Login/Register
Is there a way to digitally sign documents to prove they existed at a certain point in time
Asked Answered
Solved securityencryptiontimestampsigningtrusted-timestamp
D

11

28

I'm curious if there is way to digitally sign documents (technically any piece of data), such as contracts or photos, so that 10 years from now, it can be proven that they are from this time, not forged 9 years from now.

For example, I could write a prediction of the future and sign it with convential means to prove that I wrote it, then timestamp-sign it so that when it comes true, I can prove I predicted it.

One way I thought of is that there could be a timestamping authority. You send them the data, they make a hash of the data + timestamp and encrypt the hash with RSA using their private key. A signed document thus exists of: data, timestamp, encrypted hash.

10 years from now, I hash the data + supposed timestamp, and check if it matches with the encrypted hash that I decrypt using the authority's public RSA key (which I trust). If it does, I known the timestamp is valid.

I can see 2 problems with that though:

  • An external authority is needed
  • The authority's private key would need to be kept extremely secret, because if it's revealed, all documents signed with it turn invalid.

Can you think of a solution without (one of) these problems?

Digitalis answered 17/7, 2011 at 19:55 Comment(2)
Take a look at any signed windows DLL. Most of them are signed by the vendor and countersigned by a timestamping authority. That way when the vendor's certificate expires you can still check that the certificate was valid when the DLL was signed.Longitude
Here's a decentralized anonymous timestamp service that uses the bitcoin blockchain: proofofexistence.com - disclaimer: I created the serviceMaribeth
D
13

This is called timestamping. The most widely used mechanism is defined in TSP specification (RFC 3161) and some others. The alternative method is used in MS Authenticode, but it's not documented and is not compatible with TSP.

TSP is used as a supplementary function in several encryption and digital signature standards, such as PDF, XAdES, CAdES, PAdES (AdES stands for "Advanced encryption standard"). PDF, XAdES and PAdES standards are applied to certain type(s) of data. CAdES is univeral format (as it can be applied for any generic data).

RFC 5544 offers a way to apply TSP to any generic data without signing this data.

TSP specification makes heavy use of PKI and X.509 certificates.

Timestamping services are provided by certificate authorities as a supplementary service. There also exist independent timestamping services.

You can run your own timestamping service, however timestamping requires use of special certificate (its key usage extensions are to be set in a specific way), so regular SSL or code signing certificates won't work.

Talking about "timestamping authorities" - you send them a hash (calculated during signing) and they sign this hash using their certificate. It's their business to keep the private key protected, and they usually charge for it.

The idea about third-party authority is that it certifies time. If you sign the data, you can put any time to the signature, and there's no way to check if it's correct or you have forged it. Only trusted third-party authority can be a proof of correctness of the timestamp.

Drumlin answered 17/7, 2011 at 21:32 Comment(7)
Is there a reason they use a persistent private key that has to be kept secret? It seems to be that it would be ideal to use a new private key every hour (or every minute), keep it only in volatile memory, and publish the full list of public keys but securely delete the private keys. This way the non-storage of the private key would provide a much stronger proof of when the signature took place.Varipapa
@R.. TSA's certificates do expire, but the problem is that once the certificate expires, the timestamp becomes "expired" as well. As for destroying private keys and creating new certificates - maybe some TSAs do exactly this, who knows. I don't remember any statements in the standards that would prevent such approach.Jejunum
I wasn't talking about expiring the certificates. I was talking about using a certificate that doesn't expire but for which the private key is never stored and ceases to exist after the time period for which it's used.Varipapa
@R.. Expiring is the only reliable way to guarantee to the outside world, that the certificate (and the private key) are not used anymore. In the scheme you describe destruction of the private key can not be guaranteed. It would be only the claim of the key holder, which can not be proven.Jejunum
Expiring does not guarantee whatsoever that they are not used anymore. For example if I have a copy of the private key, I can generate a forged signature using it that was valid at the time of the timestamp. If you want to disregard/distrust such signatures based on expired keys then you make timestamping useless.Varipapa
@R.. You miss the point. When the timestamping certificate expires, the timestamp can not be trusted anymore. So if you use the key to forge a timestamping signature, your signature won't be trusted. That IS the problem for long-term archiving purposes, indeed, but that's the way PKI works.Jejunum
@R..GitHubSTOPHELPINGICE If you don't use a persistent private key, you need to somehow continue to publish your public keys. How would you do this? You might publish these on a HTTPS website, and then you'll need a private key for that HTTPS certifcate, and we are back to square one, right?Canaliculus
T
8

Yes, you can do this with ProofOfExistence.com or Poex.io, which puts a hash of your document on the Bitcoin blockchain.

(cf. this)

Telemark answered 7/5, 2017 at 3:36 Comment(0)
P
3

Yes, there are commercial services that would securely timestamp documents or software.

There's an article in Wikipedia explaining this. Google quickly revealed one such service (I am not affiliated), I'm sure there are many more. There used to be a free one as well, but it's all a question of trust (i.e. whether the courts would trust "someone on the internet" vs. VeriSign).

