IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

IWETHEY Home / IWETHEY Board / Internet Forum / Futile
Post #6,609
by drewk
Picture of drewk
8/24/01 12:38:35 PM
Reply
New Futile
If it can be printed, it can be doctored. I've done it as a joke, tabloids do it as a business method. Any half-decent retouching artist with a scanner, editing software and printer can do it. Unless you control the printing and use watermarking, holograms or some other anti-conterfeiting technique, this is not a technical question but a managment/business process one.

-- Or --

Hmm, you could always combine the key figures on the printout with some private key, make the MD5 hash and print that on the page. If the key doesn't match the result from the printed numbers, you'll know it's doctored.

Okay, so the first paragraph should read, "Just because it's in a bar code doesn't mean people can't forge it. If you can figure out how to print bar codes, so can they."
This is my sig. There are many like it, but this one is mine.
Post #6,636
by ChrisR
8/24/01 3:12:35 PM
Reply
New Barcode just used to mask the signature...
Want to run the text (including the numbers) through a hash. A barcode looks nicer and a bunch of random bytes, but I'll have to sit down and figure out whether it can hold enuf of the signature.

The problem is definitely not unique to the web. I figure the same issue has cropped up with printed reports. Figured someone might have dealt with the issue of detecting whether a document has been doctored.
Post #11,196
by scoenye
10/1/01 11:00:01 PM
Reply
New Almost :)
Swap the use of the hash and the signing algorithm: compute a secure hash of the critical information, then sign the hash with a public key algorithm, using the private key. Have the server publish the signed hash and the public key (as a barcode graphic or otherwise) as part of the page.

Presence of the public key allows the client to verify that the hash represents the critical information.

However, note that barcoding the signed hash and the key only improves part of the problem. If a complaint arises, someone will still be stuck keying in the numbers that were included in the hash in the right order and without typos.
     Signing web pages... - (ChrisR) - (6) - Aug. 23, 2001, 09:08:14 PM EDT
         Barcode Generators - (altmann) - (1) - Aug. 23, 2001, 10:36:13 PM EDT
             Thanks. Will take a look. -NT - (ChrisR) - Aug. 24, 2001, 03:08:01 PM EDT
         Futile - (drewk) - (2) - Aug. 24, 2001, 12:38:35 PM EDT
             Barcode just used to mask the signature... - (ChrisR) - Aug. 24, 2001, 03:12:35 PM EDT
             Almost :) - (scoenye) - Oct. 1, 2001, 11:00:01 PM EDT
         Puzzle. Forensics? chain of evidence? - (Ashton) - Oct. 2, 2001, 07:32:41 PM EDT

If I wanted conversations like that, I'd talk to my girlfriend on the phone.
73 ms