A Thread to a Thread

I have an idea/concept that I do not have the time to do anything with. Therefore, I've been considering donating it to anyone who wants to run with it as a unique business idea.

Before I do that and start the donation thread I need to be certain that my understanding of a programming problem is correct. So folks give the following a few moments of thought and see if you can come up with an easy solution. I don't think there is one.

Here's the question - Can you think of a way to time-lock a data file such that it absolutely cannot be opened/accessed until a particular date?

I don't think a way exists because the date feed to it could always be faked or spoofed such as to allow access.
 
Hmm, not knowing anything about programming or data, thinking solely about the time related issue.

The NIST internet time sync service could possibly be used, but I'm not sure if the time signal they send to PCs etc is encoded in any way, shape or form. You could use a centralized server that sends a unique identifier when your file or program the file is part of (if it is part of one) requests it, but for a simple file that's not part of a program and that has to be a standalone file, I'm not sure it can be done. But then I know very little about programming.
 
I have an idea/concept that I do not have the time to do anything with. Therefore, I've been considering donating it to anyone who wants to run with it as a unique business idea.

Before I do that and start the donation thread I need to be certain that my understanding of a programming problem is correct. So folks give the following a few moments of thought and see if you can come up with an easy solution. I don't think there is one.

Here's the question - Can you think of a way to time-lock a data file such that it absolutely cannot be opened/accessed until a particular date?

I don't think a way exists because the date feed to it could always be faked or spoofed such as to allow access.

Interesting question.
Depends how low-level you're going to go though, and how secure you truly want to be. The internet server is an obvious answer, but you leave yourself open to DNS poisoning there if it's just a simple release command. An encryption key transmitted by network would work, but if someone is willing to put enough time and effort into disassembly/encryption cracking, this is again hackable.

I'd need to know precisely what your file is, and what I can & can't actually do with it before I can give you better answers :)
If I have network access and can run arbitrary code within the file and on a remote server, then timelocking it's a piece of cake.
Doing it without network access represents much more of a pain in the neck, but it's doable, but everything depends on what I can actually do with the system in question and what resources I have access to.

Stupidly secure and with no remote access would probably be a decryption dongle containing its own RTC that releases the key on the set date, along with a reasonable set of failsafes and similar stuff :)
Even that would be hackable though, it just depends on how much effort any given hacker is willing to put in.

(I have a reasonable amount of basic hacking experience, plus acceptable programming skills)

-Leezer-
 
There are a couple of ways I can think of doing it, first you could use a verifiable time service which you could verify through certificates and use an SSL link to retrieve the time and then the encryption key if necessary, something similar to the way Steam does it probably.

Another way which would probably be more secure would be to use a secure email system to simply mail out the key once you have reached the allotted time, so provide a sign up system where it gives you the file and the time you will be given access and it mails out the password at the given time. Which removes the human element completely and you can't spoof anything unless your server is compromised.
 
Is it critical that you time lock the actual file rather than just not make it available until a certain time?
 
OK, the consensus appears to be that it would or could be possible - but - that to do so one would need - (a) A fair degree of knowledge/programming skill - and - (b) It may be expensive to do.

Are we in agreement therefore that - There is no simple and inexpensive solution to this problem which could easily be accessed by literally any individual or any organisation, very, very inexpensively?
 
OK, the consensus appears to be that it would or could be possible - but - that to do so one would need - (a) A fair degree of knowledge/programming skill - and - (b) It may be expensive to do.

Are we in agreement therefore that - There is no simple and inexpensive solution to this problem which could easily be accessed by literally any individual or any organisation, very, very inexpensively?

A simple way would be to just email/text the user the password on the specific date.
 
The easiest way is to not give out the file until that date. If you need to give it out before then you retain some smaller critical element and release that at the right time.
 
Can be done with PKI alone and a custom "NTP"-esque central server that only releases the private key (of which there is one per day, or whatever granularity you're wanting) if the current UTC has passed the "open after date" of the file.
 
Yer a PKI with server controlled keys is the best way for this kind of thing as Nathan said, it's how things like Steam work with game preloads that aren't released till a specific time.

You can do things with tamperproof hardware and such, but that's ultimately hackable as are most other things.

The only 100% safe way (assuming for argument's sake the crypto and the server are secure) is to give out encrypted files and control manually when you release the keys.

I would say it isn't possible to have a self contained client-side-only file that is time based unlockable, you have to have some kind of command & control link to a trusted server.

But it could certainly be done low cost.
 
And for those without internet/network access?

Remember, if something is in need of this much security, it is very likely it will not have access to anything.
 
Can be done with PKI alone and a custom "NTP"-esque central server that only releases the private key (of which there is one per day, or whatever granularity you're wanting) if the current UTC has passed the "open after date" of the file.

You're thinking along my lines there Nathan. Provide a very simple drag and drop interfaced version of PGP but supply it only with a Public key.

By a very simple interface I mean something similar to dsCRYPT's interface, as simple as they come. See - http://www.softpedia.com/get/Security/Encrypting/dsCrypt.shtml

Any computer user could then drop any file onto it and it would produce an encrypted version of the file - but that file could obviously not be opened/accessed until the date that the Private Key was published.

The one difference to your thinking, Nathan, is that there would not be a general day key, so to speak. And the user picks the 'disclosure' day they wish to set and is provided with their own unique Public Key for which the corresponding Private Key will be published on the disclosure date.

Damn simple. Time-locking of files for anyone no matter how skilled.
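
The server-held key scheme discussed in the posts above (a public key handed out early, the private key published only once the date has passed), as an added example that is not part of any post in the thread. The `TimeReleaseServer` class, the toy 127-bit group and the hashed-ElGamal style `lock`/`unlock` are assumptions chosen so it runs on the Python standard library; it derives one key pair per date, and a per-user key would add a user identifier to the derivation.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Toy group for illustration only (assumption): the Mersenne prime 2**127 - 1.
# A real service would use a vetted crypto library and standard key sizes.
P = 2**127 - 1
G = 3


class TimeReleaseServer:
    """Hypothetical key server holding one key pair per disclosure date."""

    def __init__(self, master_secret: bytes):
        self._master = master_secret

    def _private(self, day: date) -> int:
        tag = hmac.new(self._master, day.isoformat().encode(), hashlib.sha256)
        return int.from_bytes(tag.digest(), "big") % (P - 2) + 1

    def public_key(self, day: date) -> int:
        """Safe to hand out at any time; it only allows locking."""
        return pow(G, self._private(day), P)

    def release_private_key(self, day: date, server_today: date) -> int:
        """server_today is the server's own clock, never a client-supplied value."""
        if server_today < day:
            raise PermissionError(f"key for {day} is not released yet")
        return self._private(day)


def _pad(shared: int, length: int) -> bytes:
    return hashlib.shake_256(shared.to_bytes(16, "big")).digest(length)


def lock(public_key: int, plaintext: bytes):
    """Anyone holding the public key can lock a file; returns (ephemeral, body)."""
    r = secrets.randbelow(P - 2) + 1
    pad = _pad(pow(public_key, r, P), len(plaintext))
    return pow(G, r, P), bytes(a ^ b for a, b in zip(plaintext, pad))


def unlock(private_key: int, ephemeral: int, body: bytes) -> bytes:
    pad = _pad(pow(ephemeral, private_key, P), len(body))
    return bytes(a ^ b for a, b in zip(body, pad))
```

Changing the clock on the client has no effect here, because the only date comparison happens on the server that holds the private key.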
 
I know how to do it.

Create a file which is compressed and encrypted, and has a massive, complex, AVAILABLE formula for decrypting it.

This formula will take (the amount of time) to be decrypted.

Think, for example, of a zip file that on the fastest super-computer would take 10 minutes to de-zip. Whatever you do, you have absolutely no choice, you HAVE to wait until that 10 minutes is up before you can get to your file. No ifs, no buts, no faking, you HAVE to wait for the 10 minutes.

Problem solved. Do I win a prize?
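
The "you have to wait for the computation" idea in the post above, as an added example that is not part of the post: it uses the Rivest-Shamir-Wagner repeated-squaring time-lock puzzle, a known construction the post does not name. The demo primes, function names and XOR pad are assumptions; the delay is a number of sequential squarings, so it depends on the solver's hardware rather than on a calendar date.

```python
import hashlib

# Constructed demo primes (the Mersenne primes 2**61 - 1 and 2**89 - 1).
# Far too small for real use; a real puzzle needs large secret random primes.
P_DEMO = 2**61 - 1
Q_DEMO = 2**89 - 1


def _xor_pad(data: bytes, secret: int) -> bytes:
    pad = hashlib.shake_256(str(secret).encode()).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))


def make_puzzle(message: bytes, squarings: int, base: int = 2):
    """Creator side: knowing the factors of n gives a shortcut."""
    n = P_DEMO * Q_DEMO
    phi = (P_DEMO - 1) * (Q_DEMO - 1)
    # base**(2**t) mod n equals base**(2**t mod phi) mod n when gcd(base, n) == 1,
    # so the creator needs two fast modular exponentiations, not t squarings.
    exponent = pow(2, squarings, phi)
    secret = pow(base, exponent, n)
    return n, base, squarings, _xor_pad(message, secret)


def solve_puzzle(n: int, base: int, squarings: int, body: bytes) -> bytes:
    """Solver side: without the factors, each squaring needs the previous result."""
    value = base % n
    for _ in range(squarings):
        value = value * value % n
    return _xor_pad(body, value)
```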
 
Without knowing what it is, can you not just send out the information electronically at that specific date/time rather than encrypting a file?
 