Local log with deletion protection. How to do?

M

MishaBrazhnikov2020-04-21 13:40:39

Burglary protection

MishaBrazhnikov, 2020-04-21 13:40:39

Hello!

There is a software and hardware complex based on a regular PC under windows/linux, which is supplied to the client. A log with protection from changes should be written on it. The question arose - how to do it?
I don't see any point in writing on the main screw - the user can delete it.
So far, there is only one thought - a sealed box with an HDD and a single-board PC. Of course, it will be possible to connect to the interface and add logs, but it will not be possible to delete existing ones.

Can you suggest a good solution to this problem?
Thank you!

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

A

Alex, 2021-12-05
@asilonos

You can use a hardware key like FIDO U2F or a PC with a built-in TPM + add a digital signature and something like a blockchain to the log data structure, so that you can check the integrity and consistency of all signatures. To crack this, you will need to reverse and write a complex code.
To create the first block in such a log, it will be necessary for the PC operator to create a PIN code or press the U2F button of the key with a finger to generate the first signature (which cannot be faked purely programmatically).
Or You can simplify all of the above - you can write a log to an external source, but for each block of records, write down the previous hash (which is stored on the PC) and also the new hash. As a result, the data cannot be changed. since the previous hash will always be stored on the PC itself, which must match the one on the log storage.