With the November 2024 infrastructure update, Authentic8 now supports the use of standard encryption keys generated using the OpenSSL toolset — the standard encryption can be set as the default option for new and existing customers looking to encrypt their log data. This feature provides flexibility and compatibility with commonly used cryptographic tools, ensuring seamless integration into existing workflows.
Important: Existing configurations that use the SECCURE toolset will continue to be supported to prevent any service interruptions.
Technical Specifications
Our implementation utilizes the ECIS-P256-AES256GCM-SHA384:96 algorithm:
Elliptic Curve Cryptography (ECC) using the industry-standard P-256 curve for secure key exchange
AES-256 in Galois/Counter Mode (GCM) for robust encryption and data integrity
SHA-384 for strong and reliable key derivation
Our Log Extract API returns encrypted log data as a serialized JSON object. Within that object, the encrypted log data is carried as a key-value pair with “enc” as the key and the base64-encoded encrypted log data as the value.
Sample output:
{
"create_ts": 1407887060.423214,
"enc": "Af2lb83WyDW+C/CRnOJJ0uWSknOadVSbo7qWCWKMmuBPQU3H1L62x2U+Pj0eKRPi+ImKbZEsCmi24fY08IwcKUg8bhpYv7Kon+p3U1wMPLaw8IMosPXr0Gcq2XHaNVax3nAV6hA1TpwCZa7mNbFHd3VRbgsrL9hS2f+eR2rFdoNTiXnQ2Oizy2Z2nw5rxhfWuqUmABN94yRdU0ynWgQi+ZD0v3kiJrE+nzty+DKNjXTE4es10hlFdS5VpWORn18t2rHhTsoBXKIOQN7Lqw==",
"encryption_type": "Standard",
"key_name": "SiloLogs",
"seq_id": 11258234,
"type": "ENC"
}
Extracting and Decrypting Logs
Important: Please contact Support to obtain our Python Log Extract toolset. The Python Log Extract package can be used either as a turn-key solution or as source-code reference for your own custom solution.
Kindly refer to the Log Extract API Reference for basic examples of extracting encrypted log data.
Customers can use their preferred programming tools, with our Python source code as a reference. The log decryption workflow consists of the following steps:
Extract Data: Parse the encrypted data into the initialization vector (IV), ephemeral public key, authentication tag, and encrypted payload
Load Public Key: De-serialize the ephemeral public key included in the data
Generate Shared Secret: Use your private key and the ephemeral public key to compute a shared secret using ECDH key exchange
Derive Symmetric Key: Use a Key Derivation Function (KDF) like HKDF with SHA-384 to derive the decryption key from the shared secret
Initialize Decryption Cipher: Configure an AES-256-GCM cipher with the derived key, IV, and authentication tag
Decrypt: Decrypt the payload and verify its integrity
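The six steps above, written out as an added Go example that is not part of the Authentic8 Python toolset. It assumes a record layout (ephemeral public key, then IV, then ciphertext with the GCM tag appended), uncompressed point encoding and HKDF parameters (zero salt, empty info) that the page does not specify; take the real values from the Python reference obtained from Support.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/sha512"
	"errors"
)

// Assumed record layout (not from the page): ephemeral P-256 public key, uncompressed
// SEC1 (65 bytes) || 12-byte IV || ciphertext || 16-byte GCM authentication tag.
const ephLen, ivLen, tagLen = 65, 12, 16

// aeadFor runs ECDH between priv and pub, derives the AES-256 key with HKDF-SHA384
// (RFC 5869; zero salt, empty info, one expand block) and returns AES-256-GCM for it.
func aeadFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub) // 32-byte x-coordinate of the shared point
	if err != nil {
		return nil, err
	}
	extract := hmac.New(sha512.New384, make([]byte, sha512.Size384)) // PRK = HMAC(salt, IKM)
	extract.Write(shared)
	expand := hmac.New(sha512.New384, extract.Sum(nil))
	expand.Write([]byte{0x01}) // T(1) = HMAC(PRK, info || 0x01); first 32 bytes are the key
	block, err := aes.NewCipher(expand.Sum(nil)[:32])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// decryptRecord follows the six steps: parse, load the ephemeral key, ECDH, HKDF,
// configure AES-256-GCM, then decrypt and verify the tag in one call.
func decryptRecord(priv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < ephLen+ivLen+tagLen {
		return nil, errors.New("record too short")
	}
	ephPub, err := ecdh.P256().NewPublicKey(blob[:ephLen]) // rejects off-curve points
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(priv, ephPub)
	if err != nil {
		return nil, err
	}
	// Open returns an error and no plaintext if the tag does not verify (tampering or wrong key).
	return aead.Open(nil, blob[ephLen:ephLen+ivLen], blob[ephLen+ivLen:], nil)
}
```

The same aeadFor helper serves the sending side: run ECDH from the ephemeral private key to the recipient's public key and call Seal with a fresh 12-byte IV.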
For Splunk, the Authentic8 Technical Add-on provides a seamless integration and supports both standard and legacy encryption methods.
Decrypting Logs (Legacy)
Decrypting logs that are encrypted using legacy keys requires the open source SECCURE encryption toolset, released under the GNU Lesser General Public License v3 (LGPL).
SECCURE source packages and documentation are available at: http://point-at-infinity.org/seccure/
Also see installation instructions for the Python SECCURE library at: https://github.com/bwesterb/py-seccure
The Log Extract output is base64 encoded, so the enc ciphertext value needs to be decoded before decryption (the -D, -i and -o flags below are the macOS base64 syntax; on GNU coreutils use base64 -d <enc_ciphertext> > <enc_ciphertext_decoded>):
base64 -D -i <enc_ciphertext> -o <enc_ciphertext_decoded>
Decrypt the encrypted log data using your private key:
seccure-decrypt -c p256 -m 80 -i <enc_ciphertext_decoded> -o <output_file> -F <private_key.txt>
Please contact Support for any additional questions.