both the standard and legacy encryption methods.
Decrypt Logs (SECCURE)
Decrypting logs that were encrypted with legacy keys requires the open source SECCURE ECC public key encryption toolset, which is released under the GNU Lesser General Public License v3 (LGPL).
Source packages and documentation can be found at: http://point-at-infinity.org/seccure/
See the installation instructions for the Python SECCURE library at: https://github.com/bwesterb/py-seccure
The output is base64 encoded, so the "enc" value needs to be decoded before decryption (the -D, -i and -o flags below are those of the macOS base64 command; GNU coreutils base64 uses -d and reads from standard input):
base64 -D -i <inputfile> -o <outputfile>
Decrypt the encrypted log data using your private key:
seccure-decrypt -c p256 -m 80 -i <inputfile> -o <outputfile> -F <private_key.txt>
Please contact Support if you have any additional questions.