Brief Overview

Root Cause Forensics has developed a process for electronically signed report documents that allows clients, the Court and third parties to verify that a file has remained unmodified. The process is robust and neither the process nor past or future security is vulnerable to single point failures such as server breakdowns, hacking or general property loses at our offices. The system uses a cryptographic hash signature that is orders of magnitude more secure than any engineering report signing system should need, however, adopting this system makes it reasonably sure that electronically signed reports will be as secure as original paper copies of reports for the foreseeable future, while offering additional avenues of verification not available with paper reports.

Why a Cryptographic Hash Signature ?

The goal is to allow verification that a candidate document is the report document that was stamped and signed. If even one bit of one byte of the document is altered in any way for any reason, the fact that the document is no longer identical to the original will be detectable even without access to the correct original document. The cryptographic hash signature method also allows a system that is not vulnerable to single point physical or electronic compromise. For instance, if a system relied on the security of the company's computer servers to protect a generic image file of a stamp or signature, or locks, fire and alarm systems to protect the physical stamp itself, or some variety of "secret key", then a single incident that exposes or destroys this key piece could compromise the system's security and/or verification. The crytographic hash signature can be published freely without revealing any confidential information about the matter or any sort of key to the signing process. In another system that relies on a generic image file of a stamp or signature; obviously these keys could not be published publicly to allow verification without risking their unauthorized duplication. With a cryptographic signature, the Court or third parties can independently verify they have received a true copy of a report as easily as clients who received the same report directly from Root Cause Forensics.

How the Root Cause Forensics Method Works

A report is prepared as an electronic document. The signature page is printed, stamped with an ink stamp, signed with a pen and assigned a random document number, written by hand on the signature page. Note the system relies on a real ink signature and an initialed stamp impression. No two instances are going to be identical so the distribution of one report cannot affect the security of any other report, past or future. The signature page is then scanned back into electronic form, in colour, and merged with a PDF of the electronic document. The merged document is the final copy of the report document. This document is run through a cryptographic hash program to create a unique electronic signature, a fingerprint, generated based on the totality of the electronic document. This step is as easy as playing a video file on a computer, except the output is a string of hexidecimal numbers. The hash signature is published in a text file to the client along with the electronically signed report document. For the convenience of anyone who might later come into possession of an electronically signed report document without the accompanying text file, the hash signature might be checked here. The entire process is no more time-consuming that printing and signing multiple hard copies of reports and packaging them off to the client by courier.

What Makes a Cryptographic Hash Signature Special ?

A hash is a large number computed from all of the data in the file. There are three important properties of cryptographic hashes. If even one bit of one byte of data in the file is changed, the hash of the file will in general be completely different. The hashing function uses mathematical computations that are far easier to compute in the forward direction from data to hash, and far more difficult, and in practice computationally impossible, to compute in the opposite direction from hash to data. Lastly, for a given set of data and its hash signature, it is mathematically difficult, and in practice computationally impossible, to find another set of data that is similar that produces the same hash signature.

The SHA512 cryptographic hash used by Root Cause Forensics was designed by the United States National Security Agency (NSA). One of its intended uses is to produce a cyrptographic hash signature to assure that documents have not changed -- we are using an advanced tool for exactly what it was designed to do. Brute force methods, that include trying possibilities until one finds a solution, would seem to require 10^154 attempts -- that is a one followed by 154 zeros -- to have a 50% chance of finding any other file with the same hash, if one even exists. There is no guarantee that there is a modified version of the original file that will produce the same hash value -- no guarantee of success even if one had the computational horsepower and the time. To give an impression of the astronomical magnitude of the computational problem, for comparison, the number of atoms in the observable universe is currently estimated to be less than 10^82 -- a one followed by 82 zeros -- a far smaller number.

In the future, quantum computers are predicted to be much better at some types of work than our current computers are, and the NSA and NIST are already in development of "post-quantum" cryptographic systems. However, even if some research lab ever makes a quantum computer with enough q-bits, powered by its own nuclear power plant, it seems unlikely that anyone would bother to use such a computer on our reports when they could instead steal all the bitcoins in the world and crack far more interesting secrets and devices. In addition, we are reasonably confident all of our client's current matters will be resolved by the time such a computer is made. The concept of cryptographic signatures can be extended in the future, by simply keeping pace with whatever better methods the NSA or NIST develop next. Upgrade of the entire system is easy. Old reports are not tied to a hash function believed to be good when the report was generated. If a stronger hash is ever believed necessary, the hash values for all old reports can be re-generated and posted. The process of creating cryptographic hash signatures and checking them will not significantly increase in complexity.

