Cryptography Reference
In-Depth Information
6.6.1 Timestamps
I'm sure I don't have to explain that the age allocated to a file by the operating
system is helpful, but proves nothing. For practical purposes, however, it is
often necessary to have timestamps that have evidential value. This means:
•
The timestamp cannot be changed stealthily in arrears.
•
The document cannot be changed stealthily in arrears either.
•
The document cannot be fitted with another timestamp in arrears.
The first two requirements are no problem. Alice writes 'created on February
29, 1996, 17: 30' in plaintext on her document, adding her digital signature
to the document. If it is doubtlessly known that this document originates from
Alice, and a wrong time would only be damaging, and her public key is also
known, then this protocol is absolutely sufficient. Nobody other than Alice can
add a different timestamp to it and digitally sign it in Alice's name as long as
her signature is secure.
Unfortunately, this is not always enough. First of all, we could think of cases
where Alice herself has some fraudulent idea. Second, a governmental agency
that will receive ten thousand virtual documents per day in our golden elec-
tronic future cannot procure the public key of every user to check the time.
Third, it should generally be possible to check the authenticity of the docu-
ment - timestamp relationship, regardless of the author.
Notarized Timestamps
An intuitive solution to the problem is to use a trustworthy timestamp service.
Alice has to submit her document to this service, and will get it back with
timestamp and signature included. The public keys of the timestamp service
are published regularly in a daily newspaper.
To ensure that the transmission capacities on the Internet will suffice for
audio mail and cool images, Alice should only send the hash value to the
stamp service. The service would then return the signed 'timestamp - hash
value' pair. A short random character string appended to the timestamp by
the stamp service will remove all doubts about a potential ciphertext attack
(see Section 4.5.3).
This protocol is pretty good. Though minor drawbacks could be slight delays,
and that it will cost money, it would hardly be feasible without such minor
drawbacks.
