Reputation: 26971
What is the best approach to fetching a certified time stamp from the internet from within my app?
I have a licence file that expires at a regular period and I must make sure that the certificate is not expired.
Is such a thing even possible / does it exist? Ideally when my app runs, it should get a secured/certified time stamp representing current time, but I want to make sure it cannot be faked by the application runner.
Are there any services that offer this out there? It can be commercial, I just don't know where to start and am looking for some pointers.
Upvotes: 0
Views: 214
Reputation: 46040
Look at the Timestamping protocol (RFC 3161). It gives you secure time. To properly use the protocol you can ask the server to timestamp some random hash (the server doesn't care), then validate the timestamp and if it's OK, use the time in the timestamp. That would be the most effective approach.
There was a TSP client available in BouncyCastle, if memory serves, and our SecureBlackbox product (including free CryptoBlackbox package) also includes a TSP client and powerful validation mechanisms.
Upvotes: 1
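The request side of the exchange the answer describes, as an added example that is not part of the original answer: it DER-encodes an RFC 3161 `TimeStampReq` over a fresh random challenge and nonce, then checks that a returned token answers this request and not an older, replayed one. The function names are hypothetical, and verifying the token's CMS signature and TSA certificate chain is assumed to be done by a TSP library before `token_answers_request` is called.

```python
import hashlib
import hmac
import secrets

# DER encoding of the SHA-256 OID 2.16.840.1.101.3.4.2.1
SHA256_OID = bytes.fromhex("0609608648016503040201")

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def der_int(value: int) -> bytes:
    """Non-negative INTEGER; the byte count keeps the sign bit clear."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def build_request(challenge: bytes, nonce: int) -> bytes:
    """TimeStampReq: version 1, SHA-256 messageImprint, nonce, certReq=TRUE."""
    digest = hashlib.sha256(challenge).digest()
    alg = der(0x30, SHA256_OID + der(0x05, b""))      # AlgorithmIdentifier
    imprint = der(0x30, alg + der(0x04, digest))      # MessageImprint
    return der(0x30, der_int(1) + imprint + der_int(nonce) + der(0x01, b"\xff"))

def new_request():
    """Fresh challenge and nonce per check, so an old token cannot be replayed."""
    challenge = secrets.token_bytes(32)
    nonce = secrets.randbits(64)
    return challenge, nonce, build_request(challenge, nonce)

def token_answers_request(tst_imprint: bytes, tst_nonce: int,
                          challenge: bytes, nonce: int) -> bool:
    """Compare the TSTInfo fields of an already signature-verified token
    against what this run sent. Only then is its genTime usable."""
    expected = hashlib.sha256(challenge).digest()
    return hmac.compare_digest(tst_imprint, expected) and tst_nonce == nonce

if __name__ == "__main__":
    challenge, nonce, request = new_request()
    # POST `request` to the TSA with Content-Type: application/timestamp-query
    print(len(request), request.hex())
```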