lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 10 Jul 2007 23:25:04 -0500 (CDT)
From: "J.A. Terranson" <measl@....org>
To: full-disclosure@...ts.grok.org.uk
Subject: [Humor] [archivists] National Archives timestamp
	(fwd)


The Great Unwashed Masses discover SHA-256!

-- 
Yours,
J.A. Terranson
sysadmin_at_mfn.org
0xBD4A95BF

"The real point is that you cannot harbor malice toward others and then
cry foul when someone displays intolerance against you. Prejudice
tolerated is intolerance encouraged. Rise up in righteousness when you
witness the words and deeds of hate, but only if you are willing to rise
up against them all, including your own. Otherwise suffer the slings and
arrows of disrespect silently."

Harvey Fierstein is an actor and playwright.

---------- Forwarded message ----------
Date: Tue, 10 Jul 2007 13:52:18 -0500
From: Brad Jensen <brad@...tore.com>
To: 'Bill Cribbs' <cribbswh@...oo.com>, archivists@...oogroups.com
Subject: [archivists] National Archives timestamp

For those who are not aware, there is a computational procedure
you can do for any digital file, that creates a unique number,
called a hash, that only matches that exact file.

There is a Federal standard for one hashing algorithm, called
SHA-1. That is a 160-biit number. More commonly used today is the
SHA-256 hash, that generates a 256 bit number. 

Another term for this is 'digital thumbprint'.

In the following discussion I am referring implicitly to the use
of the SHA-256 hash.

If you take a digital file 'A', and you change the order of two
characters in the file, the hash becomes completely different.

No two digital files will have the same thumbprint. You cannot
predict what the thumbprint will be for a file.  You cannot forge
or modify a file to match an existing thumbprint. 

There are digital time stamping services on the internet that
register these 'thumbprints' to prove a particular file existed
at a particular date and time, and it has not changed.

The US Postal Service offers a time stamping service for a small
fee that they call an 'Electronic Postmark' but it only is kept
for seven years. They also require the user to have a digital
certificate to establish identity of the person time stamping the
file. 

I propose something simpler. 

I propose that the National Archives create and offer a free time
stamping service that does not require a digital certificate. The
purpose of this is to store and retrieve unique file identifiers
that will establish that a file existed at a certain date and
time, and has not changed.

Then files can be archived in multiple locations across a
distributed network, and their identity and authenticity will
remain unquestionable.

This service would be a public good, similar to the digital time
source offered by the Navy, for example.

The National Archives will keep these timestamps in perpetuity.
They would basically be entries in a database, with a 32-byte
thumbprint, date and time. They would be a public record, so
anyone can look up a thumbprint and now the date and time it was
registered.

Can others see the value of this idea?

I can write the basic software for this. One part would be a
database for the National Archives with a web XML interface for
registering and retrieving the thumbprints. 

It would include a feature to thumbprint each day's database
entries, to eliminate any possibility of human interference in
the process.  You don't have to trust anybody or even the
institution, since the thumbprints are impossible to forge.

The second thing would be a program, downloadable from a web
page, to calculate and submit the thumbprint. I can write it in
Windows, publish the source, and others could do the same for
Linux, etc.

What could it be used for? Scanned images, photographs, text
documents, backup files, sound recordings, web pages, newspapers,
anything that can be digitized.

Since the only submission is the thumbprint and not the file,
files can remain private yet still be authenticated later. 

And the processing load on the server is tiny. 

The other alternative to have someone like the National Archives
do it, is to do it ourselves as a distributed database with
replication across many sites and servers.

I can do it myself, but this needs institutional support to last
forever.

That institution can be a formal body like the National Archives,
or an ad hoc self-organizing one. Perhaps the latter makes sense
in this global internet world.

I think of this as the 'Forever Project' since it is the first
thing designed to last forever. 

Brad Jensen
President
LaserVault LLC
www.laservault.com













_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