Digital signing of data logs

Whisker is used to capture data from devices and thus from subjects. Whisker clients interpret the raw events (data) to make inferences about the subject's behaviour — and thus, potentially, to make inferences about the effects of drugs or other manipulations. The US Food and Drug Administration lays down guidelines on the recording of data during studies of new drugs, aimed in part at ensuring that data is not fraudulently manipulated. Specifically, raw data should be preserved in a non-modifiable form at all possible stages. Whisker aids this process by using strong encryption techniques to provide data logs that were provable created by Whisker, and not modified subsequently.

If you also want a guarantee that data has not been fraudulently deleted, you should record or copy the Whisker logs onto a read-only medium and secure it physically.

•	Digital signing assures users that a validly-signed log was generated by the Whisker server program, or by someone who knows the Whisker digital signature private key.

The only two people with access to the raw form of the key are Rudolf Cardinal and Mike Aitken, the authors; we give you, the users, the assurance that we make every effort to keep this private key safe.

Unfortunately, the Whisker server software must also 'know' the private key, because it signs the logs. Thus, the private key is embedded in the Whisker server, and is in principle extractable. This is an inherent design flaw (see Howard & LeBlanc, 2002, p. 168 and Chapter 7, esp. p189–190). We have hidden the key within the server and we believe it is difficult to retrieve the key from the Whisker software; however, it is not impossible. There is no obvious way to make this system perfect: Whisker must be able to function on an isolated computer (without live Internet access), so all the information required to sign a log must be present on that computer. The best we can do is to make that information ephemeral, encrypted, and heavily disguised. We also guarantee that the key-hiding techniques used in Whisker are not the same as those in other programs of ours (such as Whisker-CANTAB clients), and that Whisker's digital signature key pair is used for no other purpose.

If you are serious about your data security, a trusted member of the research team must sign data records as soon as possible using a private key that is guaranteed not to be available to a malicious user, such as a private key held on a smart-card carried by the trusted user.

30820120300D06092A864886F70D01010105000382010D003082010802820101009E97F8B6ED97D3EA3BBB0CBAB96E87C215D026A7904A635D2C0D143B5392CD1C78AE178953416D09F0F0275BFFBA6CDD5B2B73BE17924B27E0BFA89AD011C693608EBCF2ADCFCD77340804E155617714A722B0A4EB360D23B2CBCFB1749A2E3C2C03C05B392444C05C073310D3B75499E5DF4D598CDB3B2CD9F1976A4E677F86974419C129712631F3A51F79DA9A7CB303C018EFFA7F2108C1707E5E0F5730C6F3D5922D6AEF6B24F424A867AFB82936C7BE71093624D5965C6E9733076BCA18F6D691E89F9FBAA3661F52ADBC6B12E12EA74C7E41E017E943F20E4292FEF721CF33B7AE13077F61297893F2E7F6E97247EDB7EE17A9DBF0A809C317137C7BBF020111

As the system has this inherent weakness, we make it harder still to falsify logs. Quasi-private information is encrypted with a quasi-private key and stored in the log. (By quasi-private, we mean that the information and the key are embedded in the Whisker server software but are hidden.) Users are unable to decrypt or read this data. We, the authors, hold the matching RSA key and are able to decrypt this verification information from logs to establish their authenticity once the customer's identity has been established beyond doubt. Falsification of a Whisker log requires that all these information-hiding techniques are broken — and even then, the fraudster would not know if he had succeeded in creating a valid log, as he would not be able to verify this final step.

•

The log always includes timestamps. Thus, a validly-signed timestamped log guarantees that Whisker generated the log when the computer's clock was set to that time (or that someone who knows the private key faked it, see above). The timestamps are only as trustworthy as the clock on the computer that Whisker runs on.

•

The log (if fully enabled) contains all communications between client and server. The fact that the log is an authentic record of what went on from the server's perspective does not guarantee that the data is an accurate reflection of a real-world experiment. A forger within a drug company might play the role of a test subject (by responding on a touchscreen, for example) and fraudulently create data that purports to be the result of a drug study. Whisker cannot guarantee against this.

1.	Whisker opens a data log and writes timestamped data to it. During this time, other applications can read the log but not write to it.

2.	When the log is finished, the file is not closed. (We don't want other applications to be able to modify the log before it is signed.)

5.	The hash is signed using the RSA algorithm and the private key, to create the digital signature.

1.	The verification application reads the file. All data except the last line is used to generate a hash with the SHA-1 algorithm.

On request, the authors of Whisker are able to provide further confirmation of the likely authenticity of a log, with the following procedure: