Authenticating Digital Evidence
Posted on July 25, 2018
While reading the paper on Sunday I noticed an interesting ad. A company called Surety, LLC had published two base64-encoded values. What is this? Is it the modern version of a coded “personals” ad from an Alan Furst novel, where it’s some spy’s job to read the ads every day and then to spring into action when the coded message finally appears? Is it some crank thing, like the ads for self-published physics books that appear in the book review?
I took a look at Surety’s website to find out. The basic idea is to apply what they call a “cryptographic timestamping service” to a digital file, which can later prove that the document hasn’t been tampered with. This may sound like a lot of applesauce, but it rests on a sound foundation. There are well-known cryptographic “hash functions,” which can quickly and easily map a series of values of any length (which is all that any digital data file is) into another series of values with a fixed, short length, called a “hash.” These hash functions have two wonderful properties. First, if you start with a digital file and produce a hash, it is very, very difficult to find another series of values that will result in the same hash. Second, it is very, very difficult to “reverse engineer” the original data file if you start with the hash. So if you have a data file and you have its hash, and the hash you calculate from the file matches, you can be pretty darn sure that the data file hasn’t been modified.
But of course there’s a little chicken-and-egg problem: how do you know that the hash is real? Suppose Surety published the hash of your file on its website. If I were a super-secret agent intent on fooling you, I might give you a false data file and then hack Surety’s website to show you a false hash. You would verify it and then conclude, wrongly, that you had the real file. This is why publishing the hash in a newspaper is smart. It’s much harder to alter a mass-printed document that everyone can find in the library than it is to hack a website. Of course, for this to matter, you have to be the kind of person who doesn’t simply rely on the website but takes the extra step to go to the library to check the printed hash …
Computer forensic firms do this kind of thing all the time when gathering evidence for use in litigation. When you take an “image” of a hard drive, you calculate its hash, so that when you later want to offer items found in the “image” in evidence, you can prove that they are identical to what was on the original hard drive.
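The check described in the last two paragraphs, as an added example that is not from Surety or from the original post: a file is hashed and compared against both a printed and a website copy of its base64-encoded hash. SHA-256 is an assumption (the post names no hash function), and the function names, file names and sample data are hypothetical and constructed.

```python
import base64
import hashlib
import hmac
import os
import tempfile


def file_digest(path, chunk=1 << 20):
    """SHA-256 of a file, read in 1 MiB chunks so a disk image never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.digest()


def verify_evidence(path, printed_b64, website_b64):
    """Check a file against the printed hash; distrust a website copy that differs."""
    printed = base64.b64decode(printed_b64, validate=True)
    website = base64.b64decode(website_b64, validate=True)
    if not hmac.compare_digest(printed, website):
        return "references-disagree"
    if not hmac.compare_digest(file_digest(path), printed):
        return "file-modified"
    return "match"


def demo():
    """Run the three outcomes on constructed sample data (not real evidence)."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "image.dd")
        forged = os.path.join(d, "forged.dd")
        with open(original, "wb") as f:
            f.write(b"constructed sample evidence\n" * 1000)
        with open(forged, "wb") as f:
            f.write(b"constructed sample evidence\n" * 999 + b"constructed sample evidencE\n")
        # Hash recorded at acquisition and published in print.
        printed = base64.b64encode(file_digest(original)).decode("ascii")
        # Value a tampered website would show so that the forged file verifies.
        hacked = base64.b64encode(file_digest(forged)).decode("ascii")
        return (
            verify_evidence(original, printed, printed),
            verify_evidence(forged, printed, printed),
            verify_evidence(forged, printed, hacked),
        )


if __name__ == "__main__":
    print(demo())
```

In the third case the forged file would have verified against the website value alone; only the comparison with the printed copy exposes the substitution.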
I have just two quibbles about Surety’s service. First, its ad uses the word “notarized.” That’s a bad word in any context, but it’s particularly out of place here, since calculating a hash function is not a notarial act. Notaries take acknowledgements, administer oaths, and in some states perform other tasks like certifying copies. “Notarize” isn’t, and shouldn’t be, a generic synonym for “authenticate.”
Second, I would want more details about the word “timestamp” as used in the ad. There are Internet standards that specify a method for a trusted third party to include information about the date and time in a hash. This could be important in legal contexts, e.g., in determining the date of an electronic signature. But these standards require trust in the third party, and it doesn’t seem that you can use a newspaper ad to show that the clock on the computer that created the hash was correct.
In another post, I might give some background into blockchain, a technology that can address the timestamping problem and also authenticate documents without having to put an ad in the paper. But I do like the old-fashioned, John le Carré aspect of Surety’s business.