Digitally sign the data as it is archived
I have an application that periodically logs data from a manufacturing process (different sample rates, 1s minimum, normal 10 minutes or more max). The customer would like to know if the data has been changed (changed in place, added records or deleted records).
Data is written as a binary record. There can be multiple streams of data, each compiled into its own file and each with its own data format. The data is recorded in one go, and if the PC or the monitoring process goes down, production does not necessarily stop, so I cannot guarantee that the archiving process will stay in place. Obviously, I can only authenticate what I am actually recording, but recording can start and stop.
What methods can be used to authenticate this data? I would prefer to use a separate log file for data validation for backward compatibility, but I'm not sure if this is possible. Barring direct responses, are there any search suggestions to find some suggestions?
Thank!
source to share
I don't think you necessarily need digital signatures, secure hashes (say SHA-256) should suffice.
As each entry is written, calculate a safe hash and store the hash value in a logging file. If there is any post id, save that. You need to map the hash to the corresponding entry somehow.
Now, as long as no one clogs the log file, any changes to the records will be detected. To make it difficult to tamper with, periodically hash your log file and send that hash and the number of entries in the log file somewhere safe. Ideally, submit multiple locations, each under the control of a different person.
A slightly more sophisticated approach is to use a Merkle tree, essentially a binary hash tree, rather than just a single hash of the log file. Then save the whole tree (which is not very big) and send the hash root to different locations. The root hash allows you to check the integrity of the tree, and the tree allows you to check the integrity of the log file - and if the integrity check fails, it also allows you to determine which records have changed.
source to share