我有一个数据。此刻，它是一个XML文件，但是该架构可以改变。因此，让我们假定此时它是一个C＃类。

I have a piece of data. At the moment, it's an XML file, but the architecture may change. So let's assume for the moment it's a C# Class.

当我存储在磁盘上或数据库中的数据，我需要添加某种形式的签名或指纹或校验或什么的，以确保没有人可以修改数据。需要说明的：即使是管理员或开发人员可以访问所有源$ C ​​$ C应该不能对其进行修改

When I store the data on disk or in the database, I need to add some sort of signature or fingerprint or checksum or whatever to ensure that no one can modify the data. The caveat: even an administrator or developer with access to all source code should not be able to modify it.

我想，既然有人用满code接入可以轻松地创建一个新的签名（签名需要通过程序来完成，因此无需手动密码输入），签名出于某种原因需要包含一些额外的数据。理想的情况下，我应该能够提取此数据从签名背面，例如签名和一些琴弦的日期

I assume that since someone with full code access can create a new signature easily (the signing needs to be done programatically, so no manual passphrase entry), the signature somehow needs to contain some additional data. Ideally I should be able to extract this data back from the signature, for example the date of signing and some strings.

我一般的做法是用对称加密。我生成一个散列，即SHA-512的所有字段，然后加密哈希和我的其他数据得到我的签名，使用哈希密码。解密，我的功能将生成从文件中实际数据的散列，并尝试对签名进行解密。这不会是防篡改的，但因为它很容易生成签名，其中签名日期和其他信息依然完好无损。

My general approach is to use symmetric encryption. I generate a Hash, i.e. SHA-512 from all the fields and then encrypt that hash and my additional data with to get my signature, using the hash as password. To decrypt, my function would generate the hash from the actual data in the file, and try to decrypt the signature. That would not be tamper-proof though as it's easy to generate a signature where the signing date and additional information is still intact.

由于我没有在该领域的专家，我相信，我试图重新发明轮子，而且它不是一个很好的车轮。我只是不知道是否有一些标准的做法？我相信我的要求，即一部分是不可能的（毕竟，如果有人控制了整个环境，那人还控制系统时间），但我仍然不知道这是如何普遍解决？

As I am not an expert on the field, I believe that I am trying to re-invent the wheel, and that it's not a very good wheel. I just wonder if there is some standard approach? I believe that part of my request is impossible (after all, if someone controls the entire environment, that person also controls the system time), but I still wonder how this is generally tackled?

推荐答案

这听起来像你对我想要的数字签名的一个安全数字时间戳。

It sounds to me like you want a combination of a digital signature with a secure digital timestamp.

在简短，签约数据之后，可以调用第三方web服务提供的官方时间戳以及自己的数字签名时间戳链接到您的签名值，因此提供的证据表明，原始签名（并因此原始数据）在该日或之前创建。使用这种方案，即使原始签名密钥稍后泄露，撤销或取消，这是无效前作出的任何签名仍然有效由于时间戳

In brief, after signing your data, you call a third party web service to provide an official timestamp and their own digital signature linking that timestamp to your signature value, thus providing evidence that the original signature (and thus the original data) was created on or before that date. With this scheme, even if the original signing key is later compromised, revoked or otherwise invalidated, any signatures that were made before the invalidation are still valid thanks to the timestamp.

一个防篡改硬件签字装置可能会有帮助。如果目标硬件是相当新的，可能有一定的支撑已经在主板的 TPM ，但也有很多供应商那里愿意一只胳膊和一条腿为自己的硬件安全模块收取< /一>，或为智能卡。稍差

A tamper-resistant hardware signature device may help. If the target hardware is fairly recent it may have some support already on the motherboard in the form of a TPM, but there are plenty of vendors out there willing to charge an arm and a leg for their own hardware security modules, or somewhat less for a smart card.

足够的安全可能无法实现单独的技术。您可能需要系统的独立的验证。您可能需要对计算机的位置或其他物理安全措施的远程闭路电视监控和记录，以检测或停止篡改。您可能需要第三方的code代管，审查和签署，以确保机上装载的code是什么样的目的，以及制止和/或检测后门逻辑插入到code

Sufficient security may not be achievable by technology alone. You may need independent validation of the system. You may need remote CCTV monitoring and recording of the machine's location or other physical security measures to detect or stop tampering. You may need third-party code escrow, review and signing to ensure that the code loaded on the machine is what was intended, and to deter and/or detect the insertion of backdoor logic into the code.

底线是，你多少钱，时间和精力需要花在这在很大程度上取决于你站在什么损失，如果记录是伪造的。

The bottom line is that how much money, time and effort you need to spend on this depends very much on what you stand to lose if records are forged.