Modernize Your PKI → Optimize Productivity → Reduce Risks    |Here’s how to replace Microsoft PKI with EJBCA

Time Stamping Authority

It is safe to say that everything has gone digital. In an age where people are farming virtual farms and tending to online fish tanks, why wouldn’t the need for a “virtual signature” become apparent? When it comes to replacing your “John Hancock” with a time stamp, the risk of a security compromise becomes heightened. Luckily, there are protective security measures that can easily minimize risk.

What is a time stamp?
A time stamp is the time at which an event is recorded by a computer, not the time of the event itself. Time stamps are used in log files or on filesystems where it is employed for the creation or modification of a file or directory.

Trusted Time Stamping
Trusted Time Stamping is a process that keeps track of the creation and modification of data. This data can be a document or a program. This process is done in a secure manner and recorded so that no one can change the data, including the owner, without being noticed. It guaranties the integrity to the data.

Why do we need this?
When signing a legal document, in almost all cases a notary is present to witness the signing event. The notary makes sure that he or she has validated the date and the signer’s identity. The notary also signs the document and provides a time stamp (date/time). A record (log) is kept by the notary of the event for audit purposes.

Companies that want to use or are using digital signatures (PKI) for signing data (i.e. PDF document) assume that there is full non-repudiation in place.

Unfortunately this assumption can prove costly and have negative legal consequences.

When you digitally sign, for instance a PDF document, in the signature field, you will see the person(s) who signed it as well as the date and time when the signature was added (signed) to the document. This date and time is the time stamp (2011.05.25 at 18:23.21) of the signed document.

When we verify this digital signature in Adobe Acrobat we notice something interesting.

(Time stamped with local computer clock)

“Signature date/time are from the clock on the Signer’s computer” This means that at the time the signature was created the time stamp came from the signer’s local computer. There is nothing wrong with that. But there is a major concern in a legal sense.

Fraud
It is 5pm and we would like to sign a document. Unfortunately our signing certificate has expired or revoked 10 mins ago. We can fix this by changing the computer clock to 4pm. Our certificate will be valid again and we are able to sign it.

To prevent this clock change we could disable the clock settings on the signer’s computer but this is not the ideal solution as it not address the issue of tampering with the date and time.

Solution
A better solution is making the use of a Time Stamping Authority (TSA), also known as Time Stamp Server (TSS). It uses the Time Stamp Protocol (TSP) (RFC 3161) or even better (ANSI ASC X9.95 Standard). The American National Standard X9.95-2005 Trusted Time Stamps was developed based on RFC 3161 and ISO/IEC 18014.

A TSS is a network-attached computer that keeps accurate time and creates time stamps. When digitally signing a PDF document and using a TSS everyone, including the signer, is prevented from tampering with the time stamp. Even if the computer’s clock is changed before the signing event, the time (stamp) is still provided by the TSS and has the accurate time and date.

(Time stamped signature)

Conclusion
By using a TSS, we are able to digitally sign data and provide full non-repudiation. In addition the authenticity of the document is protected and cannot be tampered with. Essentially it functions as a computerized notary.