JP2007306352A - Reference time providing apparatus, timestamp issuing apparatus, reference time providing method, timestamp issuing method, reference time providing program, and timestamp issuing program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To inexpensively issue timestamp while securing high accuracy/high reliability. <P>SOLUTION: A digital broadcasting station 2 broadcasts a time certificate 3 in which reference time is electronically subscribed as time contents. A timestamp server 4 receives the time certificate 3, acquires the reference time and corrects and inspects an internal clock 17 by using the reference time. Since the reference time is electronically certificated, the timestamp server 4 can confirm the orthodoxy of the reference time. The internal clock 17 is divided into a time label (e.g. a portion of minute and more) and an accurate portion (e.g. a portion of second and less) which is a unit smaller than the time label and managed, and the timestamp server 4 inspects the time label and corrects the accurate portion. In inspection, a state that the time of a newly received time certificate 3 advances from the time certificate 3 received last, is confirmed. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a reference time providing device, a time stamp issuing device, a reference time providing method, a time stamp issuing method, a reference time providing program, and a time stamp issuing program, for example, a device for issuing a time stamp to an electronic document. .

Along with the rapid progress of information technology in recent years, so-called paperless processing is being promoted in which public documents and private documents are prepared as digital documents.
In addition, the Electronic Document Act has been enforced in order to improve the legal status granted to electronic documents created in this way.
In the electronic document created and stored in this way, time certification (date certification) such as an issue date is important, and a time stamp system for performing time certification is used.

FIG. 15 is a block diagram for explaining a system configuration of a conventional time stamp system.
The time stamp system 100 includes a time distribution server 101 installed in a time distribution station, a time stamp server 102 installed in a time authentication station, and client terminals 103, 103,.
The time stamp server 102 is a server that issues a time stamp, and the client terminal 103 is a terminal device that receives the time stamp. The procedure for issuing a time stamp is as follows.

First, the client terminal 103 transmits the hash value of the electronic document that is the subject of time certification to the time stamp server 102.
Next, the time stamp server 102 receives a hash value from the client terminal 103, and generates an electronic signature for the time output by the internal clock and the received hash value. Then, the time stamp server 102 transmits this to the client terminal 103 as a time stamp.
The user of the time stamp can certify the non-falsification of the electronic document and the time proof by giving the electronic document this time stamp and providing it to a third party.

The time distribution server 101 is a server that manages and distributes a time that is a reference of the time used in the time stamp system 100.
The time distribution server 101 includes, for example, an atomic clock for measuring a reference time, and distributes the reference time output by the atomic clock to the time stamp server 102.
The time stamp server 102 receives the reference time from the time distribution server 101 and corrects the internal clock using the reference time.

  In order to prevent falsification of the reference time and communication path delay, the communication path between the time stamp server 102 and the time distribution server 101 is encrypted using, for example, a technology such as SSL (Secure Sockets Layer), and the communication protocol is NTP ( Network Time Protocol). Note that NTP is a standardized protocol for time distribution and can correct delays due to communication paths.

  In FIG. 15, only one time stamp server 102 is shown, but a plurality of time stamp servers 102 may be connected to the time distribution server 101.

  As a technology for constructing such a time stamp system, there are a system and a method for providing the following trusted third-party clock and trusted local clock.

Special table 2003-519417 gazette

In this technique, a master clock system is arranged as the time distribution server 101, and a local clock system is arranged as the time stamp server 102. The master clock system inspects the local clock system.
With this configuration, the master clock system (time distribution server 101) distributes the reference time to the local clock system (time stamp server 102), and further audits whether the time is falsified in the local clock system.

In the conventional time stamp system 100, for example, NTP or PKI (Public Key Infrastructure) is used for communication between the time distribution server 101 and the time stamp server 102, and high accuracy and high reliability are ensured. It was.
Further, in order to ensure the safety of the system, the time stamp server 102 is mounted with a tamper resistant chip (an IC chip with secured safety), but the tamper resistant chip maintains, for example, high time accuracy. It was difficult to implement advanced functions such as, and the cost was high.

  Therefore, an object of the present invention is to issue a time stamp at a low cost while ensuring high accuracy and high reliability.

