Immutable Audit Log for Certificate Management
Development of an Immutable Database for the Audit Log of a Certificate Management Application
Dates: –
| Company | Funding | Consortium | Type |
|---|---|---|---|
| GRADIANT | Not disclosed | - | Product |
Abstract
This project focuses on the design and implementation of an immutable audit logging system for a certificate management application, with the goal of guaranteeing the integrity, traceability, and non-repudiation of critical security events.
Developed as a Bachelor’s Thesis, the work goes beyond a theoretical proof of concept, resulting in a solution fully integrated into IDHub, a real-world production-grade digital identity and certificate management platform.
Details
I carried out this project as my Bachelor’s Thesis, focusing on the secure design of an immutable audit log for IDHub. The objective was to ensure that all security-relevant events—such as certificate operations and administrative actions—could be recorded in a way that is tamper-evident and cryptographically verifiable.
The work began with a comprehensive state-of-the-art review of audit logging mechanisms based on Cryptographic Ledger Technologies (CLT) and Distributed Ledger Technologies (DLT), analyzing their applicability, limitations, and performance trade-offs in enterprise environments.
Based on this analysis, I designed and implemented a solution using Merkle trees and chained cryptographic hashing, enabling the detection of any unauthorized modification of audit records. The system ensures strong integrity guarantees while maintaining compatibility with existing infrastructure and meeting performance requirements for high-volume logging.
A key aspect of the project was its full integration into IDHub, transforming the solution from an academic exercise into a production-ready component used in an operational security platform. This integration validated both the practicality and robustness of the proposed approach in a real-world context.
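The chained hashing and Merkle tree approach described above, illustrated on a small log. This is an added example, not code from the thesis or from IDHub. SHA-256, the all-zero genesis value, the record fields, and every function name are assumptions.

```python
import hashlib
import json

GENESIS = b"\x00" * 32  # assumed fixed start value for the chain

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def entry_hash(prev: bytes, event: dict) -> bytes:
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return _h(prev + canonical)

def build_chain(events):
    """Hash each event together with the previous entry's hash."""
    chain, prev = [], GENESIS
    for ev in events:
        prev = entry_hash(prev, ev)
        chain.append(prev)
    return chain

def merkle_root(entry_hashes):
    """Merkle root using distinct leaf (0x00) and inner-node (0x01) prefixes."""
    level = [_h(b"\x00" + e) for e in entry_hashes] or [_h(b"")]
    while len(level) > 1:
        nxt = [_h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:  # an unpaired node is carried up unchanged
            nxt.append(level[-1])
        level = nxt
    return level[0]

def verify(events, chain, trusted_root):
    """Return ("ok", None), ("record", i) for the first broken link, or ("root", None)."""
    if len(events) != len(chain):
        return ("record", min(len(events), len(chain)))
    prev = GENESIS
    for i, (ev, stored) in enumerate(zip(events, chain)):
        prev = entry_hash(prev, ev)
        if prev != stored:
            return ("record", i)
    # Chain is self-consistent; compare against the root kept outside the database.
    if merkle_root(chain) != trusted_root:
        return ("root", None)
    return ("ok", None)

SAMPLE_EVENTS = [  # constructed sample events, not taken from IDHub
    {"seq": 1, "actor": "admin", "action": "login"},
    {"seq": 2, "actor": "ra-operator", "action": "cert.issue", "serial": "01"},
    {"seq": 3, "actor": "admin", "action": "cert.revoke", "serial": "01"},
]
```

The chain alone flags an in-place edit at the first record whose hash no longer matches. The Merkle root, stored separately from the log, also flags a rewrite in which every later chain hash was recomputed, and a log that was truncated.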
Technologies
Databases: Immutable data structures for audit logging
Cryptography: Cryptographic hashing, Merkle trees, chained hash structures
Security Concepts: Secure audit logging, data integrity, non-repudiation, tamper-evident systems
Domains: Digital certificates, PKI, enterprise security auditing