Paddlefish answered 17/7, 2011 at 20:8 Comment(0)
C
3

Here is a timestamping service that has been in continuous operation since 1995.

http://www.itconsult.co.uk/stamper/stampinf.htm

You send your data (or a hash of your data) by email, and get back a signature of your data plus a timestamp with a serial number. The detached signatures (but not the data itself) are posted publicly, and anyone can archive them for themselves, so that if the site operators ever tried to tamper with the timestamp record, people would know. So in principle, you don't have to place much trust in the service itself.

Cowling answered 2/5, 2014 at 5:13 Comment(0)
Q
1

In times past, I would have said 'lookup PublicTimeStamp.org', but it has had a somewhat chequered past. It still seems to be running - but the website is only barely working. If you got to http://PublicTimeStamp.org/ptb you will find recent values (today). But other parts of the system are not visible.

Quietism answered 17/7, 2011 at 20:56 Comment(0)
E
1

RFC3161 is not the only way of secure timestamping.

A current area of research is to develop schemes where you have to put less trust in the third-party authority issuing the time stamps. With RFC3161-based timestamps you are more or less required to completely trust the authority. This presentation gives an overview of alternatives, most based on linking schemes. The idea is quite attractive because the timestamps would be under public scrutiny and there's no secret key involved that could possibly be leaked, thus providing inherently better security than today's standard RFC 3161 timestamps.

Echt answered 18/7, 2011 at 7:36 Comment(0)
M
1

Check out easytimestamping.com. Timestamps (based on RFC3161) are issued by a Qualified Certification Authority accredited in the European Union, so that, in most EU countries, the timestamp has a guaranteed legal validity.

The authority's private key would need to be kept extremely secret, because if it's revealed, all documents signed with it turn invalid.

Qualified CA's are certified to comply (at least) with the standard ETSI TS 102 023 that imposes a variety of physical and software security measures for guaranteeing the protection of the private key.

PS: I am affiliated with easytimestamping.com

Magnetomotive answered 30/8, 2011 at 16:39 Comment(3)
I'm not saying your site is shady, but both there and on securo.it it's hard to find which "Qualified Certification Authority accredited in the EU" you use. Why?Digitalis
We don't say it simply because it does not matter. At least in Italy, as long as the CA is in the trusted list of accredited CA the issued timestamp has the same legal validity. It should be the same in other EU Countries for favoring interoperability, as required by the EU directive on digital signatures (1999/93/EC). Anyway, we are not hiding anything, just apply a timestamp and find it out!Magnetomotive
Well, if you were curious, others will too. So I added the name of our current Qualified CA provider here. Thanks for the feedback :)Magnetomotive
L
0

I guess that depends on your controls. An external authority would work, but it's the same thing as certifying it internally, technically speaking. It just depends on who you trust. Are you looking at preventing users from falsely certifying documents, or your developers?

Liegeman answered 17/7, 2011 at 19:59 Comment(1)
I'm just curious, I don't have an actual use case.Digitalis
N
0

Back in the day, people kept unopened sent documents sent through certified mail and called it a "poor man's copyright". I imagine you could do the same with any major, respected email site. Send yourself a copy of the document via Gmail or Hotmail or whatever, and keep the copy in your account -- the date/timestamp on the email should come from the service provider (not from your computer), so that would be pretty solid evidence I imagine.

Nuss answered 17/7, 2011 at 20:3 Comment(4)
The "mail it to yourself" trick is what made me think up this question :)Digitalis
It does occur to me that if, for example, you were trying to win the JREF million dollar challenge by making predictions, they would point out that you could have just made like a million predictions and only shown them the ones that turned out right. Not sure if there's any way around that.Nuss
-1 The method didn't work back then, and your email method does not work today (unless you are willing to let someone to log in your email). Both are easy to fake.Psycholinguistics
@QuoraFeans I can’t speak for physical mail, but e-mail should come with DKIM and SPF headers showing its authenticity. You can send people a raw copy of the e-mail later, including the authentication headers, without letting them access your e-mail account.Motch
O
0

So long as you aren't looking for something that lasts a really long time:

Encrypt the document and post it to one of the Usenet binary groups. Anyone can check the headers and see when it was received, you can decrypt the file (or provide the key as the case may be) and prove that it really is the data in question.

Since you don't control the file once it's posted games like only revealing the prediction that worked aren't possible.

Oliver answered 14/6, 2014 at 18:17 Comment(0)
R
0

RFC 3161 compliant timestamp service can be used, it is a standard and must give enough evidence that a particular document existed at a certain time. Better idea would be to change a document to PDF and then digitally sign and timestamp it, in a PDF anyone can clearly see the timestamp and other properties of a signature or timestamp. Check tecxoft tsa, you can also test pdf digital signatures here.

Roxannroxanna answered 31/1, 2016 at 7:31 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.