Security issues are the top priority for managers whose companies trade in today's 'e-economy', but what good is authenticating an identity in a transaction without assurance as to the timing of that 'electronic event'?
We investigate the importance of time and date stamping.
Navigating the high seas was imperative for the future expansion and success of European commerce in the 18th Century. By shipping raw materials from the New World to manufacturing sites in Europe, and then exporting the finished goods back to the New World, business leaders clung on to a long-held dream of making their fortunes.

However, during that same era it was often the case that ships couldn't accurately determine their location, and were frequently delayed or lost as a result. Containers of valuable goods were routinely lost or destroyed en route to major markets. Yet, with the capacity to expand European commerce above all expectations, the opinion leaders of the day were reluctant to believe the new technology could work effectively. They remained set upon using existing methods that didn't address the vexed issue of longitude!

The solution to this nagging crisis was an advanced piece of timing technology – the world's first accurate, portable and reliable clock – and a simple process of comparing the current time to the time of departing port. With this enabling technology, the pace of business accelerated. Far more systematic commerce and much less risk were then the norm. "Global" economics was born, and the stage set for the Industrial Revolution – but only once industrial leaders recognised the value of this technology.

Could time play a similar role in today's burgeoning e-economy? It's now widely recognised that security and integrity issues are slowing the widespread adoption of e-banking, electronic exchanges and B2B e-commerce. Digital signatures are a first step at providing the high level of integrity and security required for the e-economy, but what good is authenticating an identity in a transaction without the ability to have the same level of assurance as to the "when" of that electronic event?

Why is this becoming more important? Not since Darius coined the first standard currency has the business world undergone such a far-reaching change in its commercial infrastructure. At the centre of this change is the vast array of computer networks tied together by the Internet. As networks have become linked to each other, businesses have been gradually adopting this communication advantage to gain efficiencies in the processing and sharing of information.

In a matter of minutes, companies now conduct electronic business that used to require hundreds, even thousands of people, millions of pieces of paper and the assistance of Governmental organisations.

The emergence of the Internet in the business world has produced many changes, but one of the most profound is the execution of millions of electronic transactions – with little or no paper trail! This has led to yet another challenge. How are the details of electronic business interactions to be tracked?

In the past, corporations examined paper-based data to create an audit trail of who was involved, what information was sent and where it was delivered. Manual or computer log-based time stamping has traditionally been the most widely accepted way of establishing the time and date of transactions.

Today, the networked economy is forcing companies to re-assess their traditional business practices and instil similar processes and protections in the so-called 'e-world'.

Secure time stamping
Secure time stamping could strengthen the level of trust in almost any B2B financial transaction. For example, a customer issues a US$2 million transfer minutes before the end-of-week deadline. The following week, this customer calls looking for the missing funds. The IT section manager informs the security manager that, according to their computer records, the customer missed the deadline and will not receive anything for another day.

A good customer may leave and go to a competitor as a result. Worse still, he or she may litigate for lost opportunity and business disruptions. What course of action is there to take? What has been done to ensure the integrity and 'traceability' of the time stamp for this transaction?

There is no certifiably accurate time for customers responsible for conducting worldwide business. Each computer in these networks is "on its own", capable of operating according to its own rendition of true and accurate time.

Operating systems, applications and digital signatures all use this easily-changed – and usually inaccurate – time as the source of time stamps for nearly all electronic transactions and logs. This lax method of time stamping is opening a very real and rapidly escalating integrity gap that few organisations have begun to recognise, let alone bridge.

For IT, disparities in the time on computers' clocks can create tremendous problems. These discrepancies cause difficulties that range from disputes over when transactions occur, when contractual obligations are met and when financial penalties were placed and received, through to security issues resulting from time-based log-ins or the lack of audit trails for time stamp origination.

Without secure and auditable time stamps organisations are virtually defenceless in time-related disputes (eg contesting when interest is calculated, or proving when a transaction was actually initiated or completed).

What is the nature of an electronic time stamp?
Generally, and similar to the assumptions surrounding the Y2K problem, time stamping is assumed to be adequate for the present situation. That said, today's time stamping is primarily a function of the system clock of the originating computer. The problem is that these clocks are notoriously inaccurate and easily manipulated, so using them as a source of time for most serious electronic transactions, digital signatures or documents poses an inherent risk.

Another issue to be faced is that, in the business world, everything must be open to full audit. Today's servers or desktop-generated time stamps don't possess this capability.

The integrity and accuracy of a time stamp is tied to the source of the time stamp itself. It isn't really good enough in a successful electronic world to take the time from a corporate server or desktop and use this as the time stamp source. Fortunately, the international community recognised the problem of differing times for global commerce many years ago and created Co-ordinated Universal Time (UTC) – as delivered by member National Measurement Institutes – as the world's official time source.

Therefore, obtaining "official, accurate time" is simple enough. However, 'grafting' this time securely into a time stamp that cannot be modified and having some data proving its authenticity (coming from an official UTC member) built into its structure – ie an audit trail – is the more difficult step.

This time difficulty is easily addressed by using both Public Key Infrastructure (PKI) and secure communication technology to authenticate and protect a specialised time stamp delivery mechanism (whereby the time is sourced directly from a National Measurement Institute).

Approaches to time stamping
There are three basic approaches in use that address the problem of secure time stamping. The easiest, most common approach is to offer a time stamp server or time stamp service that takes its time from a GPS signal or other public source and then digitally signs the time and transaction. This offers fairly precise time, but the problem of manipulation of the time source – or the time on the stamp-server – still exists.

Another solution is to provide a secure time-synchronisation service for all computers involved in important transactions. This is an unobtrusive method in that applications do not require any modification, but it does require each computer to have many thousands of synchronisations per day for it to be truly effective. Synchronisations can be spoofed.

Both of these methods are good attempts at associating time with an electronic event. That said, they definitely fall short in the areas of security and 'auditability'.

The third – and best – approach involves secure time calibration of a time stamp server through secure links back to a National Measurement Institute and a secure API for integrating the time stamp with the audit information on its time origination. That is the goal we must all be working towards if security managers are to rest easy at night.
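
The third approach, as an added Python example that is not from the original article: the time stamp token binds the transaction's hash, the UTC time and a record of where the server's time came from, so altering any one of them is detectable. The key, field names and sample values are constructed, and HMAC stands in for the time stamp server's PKI signature so that the example runs on the standard library alone.

```python
import hashlib, hmac, json

# Constructed demo key. Stand-in for the time stamp server's PKI private key:
# a real deployment would use an asymmetric signature, not a shared secret.
TSA_KEY = b"constructed-demo-key"

def _canonical(fields: dict) -> bytes:
    # Stable byte encoding so issuer and verifier sign exactly the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def issue_token(document: bytes, utc_time: str, calibration: dict) -> dict:
    """Bind document hash, time and the time's origin into one signed token."""
    fields = {
        "doc_sha256": hashlib.sha256(document).hexdigest(),
        "utc_time": utc_time,
        "calibration": calibration,  # audit trail: where the server's time came from
    }
    tag = hmac.new(TSA_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "tag": tag}

def verify_token(token: dict, document: bytes, max_offset_ms: float = 100.0) -> list:
    """Return a list of problems; an empty list means the token is acceptable."""
    problems = []
    fields = {k: v for k, v in token.items() if k != "tag"}
    expected = hmac.new(TSA_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("tag", "")):
        problems.append("signature mismatch: token fields were altered")
    if fields.get("doc_sha256") != hashlib.sha256(document).hexdigest():
        problems.append("document does not match the stamped hash")
    cal = fields.get("calibration") or {}
    if not cal.get("source"):
        problems.append("no record of the time source")
    elif abs(cal.get("offset_ms", float("inf"))) > max_offset_ms:
        problems.append("server clock was outside tolerance at last calibration")
    return problems

# Constructed sample data, modelled on the article's US$2 million transfer.
TRANSFER = b"transfer USD 2000000 from account A to account B"
CAL = {"source": "example-national-measurement-institute",
       "calibrated_at": "2024-03-01T16:00:00Z",
       "offset_ms": 3.2}
TOKEN = issue_token(TRANSFER, "2024-03-01T16:58:41Z", CAL)

if __name__ == "__main__":
    print(verify_token(TOKEN, TRANSFER))      # untouched token
    altered = {**TOKEN, "utc_time": "2024-03-01T17:05:00Z"}
    print(verify_token(altered, TRANSFER))    # time changed after issue
```

In a dispute over the deadline, either party can re-run the verification: a token whose time or calibration record was changed after issue fails the signature check, and a token with no calibration record is rejected even if its signature is valid.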

IT is the very engine of e-business, and the implementation of secure and auditable time stamps will accelerate the paper-to-bits transformation while minimising legal and financial risks as well as security problems.

Three centuries after the longitude problem was solved, we must ensure that a new time technology will again propel the success of commerce initiatives around the world.