What is best for these purposes? (digital signature, disk encryption, "time" signature)
test
2005-12-12 03:56:41 UTC
Hi everybody

First of all please excuse my ignorance if my questions sound dumb but I
am not a security expert.

I am looking for a software that would allow me to do the following:

-to digitally sign and eventually encrypt the content of an e-mail
-to digitally sign and eventually encrypt the content of a message posted
on a discussion board or news group
-to encrypt a disk or some specific directories on that disk. The disk
may be a removable one like a flash card or USB connected laptop disk
(HDD)
-I would also like to make sure that the time stamp embedded in the
digital signature can not be contested. I know that you can sign a piece
of text or message but I am not sure about the time thing as you can
change the time on your computer any time you want or simply your clock
may be behind or ahead. Not sure what would be a solution for this. I am
pretty sure that this involves a third party that may or may not be part
of a PKI infrastructure.

I know that for the first three requirements PGP may be a good option.
Not sure what I need for the fourth requirement mentioned above.

Thank you in advance for any advice or clue on these matters

T
Paul Rubin
2005-12-12 05:15:10 UTC
Post by test
-to digitally sign and eventually encrypt the content of an e-mail
PGP/GPG. What do you mean by "eventually encrypt"?
Post by test
-to digitally sign and eventually encrypt the content of a message posted
on a discussion board or news group
PGP/GPG. But posting encrypted stuff to a newsgroup is kind of silly
for most purposes--the idea of newsgroups is everyone can read it.
Post by test
-to encrypt a disk or some specific directories on that disk. The disk
may be a removable one like a flash card or USB connected laptop disk
(HDD)
PGPdisk, Scramdisk, etc.
Post by test
-I would also like to make sure that the time stamp embedded in the
digital signature can not be contested.
"Cannot be contested"? You're asking what computer programs can
control the actions of human beings. They don't exist. However,
there are secure timestamp services available from Entrust, Verisign,
etc. They at least provide cryptographic assurance of a timestamp
that they claim is correct and that has an audit trail.
Post by test
I know that you can sign a piece of text or message but I am not
sure about the time thing as you can change the time on your
computer any time you want or simply your clock may be behind or
ahead. Not sure what would be a solution for this. I am pretty sure
that this involves a third party that may or may not be part of a
PKI infrastructure.
Yes, you need the clock run by a so-called trusted third party.
test
2005-12-12 13:12:18 UTC
Sorry Paul, I did a cut and paste. No intention to post encrypted messages :-)
on news groups.
"Eventually encrypt" = nice to have the message encryption option.
I am not asking for "computer programs which can control human actions". All
I am asking for is the option to have the time stamp confirmed by a
third party. You said that this is possible but didn't explain how or
what are the tools that I need to buy/use.

Thank you for the other advice
T
Post by Paul Rubin
Post by test
-to digitally sign and eventually encrypt the content of an e-mail
PGP/GPG. What do you mean by "eventually encrypt"?
Post by test
-to digitally sign and eventually encrypt the content of a message posted
on a discussion board or news group
PGP/GPG. But posting encrypted stuff to a newsgroup is kind of silly
for most purposes--the idea of newsgroups is everyone can read it.
Post by test
-to encrypt a disk or some specific directories on that disk. The disk
may be a removable one like a flash card or USB connected laptop disk
(HDD)
PGPdisk, Scramdisk, etc.
Post by test
-I would also like to make sure that the time stamp embedded in the
digital signature can not be contested.
"Cannot be contested"? You're asking what computer programs can
control the actions of human beings. They don't exist. However,
there are secure timestamp services available from Entrust, Verisign,
etc. They at least provide cryptographic assurance of a timestamp
that they claim is correct and that has an audit trail.
Post by test
I know that you can sign a piece of text or message but I am not
sure about the time thing as you can change the time on your
computer any time you want or simply your clock may be behind or
ahead. Not sure what would be a solution for this. I am pretty sure
that this involves a third party that may or may not be part of a
PKI infrastructure.
Yes, you need the clock run by a so-called trusted third party.
Victor Roberts
2005-12-12 22:17:25 UTC
Post by test
Sorry Paul, I did a cut and paste. No intention to post encrypted messages :-)
on news groups.
"Eventually encrypt" = nice to have the message encryption option.
I am not asking for "computer programs which can control human actions". All
I am asking for is the option to have the time stamp confirmed by a
third party. You said that this is possible but didn't explain how or
what are the tools that I need to buy/use.
Thank you for the other advice
T
There are at least two services that you send an e-mail to.
They sign and time stamp the message and then send it back
to you and/or forward it on to some other person. For
example, see http://www.itconsult.co.uk/stamper.htm which is
a free service. There are also commercial services that will
confirm when the message was received and/or opened by the
receiving party.

If the message is proprietary, you should obviously encrypt
it before sending it through an outside service. If you have
a file that you want to certify was created on a certain
date, you can encrypt and sign the file and then e-mail it
to yourself using one of these services, which will add a
time stamp controlled by someone other than you.

A Google search for PGP Time Stamp will yield more options.

Another low tech option is to get a gmail account and send
an encrypted and signed copy of everything you want to time
stamp to that account and leave it there. Gmail will show
the date and time the item was received, and, as long as you
have no relationship with Google, the copy on the gmail
server should prove the date and time it was received.

I have no idea how well any of this will hold up in court,
but it seems as good or better than the paper systems that
have been used for hundreds of years.

--
Vic Roberts
Replace xxx with vdr in e-mail address.
cryptoman101011
2005-12-13 15:50:18 UTC
Check these guys out T, they might have a solution you are looking for.
It's software only and requires no certificates. www.tutarus.com
David Ross
2005-12-15 00:51:21 UTC
I came up with an idea for a new line of business where I worked.
It would be in a department different from mine in a very large
corporation. Not knowing anyone in that other department, I wanted
to secure the fact that I originated the idea.

I detailed the idea in a Word document. I digitally signed the
file using PGP, getting a detached ASCII signature file. Then I
submitted the signature file to the PGP Digital Timestamping
Service at <http://www.itconsult.co.uk/stamper.htm>. (There are
other such services.) I placed the Word file, my signature file,
and the reply signature file from the PGP Digital Timestamping
Service all together in a single folder on my PC at home (which was
backed-up periodically).

After doing all this, I held on to my idea for two weeks before
submitting it to my company. The delay ensured that anyone else
claiming authorship of my concept would not be able to deny my
prior possession of the Word file.

My own signature verifies that I had access to the Word file at
some questionable date. The important issue is that I indeed had
sufficient access to sign the Word file.

The reply from the PGP Digital Timestamping Service verifies that
my signature file existed at some date that is harder to question.
Why is it harder to question? (1) The PGP Digital Timestamping
Service maintains and publishes logs of when submitted files are
processed. (2) The service can be easily tested in a manner that
does not reveal a test is being conducted. (These are
characteristics of most -- all? -- such services.)
--
David E. Ross
<http://www.rossde.com/>

I use Mozilla as my Web browser because I want a browser that
complies with Web standards. See <http://www.mozilla.org/>.
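
The evidence chain described in the post above (document, detached signature, timestamping reply), as an added example that is not part of any post in this thread. HMAC with constructed keys stands in for the PGP signatures so the sketch runs with the standard library alone; all names, keys and times are assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed keys. HMAC stands in for the PGP signatures so this runs with the
# standard library only; a real check uses the signers' public keys.
AUTHOR_KEY = b"constructed-author-key"
STAMPER_KEY = b"constructed-stamper-key"

def _tag(key: bytes, *parts: bytes) -> bytes:
    """Keyed tag over length-prefixed parts (stand-in for a signature)."""
    msg = b"".join(len(p).to_bytes(8, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

@dataclass(frozen=True)
class AuthorSignature:
    claimed_time: str  # read from the author's own clock, so easy to question
    tag: bytes

    def file_bytes(self) -> bytes:
        """What gets submitted: the signature file, never the document."""
        return self.claimed_time.encode() + self.tag

@dataclass(frozen=True)
class Stamp:
    service_time: str  # read from the timestamping service's clock
    tag: bytes

def author_sign(document: bytes, local_clock: str) -> AuthorSignature:
    digest = hashlib.sha256(document).digest()
    return AuthorSignature(local_clock, _tag(AUTHOR_KEY, digest, local_clock.encode()))

def service_stamp(sig: AuthorSignature, service_clock: str) -> Stamp:
    return Stamp(service_clock, _tag(STAMPER_KEY, sig.file_bytes(), service_clock.encode()))

def verify(document: bytes, sig: AuthorSignature, stamp: Stamp) -> str:
    """Check both links: document -> signature, then signature -> stamp."""
    digest = hashlib.sha256(document).digest()
    if not hmac.compare_digest(_tag(AUTHOR_KEY, digest, sig.claimed_time.encode()), sig.tag):
        return "signature does not cover this document"
    expected = _tag(STAMPER_KEY, sig.file_bytes(), stamp.service_time.encode())
    if not hmac.compare_digest(expected, stamp.tag):
        return "stamp is not valid for this signature"
    return "document existed by " + stamp.service_time
```

Editing the document breaks the first link, and re-signing the edited document breaks the second, because the stamp was issued over the original signature file. The date the verifier reports is the service's, whatever the author's own clock claimed.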
"[Anon] farfegnugen"
2008-04-24 19:59:50 UTC
Given http://people.csail.mit.edu/tromer/twirl/

and what it says about factoring 1024 bit RSA keys, what is the recommended solution given the current state to GnuPG?
David W. Hodgins
2008-04-24 22:03:50 UTC
Post by "[Anon] farfegnugen"
and what it says about factoring 1024 bit RSA keys, what is the
recommended solution given the current state to GnuPG?
Given "the design remains hypothetical", I wouldn't worry about it
too much. Also gpg supports keys with 4096 bits, so just to be on
the safe side, use the maximum key length.

Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)