GLOBALTRUST QUALIFIED TIMESTAMP – qualified time stamp according to eIDAS-VO for audit-proof document management

14 April 2023
GLOBALTRUST QUALIFIED TIMESTAMP: qualified timestamp service according to the eIDAS Regulation

GLOBALTRUST QUALIFIED TIMESTAMP assigns a time stamp to any document and thereby guarantees the existence of this document at this point in time. The document itself is not transferred, so data protection is preserved; the internationally recognized standard RFC 3161 and the EU-wide legal basis guarantee interoperability. GLOBALTRUST archives issued time stamps at no additional cost.

Why GLOBALTRUST QUALIFIED TIMESTAMP?

In many cases it is important to know when a document was created, when it was submitted or when it was published – or more abstractly: when an electronic process took place. Just think of the financial market, which would no longer function at all without unfalsifiable and millisecond-precise time information.

On the one hand, the local computer time is far too imprecise, and on the other hand, it can be manipulated at will. The Internet itself provides no reliable time information, so special services are required. A time confirmation from a trustworthy third party therefore has high probative and confirmatory power.

The qualified timestamp links an electronic document to the “official time”. This guarantees the existence of the document at this point in time. In addition, it is proven that the document has not been changed since this point in time (integrity).

Electronic time stamp services are gaining in importance. They serve to preserve evidence that also withstands long-term regulatory requirements: be it for audit-proof archiving, proof of the priority of intellectual property, prevention of fraud, documentation of submission and receipt dates or in electronic procurement procedures. Our customers use them for numerous other functions as part of automated document management.

A reliable indication of the time is of the utmost importance, particularly in connection with the publication of information, the existence of a specific website, UWG issues, copyright infringement, e-tendering issues or issues relating to the use of names and terms. Other common application scenarios are time stamps embedded in electronic signatures on contracts, protocols in the e-health sector, and non-disclosure agreements (NDAs).

GLOBALTRUST is a trust service provider according to eIDAS and the SVG; the timestamp service GLOBALTRUST QUALIFIED TIMESTAMP is provided under the supervision of the Telekom-Control-Commission/RTR GmbH. In 2018, GLOBALTRUST was the first provider in Austria to play a key role in shaping this development.

What can’t a timestamp do?

As a “time signature”, a timestamp proves the exact point in time at which a document was available. An intact time signature is also proof that the document has not been changed after it was attached (integrity).

However, it makes no statement as to where or by whom a document originates (authenticity) and also does not express approval of the document content (“content commitment”). These functions can only be covered using (qualified) electronic signatures and seals. Here we have created a short overview.

Internationally recognized standard

GLOBALTRUST uses the internationally recognized and widely used standard RFC 3161 (Internet X.509 Public Key Infrastructure Timestamp Protocol, TSP). This ensures global interoperability, regardless of the file format or document management system used.

How does the qualified timestamp work?

A unique, non-forgeable hash code is automatically generated from a document. This hash code is uniquely associated with a specific document. However, the content of the document cannot be inferred from the hash code. Any (electronic) data can be used as a hashable and therefore time-stampable “document”. XML, PDF and JSON documents are popular.

This hash code is transmitted to the GLOBALTRUST TIMESTAMP server in encrypted form (TIMESTAMP request), where it is provided with the exact time and electronically signed by the TIMESTAMP server.

GLOBALTRUST QUALIFIED TIMESTAMP obtains the exact time directly from the Frankfurt atomic clock and guarantees an accuracy of one second (internal analyses yielded an accuracy of better than 10 milliseconds). The time stamp is either transmitted to the requester as a separate file, which the requester keeps together with the original document, or embedded directly: numerous systems have integrated time stamp functions and insert the timestamp, for example, into a signed or unsigned PDF. In addition, GLOBALTRUST keeps the time stamp for 35 years for later questions on the preservation of evidence.

This procedure guarantees 100% confidentiality of your valuable documents. The content of the confidential documents is never transmitted to GLOBALTRUST. Since the hash code is also transmitted in encrypted form, an eavesdropper on the connection cannot determine who is actually making requests.

GLOBALTRUST archives issued time stamps

In addition, each time stamp (not the document!) is archived for evidence purposes and can be made available at a later date. Even if the customer loses their timestamp, presenting the hash value of a document is sufficient to check the validity at a specific point in time. GLOBALTRUST archives all assigned time stamps for up to 35 years.

Conditions

Time stamps can be requested in different annual quotas. The minimum amount is 100 time stamps, which must be used within one year. A change to the next higher quota size is possible at any time and must be announced by the user.

  • 100 time stamps/year: 20.00 euros
  • 1,000 time stamps/year: 185.00 euros

Conditions for special contingents, higher scales or for resellers on request. Users of a GLOBALTRUST certificate receive a basic quota free of charge.

Users receive a reminder email about current consumption and order information when their quota is running out. This ensures that the service is always available.

Accuracy of GLOBALTRUST QUALIFIED TIMESTAMP

GLOBALTRUST QUALIFIED TIMESTAMP guarantees a time accuracy of +/- one second. The time refers to UTC (Coordinated Universal Time). If this accuracy can no longer be guaranteed, the timestamp service is temporarily deactivated and the requester receives a corresponding warning.

Internal tests have shown that the accuracy is 100 times higher and the deviations are typically less than 10 milliseconds.

“As a collecting society for the copyrights of more than 27,000 members, we have to deal with tens of thousands of administration contracts every year. We only sign them electronically – advanced, fully automated, completely legally secure and including a qualified time stamp.”

DI Roman Oslansky, Head of IT Division, AKM

Who can use GLOBALTRUST QUALIFIED TIMESTAMP?

An order from GLOBALTRUST is required for use. Holders of certain valid GLOBALTRUST Certificates are entitled to up to 100 free timestamps.

What do you need to use it?

Adobe Acrobat also allows a time stamp to be included when signing a PDF document; the time stamp is retrieved automatically. No additional software is required. For installation instructions see https://www.globaltrust.eu/static/support-adobe-acrobat-dc-wi….

Numerous providers of ECM, DMS and ERP systems have already integrated GLOBALTRUST QUALIFIED TIMESTAMP into their products.

These Solution Partners support the implementation of your qualified time stamp project.

Automated timestamp services and bulk timestamps

Of course, the automated assignment of time stamps or the provision of large quantities of documents with time stamps is also possible. This requires special archive programs. On request, GLOBALTRUST provides interested developers with the necessary specifications for integrating the time stamp functions into their products.

Which hash algorithms are supported?

GLOBALTRUST QUALIFIED TIMESTAMP supports the algorithms SHA-256, SHA-512 and RIPEMD-160, which are considered to be secure.

“We have been offering tailor-made e-tendering solutions for private companies and public clients for two decades. Especially for public companies that are subject to the Federal Procurement Act, a legally secure handling of procurement procedures is the essential criterion. In order to be able to guarantee this legal certainty, we use a qualified time stamp from GLOBALTRUST. The integration into our systems was done quickly and easily. We – and therefore also our customers – will continue to rely on this service for the next twenty years!”

Ing. Christian Stecker, General manager, vemap Einkaufsmanagement GmbH 

Which usage variants are supported?

Issue TIMESTAMP using TCP/IP port: timestamp.globaltrust.eu port 10318

  • Timestamp assignment according to the Timestamp Protocol (TSP), RFC 3161 (+ update RFC 5816)
  • Usage: TLS client authentication with certificate required (certificate must be issued by GLOBALTRUST)
  • Timestamp contains complete certificate chain with timestamp certificate, intermediate certificate and root certificate
  • TLS encryption

Issue TIMESTAMP using HTTPS (ports 443 and 11080)

  • Suitable for Adobe Acrobat from version 10 and Reader DC
  • https://timestamp.globaltrust.eu
  • https://timestamp.globaltrust.eu:11080
  • Use: two alternative variants (A, B) possible
  • Variant A: Authentication with username/password (assigned by GLOBALTRUST)
  • Variant B: TLS client authentication with certificate (certificate must be issued by GLOBALTRUST)
  • Timestamp contains only Timestamp certificate

The step-by-step instructions for using GLOBALTRUST QUALIFIED TIMESTAMP for Adobe Acrobat DC can be found at https://www.globaltrust.eu/static/support-adobe-acrobat-dc-wi….

Issue TIMESTAMP using HTTPS (Port 10080)

  • Not suitable for Adobe Acrobat
  • https://timestamp.globaltrust.eu:10080
  • Use: two alternative variants (A, B) possible
  • Variant A: Authentication with username/password (assigned by GLOBALTRUST)
  • Variant B: TLS client authentication with certificate (certificate must be issued by GLOBALTRUST)
  • Timestamp contains complete certificate chain with timestamp certificate, intermediate certificate and root certificate

Issue TIMESTAMP using HTTPS (port 13080)

For Adobe Acrobat from version 10 and Reader DC: https://timestamp.globaltrust.eu:13080

  • Usage: Authentication with username/password required (assigned by GLOBALTRUST)
  • Timestamp contains complete certificate chain with timestamp certificate, intermediate certificate and root certificate
  • Product: e.g. Adobe Acrobat Version 10, Adobe Acrobat Reader DC

Developer information

TCP/IP access to GLOBALTRUST QUALIFIED TIMESTAMP Server

Basic process

  1. A hash is formed from the document to be provided with a time stamp. The hash algorithms SHA-1, SHA-256, SHA-512 and RIPEMD-160 are supported.
  2. This hash is sent to the GLOBALTRUST QUALIFIED TIMESTAMP server in the form of a timestamp request as specified in RFC 3161.
  3. The GLOBALTRUST QUALIFIED TIMESTAMP server returns the timestamp in the form of a timestamp reply.

Access to GLOBALTRUST QUALIFIED TIMESTAMP Server with TCP/IP

The GLOBALTRUST QUALIFIED TIMESTAMP Server implements the “Socket Based Protocol” (RFC 3161 3.3) with the addition that TLS encrypted sockets are used. For user authentication, a client certificate must be presented to the server during the TLS handshake (all non-expired and non-revoked personal GLOBALTRUST certificates are entitled to collect time stamps, but a time stamp quota must be agreed).

The GLOBALTRUST QUALIFIED TIMESTAMP server can be reached via the DNS name timestamp.globaltrust.eu, port 10318.

Basically, solutions can be implemented in any programming environment, provided it offers the following support:

  • TLS support: the use of client certificates in the TLS handshake must be supported
  • Ability to create and interpret a “Socket Based Protocol” header (RFC 3161 3.3)
  • Ability to create a timestamp request according to RFC 3161 (SHA-1, SHA-256, SHA-512 and RIPEMD-160 are supported)
  • Ability to interpret a timestamp response according to RFC 3161
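The three steps of the basic process and the requirement list above, worked through as an added example in Python (added here; it is not GLOBALTRUST's code and not the Java sample that follows). It builds the DER-encoded TimeStampReq from the SHA-256 digest of a document, wraps it in the "Socket Based Protocol" header of RFC 3161 section 3.3 (4-byte length, 1 flag byte, value) and parses a response frame back, looping on short reads instead of trusting a single read(). Assumptions not taken from the page: the SHA-256 OID comes from the standard OID registry, the flag values (0 tsaMsg, 5 finalMsgRep, 6 errorMsgRep) from RFC 3161 section 3.3, the certificate paths in request_over_tls are placeholders, and demo() runs entirely offline against a constructed reply frame.

```python
"""RFC 3161 TimeStampReq construction and RFC 3161 3.3 socket framing.
Added example, standard library only; demo() never opens a connection.
Host and port are the page's; OIDs, flags and cert paths are assumptions."""
import hashlib
import io
import os
import socket
import ssl
import struct

SHA256_OID = "2.16.840.1.101.3.4.2.1"  # NIST hash OID (assumption, not on page)
FLAG_TSA_MSG = 0x00        # tsaMsg: value carries a TimeStampReq (RFC 3161 3.3)
FLAG_FINAL_MSG_REP = 0x05  # finalMsgRep: value carries the TimeStampResp
FLAG_ERROR_MSG_REP = 0x06  # errorMsgRep: the TSA reports an error instead

# --- minimal DER encoder, just enough for a TimeStampReq --------------------
def der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body

def der_integer(value):
    # Unsigned value; a leading 0x00 is added when the top bit is set
    if value == 0:
        return der_tlv(0x02, b"\x00")
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # base-128 with continuation bits
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))

def der_sequence(*parts):
    return der_tlv(0x30, b"".join(parts))

def build_timestamp_request(data, nonce=None, cert_req=True):
    """TimeStampReq (RFC 3161 2.4.1): version, messageImprint, nonce, certReq.
    Only the digest is placed in the request; the document never leaves us."""
    digest = hashlib.sha256(data).digest()
    algorithm_id = der_sequence(der_oid(SHA256_OID))       # parameters absent
    message_imprint = der_sequence(algorithm_id, der_tlv(0x04, digest))
    if nonce is None:
        nonce = int.from_bytes(os.urandom(8), "big")       # ties reply to request
    parts = [der_integer(1), message_imprint, der_integer(nonce)]
    if cert_req:
        parts.append(der_tlv(0x01, b"\xff"))   # certReq TRUE; DEFAULT FALSE is omitted
    return der_sequence(*parts)

# --- RFC 3161 3.3 framing: 4-byte big-endian length, flag byte, value -------
def frame(flag, value):
    return struct.pack(">IB", len(value) + 1, flag) + value   # length counts the flag

def read_exact(stream, n):
    """read() may return fewer bytes than asked (TLS record boundaries);
    keep reading until the field is complete or the peer has closed."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise EOFError("short read: wanted %d bytes, got %d" % (n, len(buf)))
        buf += chunk
    return bytes(buf)

def read_frame(stream):
    length, flag = struct.unpack(">IB", read_exact(stream, 5))
    if length < 1:
        raise ValueError("length field must cover the flag byte")
    return flag, read_exact(stream, length - 1)

def parse_frame(data):
    return read_frame(io.BytesIO(data))

def request_over_tls(req, certfile, keyfile, cafile,
                     host="timestamp.globaltrust.eu", port=10318):
    """TLS client-certificate variant; not exercised by demo(). certfile,
    keyfile and cafile are placeholder paths (client cert, key, trusted CA)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame(FLAG_TSA_MSG, req))
            flag, value = read_frame(tls.makefile("rb"))
    if flag == FLAG_ERROR_MSG_REP:
        raise RuntimeError("TSA reported an error: %r" % value)
    return value   # DER TimeStampResp, to be stored next to the document

def demo():
    doc = b"constructed sample document\n"            # constructed input
    req = build_timestamp_request(doc, nonce=0x1122334455667788)
    # Constructed server answer; a real one carries the TSA-signed TimeStampResp
    reply = frame(FLAG_FINAL_MSG_REP, b"constructed-placeholder-response")
    flag, value = parse_frame(reply)
    return len(req), flag, value
```

The request bytes produced by build_timestamp_request are what the Java samples below read from request.tsq; a nonce and certReq are set so that the reply can be matched to the request and verified without a separate certificate lookup.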

A Java client application might look something like this, assuming that the file request.tsq contains a valid Timestamp Request (TSQ). The TSQ itself was generated using OpenSSL or the BouncyCastle library.

Please note that the sample code is provided only as a first orientation; no guarantee is given for its correct form, content or syntax. The code is intended to make it easier for Java programmers to get started with time stamping.

Users of other programming languages (C, C++, etc.) may need RFC 3161-compliant extensions or function libraries. Contact the supplier of your development environment in this regard. GLOBALTRUST cannot provide any support for this.

package eu.globaltrust.test;

import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.file.Files;

import javax.net.ssl.HttpsURLConnection;

import org.bouncycastle.util.encoders.Base64;

public final class TSAHTTPClientWithHTTPAuth {

    private TSAHTTPClientWithHTTPAuth() {
    }

    public static void main(final String[] args) {
        // Set the truststore; it contains the GLOBALTRUST root certificate,
        // which is required because the client would otherwise not trust
        // the TLS server certificate - see
        // http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html#CreateKeystore
        System.setProperty("javax.net.ssl.trustStore", "truststore-client");

        // Username and password for HTTP authentication (variant A)
        String username = "USERNAME";
        String password = "PASSWORT";

        try {
            // Load the timestamp request (DER-encoded TimeStampReq);
            // readAllBytes reads the whole file, unlike a single read() call
            File fReq = new File("request.tsq");
            byte[] req;
            try {
                req = Files.readAllBytes(fReq.toPath());
            } catch (Exception e) {
                System.err.println("Error reading from file");
                return;
            }

            // Open the network connection
            HttpsURLConnection conn = (HttpsURLConnection) new URL("https://timestamp.globaltrust.eu:10080")
                    .openConnection();

            // Set the HTTP parameters (RFC 3161 3.4: POST with the MIME type
            // application/timestamp-query); the fixed-length streaming mode
            // sets the Content-Length header for the request body
            conn.setDoInput(true);
            conn.setDoOutput(true);
            conn.setRequestMethod("POST");
            conn.setRequestProperty("Content-Type", "application/timestamp-query");
            conn.setFixedLengthStreamingMode(req.length);

            // Build the Authorization header according to RFC 2617:
            // Base64("Username:Password")
            ByteArrayOutputStream bout = new ByteArrayOutputStream();
            Base64.encode((username + ":" + password).getBytes("ISO-8859-1"), bout);
            String base64Auth = bout.toString("ISO-8859-1");
            conn.setRequestProperty("Authorization", "Basic " + base64Auth);

            // Send the request
            OutputStream os = conn.getOutputStream();
            os.write(req);
            os.close();
            System.out.println("Request sent.");

            if (conn.getResponseCode() != HttpsURLConnection.HTTP_OK) {
                System.err.println("HTTP error " + conn.getResponseCode());
                return;
            }

            // Receive the response (application/timestamp-reply)
            InputStream is = conn.getInputStream();
            byte[] resp;
            int len = conn.getContentLength();
            if (len >= 0) {
                // readFully loops until the whole body has arrived; a single
                // read() may return fewer bytes than the Content-Length
                resp = new byte[len];
                new DataInputStream(is).readFully(resp);
            } else {
                resp = is.readAllBytes(); // no Content-Length header (Java 9+)
            }
            is.close();

            // Store the DER-encoded TimeStampResp for later verification
            FileOutputStream osResp = new FileOutputStream("tsatestresp.der");
            osResp.write(resp);
            osResp.close();
            System.out.println("Response written to tsatestresp.der");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

package eu.globaltrust.test;

import org.bouncycastle.tsp.TimeStampResponse;

import java.io.DataInputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.nio.file.Files;

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * This class contains a main method that connects to a timestamping server
 * using the TCP protocol specified in RFC3161 with an additional SSL layer. It
 * should only be used for reference purposes.
 * @author DW
 *
 */
public final class TSATCPClient {

    private TSATCPClient() {
    }

    public static void main(final String[] args) {
        // Present the client certificate during the TLS handshake
        System.setProperty("javax.net.ssl.keyStore", "zertifikat.p12");
        System.setProperty("javax.net.ssl.keyStorePassword", "PASSWORT");
        System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");

        // Set the truststore; it contains the GLOBALTRUST root certificate,
        // which is required because the client would otherwise not trust
        // the TLS server certificate - see
        // http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html#CreateKeystore
        System.setProperty("javax.net.ssl.trustStore", "truststore-client");

        try {
            // Read the timestamp request completely
            byte[] request = Files.readAllBytes(new File("request.tsq").toPath());

            // Prepare the header of the direct TCP-based TSA message
            // (RFC 3161 3.3): a 4-byte big-endian length field that counts
            // the flag byte plus the request, followed by the flag byte
            // (0 = tsaMsg, i.e. the frame carries a TimeStampReq)
            byte[] header = ByteBuffer.allocate(5)
                    .putInt(request.length + 1)
                    .put((byte) 0)
                    .array();

            // Establish the connection (TLS handshake with client certificate)
            SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket("timestamp.globaltrust.eu", 10318);
            // Send header and timestamp request
            OutputStream os = s.getOutputStream();
            os.write(header);
            os.write(request);
            os.flush();

            // Read the reply; readFully/readInt block until each field has
            // arrived completely, so a TLS record boundary cannot truncate it
            DataInputStream is = new DataInputStream(s.getInputStream());
            // Length field (flag byte + TimeStampResp)
            int ilength = is.readInt();
            if (ilength < 1) {
                System.out.println("invalid length field: " + ilength);
                return;
            }
            // Flag field: 5 = finalMsgRep carries the TimeStampResp,
            // 6 = errorMsgRep carries an error indication instead
            int flag = is.readUnsignedByte();
            // Timestamp response
            byte[] value = new byte[ilength - 1];
            is.readFully(value);
            s.close();
            if (flag == 6) {
                System.out.println("TSA reported an error: " + new String(value, "UTF-8"));
                return;
            }

            // Store the timestamp response
            FileOutputStream reply = new FileOutputStream("reply.tsr");
            reply.write(value);
            reply.close();

            // Interpret the timestamp response
            TimeStampResponse resp = new TimeStampResponse(value);
            System.out.println("Response Status: " + resp.getStatus());
            if (resp.getTimeStampToken() == null) {
                // Status other than granted/grantedWithMods: no token present
                System.out.println("No token granted: " + resp.getStatusString());
                return;
            }
            System.out.println("Timestamp at: " + resp.getTimeStampToken().getTimeStampInfo().getGenTime());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Creation of a timestamp request in Java

Written in Java using the BouncyCastle libraries, the following program creates a timestamp request in the request.tsq file for the doc.txt file:

package eu.globaltrust.test;

import java.io.File;
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.nio.file.Files;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.tsp.TimeStampRequest;
import org.bouncycastle.tsp.TimeStampRequestGenerator;

public final class TSQCreator {

    private TSQCreator() {
    }

    public static void main(final String[] args) {
        // The OID of the hash algorithm must be known. SHA-1 is used here as
        // in the original sample; SHA-256 (OID 2.16.840.1.101.3.4.2.1) is
        // among the algorithms listed above as secure
        String sha1Oid = "1.3.14.3.2.26";
        // We want to create a timestamp request for doc.txt
        File doc = new File("doc.txt");
        byte[] bytes;
        try {
            // readAllBytes reads the whole file, unlike a single read() call
            bytes = Files.readAllBytes(doc.toPath());
        } catch (Exception e) {
            System.err.println("Error reading from file");
            return;
        }
        byte[] digest;
        try {
            digest = MessageDigest.getInstance("SHA-1").digest(bytes);
        } catch (NoSuchAlgorithmException e) {
            System.out.println("SHA-1 algorithm not available.");
            return;
        }
        TimeStampRequestGenerator gen = new TimeStampRequestGenerator();
        // Ask the TSA to include its certificate in the response so that the
        // token can be verified later without a separate lookup
        gen.setCertReq(true);
        try {
            // A random 64-bit nonce lets the client match the response to
            // this request and detect a replayed response
            TimeStampRequest tsq = gen.generate(new ASN1ObjectIdentifier(sha1Oid), digest,
                    new BigInteger(64, new SecureRandom()));
            try (FileOutputStream out = new FileOutputStream("request.tsq")) {
                out.write(tsq.getEncoded());
            }
        } catch (Exception e) {
            System.out.println("Error creating or writing request: " + e.getMessage());
        }
    }
}
