Digital Signatures

The ISOF format implements two complementary levels of cryptographic protection. This page describes the trust model, the mechanisms used, and their respective guarantees: it serves as the technical reference for the other three pages in this section.

Why Sign an .isof File?

An .isof file carries analytical data likely to be used in high-stakes contexts: forensic traceability, regulatory compliance, legal expertise, or the import/export of critical materials. Digital signatures answer two distinct questions: has the data been modified since export (integrity), and does it truly originate from the laboratory claiming it (authenticity)?

ISOF implements two levels of signature, which are cumulative and independent. A file can have Level 1 only, Level 2 only, both levels, or be unsigned. Compatible readers must support all four cases.

Level 1: Integrity via SHA-256 Hash

Level 1 is available with all IsoFind licenses, including the free Research license. It guarantees that not a single byte of data has been modified since export.

Mechanism

At the time of export, IsoFind selects a set of JSON blocks from the file (the signature scope), serializes them into canonical JSON (sorted keys, no whitespace), calculates the SHA-256 hash of the resulting UTF-8 string, and stores the hexadecimal fingerprint in the signature block.

// Level 1 signature block in an .isof file
"signature": {
  "level": 1,
  "algorithm": "SHA-256",
  "scope": ["created_by", "isof_version", "created_at", "project", "samples", "methods", "purification"],
  "hash": "a3f7c9d2e1b4...",
  "signed_at": "2025-03-10T14:32:00Z",
  "signed_by": "IsoFind SAS",
  "contact": "support@isofind.tech"
}

The scope covers the 7 structural blocks of the file. Modifying a single character in any of these blocks invalidates the signature.

Level 1 verification works entirely offline and without external dependencies. It requires no certificates, no network connection, and no advanced cryptographic libraries: only SHA-256, which is available in all modern programming languages.
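
A Level 1 check along the lines described above, written as an added example (it is not IsoFind's own code). It assumes the signature block sits at the top level of the file, that the scoped blocks are hashed together as one object keyed by block name, and that non-ASCII characters are serialized as raw UTF-8; the sample file is constructed.

```python
import hashlib
import hmac
import json

# The 7 structural blocks the page lists as the signature scope.
EXPECTED_SCOPE = ["created_by", "isof_version", "created_at", "project",
                  "samples", "methods", "purification"]

def canonical_hash(doc, scope):
    # Assumption: canonical form is one object holding the scoped blocks,
    # sorted keys, no whitespace, raw UTF-8 for non-ASCII characters.
    scoped = {name: doc[name] for name in scope}
    text = json.dumps(scoped, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False)
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def verify_level1(doc):
    """Return 'unsigned', 'not-level-1', 'bad-scope', 'mismatch' or 'ok'."""
    sig = doc.get("signature")
    if not isinstance(sig, dict):
        return "unsigned"
    if sig.get("level") != 1 or sig.get("algorithm") != "SHA-256":
        return "not-level-1"
    scope = sig.get("scope")
    # The scope list is read from the file itself: a shortened list would
    # leave blocks uncovered, so require exactly the documented blocks.
    if not isinstance(scope, list) or set(map(str, scope)) != set(EXPECTED_SCOPE):
        return "bad-scope"
    if any(name not in doc for name in EXPECTED_SCOPE):
        return "bad-scope"
    stored = str(sig.get("hash", "")).lower().encode("utf-8")
    actual = canonical_hash(doc, EXPECTED_SCOPE).encode("utf-8")
    return "ok" if hmac.compare_digest(stored, actual) else "mismatch"

def make_sample():
    """Constructed sample file (not real IsoFind output)."""
    doc = {"created_by": "IsoFind", "isof_version": "1.0",
           "created_at": "2025-03-10T14:30:00Z", "project": {"name": "demo"},
           "samples": [{"id": "S1", "d56Fe": 0.12}], "methods": [],
           "purification": []}
    doc["signature"] = {"level": 1, "algorithm": "SHA-256",
                        "scope": list(EXPECTED_SCOPE),
                        "hash": canonical_hash(doc, EXPECTED_SCOPE)}
    return doc
```

A result of "ok" means the scoped blocks match the fingerprint stored in the file; tying that fingerprint to a specific laboratory is what Level 2 adds.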

Level 2: Authenticity via IsoFind PKI

Level 2 is reserved for Pro licenses. It proves that a laboratory certified by IsoFind SAS is indeed the author of the data, and that no one else can produce a valid signature in their name.

The PKI Chain of Trust

IsoFind SAS maintains a three-tier Public Key Infrastructure (PKI). This architecture ensures that the compromise of an intermediate link does not expose the root of trust.

| Level | Entity | Algorithm | Validity | Storage |
|---|---|---|---|---|
| Root | IsoFind Root CA | RSA 4096 | 2046 | Offline physical vault |
| Intermediate | IsoFind Issuing CA | ECDSA P-256 | 2031 | HSM (Hardware) |
| Leaf | Laboratory Certificate | ECDSA P-256 | 1 year | AES-256-GCM encrypted on lab workstation |

The Root CA and Issuing CA are embedded in the IsoFind binary. Therefore, verifying a Level 2 signed file works entirely offline: no requests to pki.isofind.tech are necessary to validate the chain.

Level 2 Signature Mechanism

The ECDSA P-256 signature is calculated on the SHA-256 hash of the canonical JSON of the blocks covered by the scope, exactly like Level 1. The laboratory's private key never leaves the workstation. The signed file embeds the laboratory certificate and a snapshot of the CRL (Certificate Revocation List) at the time of signing.

// Level 2 signature block (full structure)
"signature": {
  "level": 2,
  "algorithm": "ECDSA-P256-SHA256",
  "scope": ["created_by", "isof_version", "created_at", "project", "samples", "methods", "purification"],
  "hash": "a3f7c9d2e1b4...",
  "signature_b64": "MEUCIQD...",
  "signed_scope": ["created_by", "isof_version", "created_at", "project", "samples", "methods", "purification"],
  "signed_at": "2025-03-10T14:32:00Z",
  "signed_by": "IGE Grenoble: Isotope Geochemistry Laboratory",
  "contact": "contact@lab-example.edu",
  "certificate_chain": ["-----BEGIN CERTIFICATE-----\n...", "-----BEGIN CERTIFICATE-----\n..."],
  "crl_embedded_b64": "MIIBpDCC..."
}

Revocation

If a laboratory certificate is compromised, IsoFind SAS publishes an updated CRL at pki.isofind.tech/crl/issuing-ca.crl. During verification, IsoFind first attempts to fetch the CRL online. In case of a network failure (air-gap mode, unavailable network), it uses the CRL embedded in the file. A warning is displayed if the embedded CRL is more than 7 days old.

Encrypting a File for a Recipient

Digital signatures guarantee integrity and authenticity, but not confidentiality: a signed .isof file remains readable by anyone who receives it. For sensitive exchanges (forensic data, defense traceability, confidential analytical sub-contracting), IsoFind allows encrypting a file for a specific recipient using their public key.

Trust Model

Recipient encryption relies on the IsoFind Keyring (isof_keyring). Each recipient registered in the keyring has an asymmetric key pair: their public key (known to the sender) and their private key (kept only on their workstation). The file is encrypted with the recipient's public key: only they can decrypt it with their private key.

| Step | Who | Operation |
|---|---|---|
| 1 | Recipient | Generates a key pair in IsoFind and shares their public key with the sender. |
| 2 | Sender | Adds the recipient's public key to their IsoFind keyring. |
| 3 | Sender | Exports the file by selecting "Export Encrypted for a Recipient" and choosing the recipient from the keyring. |
| 4 | Sender | Transmits the encrypted .isof file via any channel (email, network share, physical media). |
| 5 | Recipient | Opens the file in IsoFind. The software detects the encryption, uses the local private key to decrypt, and then verifies the signature if present. |

Signature and encryption are independent and cumulative. A file can be signed (authenticity) and encrypted (confidentiality) simultaneously. The order is important: IsoFind signs the plaintext data first, then encrypts the result. Upon receipt, the recipient decrypts first, then verifies the signature.

Sender Side: Exporting an Encrypted File

File > Export Encrypted for a Recipient > Choose Recipient from Keyring > Sign (Optional) > Export

If the recipient is not yet in the keyring, add them via:

Tools > Keyring > Add Recipient > Paste Public Key

The resulting file is a standard .isof with AES-256-GCM encrypted analytical content. The AES symmetric key is itself encrypted with the recipient's ECDH public key and embedded in the file. Neither the sender nor a third party intercepting the file can read it without the recipient's private key.

Recipient Side: Receiving and Decrypting

The recipient must have previously generated their key pair in IsoFind and shared their public key with the sender. Their private key never leaves their machine.

File > Open > Encrypted .isof File

IsoFind automatically detects that the file is encrypted. If the corresponding private key is present in the local keyring, decryption is transparent. If the private key is password-protected, IsoFind will prompt for the password before proceeding.

Once decrypted, the file follows the normal verification flow: IsoFind verifies the signature if present and displays the result in the metadata panel.

If the recipient's private key is lost, the file becomes permanently unreadable. There is no recovery mechanism: this is precisely the property that guarantees confidentiality. Back up the private key in a secure password manager as soon as it is created.

Generating and Sharing Your Public Key

Tools > Keyring > My Public Key > Copy / Export as .pem

The public key is a PEM-formatted text block with no confidential value. It can be sent via email, published on an institutional website, or included in a laboratory presentation document.

What Signatures Do Not Guarantee

Cryptographic signatures attest to the integrity of the data since export and the identity of the signer. They do not attest to the scientific validity of the measurements, the compliance of the analytical protocol, or the laboratory's accreditation. These aspects fall under the IsoFind Laboratory Certificate (see the Activate a Laboratory Certificate page), which is distinct from the cryptographic signature.

A file that fails signature verification remains readable in IsoFind. The failure does not block the import; proceed with it only if you are sure of the sender.