time stamp concept

What Is Timestamping and How to Use It With Digital Signatures?

Everything has changed since the pandemic struck. We saw many changes in how we travel, shop and work. For businesses, one of the most profound changes is remote or hybrid work, which has accelerated the need for a “digital signature” for documents or software code. When it comes to applying digital signatures to a document or software application, you want to make sure that it’s properly implemented to reduce risk.

What Is the Risk Associated With a Digital Signature?

To understand the risk that comes from a digital signature, start by thinking about the workflow for an ink signature. When you sign any legal document, it’s typically done in the presence of a notary. The notary verifies your identity and validates the date and time of the signature. In return, you would also record an entry in a logbook with date and time of the transaction and add a thumbprint.

Now think about implementing this flow in the digital world. When you sign any document with your public key infrastructure (PKI) based digital signature, how do you make sure that there is non-repudiation in place? For example, when a PDF document is digitally signed with your PKI based certificate, it adds the information about the person and date and time of the signature. However, the date and time of this signature is based on the computer’s local time, which can be easily changed or forged. If your certificate is expired or revoked, you could potentially change the local time to make it appear that the certificate is still valid. So, how do you prevent this and trust the digital signature?

Create Trust and Long-Term Signature Validity With Timestamping

You can solve this problem by using Time Stamping Authority (TSA), which uses RFC 3161 Time-Stamp Protocol (TSP) to apply an accurate, trusted timestamp. It is used for proving that the data has not been tampered with and guarantees the data integrity. When TSA is used while signing the document or code, tampering with the timestamp is prevented.

How Timestamping Works

The TSA uses PKI to apply a timestamp to documents or code. Here is a summary of how it works:

  1. The client application such as Microsoft Authenticode or Signtool creates a hash of the document or code file and sends it to TSA.
  2. The TSA combines the hash of the file and with the trusted timestamp and signs it with a private key. It then creates a timestamp token which is returned to the client.
  3. The timestamp token is recorded within the file.
The hash is combined with the trustedtimestamp and is signed with its private key.HashHID IdenTrustTimestamping-as-a-ServiceHashTimestampTimestamp TokenThe client application receives the timestamp token.The client application requests a timestamp for a document or software code and a hash is generated.The timestamp token is recorded in the document or software code that contains X.509 digital signatures.PDF0111101001111010DOCX>1234

If the file gets modified after the signature and timestamp are applied, the hash value will not match, and the user will be warned that the data has been altered and can’t be trusted.

The Solution: Trusted Timestamps

TSA can prevent forgery and create longevity for digital signature of document or software application code. HID Timestamping-as-a-Service, powered by IdenTrust, helps organizations to reduce risk by providing a long-term validation and non-repudiation of time and date. It provides a digital seal of data integrity and trusted date and time of when the transaction has occurred. Talk to an IdenTrust PKI expert about how you can extend the validity of certificates even after they expire.  >>

Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).