--- /dev/null
+Title: Public Trusted Timestamping services for you
+Tags: english, sikkerhet
+Date: 2014-03-25 12:50
+
+<p>Did you ever need to store logs or other files in a way that would
+allow it to be used as evidence in court, and needed a way to
+demonstrate without reasonable doubt that the file had not been
+changed since it was created? Or, did you ever need to document that
+a given document was received at some point in time, like some
+archived document or the answer to an exam, and not changed after it
+was received? The problem in these settings is to remove the need to
+trust yourself and your computers, while still being able to prove
+that a file is the same as it was at some given time in the past.</p>
+
+<p>A solution to these problems is to have a trusted third party
+"stamp" the document and verify that at some given time the document
+looked a given way. Such
+<a href="https://en.wikipedia.org/wiki/Notarius">notarius</a> service
+have been around for thousands of years, and its digital equivalent is
+called a
+<a href="http://en.wikipedia.org/wiki/Trusted_timestamping">trusted
+timestamping service</a>. <a href="http://www.ietf.org/">The Internet
+Engineering Task Force</a> standardised how such service could work a
+few years ago as <a href="http://tools.ietf.org/html/rfc3161">RFC
+3161</a>. The mechanism is simple. Create a hash of the file in
+question, send it to a trusted third party which add a time stamp to
+the hash and sign the result with its private key, and send back the
+signed hash + timestamp. Anyone with the document and the signature
+can then verify that the document matches the signature by creating
+their own hash and checking the signature using the trusted third
+party public key. There are several commercial services around
+providing such timestamping. A quick search for
+"<a href="https://duckduckgo.com/?q=rfc+3161+service">rfc 3161
+service</a>" pointed me to at least
+<a href="https://www.digistamp.com/technical/how-a-digital-time-stamp-works/">DigiStamp</a>,
+<a href="http://www.quovadisglobal.co.uk/CertificateServices/SigningServices/TimeStamp.aspx">Quo
+Vadis</a>,
+<a href="https://www.globalsign.com/timestamp-service/">Global Sign</a>
+and <a href="http://www.globaltrustfinder.com/TSADefault.aspx">Global
+Trust Finder</a>. The system work as long as the private key of the
+trusted third party is not compromised.</p>
+
+<p>But as far as I can tell, there are very few public trusted
+timestamp services available for everyone. I've been looking for one
+for a while now. But yesterday I found one over at
+<a href="https://www.pki.dfn.de/zeitstempeldienst/">Deutches
+Forschungsnetz</a>mentioned in
+<ahref="http://www.d-mueller.de/blog/dealing-with-trusted-timestamps-in-php-rfc-3161/">a
+blog by David Müller</a>. I then found a good recipe on how to use
+over at the
+<a href="http://www.rz.uni-greifswald.de/support/dfn-pki-zertifikate/zeitstempeldienst.html">University
+of Greifswald</a>. The OpenSSL library contain both server and tools
+to use and set up your own signing service. See the ts(1SSL),
+tsget(1SSL) manual pages for more details. The following shell script
+demonstrate how to extract a signed timestamp for any file on the disk
+in a Debian environment:
+
+<p><blockquote><pre>
+#!/bin/sh
+set -e
+url="http://zeitstempel.dfn.de"
+caurl="https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt"
+reqfile=$(mktemp -t tmp.XXXXXXXXXX.tsq)
+resfile=$(mktemp -t tmp.XXXXXXXXXX.tsr)
+cafile=chain.txt
+if [ ! -f $cafile ] ; then
+ wget -O $cafile "$caurl"
+fi
+openssl ts -query -data "$1" -cert | tee "$reqfile" \
+ | /usr/lib/ssl/misc/tsget -h "$url" -o "$resfile"
+openssl ts -reply -in "$resfile" -text 1>&2
+openssl ts -verify -data "$1" -in "$resfile" -CAfile "$cafile" 1>&2
+base64 < "$resfile"
+rm "$reqfile" "$resfile"
+</pre></blockquote></p>
+
+<p>The argument to the script is the file to timestamp, and the output
+is a base64 encoded version of the signature to STDOUT and details
+about the signature to STDERR. Note that due to
+<a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742553">a bug
+in the tsget script</a>, you might need to modify the included script
+and remove the last line. Or just write your own HTTP uploader using
+curl. :) Now you too can prove and verify that files have not been
+changed.</p>
+
+<p>But the Internet need more public trusted timestamp services.
+Perhaps something for <a href="http://www.uninett.no/">Uninett</a> or
+my work place the <a href="http://www.uio.no/">University of Oslo</a>
+to set up?</p>
projects / homepage.git / commitdiff