As more and more services migrate to the Internet, the security of network-accessible applications has become increasingly important. Many security mechanisms applicable to such applications rely on tamper-proof sources of time. For example, timestamps may be used for operations such as creating and verifying tokens, correlating audit trail records, or preventing replay attacks. In some distributed computing environments, audit log records across different servers of a distributed application may be correlated using the records' timestamps in order to help debug hard-to-resolve, often timing-dependent problems. An attacker that can skew the audit log timestamps may make such debugging much harder. Time-sensitive financial documents such as tax returns or stock trading records may also use trusted timestamps as evidence of the timing of financial transactions or events. Timestamps may also be included in digital signatures to prove the validity of documents that may not necessarily be timing-sensitive but nevertheless need to be secured against possible attacks.
Some traditional solutions for tamper-proof time sources involve the use of high-end hardware security appliances. Such appliances are often designed primarily for governmental agencies concerned with very high levels of security, such as defense-related or intelligence-related agencies, and may be extremely expensive. Customers of such appliances may often have to buy not just one, but multiple expensive appliances, e.g., to comply with requirements for continuity of operations and/or disaster recovery. In addition, even if a customer is willing to pay the price of acquiring multiple appliances, the customer may still have to solve the problem of securing the communications of the timestamps generated by the appliances with the servers or devices at which the timestamps are used.
While embodiments are described herein by way of example for several embodiments and illustrative drawings, those skilled in the art will recognize that embodiments are not limited to the embodiments or drawings described. It should be understood, that the drawings and detailed description thereto are not intended to limit embodiments to the particular form disclosed, but on the contrary, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope as defined by the appended claims. The headings used herein are for organizational purposes only and are not meant to be used to limit the scope of the description or the claims. As used throughout this application, the word “may” is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must). Similarly, the words “include,” “including,” and “includes” mean including, but not limited to.