Hash escrow

17 points by Boxer 15 years ago | 15 comments

spinron 15 years ago |

What's actually needed is a secure time stamping service. You can read about those at:

http://en.wikipedia.org/wiki/Trusted_timestamping

A personal favorite which I highly recommend is the following:

http://www.itconsult.co.uk/stamper.htm

Under normal circumstances, one would need an expert witness to authenticate the signature, but in several jurisdictions which enacted digital signature laws statues, that may not be necessary depending on the evidentiary status of e-signatures.

JulianTosh 15 years ago | |

ah ya beat me to it. double vote for bamf right here.

kijinbear 15 years ago |

These guys did exactly what's being proposed in the article.

http://www.win.tue.nl/hashclash/Nostradamus/

In November 2007, they posted the MD5 hash of a PDF file containing the name of the winner of the 2008 election. That of course doesn't prove that they knew who would win the election, because they prepared 12 different PDFs with 12 different names in it, all of which were crafted to generate the same MD5 hash. I don't think the hypothetical jury is going to like it.

Okay, let's try again with SHA256...

drv 15 years ago | |

The article mentions hashing the same data with multiple hashing algorithms; I would think this would be effective at preventing collisions (presumably different hashing algorithms are not vulnerable to the same collision attacks).

zxer 15 years ago |

Isn't this whole timestamping thing overcomplicated? Just set up a twitter account and post the hash codes. The code in itself is useless, so it does not have to be kept secret, and you will have a way to proof that you had the document generating it at that time.

bcl 15 years ago | |

This would work if you could search all of your tweets. I don't think that is currently possible, is it?

It also assumes that twitter is going to be around when you finally need the timestamped hashes, and that you can prove that twitter (or any other service for that matter) can't have back-dated hashes inserted.

Posting to a usenet group, like alt.test, where independent systems store and timestamp the message would be a better idea.

mthoms 15 years ago | | |

Why not just use multiple webmail services?

ErrantX 15 years ago |

In criminal cases I can see it often being necessary to within a day or two

Oh, if only. Digital evidence is seeing a lot more acceptance in recent years - but just recently there has been a sudden resistance to it, partly, I think, because of all the noise being made in the media about the ease of faking such things and the prevalence of viruses.

Oftentimes an audio recording tagged to within a couple of days will be fine.

But don't rely on that - it could easily be rejected out of hand by a judge who is not convinced.

Any sort of ambiguity in digital evidence and timestamps is being frowned on at the moment - at least here in the UK.

thereticent 15 years ago |

Is there anything wrong with the idea in the first blog comment? I would think sending the hashes to one or more webmail accounts in your own name would accomplish the feat of proof, and it would not require you to rely on other people to safeguard the data or give testimony.

JoachimSchipper 15 years ago | |

How do you prove the e-mail wasn't changed? At least gmail allows you to upload pretty much anything (which is useful when migrating mail), and may not be able/willing to turn over (old) logs.

DennisP 15 years ago | | |

If they were simply unwilling, a subpoena would fix that.

nodata 15 years ago |

http://www.registeredcommons.org/