How Does One Handle Such A Report to Preserve its Cryptographic Hash Signature ?

Saving the file on the computer desktop, on a hard drive or on a USB flash drive or writable CD will in general preserve the file identical to the original. Leaving a copy of the file in the incoming email server leaves the report document unmodified. Forwarding the file in email will not modify the report document, and creates an additional copy of the original document in one more person's email inbox.

What Will Cause A Verification Failure ?

Failure of verification may arise from innocuous causes. All facsimile systems, even ones that appear to faithfully preserve the content of the report document, will alter the hash signature. For instance printing the electronic document, and then scanning the printed document back to an electronic document will be detectable. Facsimile (FAX) machines will change the file, even if the document is sent to the sending fax machine in electronic form, and the document is delivered by a receiving paperless fax machine to its recipient. Certain electronic document management systems (like those used by legal offices or insurance companies) may accept electronic reports but by default automatically re-render most text and picture documents in lower resolution for more compact memory storage. Such a re-rendered stored document that is then exported out again as a stand-alone file has essentially been put through a virtual fax machine. The exported file will not be identical to the original file and therefore the signatures will not match. Electronic document management systems that store identical digital copies, or can be ask to do this for particular files, will preserve the crytographic hash signature as well. Naturally, cropped versions of the document, where pages or paragraphs are omitted will not match the original. Intentionally modified documents will also not match the signature. Intentional modification includes such accepted practices as adding banners, such as fax machines do, or imprinting received dates, or watermarks, or any sort of comment markups. From time to time users of a report may also intentionally send only a few pages of a long report on to another recipient and such partial or edited documents will not match the cryptographic hash signature.

We Have Just Described the Entire Process, Isn't that a Problem?

No, and that is one of its strengths. If a secret needs to be kept to assure the usefulness of a report authentication system, then the system is only as secure as the secret.

One Has Received A Report, Now What ? -- Do Nothing

First, one does not need to do anything unless one suspects the copy of a report they received is not the original. One can almost certainly stop there. Checking crytographic hash signatures is a hassle and the entire point is they are so tough to break, it pointless to even try hacking them. When they do not match it will more likely be for innocuous or obvious reasons as explained above.

I think in my entire career, I have checked only a handful of digital signatures. In those cases, I was dealing with intermittent hardware problems and giant data files. I needed to detect data corruption caused by read or transmission errors. In that particular work, I had to provide tracability if needed, not only to prove accuracy in transmission but also to answer any possible doubt that I had intentionally tampered with the data. Normal error-detection schemes can be effective at detecting random errors like in corrupted transmissions but some schemes may be intentionally tricked with manipulated data, so they do not guarantee there has been no intentional tampering. A cryptographic hash met all needs of the project. The method was effective at detecting a problem in one data transfer that I recall, so I repeated the transfer and verification process and came through with a match between the first and third read of the data indicating they were identical and correct. I concluded that the second transfer had experienced a transmission error.

If the document is in greyscale instead of colour, or has pages missing, or has writing all over it, or received stamps, or fax banners, or the appendices are missing, or is packed into a brief with other documents, then the document will not match the digital signature. If in doubt, request an original electronic copy of the document.

How does One Check a Report?

If one wants to check a digital signature on a candidate report document, one needs only the candidate report document. On the signature page, there will be a document number. One can check this webpage for the crytographic hash signature corresponding to the document number. (The cryptographic hash signature was also provided to the original recipient in a text file which may or may not have been distributed with the document -- no matter.) Now that one has the candidate report document and the original digital signature, one has to generate the signature for the candidate report document. This is done with a piece of software -- there are suggestions in the next paragraph. If the signature generated by the program matches the one given on this page, then the candidate report document has been verified to be the same as report document when it was distributed. If the signature does match, then the candidate document is not an exact copy of what was distributed. One does not need a copy of the original document to know the candidate document is not right. If we compare this to checking answers on a test, one does not need to know the right answer to recognize a wrong answer. Unfortunately, a non-match of a signature does not tell the reader how the candidate report document was or came to be modified -- it may have happened for innocuous reasons. If it is important simply request an original electronic copy of the document.

Programs to Compute the SHA512 Hash of a File

There are a number of programs that can compute the SHA512 hash of a file but Quick Hash seems like the most accessible across different operating system platforms. This video showing it in action demonstrates (at about 1 minute 30 into the video) just how much the hash changes each time an addition character of data is added. One would download this program or some other program that generates the SHA512 hash of a file, run it and compare the hash signatures. I do not recommend "free" on-line hash services that require your file to be uploaded to a third party server.