[Full-disclosure] [Humor] [archivists] National Archives timestamp (fwd)
The Great Unwashed Masses discover SHA-256! -- Yours, J.A. Terranson sysadmin_at_mfn.org 0xBD4A95BF The real point is that you cannot harbor malice toward others and then cry foul when someone displays intolerance against you. Prejudice tolerated is intolerance encouraged. Rise up in righteousness when you witness the words and deeds of hate, but only if you are willing to rise up against them all, including your own. Otherwise suffer the slings and arrows of disrespect silently. Harvey Fierstein is an actor and playwright. -- Forwarded message -- Date: Tue, 10 Jul 2007 13:52:18 -0500 From: Brad Jensen [EMAIL PROTECTED] To: 'Bill Cribbs' [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: [archivists] National Archives timestamp For those who are not aware, there is a computational procedure you can do for any digital file, that creates a unique number, called a hash, that only matches that exact file. There is a Federal standard for one hashing algorithm, called SHA-1. That is a 160-biit number. More commonly used today is the SHA-256 hash, that generates a 256 bit number. Another term for this is 'digital thumbprint'. In the following discussion I am referring implicitly to the use of the SHA-256 hash. If you take a digital file 'A', and you change the order of two characters in the file, the hash becomes completely different. No two digital files will have the same thumbprint. You cannot predict what the thumbprint will be for a file. You cannot forge or modify a file to match an existing thumbprint. There are digital time stamping services on the internet that register these 'thumbprints' to prove a particular file existed at a particular date and time, and it has not changed. The US Postal Service offers a time stamping service for a small fee that they call an 'Electronic Postmark' but it only is kept for seven years. They also require the user to have a digital certificate to establish identity of the person time stamping the file. I propose something simpler. I propose that the National Archives create and offer a free time stamping service that does not require a digital certificate. The purpose of this is to store and retrieve unique file identifiers that will establish that a file existed at a certain date and time, and has not changed. Then files can be archived in multiple locations across a distributed network, and their identity and authenticity will remain unquestionable. This service would be a public good, similar to the digital time source offered by the Navy, for example. The National Archives will keep these timestamps in perpetuity. They would basically be entries in a database, with a 32-byte thumbprint, date and time. They would be a public record, so anyone can look up a thumbprint and now the date and time it was registered. Can others see the value of this idea? I can write the basic software for this. One part would be a database for the National Archives with a web XML interface for registering and retrieving the thumbprints. It would include a feature to thumbprint each day's database entries, to eliminate any possibility of human interference in the process. You don't have to trust anybody or even the institution, since the thumbprints are impossible to forge. The second thing would be a program, downloadable from a web page, to calculate and submit the thumbprint. I can write it in Windows, publish the source, and others could do the same for Linux, etc. What could it be used for? Scanned images, photographs, text documents, backup files, sound recordings, web pages, newspapers, anything that can be digitized. Since the only submission is the thumbprint and not the file, files can remain private yet still be authenticated later. And the processing load on the server is tiny. The other alternative to have someone like the National Archives do it, is to do it ourselves as a distributed database with replication across many sites and servers. I can do it myself, but this needs institutional support to last forever. That institution can be a formal body like the National Archives, or an ad hoc self-organizing one. Perhaps the latter makes sense in this global internet world. I think of this as the 'Forever Project' since it is the first thing designed to last forever. Brad Jensen President LaserVault LLC www.laservault.com ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [Humor] [archivists] National Archives timestamp(fwd)
They discover SHA256 but misunderstand somewhat. There will be cases where different files yield the same hash, but if the algorithm works as it should it will be infeasible to generate one given the desired hash value in any sufficiently simple way. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of J.A. Terranson Sent: Wednesday, July 11, 2007 12:25 AM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] [Humor] [archivists] National Archives timestamp(fwd) The Great Unwashed Masses discover SHA-256! -- Yours, J.A. Terranson sysadmin_at_mfn.org 0xBD4A95BF The real point is that you cannot harbor malice toward others and then cry foul when someone displays intolerance against you. Prejudice tolerated is intolerance encouraged. Rise up in righteousness when you witness the words and deeds of hate, but only if you are willing to rise up against them all, including your own. Otherwise suffer the slings and arrows of disrespect silently. Harvey Fierstein is an actor and playwright. -- Forwarded message -- Date: Tue, 10 Jul 2007 13:52:18 -0500 From: Brad Jensen [EMAIL PROTECTED] To: 'Bill Cribbs' [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: [archivists] National Archives timestamp For those who are not aware, there is a computational procedure you can do for any digital file, that creates a unique number, called a hash, that only matches that exact file. There is a Federal standard for one hashing algorithm, called SHA-1. That is a 160-biit number. More commonly used today is the SHA-256 hash, that generates a 256 bit number. Another term for this is 'digital thumbprint'. In the following discussion I am referring implicitly to the use of the SHA-256 hash. If you take a digital file 'A', and you change the order of two characters in the file, the hash becomes completely different. No two digital files will have the same thumbprint. You cannot predict what the thumbprint will be for a file. You cannot forge or modify a file to match an existing thumbprint. There are digital time stamping services on the internet that register these 'thumbprints' to prove a particular file existed at a particular date and time, and it has not changed. The US Postal Service offers a time stamping service for a small fee that they call an 'Electronic Postmark' but it only is kept for seven years. They also require the user to have a digital certificate to establish identity of the person time stamping the file. I propose something simpler. I propose that the National Archives create and offer a free time stamping service that