-
Notifications
You must be signed in to change notification settings - Fork 0
Home
SK’s qualified Time-Stamping Service certifies the existence of specific data at a certain point of time. It is, therefore, widely used in digital signing or archiving documents.
Time-Stamping Service uses PKI and trusted time sources to provide secure and reliable information that is compatible with international standards (RFC 3161). Our PKI-based Time-Stamping Service is protected using digital signature, meaning that no one is able to change the data once it is recorded and confirmed with SK's time stamp.
For overall service information, please refer to SK website
- Create a file to be timestamped like this (or use an existing one) as document to be timestamped
touch file.txt
- Issue a command (or more like a series of piped commands) that generates timestamping request on the hash of the input file (or any other, adjust the file name as needed); the response will be written into response.tsr file.
openssl ts -query -data file.txt -cert -sha256| tee request.tsq | curl -s -S -H 'Content-Type: application/timestamp-query' --data-binary @- http://tsa.demo.sk.ee/tsa -o response.tsr
- Parse the received timestamp server response and display it
openssl ts -reply -in response.tsr -text
The output will look like this:
openssl ts -reply -in response.tsr -text
Status info:
Status: Granted.
Status description: Operation Okay
Failure info: unspecified
TST info:
Version: 1
Policy OID: 0.4.0.2023.1.1
Hash Algorithm: sha256
Message data:
0000 - 9c b3 3d ba ec 9d 74 a2-b0 0d d7 5a 33 02 dc c9 ..=...t....Z3...
0010 - eb 52 89 4e 99 df d7 89-2c 45 88 a9 fc 6f b6 41 .R.N....,E...o.A
Serial number: 0x446C992776632C88
Time stamp: Feb 16 11:08:37 2024 GMT
Accuracy: 0x01 seconds, unspecified millis, unspecified micros
Ordering: no
Nonce: 0xF2E3F6842E9A72A5
TSA: DirName:/CN=DEMO SK TIMESTAMPING AUTHORITY 2023E/2.5.4.97=NTREE-10747013/O=SK ID Solutions AS/C=EE
Extensions:
It is critical to identify date and time for events as they happen. It reduces the relevancy of the information when the exact time for an event under observation when the correct time information of its happening can't be identified. In other words, correct time and date is an important property of an event. Adding the correct time on electronic documents is called timestamping. Timestamping follows the standard RFC3161 (with updates standardised in RFC5816).
The key questions of acquiring a timestamp are as follows:
- What is the source of time and how trustworthy is it?
- Will the acquired timestamp be forgeable in the future?
SK Timestamping service uses dedicated hardware for clocks to ensure that time used is correct. Different means to ensure that the accurate time sources are available are being used, including but not limited to GPS and PZF. The time between the timestamping server's time and the accurate time source are checked and monitored regularly. There are mechanisms that kick in when the time drift situation happens.
Nowadays, jotting down the time on a paper document is replaced by adding time to your electronic document. In terms of forging, altering an electronic document is easier than changing a paper document. Therefore it is important that any timestamp created is not forgeable, ie it cannot be changed in the future. To achieve this, digital signatures are used to ensure that any content and timestamp changes are easy to detect. The digital signature of the timestamp identifies the creator of the timestamp.
Timestamp server is usually a software application, although it can also be implemented as a dedicated hardware appliance (which still runs a software app that responds to the requests). Timestamp service works as a typical client-server type of setup. Clients of the service are usually business applications or special-purpose apps which are signing documents or transactions. The former can be PDF, Word documents, the latter are usually JSON, XML or similar type of data that describe transactions in machine-readable format. The timestamp server responds to timestamp requests from client applications and the flow of the communications is like this:
- The Client processes the document that needs a timestamp. The hash (e.g. SHA-256) of the document is calculated and a request in the format described in RFC3161 standard is formed and sent to the Server. The request contains:
- Timestamp version
- The hash of the content to be timestamped
- Optional data that may be timestamp policy, nonce, extension information.
- The Server receives the incoming request and verifies it first. When verification and input checks pass, the Server generates a response compliant to the RFC3161 standard, containing:
- Status identifier to communicate the success or failure of the operation
- The input hash
- The time of the creation of the response
- Timestamp signer's name
- Timestamp name
- Extensions (if applicable)
- Digital signature of the response
RFS 3161 Timestamping request and response in ASN.1 format
Request
TimeStampReq ::= SEQUENCE {
version INTEGER { v1(1) },
messageImprint MessageImprint,
reqPolicy TSAPolicyId OPTIONAL,
nonce INTEGER OPTIONAL,
certReq BOOLEAN DEFAULT FALSE,
extensions [0] IMPLICIT Extensions OPTIONAL }
MessageImprint ::= SEQUENCE {
hashAlgorithm AlgorithmIdentifier,
hashedMessage OCTET STRING }
TSAPolicyId ::= OBJECT IDENTIFIER
Response
TimeStampResp ::= SEQUENCE {
status PKIStatusInfo,
timeStampToken TimeStampToken OPTIONAL }
PKIStatusInfo ::= SEQUENCE {
status PKIStatus,
statusString PKIFreeText OPTIONAL,
failInfo PKIFailureInfo OPTIONAL }
PKIStatus ::= INTEGER {
granted (0),
grantedWithMods (1),
rejection (2),
waiting (3),
revocationWarning (4),
revocationNotification (5) }
PKIFailureInfo ::= BIT STRING {
badAlg (0),
badRequest (2),
badDataFormat (5),
timeNotAvailable (14),
unacceptedPolicy (15),
unacceptedExtension (16),
addInfoNotAvailable (17),
systemFailure (25) }
TimeStampToken ::= ContentInfo
-- contentType is id-signedData ([CMS])
-- content is SignedData ([CMS])
TSTInfo ::= SEQUENCE {
version INTEGER { v1(1) },
policy TSAPolicyId,
messageImprint MessageImprint,
serialNumber INTEGER,
genTime GeneralizedTime,
accuracy Accuracy OPTIONAL,
ordering BOOLEAN DEFAULT FALSE,
nonce INTEGER OPTIONAL,
tsa [0] GeneralName OPTIONAL,
extensions [1] IMPLICIT Extensions OPTIONAL }