Skip to content
/ securelog Public

Forward-secure Go library for tamper-evident audit logs, implementing Ma–Tsudik’s dual-MAC private-verifiable scheme.

License

MIT license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

karasz/securelog

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
doc
doc
 
 
proto
proto
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
SECURITY.md
SECURITY.md
 
 
cspell.json
cspell.json
 
 
example_dual_mac.go
example_dual_mac.go
 
 
example_folder_deploy.go
example_folder_deploy.go
 
 
example_protobuf.go
example_protobuf.go
 
 
example_storage.go
example_storage.go
 
 
file_store.go
file_store.go
 
 
filestore_test.go
filestore_test.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
logger.go
logger.go
 
 
logger_test.go
logger_test.go
 
 
proto_convert.go
proto_convert.go
 
 
proto_convert_test.go
proto_convert_test.go
 
 
proto_transport.go
proto_transport.go
 
 
proto_transport_test.go
proto_transport_test.go
 
 
protocol.go
protocol.go
 
 
protocol_test.go
protocol_test.go
 
 
revive.toml
revive.toml
 
 
securelog_test.go
securelog_test.go
 
 
server.go
server.go
 
 
server_proto_test.go
server_proto_test.go
 
 
server_test.go
server_test.go
 
 
sqlite_store.go
sqlite_store.go
 
 
sqlite_test.go
sqlite_test.go
 
 
transport.go
transport.go
 
 
transport_test.go
transport_test.go
 
 
verifier.go
verifier.go
 
 
verifier_test.go
verifier_test.go
 
 
verify.go
verify.go
 
 
verify_test.go
verify_test.go
 
 

Repository files navigation

securelog — Dual MAC Private-Verifiable Secure Logger (Go)

Go Reference Go Report Card License: MIT

SecureLog is a production-focused implementation of the Dual MAC private-verifiable logging protocol. It keeps audit trails append-only, forward-secure, and verifiable by both semi-trusted auditors and a trusted authority. For the full academic background, see doc/ACADEMICS.md.

Highlights

  • Dual MAC chains (μ_V, μ_T) to catch tampering by compromised verifiers.
  • Forward-secure key evolution with per-entry key rotation.
  • Pluggable transports (folder, HTTP, local) and storage backends (POSIX files, SQLite).
  • Pure Go, no CGO requirements in the default configuration.

Quick Start

package main

import (
	"log"
	"time"

	"github.com/karasz/securelog"
)

func main() {
	store, _ := securelog.OpenFileStore("/var/log/securelog")
	logger, _ := securelog.New(securelog.Config{AnchorEvery: 100}, store)

	commit, openMsg, _ := logger.InitProtocol("app-log-001")

	// transmit commit/openMsg to the trusted server here
	_ = commit
	_ = openMsg

	logger.Append([]byte("user login: alice"), time.Now())
	logger.Append([]byte("file access: /etc/passwd"), time.Now())

	closeMsg, _ := logger.CloseProtocol("app-log-001")
	log.Printf("final tag: %x", closeMsg.FinalTagT)
}

For end-to-end examples (including transports) check the example_*.go files.

Storage Backends

  • File store (default) — append-only binary format with POSIX locks; ideal for production.
  • SQLite store — ACID semantics and ad-hoc queries via SQLite (modernc.org/sqlite).

Both implement the same Store interface, so swapping backends is a one-line change.

Transports

  • Folder transport for local/offline workflows.
  • HTTP transport for remote trusted servers.
  • Local transport for in-process testing.

Detailed diagrams and usage notes live in doc/TRANSPORT.md.

Documentation

  • doc/ACADEMICS.md — paper references and detailed research context.
  • doc/TRANSPORT.md — transport layer protocol and folder layout.
  • example_*.go — runnable snippets that stitch storage, transports, and verifiers together.

Development

make fmt        # gofmt on the tree
make lint       # revive + staticcheck + gosec
make test       # go test -race -cover ./...
make check      # run the full battery (fmt, vet, lint, spell, test)

Go 1.21 or newer is recommended.

About

Forward-secure Go library for tamper-evident audit logs, implementing Ma–Tsudik’s dual-MAC private-verifiable scheme.

Topics

golang cryptography secure-logging compliance audit-logging tamper-detection forward-security log-integrity

Resources

Readme

License

MIT license

Security policy

Security policy
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

SecureLog v0.1.0 Latest
Oct 26, 2025

Packages

No packages published

Languages