Blog | G5 Cyber Security

SHA1 Signatures: Can Timestamps Help?

TL;DR

While SHA1 is considered cryptographically broken and shouldn’t be used for new signatures, adding a timestamp to an existing SHA1 signature can provide some limited legal protection. It proves the document existed in its current form at a specific time, but doesn’t fix the underlying security weakness of SHA1 itself.

Understanding the Problem

SHA1 is an old hashing algorithm. It’s been found to be vulnerable to collision attacks – meaning it’s possible (though difficult) to create two different documents that produce the same SHA1 hash value. If an attacker can get you to sign one document of such a colliding pair, the signature you made validates equally on the other, so a forged document can carry a signature that is genuinely yours.

Can a Timestamp Help?

A timestamp doesn’t change the fact that SHA1 is insecure. However, it can help establish when your signature was created. This is important for legal reasons. If you signed something in 2018, and someone tries to claim forgery now, a timestamp proves you made the signature before SHA1’s weaknesses were widely exploited.

How Timestamps Work

  1. Hashing: You first create an SHA1 hash of your document.
  2. Timestamping Authority (TSA): You send this hash to a trusted TSA.
  3. TSA Response: The TSA returns a digitally signed timestamp token. This token includes the hash, the date and time, and the TSA’s digital signature.
  4. Combining: You combine your original SHA1 signature with the timestamp token.

The key is that the TSA must be trusted – usually a government-approved or commercially reputable provider.

Steps to Add a Timestamp

  1. Choose a TSA: Research and select a trustworthy Timestamping Authority. Some common options include DigiCert, GlobalSign, and Entrust.
  2. Software/Tools: You’ll need software that supports timestamping SHA1 signatures. Examples include:
    • OpenSSL: A powerful command-line tool (see example below).
    • PDF Signing Software: Many PDF signing tools have built-in timestamping features (e.g., Adobe Acrobat, DocuSign).
    • Dedicated Timestamping Services: Some services offer APIs for integrating timestamping into your applications.
  3. Generate the SHA1 Hash: Use a hashing tool to create the hash of your document.
    openssl dgst -sha1 filename.pdf
  4. Timestamp with OpenSSL (Example): This is a simplified example; adjust paths and options as needed. The first command builds an RFC 3161 timestamp request from the SHA1 digest of the document and asks the TSA to include its certificate in the reply; the second sends that request to the TSA over HTTP and saves the returned timestamp token.
    openssl ts -query -data filename.pdf -sha1 -cert -out request.tsq
    curl -s -H "Content-Type: application/timestamp-query" --data-binary @request.tsq http://timestamp.digicert.com -o response.tsr

    Replace filename.pdf with your document name and http://timestamp.digicert.com with the URL of the TSA you chose in step 1. The TSA’s certificate is not needed to make the request, but you will need it in step 6 to check the token’s signature.

  5. Combine Signature & Timestamp: The exact method depends on the software you’re using. Usually, it involves appending the timestamp token to the signature file or embedding it within a digital container (like a PDF).
  6. Verify: Test the combined signature and timestamp to ensure they validate correctly.
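
The following POSIX shell script is an added, constructed example (not code from the original post) that runs the round trip from both lists above end to end, offline: it generates a throwaway CA and TSA certificate, hashes a constructed document and builds the timestamp query from that digest (hashing and query steps), answers the query with `openssl ts -reply` standing in for the HTTP POST to a public TSA (the TSA response step), and verifies the token against the original bytes and against an altered copy (the verify step). The function names, the scratch directory variable `TSA_DEMO_DIR`, the file names, the certificate subjects and the policy OID `1.2.3.4.1` are all assumptions of this example; only the `openssl` command-line tool is required.

```shell
#!/bin/sh
# Constructed, offline walk-through of the RFC 3161 flow described above.
# A throwaway CA and TSA are generated locally so no real TSA is contacted.
# Requires only the openssl command-line tool.

WORKDIR="${TSA_DEMO_DIR:-$(mktemp -d)}"   # assumed scratch location

# Create a local CA, a TSA certificate whose critical extendedKeyUsage is
# timeStamping (the purpose `openssl ts` insists on for a signer), and the
# [tsa] configuration that `openssl ts -reply` reads.
make_local_tsa() {
    cat > "$WORKDIR/tsa.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_tsa ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, timeStamping
[ tsa ]
default_tsa = local_tsa
[ local_tsa ]
dir = $WORKDIR
serial = \$dir/tsa.serial
signer_cert = \$dir/tsa.crt
signer_key = \$dir/tsa.key
certs = \$dir/ca.crt
signer_digest = sha256
default_policy = 1.2.3.4.1
digests = sha1, sha256
accuracy = secs:1
EOF
    echo 01 > "$WORKDIR/tsa.serial"
    openssl req -config "$WORKDIR/tsa.cnf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed test CA" -days 1 -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" || return 1
    openssl req -config "$WORKDIR/tsa.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed test TSA" -keyout "$WORKDIR/tsa.key" -out "$WORKDIR/tsa.csr" || return 1
    openssl x509 -req -in "$WORKDIR/tsa.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORKDIR/tsa.cnf" -extensions v3_tsa -out "$WORKDIR/tsa.crt"
}

# Hash the file, put the digest into a timestamp query as the message imprint,
# ask the TSA to include its certificate (-cert), then obtain the token.
# $1 = file, $2 = imprint digest (sha1 or sha256). Writes $1.tsq and $1.tsr.
timestamp_file() {
    doc="$1"; digest="${2:-sha1}"
    imprint="$(openssl dgst "-$digest" -r "$doc" | cut -d' ' -f1)"
    openssl ts -query -digest "$imprint" "-$digest" -cert -out "$doc.tsq" || return 1
    # With a public TSA this step is an HTTP POST of $doc.tsq with
    # Content-Type: application/timestamp-query; here the local TSA answers directly.
    openssl ts -reply -config "$WORKDIR/tsa.cnf" -queryfile "$doc.tsq" -out "$doc.tsr"
}

# Recompute the imprint over $1, check it matches the token in $2, and check
# that the token's signature chains to the trusted CA. Exit status 0 = valid.
verify_timestamp() {
    openssl ts -verify -data "$1" -in "$2" -CAfile "$WORKDIR/ca.crt" >/dev/null 2>&1
}

# Print the time the TSA asserted in the token's TSTInfo.
token_time() {
    openssl ts -reply -in "$1" -text | sed -n 's/^Time stamp: //p'
}

run_demo() {
    doc="$WORKDIR/document.txt"
    printf 'Constructed sample document text.\n' > "$doc"
    make_local_tsa || { echo "local TSA setup failed"; return 1; }
    timestamp_file "$doc" sha1 || { echo "timestamping failed"; return 1; }
    echo "TSA asserted existence at: $(token_time "$doc.tsr")"
    verify_timestamp "$doc" "$doc.tsr" && echo "original bytes: token verifies"
    # One changed byte: the imprint differs, so the same token must be rejected.
    printf 'Constructed sample document text!\n' > "$WORKDIR/altered.txt"
    verify_timestamp "$WORKDIR/altered.txt" "$doc.tsr" || echo "altered bytes: token rejected"
}

run_demo
```

Two points the script makes concrete. First, the token vouches only for the bytes that were hashed: feeding it the signature value (as CAdES and PAdES signature timestamps do) proves the signature existed at that time, whereas hashing the bare document, as the list above does, proves only that the document did. Second, the message-imprint algorithm in the request is independent of the algorithm used in the original signature, so `timestamp_file "$doc" sha256` works just as well, which is useful because a TSA may decline SHA1 imprints.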

Important Considerations
