Is there a way to digitally sign documents to prove they existed at a certain point in time

Question

I'm curious if there is way to digitally sign documents (technically any piece of data), such as contracts or photos, so that 10 years from now, it can be proven that they are from this time, not forged 9 years from now.

For example, I could write a prediction of the future and sign it with convential means to prove that I wrote it, then timestamp-sign it so that when it comes true, I can prove I predicted it.

One way I thought of is that there could be a timestamping authority. You send them the data, they make a hash of the data + timestamp and encrypt the hash with RSA using their private key. A signed document thus exists of: data, timestamp, encrypted hash.

10 years from now, I hash the data + supposed timestamp, and check if it matches with the encrypted hash that I decrypt using the authority's public RSA key (which I trust). If it does, I known the timestamp is valid.

I can see 2 problems with that though:

• An external authority is needed
• The authority's private key would need to be kept extremely secret, because if it's revealed, all documents signed with it turn invalid.

Can you think of a solution without (one of) these problems?

Answer 1

This is called timestamping. The most widely used mechanism is defined in TSP specification (RFC 3161) and some others. The alternative method is used in MS Authenticode, but it's not documented and is not compatible with TSP.

TSP is used as a supplementary function in several encryption and digital signature standards, such as PDF, XAdES, CAdES, PAdES (AdES stands for "Advanced encryption standard"). PDF, XAdES and PAdES standards are applied to certain type(s) of data. CAdES is univeral format (as it can be applied for any generic data).

RFC 5544 offers a way to apply TSP to any generic data without signing this data.

TSP specification makes heavy use of PKI and X.509 certificates.

Timestamping services are provided by certificate authorities as a supplementary service. There also exist independent timestamping services.

You can run your own timestamping service, however timestamping requires use of special certificate (its key usage extensions are to be set in a specific way), so regular SSL or code signing certificates won't work.

Talking about "timestamping authorities" - you send them a hash (calculated during signing) and they sign this hash using their certificate. It's their business to keep the private key protected, and they usually charge for it.

The idea about third-party authority is that it certifies time. If you sign the data, you can put any time to the signature, and there's no way to check if it's correct or you have forged it. Only trusted third-party authority can be a proof of correctness of the timestamp.