views:

30

answers:

2

I am building a windows application to store backups of sensitive files. The purpose of my application is to store a copy of a file with its hash. The program or user will then display the hash publicly in case the user needs to prove they had the backup of the sensitive file at a certain time.

Motivation:

Some situations where this might be useful are:

  • Someone has a job at a company where they think they might be accused of doing something illegal. If they were accused of changing some data over time, it would be convenient to have copies of sensitive files related to their case over a period of time.
  • A politician might take notes about things they did each day, many of them about classified or sensitive subjects, and then want to be able to disclose her files at a later date if they are accused of something (for instance, if the CIA said they were briefed on torture…). Not absolute proof, but it would be hard to create fake backup files for every potential scenario, especially several years into the future. Just to be clear, this application is mostly just an excuse for me to practice my coding skills. I don’t recommend using any type of cryptographic software that hasn’t been scrutinized by several professionals.

Possible Solutions:

For my application, I need to find a good place to publicly store the hash values. Here are my ideas so far:

  1. Send the hash values to a group of people through email. (disadvantage: could annoy people, but would create a traceable record)
  2. Publish the hash values on a public blog (disadvantage: if I ever got in serious legal trouble someone with resources could try to attack the free service I used and erase my data)
  3. Publish the hash values using some online security service that stores documents but does not allow you to delete them. (I am not sure something like this exists.)

What is the most secure and convenient way to publicly display my hash values?

A: 

Truly secure? Print out the hashes on a piece of paper along with a legal text to the effect of, "On this day XX/XX/XXXX I affirm these hashes to be accurately identifying these files with these dates." (not a lawyer, get one to verify this), then have it notarized. Then, save that piece of paper in a secure location.

Paul Betts
+2  A: 

Hash your set of hashes so that you have only one hash to record. Then publish this hash in the classifieds of a widely archived newspaper.

Pascal Cuoq
To clarify why a widely archived newspaper is a good place: you want to make tampering with the hash archives difficult. Someone who wanted to rewrite history would have to visit every public library that archives the paper and tamper with its archive, amongst others. This is much better than a blog that could be hacked into as soon as you leave a security hole unpatched for a few seconds. An official custodian (e.g. a notary) provides intermediate security: the person could be corrupted. For really good security, you could carve the hash on the moon (you get what you pay for).
Gilles