How can I digitally sign logs to ensure that they have not been modified?
In our application, logs must be signed in order to prove that they have not been changed after they were written.
This means that they must be signed using some sort of timestamp that links the signature with the time at which the log was written and signed.
This way the log cannot be modified and signed again without changing that timestamp (and therefore any modification attempt could be detected).
Is there a standard way to do this?
Eugene Mayevski is right: a CAdES signature timestamped with the use of an external timestamping service will do the job. However, everything depends on the exact threats to the logs your application creates and their potential originators. To a first approximation, signing a hash of the log with an external TSA (without local CAdES signing) would be enough for you.
Timestamping is part of the CAdES standard, and this standard allows detached signatures. So yes, you can use digital signing with timestamping. The problem of altering the signed data or misusing the private key (stored in your application) is addressed by timestamping quite efficiently.
If you develop a .NET or Windows application, you can use the PKIBlackbox package of our SecureBlackbox product to make CAdES signatures with timestamping.
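The scheme the answers describe (a detached signature over the log plus a TSA token over that signature, as in CAdES-T) as an added, self-contained example in Go. This is not code from the question, the answers or SecureBlackbox; it uses only the Go standard library, and the TSA is simulated by a second local key and a caller-supplied clock because a real RFC 3161 service cannot be reached offline. The struct and function names (`SignedSegment`, `DigestLog`, `SignLog`, `VerifyLog`, `ReSign`) and the sample log lines are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SignedSegment is the detached evidence kept beside a log segment:
// the application's signature over the segment digest, plus a simulated
// RFC 3161-style token in which the TSA asserts a time for that signature.
type SignedSegment struct {
	Digest  [32]byte // SHA-256 over the length-prefixed log lines
	AppSig  []byte   // application's ECDSA signature over Digest
	TSATime int64    // Unix time asserted by the (simulated) TSA
	TSASig  []byte   // TSA signature over SHA-256(SHA-256(AppSig) || TSATime)
}

// NewKey generates a P-256 key. Used here for both the application and the
// simulated TSA; a real TSA's key and clock live outside the application.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// DigestLog hashes a log segment. Each line is length-prefixed so that
// moving bytes across line boundaries changes the digest.
func DigestLog(lines []string) [32]byte {
	h := sha256.New()
	var n [8]byte
	for _, l := range lines {
		binary.BigEndian.PutUint64(n[:], uint64(len(l)))
		h.Write(n[:])
		h.Write([]byte(l))
	}
	var d [32]byte
	copy(d[:], h.Sum(nil))
	return d
}

// tsaImprint is what the simulated TSA signs: the hash of the application
// signature (as CAdES-T timestamps the signature value) plus the time.
func tsaImprint(appSig []byte, t int64) [32]byte {
	sigHash := sha256.Sum256(appSig)
	var tb [8]byte
	binary.BigEndian.PutUint64(tb[:], uint64(t))
	return sha256.Sum256(append(sigHash[:], tb[:]...))
}

// SignLog signs the segment with the application key, then the simulated TSA
// binds that signature to its clock reading `now`. The TSA never sees the log.
func SignLog(lines []string, appKey, tsaKey *ecdsa.PrivateKey, now int64) (SignedSegment, error) {
	d := DigestLog(lines)
	appSig, err := ecdsa.SignASN1(rand.Reader, appKey, d[:])
	if err != nil {
		return SignedSegment{}, err
	}
	m := tsaImprint(appSig, now)
	tsaSig, err := ecdsa.SignASN1(rand.Reader, tsaKey, m[:])
	if err != nil {
		return SignedSegment{}, err
	}
	return SignedSegment{Digest: d, AppSig: appSig, TSATime: now, TSASig: tsaSig}, nil
}

// ReSign models an attacker who holds the application key: the modified
// lines get a fresh application signature, but the old TSA token is kept.
func ReSign(s SignedSegment, lines []string, appKey *ecdsa.PrivateKey) SignedSegment {
	s.Digest = DigestLog(lines)
	s.AppSig, _ = ecdsa.SignASN1(rand.Reader, appKey, s.Digest[:])
	return s
}

// VerifyLog checks the stored lines against the digest, the application
// signature against the digest, and the TSA token against exactly this
// application signature and time.
func VerifyLog(lines []string, s SignedSegment, appPub, tsaPub *ecdsa.PublicKey) error {
	if DigestLog(lines) != s.Digest {
		return errors.New("log content does not match the signed digest")
	}
	if !ecdsa.VerifyASN1(appPub, s.Digest[:], s.AppSig) {
		return errors.New("application signature does not verify")
	}
	m := tsaImprint(s.AppSig, s.TSATime)
	if !ecdsa.VerifyASN1(tsaPub, m[:], s.TSASig) {
		return errors.New("timestamp token does not cover this signature")
	}
	return nil
}

func main() {
	appKey, tsaKey := NewKey(), NewKey()
	// Constructed sample log lines, not real data.
	lines := []string{
		"2024-01-05T10:00:00Z login user=alice result=ok",
		"2024-01-05T10:01:12Z sudo user=alice cmd=/bin/cat /etc/shadow",
	}
	seg, err := SignLog(lines, appKey, tsaKey, time.Now().Unix())
	if err != nil {
		panic(err)
	}
	fmt.Println("original:", VerifyLog(lines, seg, &appKey.PublicKey, &tsaKey.PublicKey))
	tampered := []string{lines[0], "2024-01-05T10:01:12Z sudo user=alice cmd=/bin/ls"}
	fmt.Println("tampered, re-signed with stolen key:",
		VerifyLog(tampered, ReSign(seg, tampered, appKey), &appKey.PublicKey, &tsaKey.PublicKey))
}
```

The point of the second check in `main` is the one the answers make: because the TSA token covers the signature value, even someone holding the application's private key cannot alter a segment and keep the existing token, and any replacement token from a real TSA would carry the TSA's current time rather than the time the segment was originally written. A verifier should therefore also compare `TSATime` with the period the segment claims to cover; that policy check is left out here because it depends on the application's log rotation.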