如何对日志进行数字签名以确保它们未被修改?
[英]How can I digitally sign logs to ensure that they have not been modified?
问题描述
In our application logs must be signed in order to prove that they have not been changed after they happened. 
在我们的应用程序中,必须签署日志以证明它们在发生后没有被更改。
This means that they must be signed using some sort of timestamp that links the signature with the time at which the log was written and signed. 这意味着必须使用某种时间戳对它们进行签名,该时间戳将签名与日志的写入和签名时间相关联。
This way the log cannot be modified and signed again without changing that timestamp -and therefore any modification attempt could be detected-. 这样,在不更改时间戳的情况下无法再次修改和签名日志 - 因此可以检测到任何修改尝试。
Is there a standard way to do this? 有没有标准的方法来做到这一点?
2 个解决方案
解决方案1
3 2010-09-30 12:13:35
Eugene Mayevski is right, CAdES signature timestamped with the use of external timestamping service will do the job. Eugene Mayevski是对的,CAdES签名时间戳使用外部时间戳服务将完成这项工作。 However, everything depends on the exact threats to the logs your application creates and their potential originators. 但是,一切都取决于您的应用程序创建的日志的确切威胁及其潜在的发起者。 In the first approximation, signing a hash of the log with an external TSA (without local CAdES signing) would be enough for you. 在第一个近似中,使用外部TSA(没有本地CAdES签名)签署日志的哈希就足够了。
解决方案2
1 2010-09-30 11:06:19
Timestamping is part of CAdES standard, and this standard allows detached signatures. 时间戳是CAdES标准的一部分,此标准允许分离签名。 So yes, you can use digital signing with timestamping. 所以,是的,您可以使用带有时间戳的数字签名。 The problem of altering the signed data or misusing the private key (stored in your application) is addressed by timestamping quite efficiently. 更改签名数据或滥用私钥(存储在应用程序中)的问题可通过非常有效的时间戳来解决。
If you develop a .NET or Windows application, you can use PKIBlackbox package of our SecureBlackbox product to make CAdES signatures with timestamping. 如果您开发.NET或Windows应用程序,则可以使用我们的SecureBlackbox产品的PKIBlackbox包来制作带时间戳的CAdES签名。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.