|Previous||Table of Contents||Next|
This protocol makes it very difficult for Alice and Trent to collude and produce a document stamped with a different time than the actual one. Trent cannot forward-date a document for Alice, since that would require knowing in advance what document request came before it. Even if he could fake that, he would have to know what document request came before that, and so on. He cannot back-date a document, because the timestamp must be embedded in the timestamps of the document issued immediately after, and that document has already been issued. The only possible way to break this scheme is to invent a fictitious chain of documents both before and after Alices document, long enough to exhaust the patience of anyone challenging the timestamp.
People die; timestamps get lost. Many things could happen between the timestamping and the challenge to make it impossible for Alice to get a copy of In - 1 s timestamp. This problem could be alleviated by embedding the previous 10 peoples timestamps into Alices, and then sending Alice the identities of the next 10 people. Alice has a greater chance of finding people who still have their timestamps.
Along a similar line, the following protocol does away with Trent altogether.
The cryptographically secure pseudo-random-number generator in step (1) prevents Alice from deliberately choosing corrupt Is as verifiers. Even if she makes trivial changes in her document in an attempt to construct a set of corrupt Is, her chances of getting away with this are negligible. The hash function randomizes the Is; Alice cannot force them.
This protocol works because the only way for Alice to fake a timestamp would be to convince all of the k people to cooperate. Since she chose them at random in step (1), the odds against this are very high. The more corrupt society is, the higher a number k should be.
Additionally, there should be some mechanism for dealing with people who cant promptly return the timestamp. Some subset of k is all that would be required for a valid timestamp. The details depend on the implementation.
Further improvements to timestamping protocols are presented in . The authors use binary trees to increase the number of timestamps that depend on a given timestamp, reducing even further the possibility that someone could create a chain of fictitious timestamps. They also recommend publishing a hash of the days timestamps in a public place, such as a newspaper. This serves a function similar to sending the hash to random people in the distributed protocol. In fact, a timestamp has appeared in every Sundays New York Times since 1992.
These timestamping protocols are patented [684, 685, 686]. A Bellcore spin-off company called Surety Technologies owns the patents and markets a Digital Notary System to support these protocols. In their first version, clients send certify requests to a central coordinating server. Following Merkles technique of using hash functions to build trees , the server builds a tree of hash values whose leaves are all the requests received during a given second, and sends back to each requester the list of hash values hanging off the path from its leaf to the root of the tree. The client software stores this locally, and can issue a Digital Notary certificate for any file that has been certified. The sequence of roots of these trees comprises the Universal Validation Record that will be available electronically at multiple repository sites (and also published on CD-ROM). The client software also includes a validate function, allowing the user to test whether a file has been certified in exactly its current form (by querying a repository for the appropriate tree root and comparing it against a hash value appropriately recomputed from the file and its certificate). For information contact Surety Technologies, 1 Main St., Chatham, NJ, 07928; (201) 701-0600; Fax: (201) 701-0601.
Alice and Bob have been arrested and are going to prison. Hes going to the mens prison and shes going to the womens prison. Walter, the warden, is willing to let Alice and Bob exchange messages, but he wont allow them to be encrypted. Walter expects them to coordinate an escape plan, so he wants to be able to read everything they say.
Walter also hopes to deceive either Alice or Bob. He wants one of them to accept a fraudulent message as a genuine message from the other. Alice and Bob go along with this risk of deception, otherwise they cannot communicate at all, and they have to coordinate their plans. To do this they have to deceive the warden and find a way of communicating secretly. They have to set up a subliminal channel, a covert communications channel between them in full view of Walter, even though the messages themselves contain no secret information. Through the exchange of perfectly innocuous signed messages they will pass secret information back and forth and fool Walter, even though Walter is watching all the communications.
An easy subliminal channel might be the number of words in a sentence. An odd number of words in a sentence might correspond to 1, while an even number of words might correspond to 0. So, while you read this seemingly innocent paragraph, I have sent my operatives in the field the message 101. The problem with this technique is that it is mere steganography (see Section 1.2); there is no key and security depends on the secrecy of the algorithm.
Gustavus Simmons invented the concept of a subliminal channel in a conventional digital signature algorithm [1458, 1473]. Since the subliminal messages are hidden in what looks like normal digital signatures, this is a form of obfuscation. Walter sees signed innocuous messages pass back and forth, but he completely misses the information being sent over the subliminal channel. In fact, the subliminal-channel signature algorithm is indistinguishable from a normal signature algorithm, at least to Walter. Walter not only cannot read the subliminal message, but he also has no idea that one is even present.
|Previous||Table of Contents||Next|