They discover SHA256 but misunderstand somewhat. There will be cases where different files yield the same hash, but if the algorithm works as it should it will be infeasible to generate one given the desired hash value in any sufficiently simple way.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of J.A. Terranson Sent: Wednesday, July 11, 2007 12:25 AM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] [Humor] [archivists] National Archives timestamp(fwd) The Great Unwashed Masses discover SHA-256! -- Yours, J.A. Terranson sysadmin_at_mfn.org 0xBD4A95BF "The real point is that you cannot harbor malice toward others and then cry foul when someone displays intolerance against you. Prejudice tolerated is intolerance encouraged. Rise up in righteousness when you witness the words and deeds of hate, but only if you are willing to rise up against them all, including your own. Otherwise suffer the slings and arrows of disrespect silently." Harvey Fierstein is an actor and playwright. ---------- Forwarded message ---------- Date: Tue, 10 Jul 2007 13:52:18 -0500 From: Brad Jensen <[EMAIL PROTECTED]> To: 'Bill Cribbs' <[EMAIL PROTECTED]>, [EMAIL PROTECTED] Subject: [archivists] National Archives timestamp For those who are not aware, there is a computational procedure you can do for any digital file, that creates a unique number, called a hash, that only matches that exact file. There is a Federal standard for one hashing algorithm, called SHA-1. That is a 160-biit number. More commonly used today is the SHA-256 hash, that generates a 256 bit number. Another term for this is 'digital thumbprint'. In the following discussion I am referring implicitly to the use of the SHA-256 hash. If you take a digital file 'A', and you change the order of two characters in the file, the hash becomes completely different. No two digital files will have the same thumbprint. You cannot predict what the thumbprint will be for a file. You cannot forge or modify a file to match an existing thumbprint. There are digital time stamping services on the internet that register these 'thumbprints' to prove a particular file existed at a particular date and time, and it has not changed. The US Postal Service offers a time stamping service for a small fee that they call an 'Electronic Postmark' but it only is kept for seven years. They also require the user to have a digital certificate to establish identity of the person time stamping the file. I propose something simpler. I propose that the National Archives create and offer a free time stamping service that does not require a digital certificate. The purpose of this is to store and retrieve unique file identifiers that will establish that a file existed at a certain date and time, and has not changed. Then files can be archived in multiple locations across a distributed network, and their identity and authenticity will remain unquestionable. This service would be a public good, similar to the digital time source offered by the Navy, for example. The National Archives will keep these timestamps in perpetuity. They would basically be entries in a database, with a 32-byte thumbprint, date and time. They would be a public record, so anyone can look up a thumbprint and now the date and time it was registered. Can others see the value of this idea? I can write the basic software for this. One part would be a database for the National Archives with a web XML interface for registering and retrieving the thumbprints. It would include a feature to thumbprint each day's database entries, to eliminate any possibility of human interference in the process. You don't have to trust anybody or even the institution, since the thumbprints are impossible to forge. The second thing would be a program, downloadable from a web page, to calculate and submit the thumbprint. I can write it in Windows, publish the source, and others could do the same for Linux, etc. What could it be used for? Scanned images, photographs, text documents, backup files, sound recordings, web pages, newspapers, anything that can be digitized. Since the only submission is the thumbprint and not the file, files can remain private yet still be authenticated later. And the processing load on the server is tiny. The other alternative to have someone like the National Archives do it, is to do it ourselves as a distributed database with replication across many sites and servers. I can do it myself, but this needs institutional support to last forever. That institution can be a formal body like the National Archives, or an ad hoc self-organizing one. Perhaps the latter makes sense in this global internet world. I think of this as the 'Forever Project' since it is the first thing designed to last forever. Brad Jensen President LaserVault LLC www.laservault.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ----------------------------------------- This transmission may contain information that is privileged, confidential, legally privileged, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by JPMorgan Chase & Co., its subsidiaries and affiliates, as applicable, for any loss or damage arising in any way from its use. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/