[Asterisk-Users] Can I recreate a Fax from a recorded file?

Scott Gifford sgifford at suspectclass.com
Thu May 4 12:37:18 MST 2006


Colin Anderson <ColinA at landmarkmasterbuilder.com> writes:

>>Why is this hard to fake at all?  You send a different fax to your
>>system, and replace the Asterisk audio file with the one from the
>>altered fax.  Additionally, the client has no realistic way of
>>verifying the correctness of your audio-to-fax translation tool; it
>>could just as easily output a TIFF file completely different from the
>>one that was actually faxed.
>
> That's interesting, I hadn't thought of it that way. I was thinking in terms
> of subtly modifying the original audio stream not outright replacing the
> recording and faking the datestamp! Given that, essentially recording the
> audio is the *same* as retaining the TIFF in terms of integrity
> vulnerability. 
>
> How about this: (theoretical of course)
>
> 1. Fax comes in
> 2. Audio is recorded
> 3. A checksum of the audio is generated then relayed somehow to a separate,
> secure system
> 4. In the event of a dispute, the checksum is retrieved, compared with the
> original audio file, then the original audio is "replayed" and the fax is
> regenerated.

I don't see the advantage to this; the client still has to trust that
all of this is done correctly, and if they don't trust the fax
recipient to put the correct fax in the paper file or keep the correct
TIFF, why would they trust them to do this?

Using a third party to receive and relay the fax, one which is trusted
by both the client and the fax recipient, would solve the problem; the
third party could create a document with the caller information
(ideally from ANI, which is harder to forge), the time, and the
message itself, then digitally sign it.  This might even be an
interesting business plan, for some applications where confirmed
document transmittal is important.

But it's hard for me to imagine this isn't overkill; if a client and a
service provider distrust each other so thoroughly that they have to
communicate through a third party to verify integrity, probably they
just shouldn't do business with each other.

----Scott.
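
The third-party relay idea from the reply above, sketched as an added example (not code from the original post or from Asterisk): a relay trusted by both sides binds caller number, receipt time and a digest of the document into one record and signs it, so either party can later check a disputed fax against it using only the relay's public key. The names `Receipt`, `SignedReceipt`, `NewRelayKey`, `Issue` and `Verify`, the choice of Ed25519 and SHA-256, and all sample values are assumptions made for this sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Receipt is what the hypothetical relay attests to for one fax.
type Receipt struct {
	ANI        string `json:"ani"`         // caller number as seen by the relay
	ReceivedAt string `json:"received_at"` // relay's own clock
	DocSHA256  string `json:"doc_sha256"`  // digest of the document as received
}

// SignedReceipt carries the exact signed bytes plus the relay's signature.
type SignedReceipt struct{ Body, Sig []byte }

// NewRelayKey makes the relay's key pair; the private half never leaves the relay.
func NewRelayKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// Issue runs at the relay: bind caller, time and document, then sign the record.
func Issue(priv ed25519.PrivateKey, ani, receivedAt string, doc []byte) SignedReceipt {
	sum := sha256.Sum256(doc)
	body, _ := json.Marshal(Receipt{ANI: ani, ReceivedAt: receivedAt, DocSHA256: hex.EncodeToString(sum[:])})
	return SignedReceipt{Body: body, Sig: ed25519.Sign(priv, body)}
}

// Verify runs at either party in a dispute and needs only the public key.
func Verify(pub ed25519.PublicKey, sr SignedReceipt, doc []byte) bool {
	var r Receipt
	if !ed25519.Verify(pub, sr.Body, sr.Sig) || json.Unmarshal(sr.Body, &r) != nil {
		return false
	}
	sum := sha256.Sum256(doc)
	return r.DocSHA256 == hex.EncodeToString(sum[:])
}

func main() {
	pub, priv := NewRelayKey()
	fax := []byte("constructed sample fax image bytes")
	sr := Issue(priv, "+15550100", "2006-05-04T12:00:00Z", fax) // constructed values
	fmt.Println(Verify(pub, sr, fax), Verify(pub, sr, []byte("substituted fax")))
}
```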


