From: Petter Reinholdtsen Date: Tue, 25 Mar 2014 11:44:42 +0000 (+0000) Subject: New post. X-Git-Url: https://pere.pagekite.me/gitweb/homepage.git/commitdiff_plain/10c74d08c77bbf95e56607381904ace1cb6a2811?ds=sidebyside New post. --- diff --git a/blog/data/2014-03-25-trusted-timestamping.txt b/blog/data/2014-03-25-trusted-timestamping.txt new file mode 100644 index 0000000000..8169b1b92a --- /dev/null +++ b/blog/data/2014-03-25-trusted-timestamping.txt @@ -0,0 +1,89 @@ +Title: Public Trusted Timestamping services for you +Tags: english, sikkerhet +Date: 2014-03-25 12:50 + +

Did you ever need to store logs or other files in a way that would +allow it to be used as evidence in court, and needed a way to +demonstrate without reasonable doubt that the file had not been +changed since it was created? Or, did you ever need to document that +a given document was received at some point in time, like some +archived document or the answer to an exam, and not changed after it +was received? The problem in these settings is to remove the need to +trust yourself and your computers, while still being able to prove +that a file is the same as it was at some given time in the past.

+ +

A solution to these problems is to have a trusted third party +"stamp" the document and verify that at some given time the document +looked a given way. Such +notarius service +have been around for thousands of years, and its digital equivalent is +called a +trusted +timestamping service. The Internet +Engineering Task Force standardised how such service could work a +few years ago as RFC +3161. The mechanism is simple. Create a hash of the file in +question, send it to a trusted third party which add a time stamp to +the hash and sign the result with its private key, and send back the +signed hash + timestamp. Anyone with the document and the signature +can then verify that the document matches the signature by creating +their own hash and checking the signature using the trusted third +party public key. There are several commercial services around +providing such timestamping. A quick search for +"rfc 3161 +service" pointed me to at least +DigiStamp, +Quo +Vadis, +Global Sign +and Global +Trust Finder. The system work as long as the private key of the +trusted third party is not compromised.

+ +

But as far as I can tell, there are very few public trusted +timestamp services available for everyone. I've been looking for one +for a while now. But yesterday I found one over at +Deutches +Forschungsnetzmentioned in +a +blog by David Müller. I then found a good recipe on how to use +over at the +University +of Greifswald. The OpenSSL library contain both server and tools +to use and set up your own signing service. See the ts(1SSL), +tsget(1SSL) manual pages for more details. The following shell script +demonstrate how to extract a signed timestamp for any file on the disk +in a Debian environment: + +

+#!/bin/sh
+set -e
+url="http://zeitstempel.dfn.de"
+caurl="https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt"
+reqfile=$(mktemp -t tmp.XXXXXXXXXX.tsq)
+resfile=$(mktemp -t tmp.XXXXXXXXXX.tsr)
+cafile=chain.txt
+if [ ! -f $cafile ] ; then
+    wget -O $cafile "$caurl"
+fi
+openssl ts -query -data "$1" -cert | tee "$reqfile" \
+    | /usr/lib/ssl/misc/tsget -h "$url" -o "$resfile"
+openssl ts -reply -in "$resfile" -text 1>&2
+openssl ts -verify -data "$1" -in "$resfile" -CAfile "$cafile" 1>&2
+base64 < "$resfile"
+rm "$reqfile" "$resfile"
+

+ +

The argument to the script is the file to timestamp, and the output +is a base64 encoded version of the signature to STDOUT and details +about the signature to STDERR. Note that due to +a bug +in the tsget script, you might need to modify the included script +and remove the last line. Or just write your own HTTP uploader using +curl. :) Now you too can prove and verify that files have not been +changed.

+ +

But the Internet need more public trusted timestamp services. +Perhaps something for Uninett or +my work place the University of Oslo +to set up?