Home
SK's qualified Time-Stamping Service certifies the existence of specific data at a certain point in time. It is therefore widely used in digital signing and in archiving documents.
Time-Stamping Service uses PKI and trusted time sources to provide secure and reliable information that is compatible with international standards (RFC 3161). Our PKI-based Time-Stamping Service is protected using a digital signature, meaning that no one is able to change the data once it is recorded and confirmed with SK's time stamp.
For overall service information, refer to the SK website.
It is critical to identify the date and time of events as they happen. Information about an event under observation loses relevance when the correct time of its happening can't be identified. In other words, the correct time and date is an important property of an event. Adding the correct time to electronic documents is called timestamping. Timestamping follows the RFC 3161 standard (with updates standardised in RFC 5816).
The key questions of acquiring a timestamp are as follows:
- What is the source of time and how trustworthy is it?
- Will the acquired timestamp be forgeable in the future?
SK Timestamping service uses dedicated clock hardware to ensure that the time used is correct. Different means are used to ensure that accurate time sources are available, including but not limited to GPS and PZF. The difference between the timestamping server's time and the accurate time source is checked and monitored regularly. There are mechanisms that kick in when time drift occurs.
Nowadays, jotting down the time on a paper document is replaced by adding the time to an electronic document. In terms of forging, altering an electronic document is easier than changing a paper document. Therefore it is important that any timestamp created is not forgeable, i.e. it cannot be changed in the future. To achieve this, digital signatures are used to ensure that any changes to the content or the timestamp are easy to detect. The digital signature of the timestamp identifies the creator of the timestamp.
A timestamp server is usually a software application, although it can also be implemented as a dedicated hardware appliance (which still runs a software app that responds to the requests). The timestamp service works as a typical client-server setup. Clients of the service are usually business applications or special-purpose apps which sign documents or transactions. Documents can be PDF or Word files; transactions are usually JSON, XML or similar data that describes them in a machine-readable format. The timestamp server responds to timestamp requests from client applications, and the communication flows like this:
- The Client processes the document that needs a timestamp. The hash (e.g. SHA-256) of the document is calculated, and a request in the format described in the RFC 3161 standard is formed and sent to the Server. The request contains:
  - Timestamp version
  - The hash of the content to be timestamped
  - Optional data, which may be a timestamp policy, a nonce, or extension information
- The Server receives the incoming request and verifies it first. When verification and input checks pass, the Server generates a response compliant with the RFC 3161 standard, containing:
  - Status identifier to communicate the success or failure of the operation
  - The input hash
  - The time of the creation of the response
  - Timestamp signer's name
  - Timestamp name
  - Extensions (if applicable)
  - Digital signature of the response
RFC 3161 Timestamping request and response in ASN.1 format
Request
```
TimeStampReq ::= SEQUENCE {
    version         INTEGER { v1(1) },
    messageImprint  MessageImprint,
    reqPolicy       TSAPolicyId OPTIONAL,
    nonce           INTEGER OPTIONAL,
    certReq         BOOLEAN DEFAULT FALSE,
    extensions      [0] IMPLICIT Extensions OPTIONAL }

MessageImprint ::= SEQUENCE {
    hashAlgorithm   AlgorithmIdentifier,
    hashedMessage   OCTET STRING }

TSAPolicyId ::= OBJECT IDENTIFIER
```
Response
```
TimeStampResp ::= SEQUENCE {
    status          PKIStatusInfo,
    timeStampToken  TimeStampToken OPTIONAL }

PKIStatusInfo ::= SEQUENCE {
    status          PKIStatus,
    statusString    PKIFreeText OPTIONAL,
    failInfo        PKIFailureInfo OPTIONAL }

PKIStatus ::= INTEGER {
    granted                (0),
    grantedWithMods        (1),
    rejection              (2),
    waiting                (3),
    revocationWarning      (4),
    revocationNotification (5) }

PKIFailureInfo ::= BIT STRING {
    badAlg              (0),
    badRequest          (2),
    badDataFormat       (5),
    timeNotAvailable    (14),
    unacceptedPolicy    (15),
    unacceptedExtension (16),
    addInfoNotAvailable (17),
    systemFailure       (25) }

TimeStampToken ::= ContentInfo
    -- contentType is id-signedData ([CMS])
    -- content is SignedData ([CMS])

TSTInfo ::= SEQUENCE {
    version         INTEGER { v1(1) },
    policy          TSAPolicyId,
    messageImprint  MessageImprint,
    serialNumber    INTEGER,
    genTime         GeneralizedTime,
    accuracy        Accuracy OPTIONAL,
    ordering        BOOLEAN DEFAULT FALSE,
    nonce           INTEGER OPTIONAL,
    tsa             [0] GeneralName OPTIONAL,
    extensions      [1] IMPLICIT Extensions OPTIONAL }
```
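
As an added example (not SK's code and not part of the original page), the Python below DER-encodes the `TimeStampReq` structure above for a SHA-256 hash and decodes it again, reading the fields a server inspects before it responds. The function names, the nonce value and the sample document are assumptions made for illustration.

```python
import hashlib

SHA256_OID = bytes.fromhex("0609608648016503040201")  # DER OID 2.16.840.1.101.3.4.2.1

def tlv(tag, content):
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def der_int(v):  # non-negative INTEGER; the extra leading byte keeps the sign bit clear
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def build_request(document, nonce, cert_req=True):
    """TimeStampReq with version, messageImprint, nonce and certReq only."""
    alg = tlv(0x30, SHA256_OID + b"\x05\x00")  # AlgorithmIdentifier, NULL parameters
    imprint = tlv(0x30, alg + tlv(0x04, hashlib.sha256(document).digest()))
    flag = b"\x01\x01\xff" if cert_req else b""  # DER omits a DEFAULT FALSE value
    return tlv(0x30, der_int(1) + imprint + der_int(nonce) + flag)

def read_tlv(buf, off=0):
    """Return (tag, content, next_offset) for the element at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[off:off + length], off + length

def parse_request(der):
    """Decode the fields a server checks before it issues a token."""
    _, body, _ = read_tlv(der)
    _, version, off = read_tlv(body)
    _, imprint, off = read_tlv(body, off)
    _, alg, ioff = read_tlv(imprint)
    _, digest, _ = read_tlv(imprint, ioff)
    out = {"version": int.from_bytes(version, "big"), "sha256": alg.startswith(SHA256_OID),
           "hashed_message": digest, "nonce": None, "cert_req": False}
    while off < len(body):  # optional fields; reqPolicy and extensions are skipped
        tag, val, off = read_tlv(body, off)
        if tag == 0x02:
            out["nonce"] = int.from_bytes(val, "big")
        elif tag == 0x01:
            out["cert_req"] = val != b"\x00"
    return out

if __name__ == "__main__":  # constructed sample: only the hash leaves the client
    print(parse_request(build_request(b"constructed sample document", 0x0102030405060708)))
```

The request carries only the 32-byte hash, so the document itself never reaches the server; the client keeps the nonce to compare against the `nonce` in the returned `TSTInfo`.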