This invention relates to devices (1) to provide authenticated time to a computer or other user; and (2) to assure that a specified digital document did in fact originate with a particular person and was stamped at a particular time and in a particular order by a particular authentication device.
In recent years there have been many articles in the trade and popular press describing incidents in which computer records have been erased or altered illegally.
Computer records are particularly liable to such alteration; they can be less secure in this respect than are paper records because an altered paper record may reveal erasures. Even if a paper record is created from scratch, the age of the paper or ink on a single sheet of paper, or progression in a bound notebook, may reveal the forgery. Such aging does not occur for computer records. And, of course, handwriting or other forensic analysis may reveal that a paper document was signed by other than the nominal author.
Even permanent records on such WORM devices as optical disks may be read and re-written, possibly with falsified dates, on a fresh disk after making desired alterations.
This, and many other falsification techniques available, for example, to a superuser or other "owner" of a computer system would be made more difficult if all computers were required by hardware to access an authenticated source of time in order to set the system clock.
From a positive point of view, it would be desirable if computer records could take the place of paper records for legal purposes, thus minimizing the large volume of stored paper.
As another use, a person keeping a diary would like to be sure that the record, once committed to the permanent computer recording device, cannot be undetectably altered even by himself.
In these cases it may be important that archived records be traceable to the person who actually created them, that the records be unaltered, unalterably time-stamped and sequenced, that it be clear which physical device actually performed the time stamping and authentication, and that access to the records be controlled by passwords and other means.
It would also be desirable if paper copies of the original digital records could be certified as authentic; i.e. that it could be verified that each copy was archived by a particular person on a particular machine at the indicated time. It would also be desirable that it could be shown that no documents are missing from a nominally complete file of the paper records.
A publication presented at a conference, "Advances in Cryptology--Crypto '90," Springer-Verlag, LNCS by Stuart Haber and W. Scott Stornetta entitled "How to Time-Stamp a Digital Document" discloses two techniques for time-stamping documents.
In their first technique, Haber and Stornetta employ a central Time Stamping Service (TSS) to achieve the time stamping by computing a digital encrypted authentication code from a fixed-length encrypted code derived from the document and commonly called a "hash", plus the user's ID, plus the time, plus a sequence number assigned by the TSS, plus information linking this request to the previous user (the time, ID, and hash of the previous user). Haber and Stornetta discuss cryptographically secure one-way hash functions and provide a reference to a practical source of such functions. The TSS also eventually provides the user with the IDs of one or more subsequent users. The time information is thus constrained to be approximately authenticated by the fact that the user, or some other verifier, could later consult the previous and subsequent users of the TSS to verify that the document in question was authenticated between the times recorded by the previous and subsequent users.
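The linked certificate just described, worked through as an added example that is not part of the patent text or of Haber and Stornetta's paper: a toy TSS issues certificates over (sequence number, time, user ID, document hash) plus a backward link to the previous request's (time, ID, hash), and a verifier checks the chain. The TSS key, the MAC used in place of the paper's digital signature, and the sample documents and times are all constructed for the demonstration. The point the example makes is the one the text relies on: because each certificate embeds its predecessor's time, even a forger holding the TSS key cannot backdate one certificate without also re-issuing every later certificate, copies of which other users hold.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key standing in for the TSS signing key (assumption: a
# keyed MAC is used here where the paper uses a digital signature).
TSS_KEY = b"constructed-demo-key-not-for-real-use"


def doc_hash(document: bytes) -> str:
    """Fixed-length one-way hash of the document (SHA-256 here)."""
    return hashlib.sha256(document).hexdigest()


def _canonical(payload: dict) -> bytes:
    # Canonical encoding so the verifier reproduces the exact signed bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def make_certificate(key: bytes, seq: int, t: int, user_id: str, h: str, prev):
    """Certificate = MAC over seq, time, ID, hash and the link to the previous
    request (its time, ID and hash), exactly the fields the text lists."""
    payload = {"seq": seq, "time": t, "id": user_id, "hash": h, "prev": prev}
    tag = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class TimeStampService:
    """Minimal central TSS: assigns sequence numbers and links each request
    to the one before it."""

    def __init__(self, key: bytes = TSS_KEY):
        self.key = key
        self.seq = 0
        self.prev = None  # (time, id, hash) of the previous request

    def stamp(self, user_id: str, h: str, t: int) -> dict:
        self.seq += 1
        cert = make_certificate(self.key, self.seq, t, user_id, h, self.prev)
        self.prev = {"time": t, "id": user_id, "hash": h}
        return cert


def verify_chain(certs: list, key: bytes):
    """Check every tag, the sequence numbering, each backward link and that
    time never runs backwards. Returns (ok, reason)."""
    prev = None
    for i, cert in enumerate(certs):
        p = cert["payload"]
        tag = hmac.new(key, _canonical(p), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, cert["tag"]):
            return False, f"bad tag at seq {p['seq']}"
        if p["seq"] != i + 1:
            return False, f"sequence gap at index {i}"
        if p["prev"] != prev:
            return False, f"broken link at seq {p['seq']}"
        if prev is not None and p["time"] < prev["time"]:
            return False, f"time runs backwards at seq {p['seq']}"
        prev = {"time": p["time"], "id": p["id"], "hash": p["hash"]}
    return True, "ok"


def verify_document(document: bytes, cert: dict) -> bool:
    """Does this certificate actually cover this document's contents?"""
    return hmac.compare_digest(doc_hash(document), cert["payload"]["hash"])


def demo() -> dict:
    """Build a three-entry chain (constructed data) and exercise the checks."""
    tss = TimeStampService()
    docs = [b"alice: lab notebook page 1", b"bob: contract draft", b"carol: diary"]
    certs = [tss.stamp(uid, doc_hash(d), t)
             for uid, d, t in zip(["alice", "bob", "carol"], docs, [100, 200, 300])]

    results = {"valid": verify_chain(certs, TSS_KEY)}
    results["doc_matches"] = verify_document(docs[1], certs[1])
    results["altered_doc"] = verify_document(b"bob: contract draft (edited)", certs[1])

    # Insider without the key edits a stored certificate: the tag no longer fits.
    edited = copy.deepcopy(certs)
    edited[1]["payload"]["hash"] = doc_hash(b"bob: contract draft (edited)")
    results["edited_payload"] = verify_chain(edited, TSS_KEY)

    # Insider WITH the key backdates bob's certificate to time 150: it re-signs
    # fine, but carol's certificate still links to bob's original time 200.
    backdated = copy.deepcopy(certs)
    backdated[1] = make_certificate(TSS_KEY, 2, 150, "bob",
                                    certs[1]["payload"]["hash"],
                                    certs[1]["payload"]["prev"])
    results["backdated"] = verify_chain(backdated, TSS_KEY)

    # Deleting a record leaves a gap in the sequence numbers.
    results["deleted"] = verify_chain([certs[0], certs[2]], TSS_KEY)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The backdating case is the one that matters for the collusion argument later on the page: the forger needs every later certificate holder to accept a re-issued chain, which a single institution controlling all of the users could arrange, whereas independent users would refuse.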
The second technique of Haber and Stornetta does not employ any TSS; the user simply sends the hash out to a carefully chosen, randomly selected set of authenticators; they append the time from their own clocks and return a set of encrypted authentication codes.
Both of Haber and Stornetta's approaches are vulnerable to collusion on the part of a set of users, especially where the network of users is all in a single institution under a single system manager, e.g. a single large manufacturer, government agency, or insurance firm.
Also, since they require timely access to a communication system and to one or more cooperating and reliable computer systems, the approaches of Haber and Stornetta are unsuitable for an isolated system such as the typical personal computer or portable "diary", or for "secure" users who would prefer to have no contact with outside users.