whether these parameters will vary from one class of records to the next. A detailed threat and requirements analysis is needed in this area.

The integrity of records once within the ERA also depends on the design and operation of effective computer security measures as part of the ERA to ensure that unauthorized people cannot add, delete, or alter objects within the ERA. Hash checksums, independently maintained, can offer a second line of defense for at least detection (if not necessarily repair) of alterations, be they due to attacks or accidental failures of the types discussed earlier.

However, in order to protect against malevolent change, the hash value associated with a digital object must be separately protected so that an attacker who manages to gain access to change one cannot also change the other. Since a hash value can be written in a relatively small number of digits, one can protect it from change by publishing it in a very public place, such as a classified advertisement in the New York Times (which will, a short time after publication, be captured on microfilm that is distributed to many libraries), or by otherwise depositing the hash value in hundreds of libraries. 50

50. For an archive that contains millions of digital objects, this idea would lead to purchasing an impractically large number of classified ads. A technique is available for combining the hash values of very large numbers of objects—such as the entire archive—and publishing only a single number that can be computed only by knowing all of the contents. See section 2.4 of Stuart Haber and W. Scott Stornetta, 1997, “Secure Names for Bit-strings,” Proceedings of the 4th ACM Conference on Computer and Communications Security, pp. 2-35, ACM Press, New York, April. The technology is offered commercially by Surety, <http://www.surety.com/solutions.php>.
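The combining technique the footnote refers to, shown as an added example that is not code from the report, from Haber and Stornetta, or from Surety's product: a hash tree over the archive's object hashes, so that one published root commits to every object and any single object can later be checked against that root using only a short chain of sibling hashes. SHA-256 and the five sample records are assumptions; the report names no hash function.

```python
import hashlib

def leaf_hash(obj: bytes) -> bytes:
    # Leaves and interior nodes get different prefixes so one cannot be passed off as the other.
    return hashlib.sha256(b"\x00" + obj).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _padded(level):
    return level + [level[-1]] if len(level) % 2 else level  # duplicate an odd tail

def build_levels(objects):
    """Level 0 holds the leaf hashes; the final level holds the single root."""
    levels = [[leaf_hash(o) for o in objects]]
    while len(levels[-1]) > 1:
        cur = _padded(levels[-1])
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def root_hex(objects) -> str:
    """The one number the archive would publish or deposit with independent parties."""
    return build_levels(objects)[-1][0].hex()

def audit_path(levels, index):
    """Sibling hashes from leaf `index` up to the root, stored alongside that object."""
    path = []
    for level in levels[:-1]:
        level = _padded(level)
        path.append((level[index ^ 1], index % 2 == 0))  # (sibling hash, sibling is on the right)
        index //= 2
    return path

def verify(obj: bytes, path, published_root_hex: str) -> bool:
    """Recompute the root from one object plus its path and compare with the published value."""
    h = leaf_hash(obj)
    for sibling, sibling_on_right in path:
        h = node_hash(h, sibling) if sibling_on_right else node_hash(sibling, h)
    return h.hex() == published_root_hex

# Constructed sample archive: five small "records" standing in for millions of objects.
RECORDS = [f"record-{i:04d}: constructed sample content".encode() for i in range(5)]
PUBLISHED = root_hex(RECORDS)                   # the value deposited in the public places
PATH_3 = audit_path(build_levels(RECORDS), 3)   # kept with record 3 inside the archive

if __name__ == "__main__":
    print("published root:", PUBLISHED)
    print("record 3 intact:", verify(RECORDS[3], PATH_3, PUBLISHED))                       # True
    print("alteration detected:", not verify(b"record-0003: altered", PATH_3, PUBLISHED))  # True
```

Because the published root is outside the archive, an attacker who alters both a record and its stored hash inside the ERA still fails the check; the audit path also lets a library holding only the root confirm a single record without the whole archive.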

Copyright © National Academy of Sciences. All rights reserved.