Insights ── Cybercompliance ── 2026-04-08

Tamper-evident audit trail in practice

Classical logging is no longer enough for modern compliance requirements. Hash chain plus RFC 3161 timestamps anchor data cryptographically — against later manipulation and against ‘who knew what when’ debates.

Author Patrick ── Reading time 3 min

“We have an audit trail” is no longer enough. Modern compliance regulations demand provability, not assertions. Hash chain plus RFC 3161 timestamps anchor data cryptographically — they turn a log file into a forensically defensible trail.

Where classical logging hits its limits

Log files are manipulable. Anyone with write rights on the log store can change them after the fact. Audit tools that take this store as truth are only as good as the store’s authorization model.

Time-travel features in large databases solve this only partially. They show historical states — but they don’t deliver a cryptographic proof that the historical states themselves haven’t been rewritten later.

Compliance statements need anchoring. A DORA statement “we have this asset in the register” or a ReFuelEU claim “we burned this SAF share” must, during an audit, be traceable back to an unalterable original entry — with timestamp, hash proof, source reference.

How hash chain and RFC 3161 work together

Hash chain. Each incoming record is hashed (e.g., SHA-256), and the hash is stored together with the hash of its predecessor in a continuous chain. Anyone changing an entry in the middle breaks the chain, and that shows immediately because all subsequent hashes no longer match. This is the same mechanism that secures blockchains against manipulation, without you needing a blockchain.

RFC 3161 Time-Stamp Protocol. A trusted third party (Timestamp Authority, TSA) produces, on request, a cryptographically signed timestamp over a hash value. The TSA confirms: “This hash existed at this point in time.” A later manipulation would not only break the hash chain but also invalidate the signed timestamps.

Together. A hash chain documents the order, RFC 3161 timestamps anchor absolute points in time. The combination delivers: “This data existed in this order at these times — provable, against manipulation of the store, against manipulation of the system clock.”
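
An added example (not code from the original article) of the chain and anchoring described above: it builds a SHA-256 hash chain, locates the first entry that fails verification, and encodes the chain head as a DER RFC 3161 timestamp request. The field names, the all-zero genesis value, the JSON canonicalization and the sample records are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "00" * 32  # assumed predecessor value for the first entry
# Fixed DER framing of an RFC 3161 TimeStampReq: version 1, SHA-256
# messageImprint (the 32-byte digest sits in between), certReq TRUE, no nonce.
TSQ_HEAD = bytes.fromhex("30390201013031300d060960864801650304020105000420")
TSQ_TAIL = bytes.fromhex("0101ff")

def entry_hash(prev_hash, record):
    """SHA-256 over the predecessor hash plus canonical JSON of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(bytes.fromhex(prev_hash) + body).hexdigest()

def append(chain, record):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "record": record,
                  "hash": entry_hash(prev, record)})

def first_broken(chain):
    """Index of the first entry that fails verification, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None

def timestamp_request(chain):
    """DER TimeStampReq over the chain head (HTTP body type application/timestamp-query)."""
    return TSQ_HEAD + bytes.fromhex(chain[-1]["hash"]) + TSQ_TAIL

def anchored_digest(tsq):
    """Digest carried in a request built by timestamp_request()."""
    return tsq[len(TSQ_HEAD):-len(TSQ_TAIL)].hex()

def build_sample():
    """Constructed sample register entries, not real data."""
    chain = []
    for n, vendor in enumerate(["vendor-a", "vendor-b", "vendor-c"], start=1):
        append(chain, {"seq": n, "vendor": vendor, "criticality": "high"})
    return chain

if __name__ == "__main__":
    log = build_sample()
    tsq = timestamp_request(log)              # head digest as sent to the TSA
    log[1]["record"]["criticality"] = "low"   # later edit in the store
    print("first broken entry:", first_broken(log))
    print("anchored head:", anchored_digest(tsq))
```

A chain rebuilt end to end from altered records passes `first_broken` on its own; comparing its head with `anchored_digest` of the request the TSA signed is what exposes the difference.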

Which compliance obligations this addresses

Aviation reporting (ReFuelEU, CORSIA). Fuel and emissions reporting must, during an audit, be traceable to original telexes and bookings. Cryptographic anchoring turns “here is our report” into a verifiable trail.

DORA ICT third-party provider register. Which vendors were listed at which time, with which services and at which criticality: the historical view must remain verifiable, even when the register looks different today.

ISO 27001 / NIS-2 audit evidence. Scorings and compliance statements over time. For a statement from two years ago, the state at that time must be cryptographically provable.

Tax inspections. For fuel subsidies, energy taxes, air-traffic levies, the original documents are mandatory — with provability that they exist unchanged.

Insurance cases and internal forensics. What happened when, who entered it, who changed it — a cryptographically anchored trail ends debates that a classical log file never closes.

The mechanism isn’t new; it is just too rarely implemented cleanly in operational IT. If your compliance trail wobbles at this point, a conversation in the Tactical Assessment is worth it.