Signing web pages...

Post #6,549 by ChrisR 8/23/01 9:08:14 PM Reply	Signing web pages... I've got some info and numbers that get pushed to a web page. Some of my end users will be printing this information out as a reference. What I need is to put some method of an encrypted signature on the form that verifies that the information is the same as when it leaves the server, prior to the user getting their hands on it. What I'm trying to protect against is having some user doctor the numbers and come back later when the numbers we show for them don't match their print out. Anyone have experience along these lines? The best possible solution is to have the authentication numbers be printed in bar code instead of a bunch of signature bytes - but I'm not familiar with anything that can be used to produce a bar code graphic on the fly.
Post #6,563 by altmann 8/23/01 10:36:13 PM Reply	Barcode Generators [link\|http://www.azalea.com/giffy/\|Commericial for PHP] [link\|http://cpan.valueclick.com/modules/by-category/18_Images_Pixmaps_Bitmaps/GD/\|Free in Perl (CPAN)] [link\|http://www.planet-source-code.com/xq/ASP/txtCodeId.1880/lngWId.2/qx/vb/scripts/ShowCode.htm\| Free in Java] -- Chris Altmann
Post #6,635 by ChrisR 8/24/01 3:08:01 PM Reply	Thanks. Will take a look.
Post #6,609 by drewk 8/24/01 12:38:35 PM Reply	Futile If it can be printed, it can be doctored. I've done it as a joke, tabloids do it as a business method. Any half-decent retouching artist with a scanner, editing software and printer can do it. Unless you control the printing and use watermarking, holograms or some other anti-conterfeiting technique, this is not a technical question but a managment/business process one. -- Or -- Hmm, you could always combine the key figures on the printout with some private key, make the MD5 hash and print that on the page. If the key doesn't match the result from the printed numbers, you'll know it's doctored. Okay, so the first paragraph should read, "Just because it's in a bar code doesn't mean people can't forge it. If you can figure out how to print bar codes, so can they." This is my sig. There are many like it, but this one is mine.
Post #6,636 by ChrisR 8/24/01 3:12:35 PM Reply	Barcode just used to mask the signature... Want to run the text (including the numbers) through a hash. A barcode looks nicer and a bunch of random bytes, but I'll have to sit down and figure out whether it can hold enuf of the signature. The problem is definitely not unique to the web. I figure the same issue has cropped up with printed reports. Figured someone might have dealt with the issue of detecting whether a document has been doctored.
Post #11,196 by scoenye 10/1/01 11:00:01 PM Reply	Almost :) Swap the use of the hash and the signing algorithm: compute a secure hash of the critical information, then sign the hash with a public key algorithm, using the private key. Have the server publish the signed hash and the public key (as a barcode graphic or otherwise) as part of the page. Presence of the public key allows the client to verify that the hash represents the critical information. However, note that barcoding the signed hash and the key only improves part of the problem. If a complaint arises, someone will still be stuck keying in the numbers that were included in the hash in the right order and without typos.
Post #11,332 by Ashton 10/2/01 7:32:41 PM Reply	Puzzle. Forensics? chain of evidence? Sounds a lot like 'the ontological proof of god' when you get down to real er proof. Even a notarized letter sent registered, content confirmed by phone call later (?) - always is the element of 'the final trusted arbiter': Heinlein's fairwitness ? So if the data being shipped is That sensitive (or in Murican scale of importance in the universe: $-related) - well.. I dunno enough about the many entries that are almost good-enough. Luck, Ashton Turing

Welcome to IWETHEY!