Table of Contents

PGP and GPG

I will talk on this page of everything related to security and authentication on the Internet.

Personal use

PGP and GPG are two compatible asymmetric encryption and signing software. Their features are:

For emails, you should use some software to automatically manage your keyring and sign, verify signatures, encrypt and decrypt messages, like the Enigmail addon with Thunderbird.

Trusted Timestamping

If a trusted third party signs with its private key a document of yours and a timestamp issued by them, then it will prove that the document existed at this time, and has not been altered since.

Remarks:

The protocol RFC 3161 is a standard for TSA (Trusted Timestamping Authority) services, whose usage is described in the following section.

There is also a possibility to do it with the block chain, to avoid central authority.

There are a few freely available services for individuals, but they don't all have the same level of trust. Some are certified by some administration (for instance [this list](https://www.ssi.gouv.fr/administration/qualifications/prestataires-de-services-de-confiance-qualifies/prestataires-de-services-de-certification-e) for the french ANSSI, or the european eIDAS regulation), some have a specialized TSA certificate that can be chained to a trusted root certificate, and some are just an independent party, but not authorities. They also provide different accuracies, and sometimes no accuracy information at all (in this case it is not clear if a reasonable default value can be opposed), and support different types of cryptographically secure hashes (the best one being SHA512, with SHA256 ok as well; did not find any supporting SHA3).

Free services (as of 2022):

Limited services:

Services With free trial duration:

Others have more critical limitations or expansive:

You can also use a software client to use the RFC 3161 protocol, with a server providing the service:

Lists of services:

Sources:

RFC 3161

Get timestamp

With TSR request file:

openssl ts -query -data <file> -sha512 -cert -out <file>.tsq
curl -H "Content-Type: application/timestamp-query" --data-binary "@<file>.tsq" <service-url> > <file>.tsq.tsr

Directly with hash (does not work with all services):

hash=($(sha512sum <file>))
curl -H "Content-Type: application/timestamp-query" "<service-url>/?sha512=$hash" --output <file>.tsr

Inspect files

TSQ request:

openssl ts -query -in <file>.tsq -text

TSR request:

openssl ts -reply -in <file>.tsr -text

Verify timestamp

From the original file:

openssl ts -verify -in <file>.tsr -data      <file>     -CAfile cacert.pem -untrusted tsa.crt

From the TSQ request file:

openssl ts -verify -in <file>.tsr -queryfile <file>.tsq -CAfile cacert.pem -untrusted tsa.crt

From the digest:

openssl ts -verify -in <file>.tsr -digest    <hash>     -CAfile cacert.pem -untrusted tsa.crt

Service certificates can be extracted from the TSR response file if they were embedded:

openssl ts -reply -in <file>.tsr -token_out | openssl pkcs7 -inform der -print_certs

And decoded with:

openssl x509 -in globalsign-root-ca.pem -text -noout

These extract should however only be used with the -untrusted argument, and trusted certificates should be used for the -CAfile argument, downloaded from the service website. .crt files can be converted to .pem files with the following command:

openssl x509 -inform DER -outform PEM -in <file>.crt -out <file>.pem