Escolar Documentos
Profissional Documentos
Cultura Documentos
Karel Wouters
Overview
Definition Conventional needs for time-stamping events and documents The use of time-stamps in cryptography Simple time-stamps Linked time-stamps Recent developments
Definition
Time-stamp: proof that a certain piece of information existed, prior to the time, indicated by the timestamp. Examples:
A postmarked, unopened letter (registered mail) A statement/document, signed and dated by a notary An electronic/digital time-stamp
Research and patents: proof that you were first. > research diary, periodically signed by a notary Credibility of business documents within a company Credibility of photographs, video, audio
Time-stamps in cryptography
Long-term protection of digital signatures against key compromise, certificate expiry and algorithm weakening: time-stamps can indicate that the signature was generated before compromise/expiry/algorithm break time-stamps on random data can be used as a nonce: they indicate their own freshness.
Simple time-stamps
Essentially: SignTSA(Time,Hash(Document))
TSA:Time Stamping Authority
Simple time-stamps - 2
Pro:
Easy to compute, compact Independent of other time-stamps Single-step protocol Time-stamps of different TSAs can be compared
Contra:
TSA has to be trusted completely, a malicious TSA can issue back-dated time-stamps. All time-stamps become useless when the TSA private key is compromised.
Simple time-stamps - 3
TSA
{StatusInfo} {Signature} TSTInfo version policy hashAlgorithm hashedMessage serialNumber genTime accuracy ordering nonce tsa
Simple time-stamps - 4
AuthentiDate US Postal Services Electronic Postmark OpenTSA Open source and free time stamping authority client and server application Several other small businesses/countries
Linked time-stamps
Basic idea: make the next time-stamp depend on the previously issued time-stamps, in a one-way fashion, using a hash function. Publish intermediate values in a widely-witnessed medium. First approach: linear linking scheme (Haber&Stornetta) s = sigTSA(n,tn,IDn,Hn,Ln) Ln = (tn-1,IDn-1,Hn-1,H(Ln-1))
Linked time-stamps - 2
Main concern: the number of steps needed to compare two stamps depends on the number of stamps between them. Partial solution: Aggregation - collect time-stamp requests and bundle them in a Merkle tree: L11=H(H5,H6) L14=H(L11,L12) L15=H(L13,L14)
Linked time-stamps - 3
aggregation collect hash values na hash values get the same time-stamp linking link to the previous link value(s), return a partial time-stamp (head) until the linking round is over (time/#requests) publishing publish the n-th round value, complete time-stamps from n-th round (tail) TSA cannot cheat anymore
note1: the gap between linking and publishing can be covered by classical crypto (signature) note2: the time-stamp doesn't necessarily contain a time value. We have relative temporal authentication
Linked time-stamps - 4
Limiting the time-stamp/verification chain size Idea: use simply connected authentication graphs:
Directed acyclic graphs with numbered vertices, topologically sorted: (v,w)E v<w if v1<v2, there exists a directed path from v1 to v2 Vertices are labelled with hash values: Lv=h(LE-1(v))
Linked time-stamps - 5
Linked time-stamps - 6
Add extra vertices to Merkle authentication tree Optimal in time-stamp size: d+3 hash values
Linked time-stamps - 7
Pro:
Security independent of the TSA's private key Back-dating impossible Verification: fast
Contra:
Hard to compare time-stamps of different TSAs Difficult protocol Re-time-stamping??
Linked time-stamping - 8
Surety: founded by Haber&Stornetta Services: AbsoluteProofTM: digital notary (inventions) and data integrity, based on a linear linking scheme; intermediate values in NYTimes. Cybernetica (Estonia): Time-stamping service, using aggregation and linking. Software open source. ISO/IEC 18014-3
Recent developments
(time-stamping is not dead)
Providing time-stamping services to mobile devices, D. Cotroneo, C. di Flora, A. Mazzeo, L. Romano, S. Russo, G. P.
Saggese, Words 2003.
Efficient relative time-stamping scheme based on the ternary link, Igarashi Y, Kuwakado H, Tanaka H, IEICE Trans on
Fundamentals of Electronics, Communications and Computer Sciences, 2003
OASIS: Digital Signature Services XML format for a time-stamp service (WIP)
References
How to Time-Stamp a Digital Document (Stuart Haber and W. Scott Stornetta, Journal of Cryptology, Vol. 3, No. 2, pp. 99-111 (1991)) Time-Stamping With Binary Linking Schemes (Ahto Buldas, Peeter Laud, Helger Lipmaa, Jan Villemson, Crypto '98) Optimally Efficient Accountable Time-Stamping (Ahto Buldas, Helger Lipmaa, Berry Schoenmakers, PKC '2000 Internet X.509 Public Key Infrastructure Time Stamp Protocols (TSP) (RFC 3161) http://www.ieft.org ISO/IEC 18014-1,2,3: Information technology - Security techniques - Time-stamping services -- Part 1,2&3 OpenTSA http://www.opentsa.org Cybernetica Time-stamp service. http://www.timestamp.cyber.ee Surety http://www.surety.com OASIS Digital Signature Services TC http://www.oasis-open.org
Q?
Time flies like an arrow. Fruit flies like a banana. Lisa Grossman