does not require a digital certificate. The purpose of this is to store and retrieve unique file identifiers that will establish that a file existed at a certain date and time, and has not changed. Then files can be archived in multiple locations across a distributed network, and their identity and authenticity will remain unquestionable. This service would be a public good, similar to the digital time source offered by the Navy, for example. The National Archives will keep these timestamps in perpetuity. They would basically be entries in a database, with a 32-byte thumbprint, date and time. They would be a public record, so anyone can look up a thumbprint and now the date and time it was registered. Can others see the value of this idea? I can write the basic software for this. One part would be a database for the National Archives with a web XML interface for registering and retrieving the thumbprints. It would include a feature to thumbprint each day's database entries, to eliminate any possibility of human interference in the process. You don't have to trust anybody or even the institution, since the thumbprints are impossible to forge. The second thing would be a program, downloadable from a web page, to calculate and submit the thumbprint. I can write it in Windows, publish the source, and others could do the same for Linux, etc. What could it be used for? Scanned images, photographs, text documents, backup files, sound recordings, web pages, newspapers, anything that can be digitized. Since the only submission is the thumbprint and not the file, files can remain private yet still be authenticated later. And the processing load on the server is tiny. The other alternative to have someone like the National Archives do it, is to do it ourselves as a distributed database with replication across many sites and servers. I can do it myself, but this needs institutional support to last forever. That institution can be a formal body like the National Archives, or an ad hoc self-organizing one. Perhaps the latter makes sense in this global internet world. I think of this as the 'Forever Project' since it is the first thing designed to last forever. Brad Jensen President LaserVault LLC www.laservault.com ___ Full-Disclosure - We believe
Re: [Full-disclosure] [Humor] [archivists] National Archives timestamp(fwd)
Finding collisions is definitely one piece. The other is that you can argue about SHA-1 being the Federal standard. Is it used more due to widespread use in existing applications? Yes. However, all Federal agencies (and people in general) should stop using it where possible. NIST has mandated by 2010 for most uses by Federal agencies. I guess we'll see how well that goes... --- March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224, SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all applications using secure hash algorithms. Federal agencies should stop using SHA-1 for digital signatures, digital time stamping and other applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010. After 2010, Federal agencies may use SHA-1 only for the following applications: hash-based message authentication codes (HMACs); key derivation functions (KDFs); and random number generators (RNGs). Regardless of use, NIST encourages application and protocol designers to use the SHA-2 family of hash functions for all new applications and protocols. --- Ref: http://csrc.nist.gov/CryptoToolkit/tkhash.html Steven securityzone.org They discover SHA256 but misunderstand somewhat. There will be cases where different files yield the same hash, but if the algorithm works as it should it will be infeasible to generate one given the desired hash value in any sufficiently simple way. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of J.A. Terranson Sent: Wednesday, July 11, 2007 12:25 AM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] [Humor] [archivists] National Archives timestamp(fwd) The Great Unwashed Masses discover SHA-256! -- Yours, J.A. Terranson sysadmin_at_mfn.org 0xBD4A95BF The real point is that you cannot harbor malice toward others and then cry foul when someone displays intolerance against you. Prejudice tolerated is intolerance encouraged. Rise up in righteousness when you witness the words and deeds of hate, but only if you are willing to rise up against them all, including your own. Otherwise suffer the slings and arrows of disrespect silently. Harvey Fierstein is an actor and playwright. -- Forwarded message -- Date: Tue, 10 Jul 2007 13:52:18 -0500 From: Brad Jensen [EMAIL PROTECTED] To: 'Bill Cribbs' [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: [archivists] National Archives timestamp For those who are not aware, there is a computational procedure you can do for any digital file, that creates a unique number, called a hash, that only matches that exact file. There is a Federal standard for one hashing algorithm, called SHA-1. That is a 160-biit number. More commonly used today is the SHA-256 hash, that generates a 256 bit number. Another term for this is 'digital thumbprint'. In the following discussion I am referring implicitly to the use of the SHA-256 hash. If you take a digital file 'A', and you change the order of two characters in the file, the hash becomes completely different. No two digital files will have the same thumbprint. You cannot predict what the thumbprint will be for a file. You cannot forge or modify a file to match an existing thumbprint. There are digital time stamping services on the internet that register these 'thumbprints' to prove a particular file existed at a particular date and time, and it has not changed. The US Postal Service offers a time stamping service for a small fee that they call an 'Electronic Postmark' but it only is kept for seven years. They also require the user to have a digital certificate to establish identity of the person time stamping the file. I propose something simpler. I propose that the National Archives create and offer a free time stamping service that does not require a digital certificate. The purpose of this is to store and retrieve unique file identifiers that will establish that a file existed at a certain date and time, and has not changed. Then files can be archived in multiple locations across a distributed network, and their identity and authenticity will remain unquestionable. This service would be a public good, similar to the digital time source offered by the Navy, for example. The National Archives will keep these timestamps in perpetuity. They would basically be entries in a database, with a 32-byte thumbprint, date and time. They would be a public record, so anyone can look up a thumbprint and now the date and time it was registered. Can others see the value of this idea? I can write the basic software for this. One part would be a database for the National Archives with a web XML interface for registering and retrieving the thumbprints. It would include a feature to thumbprint each day's database entries, to eliminate any possibility of human
