 

How can I prove to an outside party that a data file hasn't been tampered with?


We have a C#-based web service that receives documents from political organizations which are legally binding documents.

Currently, we provide a receipt to the filer which contains a checksum of the file received, so we can prove to the filer at a later point in time that the file stored in our system matches their original submission. The receipt is sent as an e-mail to the filer.

However, we can't prove to a third-party auditor that the file and checksum stored in our system have never changed (i.e. a malicious DBA could change the checksum value to match the content of some bogus replacement document).

I'm currently thinking in terms of a write-only "log file" hosted out in the cloud somewhere (presumably with a provider that the third-party auditor would find reasonably trustworthy, like AWS) that we can record each filing id and checksum as they happen. Ideally this remote log file would behave like an old-school accounting journal -- you only write in pen, so you can never erase a previous entry!

Another option might be to send those e-mail receipts to a third-party e-mail archive provider? (the volume of our message history is so small, this may not be worth the conversation with an archive provider)

Does anyone have a suggestion?

David Montgomery asked Jun 18 '14 00:06


2 Answers

The safest solution for both parties would be to have your clients sign their submissions with a valid cryptographic certificate, so that they can verify beyond any reasonable doubt that the submissions haven't been tampered with.

There are also ways to procedurally sign and verify those in C#; this could give you an idea about it: http://blogs.msdn.com/b/alejacma/archive/2008/06/25/how-to-sign-and-verify-the-signature-with-net-and-a-certificate-c.aspx?PageIndex=1

Saverio Terracciano answered Sep 21 '22 15:09
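The sign-and-verify flow this answer describes, as an added example (not code from the answer or the linked post): the filer signs the submitted bytes, and the service or an auditor later checks the stored bytes against the stored signature using only the filer's public certificate. The self-signed certificate, class and method names, and document text are constructed for the demo; it assumes .NET Core 2.0+ or .NET Framework 4.7.2+ for `CertificateRequest`.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class FilingSignatureDemo
{
    // Filer side: sign the exact bytes being submitted with the certificate's private key.
    static byte[] SignFiling(byte[] document, X509Certificate2 filerCert)
    {
        using (RSA key = filerCert.GetRSAPrivateKey())
            return key.SignData(document, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // Service or auditor side: needs only the stored bytes, the stored signature
    // and the filer's public certificate (no private key).
    static bool VerifyFiling(byte[] storedDocument, byte[] signature, X509Certificate2 filerPublicCert)
    {
        using (RSA key = filerPublicCert.GetRSAPublicKey())
            return key.VerifyData(storedDocument, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    static void Main()
    {
        // Constructed stand-in for a CA-issued filer certificate (self-signed, demo only).
        using (RSA rsa = RSA.Create(2048))
        {
            var request = new CertificateRequest("CN=Constructed Filer", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 filerCert = request.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddYears(1)))
            {
                byte[] filing = Encoding.UTF8.GetBytes("Constructed filing: Q2 contribution report");
                byte[] signature = SignFiling(filing, filerCert);

                // The service stores: document bytes, signature, public certificate.
                Console.WriteLine("Original verifies: " + VerifyFiling(filing, signature, filerCert));

                // A replaced document fails against the stored signature; without the
                // filer's private key nobody can produce a new valid signature for it.
                byte[] replaced = Encoding.UTF8.GetBytes("Constructed filing: bogus replacement");
                Console.WriteLine("Replacement verifies: " + VerifyFiling(replaced, signature, filerCert));
            }
        }
    }
}
```

The demo skips certificate validation; a real verifier would also build and check the certificate chain (for example with `X509Chain`) before trusting the public key.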


The good news is that this problem (and many like it) can be solved with public key cryptography. The bad news is that designing the protocol is a job for experts. The last time I had one of these I asked a guy called Bruce Schneier to help, but there are plenty of other experts around.

Essentially what you do is something like this. First you prepare a cryptographic digest of the document. This is a kind of checksum, but guaranteed to be unique and unbreakable. No-one can create another document with the same digest.

Then you and the filer each encrypt this digest with your own public key and exchange the encrypted keys (and of course keep the original digest on file). If there is a challenge you produce the filer's encrypted digest and require him to decrypt it using his private key. If it decrypts correctly and matches the digest you have on file then it is correct and cannot be repudiated. He can do the same to you.

A certificate is just a special kind of public key for which various tools exist. You can use a certificate, or just the keys and a set of tools like PGP.

This is a very simplistic version. There are far more sophisticated systems around, but I think it will cost you some money to get one working.

david.pfx answered Sep 19 '22 15:09