digital time stamping

Upload: sunil-vicky-vohra

Post on 03-Apr-2018


  • 7/29/2019 Digital Time Stamping

    1/22

    INTRODUCTION

    Definition: A digital signature or e-signature for short (not to be confused with a digital

    certificate) is an electronic signature that can be utilized to authenticate the identity of the

    sender of a message or the signer of a document, and certainly to ensure that the original

    content of the message or document that has been sent is the same or unchanged. Digital

    signatures are easily transportable, cannot be imitated by someone else, and can be

    automatically time-stamped. In other words, they are very efficient for transacting

    legal matters. The ability to ensure that the original signed message arrived means that

    the sender cannot easily repudiate it later.

    A digital signature can be used with any kind of message, transactions and the like,

    whether it is encrypted or not, simply so that the receiver can be sure of the sender's

    identity and that the message arrived intact. A digital certificate contains the digital

    signature of the certificate-issuing authority so that anyone can verify that the certificate

    is real. This indeed is so commonly observed now in internet transactions.

    Consider two questions that may be asked by a computer user as he or she views a digital

    document or on-line record:

    Who is the author of this record - who wrote it, approved it, or consented to it?

    When was this record created or last modified?

    In both cases, the question is about exactly this record - exactly this sequence of bits. An

    answer to the first question tells who and what: Who approved exactly what is in this

    record? An answer to the second question tells when and what: When exactly did the

    contents of this record first exist?

    Both of the above questions have good solutions. A system for answering the first

    question is called a digital signature scheme. A system for answering the second question

    is called a digital timestamping scheme.

    Any system allowing users to answer these questions must include two procedures. First,

    there must be a signing procedure with which:

    (1) the author of a record can "sign" the record, or

    (2) any user can fix a record in time.

    The result of this procedure is a string of bytes that serves as the signature. Second, there

    must be a verification procedure by which any user can check a record and its purported

    signature to make sure it correctly answers

    (1) who and what? or

    (2) when and what? about the record in question.

    The signing procedure of a digital timestamping system often works by mathematically

    linking the bits of the record to a "summary number" that is widely witnessed by and

    widely available to members of the public - including, of course, users of the system. The

    computational methods employed ensure that only the record in question can be linked,

    according to the "instructions" contained in its timestamp certificate, to this widely

    witnessed summary number; this is how the particular record is tied to a particular

    moment in time. The verification procedure takes a particular record and a putative

    timestamp certificate for that record and a particular time, and uses this information to

    validate whether that record was indeed certified at the time claimed by checking it

    against the widely available summary number for that moment.
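
    The linking procedure described above can be sketched with a Merkle hash tree, one common way to build such a scheme. This is an added example, not code from the report or from any timestamping service; the function names, the five constructed records and the 0x00/0x01 hash prefixes are assumptions of the sketch. The tree root plays the role of the widely witnessed summary number, and each certificate is the list of sibling hashes (the "instructions") linking one record to it.

```python
import hashlib
import hmac


def fingerprint(record: bytes) -> bytes:
    """Computed by the client; only this value is sent to the service."""
    return hashlib.sha256(b"\x00" + record).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    # Distinct prefix for inner nodes so a leaf can never be passed off as a node.
    return hashlib.sha256(b"\x01" + left + right).digest()


def close_round(fingerprints):
    """Link every fingerprint submitted in one round.

    Returns (summary_number, certificates); certificates[i] is the list of
    (side, sibling_hash) steps that lead from fingerprints[i] to the root.
    """
    if not fingerprints:
        raise ValueError("a round needs at least one fingerprint")
    level = list(fingerprints)
    position = list(range(len(level)))       # where each leaf's ancestor sits
    certificates = [[] for _ in level]
    while len(level) > 1:
        for leaf, pos in enumerate(position):
            sibling = pos ^ 1
            if sibling < len(level):         # last node of an odd level has none
                side = "L" if sibling < pos else "R"
                certificates[leaf].append((side, level[sibling]))
            position[leaf] = pos // 2
        nxt = []
        for j in range(0, len(level), 2):
            if j + 1 < len(level):
                nxt.append(node_hash(level[j], level[j + 1]))
            else:
                nxt.append(level[j])         # odd node is promoted unchanged
        level = nxt
    return level[0], certificates


def verify(record: bytes, certificate, summary_number: bytes) -> bool:
    """Recompute the path from the record itself; no key or secret is involved."""
    h = fingerprint(record)
    for side, sibling in certificate:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return hmac.compare_digest(h, summary_number)


# Constructed sample data: five records submitted during the same round.
RECORDS = [b"lab notebook page 41", b"contract draft v3", b"build log 0412",
           b"patent claim sketch", b"key revocation report"]


def demo():
    summary, certs = close_round([fingerprint(r) for r in RECORDS])
    other_summary, _ = close_round([fingerprint(b"next round")])
    return {
        "all_valid": all(verify(r, c, summary) for r, c in zip(RECORDS, certs)),
        "edited_record": verify(b"contract draft v4", certs[1], summary),
        "wrong_certificate": verify(RECORDS[0], certs[1], summary),
        "other_round": verify(RECORDS[0], certs[0], other_summary),
    }


if __name__ == "__main__":
    print(demo())
```

    Only the 32-byte fingerprints reach `close_round`, so the service never sees the records, and verification needs nothing but the record, its certificate and the published root.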

    One nice thing about digital timestamps is that the document being timestamped does not

    have to be released to anybody to create a timestamp. The originator of the document

    computes the hash values himself, and sends them in to the timestamping service. The

    document itself is only needed for verifying the timestamp. This is very useful for many

    reasons (like protecting something that you might want to patent).

    Two features of a digital timestamping system are particularly helpful in enhancing the

    integrity of a digital signature system. First, a timestamping system cannot be

    compromised by the disclosure of a key. This is because digital timestamping systems do

    not rely on keys, or any other secret information, for that matter. Digital timestamp

    certificates can be renewed so as to remain valid indefinitely.

    With these features in mind, consider the following situations.

    It sometimes happens that the connection between a person and his or her public

    signature key must be revoked. For example, the user's private key may accidentally be

    compromised, or the key may belong to a job or role in an organization that the person no

    longer holds. Therefore the person-key connection must have time limits, and the

    signature verification procedure should check that the record was signed at a time when

    the signer's public key was indeed in effect. And thus when a user signs a record that may

    be checked some time later - perhaps after the user's key is no longer in effect - the

    combination of the record and its signature should be certified with a secure digital

    timestamping service.

    There is another situation in which a user's public key may be revoked. Consider the case

    of the signer of a particularly important document who later wishes to repudiate his

    signature. By dishonestly reporting the compromise of his private key, so that all his

    signatures are called into question, the user is able to disavow the signature he regrets.

    However, if the document in question was digitally timestamped together with its

    signature (and key-revocation reports are timestamped as well), then the signature cannot

    be disavowed in this way. This is the recommended procedure, therefore, in order to

    preserve the non-repudiation desired of digital signatures for important documents.

    The statement that private keys cannot be derived from public keys is an over-

    simplification of a more complicated situation. In fact, this claim depends on the

    computational difficulty of certain mathematical problems. As the state of the art

    advances - both the current state of algorithmic knowledge, as well as the computational

    speed and memory available in currently available computers - the maintainers of a

    digital signature system will have to make sure that signers use longer and longer keys.

    But what is to become of documents that were signed using key lengths that are no longer

    considered secure? If the signed document is digitally timestamped, then its integrity can

    be maintained even after a particular key length is no longer considered secure.

    Of course, digital timestamp certificates also depend for their security on the difficulty of

    certain computational tasks concerned with hash functions (see Question 2.1.6). (All

    practical digital signature systems depend on these functions as well.) The maintainers of

    a secure digital timestamping service will have to remain abreast of the state of the art in

    building and in attacking one-way hash functions. Over time, they will need to upgrade

    their implementation of these functions, as part of the process of renewal. This will allow

    timestamp certificates to remain valid indefinitely.

    HISTORY

    The idea of timestamping information is actually centuries old. For example, when

    Robert Hooke discovered Hooke's law in 1660, he did not want to publish it yet, but

    wanted to be able to claim priority. So he published the anagram ceiiinosssttuv and later

    published the translation ut tensio sic vis (Latin for "as is the extension, so is the force").

    Similarly, Galileo first published his discovery of the phases of Venus in the anagram

    form.

    A modern example is the case of an industrial research organization that may later need

    to prove, for patent purposes, that they made a particular discovery on a particular date;

    since magnetic media can be altered easily, this may be a nontrivial issue. One possible

    solution is for a researcher to compute and record in a hardcopy laboratory notebook a

    cryptographic hash of the relevant data file. In the future, should there be a need to prove

    the version of this file retrieved from a backup tape has not been altered, the hash

    function could be recomputed and compared with the hash value recorded in that paper

    notebook.

    FEATURES

    Two features of a digital timestamping system are particularly helpful in enhancing the

    integrity of a digital signature system:

    1. First, a timestamping system cannot be compromised by the disclosure of a key.

    This is because digital timestamping systems do not rely on keys, or any other

    secret information, for that matter.

    2. Second, digital timestamp certificates can be renewed so as to remain valid

    indefinitely.

    WORKING

    A trusted digital timestamp gives you strong legal evidence that the contents of your

    work existed at a point-in-time and have not changed since that time. The procedures

    maintain complete privacy of your documents themselves.

    The result is simple, secure, independent and portable proof of electronic record integrity.

    By using digital signature technology and audited security our service provides an

    external witness (a timestamp signature) to the existence of your data, like an electronic

    or digital notary. We never see your actual data; it is that simple and here is how it works:

    The trusted TimeStamp process consists of two parts:

    1. Software on your computer records the fingerprint of your file. You can use our

    web application, download our software for free, or use Adobe Acrobat, e-Lock,

    and more.

    2. The Internet links you to the DigiStamp web-based security service. We return to

    you a signed electronic timestamp certificate that contains your file's fingerprint.

    This method of creating a timestamp was published in public standards and laws; how to

    create a timestamp was not invented by DigiStamp. The digital timestamp was defined as

    part of the technology called Digital Signatures, or PKI (Public Key Infrastructure).

    DigiStamp uses this accepted method and then adds an external audit and certified

    hardware to create a web-based security service that you can trust and afford.

    A fingerprint of your computer file is created by our free software

    When you timestamp a file, your computer creates a unique identifier, or fingerprint, for

    the file (a SHA Hash). The fingerprint is a unique number calculated from the file's

    contents. Mathematicians call this a hash function. If the file's contents were to change by

    even one character, a different number would be calculated. This accepted technique

    provides a design whereby it is computationally infeasible to find two different messages

    which produce the same number. Your data remains private in this process: Only the

    evidence (a document fingerprint) is transmitted to DigiStamp, and we never see your

    actual document. None of the content of your data can be determined from the

    fingerprint, so reverse engineering of the fingerprint into the document is not possible.

    Read more about the SHA hash at wikipedia or the "U.S. Federal Information Processing

    Standard" here.

    The Internet links you to DigiStamp for the timestamp

    DigiStamp is a TimeStamp Authority (TSA). By using the Internet, you electronically

    send the file's fingerprint to the DigiStamp computer. At the DigiStamp computer, we put

    the file's fingerprint and the current time into an envelope and add our digital signature.

    The result is a digital timestamp certificate that is returned and stored in your computer

    software. The process is safe; your file is never sent across the Internet, only the file's

    smaller fingerprint.

    Your certificates are stored on your computer for easy verification

    Each certificate can be used later to verify that the contents of your file existed at a point-

    in-time. The content and the format of a digital timestamp are defined by common

    standards and therefore can be verified using a variety of vendors' software.

    The process is safe: your file is never sent across the Internet. The process is reliable: the

    timestamp certificate proves that your file and its contents existed at a point-in-time.

    Strong Legal Evidence for Authenticating Your Data

    Simply put, you need proof of what you've done and when you did it. Our service

    provides strong evidence for both.

    In fact, we provide uniquely strong evidence.

    No one can use our service to produce a false timestamp. Even we can't produce false

    timestamps. If someone offered us a million dollars, we still couldn't produce a false

    timestamp.

    Why not? A DigiStamp timestamp offers you three layers of security:

    1. An audit trail from two independent authorities proving that our equipment does

    exactly what we say it does

    2. State-of-the-art software that meets the highest established standards

    3. Uniquely customized hardware that cannot be tampered with

    We use secure hardware that's uniquely certified.

    Our software works within our IBM 4758 Coprocessor, specially customized using an

    agreement with IBM to do nothing but generate our timestamps with absolute security.

    The coprocessor is certified at levels 3 and 4 of the rigorous National Institute of

    Standards and Technology (NIST) using the Security Requirements for Cryptographic

    Modules.

    Software-based timestamps are only as sound as the hardware running the program.

    Software-based solutions leave you vulnerable to charges of manipulating the hardware.

    An adversary can always claim you paid the system administrator (even the administrator

    of an outside firm) to set the hardware to generate a false timestamp.

    No one can set our systems to generate false timestamps

    No one can hack our equipment, because our 4758 has no external interfaces except the

    timestamp generator. There's simply no way in. Period. And any attempt to tamper with

    our equipment, even by us, stops it dead in its tracks. All old data is safe, but no new

    data can be created. Period.

    When we install, compile, and initialize our machines, we use two professional auditors:

    a representative of Computer Forensic Services, Inc. and a representative of @Sec

    Information Security Corporation. (The Auditors hold multiple legal and professional

    certifications.) In a rigorous eight-hour process, these independent professionals witness

    the initialization and lock-down of the 4758 timestamping machine.

    The result of our multi-layered process provides you with stronger evidence than a

    notarized paper trail

    Notaries can make mistakes, written signatures can be forged, paper trails can be

    modified after notarization. Our rigorous, fully-automated system provides solid,

    unalterable evidence of your files' integrity.

    A DigiStamp timestamp provides a fully-automated chain of evidence.

    1. There is an overview of how a timestamp is created and its content here.

    2. Below are more details about the Audit Process.

    DIGISTAMP CREATES A TIMESTAMP ROBOT

    Machines can't be tempted with money, and they don't care whether they lose their jobs.

    The same can't be said for programmers, system administrators, and bureaucrats,

    unfortunately.

    That's why we set ourselves the task of creating, in essence, a timestamp robot, a fully-

    automated process immune from human frailty.

    Secure hardware. The backbone of our system is specially-customized hardware. The

    IBM 4758 Coprocessor is certified at levels 3 and 4 of the rigorous National Institute of

    Standards and Technology (NIST) using the Security Requirements for Cryptographic

    Modules

    In early 1999, under a custom development agreement with IBM, the 4758 was

    customized to eliminate all external interfaces except the timestamp function.

    The co-processor has its own unique keys for creating timestamps and auditing its own

    work. These are created automatically by the co-processor when it's installed and

    initialized, and they cannot be changed or extracted.

    Everything that happens in the 4758 is logged and signed by the co-processor.

    The 4758 has its own internal clock, which cannot be adjusted more than 120 seconds in

    any twenty-four hour period, and every adjustment is logged by the co-processor.

    When you send us a request for a timestamp, our system uses the 4758, with its internal

    clock and keys, to create a timestamp, a unique hash mark signature, which it then

    sends to you. You store your original file and its timestamp as proof that the contents of

    your work existed at a point-in-time.

    In The Electronic Signatures in Global and National Commerce Act (2000), federal law

    gives electronic signatures, contracts and records the same validity as their handwritten

    and hard copy counterparts.

    In the United States, the Uniform Rules of Evidence Code ("UETA") specifies what

    makes electronic evidence admissible. The fundamental test is a process or system that

    produces an accurate result.

    DigiStamp's service meets this test. In fact, no one has ever even tried to challenge a

    DigiStamp timestamp. More details here.

    Your data remains private in this process. Only the evidence, a SHA fingerprint, is

    transmitted to DigiStamp and we never see your actual document.

    The Birth and Life of an Autonomous Robot

    When we code, compile, and initialize one of our systems, two external auditors witness

    the birth ceremony and document the chain of evidence.

    1. Computer Forensic Services, Inc auditor: Certified Computer Examiner,

    International Society of Forensic Computer Examiners. Licensed Private

    Investigator Private Security Board. Certificate from Dallas Texas Bar

    Association Electronic Discovery and Digital Evidence.

    2. ATSEC Information Security Corporation auditor: Certified Information Systems

    Security Professional (CISSP). Certified Software Development Professional

    (CSDP), IEEE Computer Society

    In a well-defined process, the external auditors provide the evidence that the code we

    put into the 4758 card is of a known source and build, and that the 4758 card has had its

    external interface disabled, except the unique timestamp functions.

    Security statements for the Audit ceremony:

    1. The IBM 4758 Cryptographic Card is configured and initialized to a specific set

    of limited functions. Multiple parties witness and document the content of the

    software, the compilation and the initialization of the 4758 card.

    2. An AUDIT key-pair is created inside the 4758. The private key portion of the

    AUDIT key-pair cannot ever be extracted from the tamper detecting hardware.

    The timestamp public key certificates are then signed by this AUDIT key to prove

    that timestamp key is reliably created and contained within this card.

    3. The timestamp private key can be used only to create timestamps.

    4. Private keys cannot be exported or extracted from the 4758 hardware.

    5. The clock in the 4758 hardware cannot be adjusted more than +/- 120 seconds in

    any 24-hour period. All adjustments are recorded and signed by an audit trail that

    is internal to the 4758.

    6. No person can modify the card's security state without disabling the ability to

    create timestamps. Attempts to access the private keys or clock in 4758 hardware

    will reliably destroy the timestamp and AUDIT private keys.

    When the system initializes, it creates an Audit key, which will henceforth sign and log

    everything that happens in the co-processor. No one and nothing can change or extract

    this Audit key.

    The system will now accept only two kinds of inputs --- clock adjustments (all logged

    and signed by the Audit Key, automatically) and user requests for timestamps. Try to

    tamper, and the card stops. Its old work - your existing timestamps - is still valid, but it

    can't do anything new.

    How digital signatures work: Assume you were going to send the draft of a certain

    contract to your lawyer in another town. You want to give your lawyer the assurance that

    it was unchanged from what you sent and that it is really from you.

    Here then would be the process:

    1. You copy-and-paste the contract (it's a short one!) into an e-mail note.

    2. Using special software, you obtain a message hash (mathematical summary) of the

    contract.

    3. You then use a private key that you have previously obtained from a public-private

    key authority to encrypt the hash.

    4. The encrypted hash becomes your digital signature of the message. (Note that it will

    be different each time you send a message.)

    ADVANTAGES

    1. Performs highly accurate time stamping for PKI-enabled applications, electronic

    records, and code signing, transforming electronic records into strong evidence.

    2. Delivers superior time accuracy and auditability, with time stamps auditable to

    UTC.

    3. Protects the time stamping process and keys through independently certified,

    tamper-resistant hardware.

    4. Integrates easily with business applications to time stamp digitally signed

    documents (e.g. PDFs), application code, or other electronic records.

    DISADVANTAGES

    The disadvantages of using digital signatures involve the primary avenue for any

    business: money. This is because the business may have to spend more money than usual

    to work with digital signatures including buying certificates from certification authorities

    and getting the verification software.

    CONCLUSION

    Time Stamp Server from Thales e-Security is a turnkey, network-attached appliance that

    keeps accurate time and creates secure time stamps to record creation time, filing time, or

    the timing of other events associated with electronic records and applications. By

    deploying a highly accurate and tamper-resistant time stamping solution, organizations

    can verify the accuracy of time stamps used for digital records and improve the integrity

    and auditability of a broad range of critical processes. Ideal for organizations that need

    electronic document signing with proof of time for legal and compliance purposes, Time

    Stamp Server's other common applications include financial transactions, lotteries and

    gaming, security logs, approval workflows, long-term archives, electronic lab books, and

    code signing.

    Unlike software-based systems in which administrators can easily manipulate time

    values, Time Stamp Server protects time stamping keys in independently certified,

    tamper-resistant hardware.

    In addition, Time Stamp Server offers superior time accuracy and auditability, delivering

    secure time traceability to national atomic clocks and Coordinated Universal Time (UTC)

    if required. Time Stamp Server was the first solution of its kind to support Microsoft

    Authenticode, the code-signing standard for Windows platforms. The product's time

    stamping component is validated to FIPS 140-2 Level 3 and Common Criteria EAL4+.

    In conclusion, try using digital signatures (e-signatures) for your internet

    transactions so that you experience more convenience in conducting various

    business and money matters. That way you avoid the hassles and problems of the

    traditional transactions that use signatures.

    FUTURE SCOPE

    Anyone trusting the timestamper can then verify that the document was not created after

    the date that the timestamper vouches. It can also no longer be repudiated that the

    requester of the timestamp was in possession of the original data at the time given by the

    timestamp. To prove this the hash of the original data is calculated, the timestamp given

    by the TSA is appended to it and the hash of the result of this concatenation is calculated,

    call this hash A.

    Then the digital signature of the TSA needs to be validated. This can be done by

    checking that the signed hash provided by the TSA was indeed signed with their private

    key by digital signature verification. The hash A is compared with the hash B inside the

    signed TSA message to confirm they are equal, proving that the timestamp and message

    is unaltered and was issued by the TSA. If not, then either the timestamp was altered or

    the timestamp was not issued by the TSA.
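
    The verification steps above, as an added example (not code from the report or from any TSA product). It assumes SHA-256 for both hashes and substitutes a Lamport one-time hash-based signature for the TSA's signature so that it runs with the standard library alone; the token layout, function names and sample values are hypothetical.

```python
import hashlib
import hmac
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def bits(digest: bytes):
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


# --- Stand-in signature scheme: Lamport one-time signature (assumption) ---
def keygen():
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(H(a), H(b)) for a, b in private]
    return private, public


def sign(private, digest: bytes):
    # Reveals one secret per digest bit, so a key pair may sign one digest only.
    return [private[i][b] for i, b in enumerate(bits(digest))]


def signature_ok(public, digest: bytes, signature) -> bool:
    if len(digest) != 32 or len(signature) != 256:
        return False
    checks = [hmac.compare_digest(H(s), public[i][b])
              for i, (s, b) in enumerate(zip(signature, bits(digest)))]
    return all(checks)


# --- Timestamp authority and verifier ---
def tsa_issue(private, fingerprint: bytes, time_utc: str):
    """TSA side: receives only the fingerprint, never the document."""
    hash_b = H(fingerprint + time_utc.encode())
    return {"time": time_utc, "hash_b": hash_b, "signature": sign(private, hash_b)}


def verify_timestamp(public, document: bytes, token) -> str:
    # Hash A: hash of (document hash || timestamp), recomputed by the verifier.
    hash_a = H(H(document) + token["time"].encode())
    # The signed hash B must really have been signed by the TSA.
    if not signature_ok(public, token["hash_b"], token["signature"]):
        return "not issued by the TSA"
    # Hash A must equal hash B, otherwise document or time was changed.
    if not hmac.compare_digest(hash_a, token["hash_b"]):
        return "document or timestamp altered"
    return "valid"


def demo():
    private, public = keygen()
    document = b"Contract draft, constructed sample text."
    token = tsa_issue(private, H(document), "2018-04-03T10:15:00Z")  # constructed time

    backdated = dict(token, time="2017-01-01T00:00:00Z")
    # Recomputing hash B for the new time does not help: the signature no longer matches.
    forged = dict(backdated, hash_b=H(H(document) + backdated["time"].encode()))
    return {
        "original": verify_timestamp(public, document, token),
        "edited_document": verify_timestamp(public, document + b" (amended)", token),
        "backdated": verify_timestamp(public, document, backdated),
        "forged": verify_timestamp(public, document, forged),
    }


if __name__ == "__main__":
    print(demo())
```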

    REFERENCES

    http://methodofsolutions.com/2010/07/18/definition-advantages-and-disadvantages-of-digital-signatures/

    http://www.thales-esecurity.com/products-and-services/products-and-services/time-stamping-appliances/time-stamp-server

    http://www.digistamp.com/technical/how-a-digital-time-stamp-works/

    CONTENTS

    Introduction

    History

    Features

    Working

    Advantages

    Disadvantages

    Conclusion

    Future Scope

    References

    A

    Seminar Report

    On

    DIGITAL TIME

    STAMPING