An everyday application of cryptographic principles: getting documents approved

In this article I’m going to look at a matter that’s been made slightly topical by a recent Hollywood movie, Elysium.

I’m not giving much away if I say that in the movie, the well-off people of the world have access to miraculous medical technology but the rest of us do not. If I climb into one of the medical machines, it scans my citizenship certificate, which is bonded to my arm, and rejects me. An entitled person, say you, can’t just put your arm under the scanner for me because your citizenship certificate is “locked to your DNA” and the machine will see that the certificate doesn’t belong to me, and I stay sick.

What we appear to have in the movie is a code that incorporates the owner’s DNA together with some sort of secret component, so that the code is non-transferable and resists forgery. Leaving aside the problem of extracting someone’s genome instantaneously and non-invasively, this kind of thing is entirely within the capabilities of present-day cryptography, being a technique known as the digital signature.

In the future, I’ll discuss digital signatures, but for now I’ll discuss a related and rather practical problem.

Requirement

Sometimes you have a requirement that certain documents need to be literally signed off. Perhaps there’s a technical or legal expert, internal or external, who has to inspect and OK them, or perhaps they need to go through the marketing department … you’ve no doubt encountered this sort of thing. There will be one version that will receive the approval, and it has to be attested by a handwritten signature.

The problem is that documents usually exist in an electronic form, and it can be hard to know which version has been approved.

A solution

Here’s one approach.

  1. When you have your final reviewed draft, make a note of the file name, date stamp, library location and any other identifying information and print the document. Send the printout to the approver.
  2. The approver signs it off, perhaps on every page, and sends it back.

You now have a single copy of the approved document. You can photocopy it or scan it in as a PDF, complete with approval and signature, for use by the people who need to use it. That means you no longer have a nice fresh first-generation PDF, and the document won’t be searchable unless you use OCR, which isn’t 100% accurate. Also, the page size might be too big to photocopy, especially if the document is an engineering drawing. If anyone does want to go back to the original crisp first-generation PDF, they have to check very carefully that they are using the right one.

If this draft doesn’t achieve approval, you have to do another draft and make sure that the drafts don’t get mixed up.

So, can we find a 21st-century way of handling this challenge?

A better solution?

The ideal solution to this problem is to use a digital signature, but there’s a bit to it and so I’m going to start with a simple but effective process you could try, based on a hash.

I mentioned hashes in July last year. A hash function is a small program that scrambles up a file and reduces it to a shortish string of bits, with the intention that firstly, the hash reveals no information about the original file and secondly, the chance that any other file will have the same hash is very, very low.

  1. When you have your final reviewed draft, use free software to compute a hash. Find the software at Tucows, SourceForge and the like; I use a Windows-based product called JSummer, which gives me my hash:

    This hash is 256 bits, expressed in hexadecimal, the shorthand that abbreviates each group of 4 bits into a digit or a letter a…f. This hash can now serve as a fingerprint.
  2. Draft a letter for the approver, which goes something like “I certify that the document possessing the SHA-256 hash 2f60ff15ccff47c498ffd23eac1422533083b0814fb7aa22ba8bd133fcee1bfe satisfies requirements x, y, z”. You’d probably include the document title, internal number, purpose and so on.
  3. The approver reviews the document, checks that the hash is correct, and hand-signs the letter.

You then must physically protect the original one-page certificate letter as a reference but the document itself can just stay in your archive system. The letter can be scanned, photocopied and faxed as needed, and published as a scan on your intranet or perhaps even your public website.

It’s not necessary to print the document, and anyone at all can check the hash of the document at any time to make sure they’re using the right version. Any change to the document will mean that its hash will be different.
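As an added example (not part of the original article, and not JSummer's code), here is a Python sketch of the check in step 3 and of the later "anyone can check" verification. The function names, the sample document and the sample letter are constructed for illustration. It goes slightly beyond the article by accepting a hash that was upper-cased, grouped or line-wrapped when the letter was transcribed, and by refusing to give an answer unless the letter contains exactly one SHA-256 value.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Runs of hex "words" separated only by whitespace (a wrapped or grouped hash).
HEX_RUN = re.compile(r"\b[0-9a-fA-F]+(?:\s+[0-9a-fA-F]+)*\b")

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large drawings or PDFs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def hash_from_letter(letter_text):
    """Return the single SHA-256 value quoted in the letter; fail closed otherwise."""
    runs = {re.sub(r"\s+", "", m.group()).lower() for m in HEX_RUN.finditer(letter_text)}
    found = {h for h in runs if len(h) == 64}  # 256 bits = 64 hex digits
    if len(found) != 1:
        raise ValueError(f"expected exactly one SHA-256 value, found {len(found)}")
    return found.pop()

def is_approved(path, letter_text):
    """True only if the file's hash equals the hash the approver signed for."""
    return sha256_file(path) == hash_from_letter(letter_text)

def demo():
    # Constructed sample: a 3-byte "document" and a letter transcribed from a scan,
    # with the hash upper-cased, grouped in eights and wrapped over two lines.
    letter = ("I certify that the document possessing the SHA-256 hash\n"
              "BA7816BF 8F01CFEA 414140DE 5DAE2223\n"
              "B00361A3 96177A9C B410FF61 F20015AD\n"
              "satisfies requirements x, y, z")
    with tempfile.TemporaryDirectory() as tmp:
        approved = Path(tmp, "final_draft.txt")
        approved.write_bytes(b"abc")
        edited = Path(tmp, "final_draft_v2.txt")
        edited.write_bytes(b"abd")  # one character changed after approval
        return is_approved(approved, letter), is_approved(edited, letter)

if __name__ == "__main__":
    print(demo())
```
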

Challenges

The process of creating and checking a hash is very easy. The biggest problem will be resistance by colleagues. You will have to persuade everyone involved to install hash software. That will be you, the approver, perhaps your client, and anyone else who wants to approve or verify a document. You will likely have to get the OK from the relevant IT departments. At least the software is available free.

You will also have to convince everyone, including the approver, that the setup is safe. Once again I refer you to the Australian Government’s Information Security Manual; bear in mind that this, too, is free.

Conclusion, and another application

Have a go. Download hash software and try it on a document. Change the document a little, run the hash again, and observe the result. After you’ve had a bit of a play, you might like to read up a little about hashes, say, on Wikipedia.

If you do get the chance to put hashes into practice as described above, you could save your company a great deal of time and money.

You can use hashes to check whether two files are identical, by the way. I sometimes find that I have two files that I think are the same, and in those cases I run a hash on them. If the hashes are the same I know the files are identical and I can delete one.

So there you have two applications of cryptographic methods to the technical writer’s workplace and I hope they’re useful to someone.
