15

Does there currently exist a free online service that accepts a file, hashes it, takes an authoritatively chosen timestamp (from one or more time services), signs these and sends this signed message back? E.g. a digital notary, but only with regards to the timestamp and not the validity of the content as legal notaries might be obligated to guarantee.

Such a service might have an extremely simple API: Simply wget http://service/<checksum> and receive a signed message containing one or more timestamps and the checksum. The emphasis would be on the type of authority who might make such a service.

Edit: Although the original question did not emphasise the following, the Bitcoin-based timestamping services provided below do not rely on one authority, but rather the entire Bitcoin network. They can be seen as tamper-proof and verifiable without the help of the service that helped you sign it!

sshine
  • 272
  • 5
  • 11
  • Not exactly helpful, but you can try to stack type 0x40 PGP signature packets together in one PGP key. Problem is, I don't know of any implementation that creates type 0x40 keys. – calccrypto Dec 29 '13 at 21:50
  • 1
    This service is a pretty popular one and has been up for a long time. It's not an "instant" API though, it uses emails and it seems to send your stamp at the end of the day. – orlp Dec 30 '13 at 01:23
  • I ended up reasking this at: http://softwarerecs.stackexchange.com/questions/14139/trusted-timestamping-public-proof-that-i-knew-something-at-a-given-time-without because I hadn't found it before. – Ciro Santilli OurBigBook.com Nov 24 '14 at 10:39
  • You can check tecxoft tsa (www.tecxoft.com/tsa.php), offers free signup, this TSA is compliant to RFC 3161. It is easy to integrate, good for PDF digital timestamps. –  Jul 26 '15 at 05:41

3 Answers3

12

If you search on "timestamp", "timestamping", and "notary" on Crypto.SE and Security.SE, you'll find lots of references. I've collected a number of timestamping services that were mentioned in one of those places; this should provide a number of companies and online services you can check out:

I cannot vouch for or endorse any of those.

See, for instance, the following questions on this site, and the following other resources:

Happy reading!

Community
  • 1
D.W.
  • 36,365
  • 13
  • 102
  • 187
7

Several certificate authorities operate RFC-3161-compliant time-stamp servers that can be used free-of-charge. OpenSSL can create RFC 3161 time-stamp requests and verify the responses.

Here is a simple Bash script that time-stamps a file using the time-stamp server operated by StartSSL:

in_file='[path to file]'  # name of file to be hashed and time-stamped
out_file="${in_file}.tsr"  # name of file to save the time-stamp response
ts_server='http://www.startssl.com/timestamp'  # URL of time-stamp server

Use openssl to create the time-stamp request, then use curl to submit the request and save the response.


openssl ts -query -data "$in_file" -sha1 -cert |
curl -o "$out_file" -sSH 'Content-Type: application/timestamp-query' --data-binary @- "$ts_server"


Verify the response.


openssl ts -verify -data "$in_file" -in "$out_file" -CApath "$(openssl version -d | cut -d '"' -f 2)/certs/"


Print the response in human-readable format for more info.


openssl ts -reply -in "$out_file" -text

Example of command outputs:

$ echo 'This is an example.' > testfile

$ in_file='./testfile'
$ out_file="${in_file}.tsr"
$ ts_server='http://www.startssl.com/timestamp'


$ openssl ts -query -data "$in_file" -sha1 -cert |
> curl -o "$out_file" -sSH 'Content-Type: application/timestamp-query' --data-binary @- "$ts_server"


$ openssl ts -verify -data "$in_file" -in "$out_file" -CApath "$(openssl version -d | cut -d '"' -f 2)/certs/"
Verification: OK


$ openssl ts -reply -in "$out_file" -text
Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified


TST info:
Version: 1
Policy OID: 1.3.6.1.4.1.23223.1.2.0
Hash Algorithm: sha1
Message data:
    0000 - a6 f1 53 80 1c 93 03 d7-3c a2 b4 3d 3b e6 2f 44   ..S.....<..=;./D
    0010 - c6 b6 64 76                                       ..dv
Serial number: 0x28DD7D
Time stamp: Jan  1 18:26:50 2014 GMT
Accuracy: 0x01 seconds, unspecified millis, unspecified micros
Ordering: no
Nonce: 0xB9943DF6F7CD5191
TSA: DirName:/CN=StartCom Time-Stamping Authority/O=StartCom Ltd. (Start Commercial Limited)
Extensions:

Given a copy of the original file along with the *.tsr response, anyone can verify that the authority time-stamped the hash of the file at the specified time.

On Windows, Microsoft's SignTool can be used instead of OpenSSL.

Community
  • 1
Vincent Yu
  • 372
  • 4
  • 11
2

See http://TrueTimeStamp.org

  • Free.
  • Easy to manually time stamp files or a file's SHA256 hash.
  • Easy API for automated time-stamping by calling
  • Easy verification of time-stamps on the website by supplying the file or its hash.
  • Supplies Certificates that can be verified even offline.
  • Uses several ways to prove the time-stamp:
    • Stores time-stamps and hashes in its online database.
    • Digitally signed certificate using PKI.
    • Sequentially linked hashes.
Sean
  • 61
  • 3