{"id":1097,"date":"2013-02-18T14:13:15","date_gmt":"2013-02-18T12:13:15","guid":{"rendered":"http:\/\/saisa.eu\/blogs\/Guidance\/?p=1097"},"modified":"2013-02-19T14:25:48","modified_gmt":"2013-02-19T12:25:48","slug":"protecting-your-work-by-timestamping-your-file-fingerprints","status":"publish","type":"post","link":"https:\/\/saisa.eu\/blogs\/Guidance\/?p=1097","title":{"rendered":"Protecting your work by timestamping your file fingerprints"},"content":{"rendered":"

Are you sharing or producing photos, images, music, videos, programs, documents or anything else and you are concerned on how to proof that your work is yours<\/strong>?<\/p>\n

First of all, you need to be able to show that you really possessed the file or files at a certain time. The typical way of doing that is to create a fingerprint (mathematical hash<\/a> ) of your file, and get that fingerprint (hash) timestamped by a trusted third party.<\/p>\n

Fingerprint (hash) is unique and shows that only a file with certain contents (sequence of bits) can have produced this fingerprint value. And since you have no control over the third party’s time, nor over their signed<\/a> timestamp, then you have no ways to modify the timestamp after it has ben created for your file. Therefore you can show that you really had the certain file<\/strong> in your possession at certain time<\/strong>.<\/p>\n

It is possible to run your own timestamp server and provide signing service with timestamp to your organization, but that is another story. In this blog, the focus is photographers and musicians who wish to protect their own work.<\/p>\n

\n

Wikipedia:<\/p>\n

According to the RFC 3161<\/a> standard, Trusted timestamp<\/a> is a timestamp issued by a trusted third party (TTP) acting as a Time Stamping Authority (TSA). It is used to prove the existence of certain data before a certain point (e.g. contracts, research data, medical records,…) without the possibility that the owner can backdate the timestamps.<\/p>\n<\/blockquote>\n

Free service example 1, protecting single vulnerable file “sparky2012.png”<\/strong><\/p>\n

Case: The photo, file “sparky2012.png”, is shared online (see below).<\/p>\n

\n

\"sparky2012\"<\/p>\n<\/blockquote>\n

Step 1: Calculate hash<\/p>\n

The SHA-512 hash is calculated with FileVerifier++ tool (see earlier blog<\/a> ). The result is shown below.<\/p>\n

\n
\n; Created with FileVerifier++ v0.6.3.5830\n8af92ce071d76cb8ff8d3a6c4f1be537bc249261aafa215ee8dce1669e7f386d28efdcdf285263f11bc453c4049b9defc11f3045aacd0c59a87609a81a62ace2 *C:\\blog\\sparky2012.png\n<\/pre>\n<\/div>\n
Step 2: Ask for signed timestamp<\/p>\n
In this example, www.trustedtimestamping.com<\/a> is used as trusted third party. On their site, there is a form, where one can fill in 2 different hash values, a comment field, and a return address there to receive the signed timestamp (see below).<\/p>\n
\"trustedtimestamping\"<\/a><\/p>\n
In few minutes, the signed email is sent to your email box.<\/p>\n
Step 3: Archive the proofs<\/p>\n
Many online tools has limitations with signed emails. Therefore it is better to access those emails via a desktop client like Thunderbird<\/a>.<\/p>\n
Since the trustedtimestamping.com has certificate from COMODO, then one need to define COMODO as trusted Authority if one would like Thurderbird to show “sing verification ok” for the email. The COMODO certificate is available via web link<\/a>. One can save this into a file, and then import into Thurderbird.<\/p>\n
If wished, one can import the COMODO certificate via following menu choises: Tools -> Options -> Advanced -> Certificates -> View Certificates -> Authorities -> Import<\/p>\n
After this “the envelope seal” looks fine in the email reading mode, see below.<\/p>\n
\"singed-hash-verified\"<\/a><\/p>\n
By clicking on the envelope, then more details are visible. ie. email is signed by “Trusted timestamping” and certificate that they are using originates from COMODO. The details also show that “message has not been altered”.<\/p>\n
\"singed-hash-message-is-signed\"<\/p>\n
One can save the received signed email into a local file (*.eml).<\/p>\n
For the proof, one need to archive following files:<\/p>\n