
ggelado/multiTimeStamper


Secure and Legally Compliant Timestamping Solution

This repository provides a robust solution for generating secure, legally-compliant timestamps leveraging eIDAS-qualified trust service providers (TSPs). It integrates conventional timestamping with OpenTimestamps to enhance tamper-proofing, utilizing the security of blockchain technology, and incorporates an SSL library for added reliability.

System Requirements

To use this system, the following software and tools are required:

Process Overview

The process is designed to be straightforward and automated:

  1. Generate Timestamp Request: The first step involves creating a timestamp request using OpenSSL. This request includes only the SHA-512 hash of the file and a unique nonce (a "number used once"). Importantly, this method ensures that only the hash (not the actual file) is transmitted, maintaining privacy and security.

  2. Send to Trust Service Provider: The next step involves sending the request to a qualified trust service provider. This is done using built-in PowerShell or Bash functions, allowing the same code to work across different operating systems (Windows/Linux). While this process has not been tested on macOS, it may work as well.

  3. OpenTimestamps Integration: A secondary request is generated through OpenTimestamps, which appends the file hash to a Merkle tree for timestamping. This process does not publish the hash to Bitcoin immediately. Instead, it first sends the hash (along with a nonce) to various voluntary and free calendars. These calendars aggregate multiple hashes, provide an auditable path between them, and eventually publish them as a transaction in Bitcoin’s blockchain. This method optimizes efficiency while maintaining the integrity and security of the timestamp.
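
What step 1 puts on the wire, as an added example that is not code from this repository: it builds the RFC 3161 TimeStampReq by hand in Python instead of calling OpenSSL, so each field is visible and it is clear that only the SHA-512 digest and the nonce leave the machine. The function names and the sample input are assumptions made for illustration.

```python
import hashlib
import secrets

# DER encoding (tag and length included) of OID 2.16.840.1.101.3.4.2.3, id-sha512
SHA512_OID = bytes.fromhex("0609608648016503040203")

# Constructed sample input; stands in for the file being timestamped.
SAMPLE = b"confidential contract draft (constructed sample)\n"


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV, switching to long-form length at 128 bytes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def der_uint(value: int) -> bytes:
    """Encode a non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def build_timestamp_request(data: bytes, nonce=None) -> bytes:
    """Return a DER TimeStampReq: version, messageImprint, nonce, certReq."""
    digest = hashlib.sha512(data).digest()        # the only trace of the file
    if nonce is None:
        nonce = secrets.randbits(64)              # fresh per request
    algorithm = der(0x30, SHA512_OID + der(0x05, b""))   # AlgorithmIdentifier
    imprint = der(0x30, algorithm + der(0x04, digest))   # MessageImprint
    body = (
        der_uint(1)              # version 1
        + imprint
        + der_uint(nonce)        # binds the response to this request
        + der(0x01, b"\xff")     # certReq TRUE: ask the TSA to include its cert
    )
    return der(0x30, body)


if __name__ == "__main__":
    request = build_timestamp_request(SAMPLE)
    print(len(request), "bytes:", request.hex())
```

These bytes are what step 2 sends to the provider in an HTTP POST with `Content-Type: application/timestamp-query`.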

Legal Considerations

In the EU, the law is clear: if you use a trust service provider, you enjoy a presumption of accuracy (similar to a public notary). The UK follows the same principle, but you must use a UK-qualified trust service provider. In the USA, the legal acceptance of this type of evidence depends on the case, but with the ots stamp, no judge will deny it.

THIS DOESN'T CONSTITUTE LEGAL ADVICE. ALWAYS CHECK YOUR LOCAL LAWS FIRST.

SECTION 6
Electronic Time Stamps
Article 41: Legal Effect of Electronic Time Stamps

  1. An electronic time stamp shall not be denied legal effect and admissibility as evidence in legal proceedings solely because it is in electronic form or does not meet the requirements of a qualified electronic time stamp.
  2. A qualified electronic time stamp shall enjoy the presumption of accuracy regarding the date and time it indicates, as well as the integrity of the data it is associated with.
  3. A qualified electronic time stamp issued in one Member State shall be recognized as a qualified electronic time stamp in all Member States.

Article 42: Requirements for Qualified Electronic Time Stamps

  1. A qualified electronic time stamp must:
    • (a) Bind the date and time to data in a way that prevents undetectable changes.
    • (b) Be based on an accurate time source linked to Coordinated Universal Time (UTC).
    • (c) Be signed with an advanced electronic signature or sealed with an advanced electronic seal by a qualified TSP.

YOU MUST USE A QUALIFIED EIDAS-COMPLIANT PROVIDER FROM THE LIST TO ENSURE THE SECURITY OF YOUR TIMESTAMPING.

Understanding .tsr Files

A .tsr (Timestamp Response) file contains a digitally signed timestamp issued by a qualified trust service provider. It ensures the integrity and existence of a document at a specific time.

How .tsr Works

  1. The .tsr file is generated when a timestamp request is sent to a trust service provider.
  2. It includes:
    • The SHA-512 hash of the original file.
    • The precise timestamp issued by the provider.
    • A digital signature from the provider, ensuring authenticity.
  3. The .tsr can later be used to verify that the original file has not changed since the timestamp was issued.

Validating .tsr Files

To verify the validity of a .tsr file, you need to:

  • Use OpenSSL:

    openssl ts -verify -in timestamp.tsr -CAfile tsp_cert.pem -data original_file.txt -token_in
    
  • The verification process checks:

    • The digital signature from the TSP.
    • The timestamp's association with the original file.
    • Whether the issuing certificate is still valid.
  • Use any available program to validate them, such as XolidoSign

Understanding OpenTimestamps and Merkle Trees

OpenTimestamps is an open-source protocol that leverages blockchain technology (specifically Bitcoin) to verify the existence of a file at a specific point in time. It uses a Merkle tree to structure file hashes in a secure and efficient manner.

  • Merkle Tree: A Merkle tree is a cryptographic structure where each leaf node contains a hash of data, and each non-leaf node is the hash of its child nodes. This structure allows efficient and secure verification of large sets of data.

  • Timestamping Process: OpenTimestamps appends your file’s hash into this Merkle tree. This action creates a cryptographic record that proves your file existed at the specific time of the block's creation. The tree structure enables efficient verification while ensuring that data cannot be altered without detection.

  • Append vs Prepend: OpenTimestamps uses the concepts of "append" and "prepend" to manage how hashes are added to the blockchain:

    • Append: When you append, your hash is added to the end of the tree structure, ensuring that the file’s timestamp is recorded sequentially.
    • Prepend: When prepending, your hash is inserted at the beginning of the Merkle tree, providing flexibility in how timestamps are structured within the blockchain.
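
An added example (not the repository's or OpenTimestamps' own code) of the aggregation described above and in step 3 of the process overview: in a proof, append and prepend are byte-concatenation steps applied to the running digest before it is hashed again, and replaying them from the file digest must reproduce the aggregated root. This is a simplified in-memory model with hypothetical names; a real .ots file is a binary serialization whose path ends in a Bitcoin attestation.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def replay(message: bytes, ops) -> bytes:
    """Apply a proof's operations in order, as a verifier does."""
    for op, arg in ops:
        if op == "append":
            message = message + arg
        elif op == "prepend":
            message = arg + message
        elif op == "sha256":
            message = sha256(message)
        else:
            raise ValueError(f"unknown op {op!r}")
    return message


def aggregate(leaves):
    """Merge leaf digests into one root; return (root, one op list per leaf)."""
    paths = [[] for _ in leaves]
    level = [(leaf, [i]) for i, leaf in enumerate(leaves)]  # (digest, leaves under it)
    while len(level) > 1:
        merged = []
        for j in range(0, len(level) - 1, 2):
            (left, left_ids), (right, right_ids) = level[j], level[j + 1]
            for i in left_ids:    # left child: sibling goes after the digest
                paths[i] += [("append", right), ("sha256", b"")]
            for i in right_ids:   # right child: sibling goes before the digest
                paths[i] += [("prepend", left), ("sha256", b"")]
            merged.append((sha256(left + right), left_ids + right_ids))
        if len(level) % 2:        # odd node out is carried up unchanged
            merged.append(level[-1])
        level = merged
    return level[0][0], paths


# Constructed sample: five submitters, each blinding its file digest with a nonce.
FILES = [f"constructed document {n}".encode() for n in range(5)]
NONCES = [bytes([n]) * 16 for n in range(5)]   # fixed here; random in practice
BLIND = [[("append", nonce), ("sha256", b"")] for nonce in NONCES]
LEAVES = [replay(sha256(f), b) for f, b in zip(FILES, BLIND)]
ROOT, PATHS = aggregate(LEAVES)
PROOFS = [b + p for b, p in zip(BLIND, PATHS)]  # full path: file digest -> root


def verify(file_bytes: bytes, proof, root: bytes) -> bool:
    return replay(sha256(file_bytes), proof) == root
```

Each proof reveals only sibling digests, never another submitter's file or file hash, which is why the calendars can aggregate unrelated requests into one published value.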

.ots Files

OpenTimestamps provides an additional layer of security through blockchain verification:

  • File Hashing: The hash of the file is included in the blockchain, proving its existence at a specific point in time.
  • Blockchain Proof: OpenTimestamps uses Bitcoin's blockchain to record file hashes in a Merkle tree, providing immutable proof of the file's existence.

This system has been utilized by entities such as the Boletín Oficial de la República Argentina since July 2017 and Estonia's government, which uses a custom blockchain-based system similar to this one.


Combining Both Functions

By combining both eIDAS-qualified timestamping and OpenTimestamps, this solution offers one of the most secure and tamper-proof timestamping methods available. The added redundancy of using multiple trusted services ensures continued security, even if one provider is compromised.

Future updates will focus on incorporating Long-Term Validation (LTV) features to further enhance the validity of timestamps and a restamping process. Moreover, most TSPs provide OCSP (Online Certificate Status Protocol) responses for extended periods after service termination, ensuring continued reliability. With multiple providers in place, the risks of service interruptions are minimized.

Additionally, OpenTimestamps provides a blockchain-based timestamp that, while not carrying the same presumption of accuracy as eIDAS timestamps in the EU, can be instrumental in legal contexts, particularly in courts, where it would be immediately accepted with professional examination. The most difficult part would be explaining to a non-technical person how this is mathematically impossible to manipulate (if you are able, then congratulations, you'll have broken all the modern cryptography).

IMPORTANT NOTE

I did this in my free time, in Spanish, and very poorly documented. I do a lot of bad things, such as loading the full list of TSP in RAM. For any normal user this wouldn't be a problem, but beware of that.

Also I use the tads.jar library, property of DLSIS (UPM). I'll change all that code to use standard Java libraries instead, but at the moment, I have to give them attribution for the use of those. Also, you must not freely use those libraries or any library used by me without checking the LICENSE of them first.

This repo doesn't yet have a LICENSE doc until I fix those things, so technically it is not free to use yet.

Ideas for improving

  • Use of standard libraries instead of tads.jar.
  • Refactor code and document to English.
  • Implement Roughtime protocol.

Roughtime is a protocol that aims to achieve rough time synchronisation in a secure way that doesn't depend on any particular time server. For many applications, accurate network time isn’t essential: it suffices to be within 10 seconds of real time, but security is paramount. This observation is the primary motivation behind Google’s Roughtime protocol, a simple protocol by which clients can synchronize their clocks with one or more authenticated servers while keeping inaccurate servers accountable. Cloudflare is providing a free, high-availability, and low-latency authenticated time service that leverages our expansive network for increased robustness in Roughtime. Our service can be reached at roughtime.cloudflare.com:2002.

  • RFC3161 restamping (or at least OCSP responses/CRLs) LTV+x
  • PDF generation with detailed info of timestamps, how to verify them, base64 encoded RFC3161 stamps...
  • Open to ideas