To achieve the above object, the present invention provides a reference clock device for measuring a reference time, signature means for electronically signing the measured reference time, and a time certificate including the reference time and the electronic signature And a time certificate providing means for providing the generated time certificate to a digital broadcasting system for transmission by digital broadcasting. (First configuration).
The present invention also provides a clock device for measuring time, a receiving means for receiving a time certificate including a reference time and an electronic signature of the reference time via digital broadcasting, and an electronic signature of the received time certificate. Signature verifying means for confirming, verifying means for verifying that the timepiece device is operating with a predetermined accuracy by comparing the time of the timepiece device with a reference time included in the time certificate, and time The certification target information acquisition means for acquiring the certification target information to be certified and the signature confirmation means confirm the electronic signature, and the verification means verifies that the timepiece device is operating with a predetermined accuracy. A time stamp generating means for generating a time stamp by digitally signing the time output by the timepiece device and the acquired certification object information, and the generated time stamp. Providing a timestamp issuing apparatus characterized by comprising a time stamp output means for outputting the flop, the (second configuration).
In the second configuration, the time stamp generating means generates a time stamp when it is confirmed that the reference time used for verification is later than the reference time used in the previous verification. It can also be configured (third configuration).
In the second configuration or the third configuration, it is provided with time correcting means for correcting a time less than the predetermined accuracy measured by the timepiece device using a reference time included in the received time certificate. (Fourth configuration).
In the second configuration, the third configuration, or the fourth configuration, an accuracy changing unit that changes the predetermined accuracy to a first accuracy and a second accuracy that is lower than the first accuracy. And the accuracy changing means sets the predetermined accuracy to a second accuracy, and the verification means verifies the accuracy of the timepiece device using the second accuracy. It can also be configured to set the first accuracy (fifth configuration).
In any one configuration from the second configuration to the fifth configuration, a first operation mode in which the verification unit and the time stamp generation unit operate, and a second operation in which the time correction unit operates. It is also possible to provide an operation mode switching means for switching between the modes, and the operation mode switching means can be configured to switch the operation mode after the operation is completed in each operation mode (sixth configuration).
In any one of the configurations from the second configuration to the sixth configuration, charging confirmation means for confirming whether or not charging has been performed before the time stamp generation means generates a time stamp is provided. The time stamp generating means may be configured to generate a time stamp when charging is confirmed by the charging confirming means (seventh structure).
The present invention also provides a reference time providing apparatus comprising a reference clock device, a signing unit, a time certificate generating unit, and a time certificate providing unit, and measuring the reference time with the reference clock device. A signature step of electronically signing the measured reference time with the signing means, and a time certificate generation step of generating a time certificate including the reference time and the electronic signature with the time certificate generation means And a time certificate providing step of providing the generated time certificate to a digital broadcasting system for transmission by digital broadcasting by the time certificate providing means, A method is provided (eighth configuration).
The present invention also relates to a time stamp issuing device comprising a clock device, a receiving means, a signature confirmation means, a verification means, a certification object information acquisition means, a time stamp generation means, and a time stamp output means. A measuring step for measuring time by the clock device, a receiving step for receiving a time certificate including a reference time and an electronic signature of the reference time by the receiving means via digital broadcasting, and the signature checking means In the signature confirmation step for confirming the electronic signature of the received time certificate, the time of the timepiece device is compared with the reference time included in the time certificate, so that the timepiece device is predetermined by the verification means. A verification step for verifying that the system is operating at a high accuracy, and proof object information acquisition for acquiring proof object information as a time proof object by the proof object information acquisition means And when the electronic signature is confirmed by the signature confirmation means and the time verification apparatus verifies that the timepiece apparatus is operating with a predetermined accuracy, the time stamp generation means A time stamp generating step of generating a time stamp by digitally signing the time to output and the acquired certification object information; and a time stamp output step of outputting the generated time stamp by the time stamp output means; A time stamp issuing method characterized in that the time stamp issuing method is configured (9th configuration).
The present invention also provides a measuring function for measuring a reference time with a reference clock device, a signature function for electronically signing the measured reference time, and a time certificate for generating a time certificate including the reference time and the electronic signature. A reference time providing program for realizing a certificate generating function and a time certificate providing function for providing the generated time certificate to a digital broadcasting system for transmission by digital broadcasting is provided. Configuration).
The present invention also provides a measuring function for measuring time with a clock device, a receiving function for receiving a time certificate including a reference time and an electronic signature of the reference time via digital broadcasting, and the received time certificate. And a verification function for verifying that the timepiece device is operating with a predetermined accuracy by comparing the time of the timepiece device with a reference time included in the time certificate. A certification object information acquisition function for acquiring certification object information to be a time certification object, and the electronic signature is confirmed by the signature confirmation function, and the timepiece device is operating with a predetermined accuracy by the verification function. A time stamp generating function for generating a time stamp by digitally signing the time output by the timepiece device and the acquired certification object information when verified, and Providing a time stamp issuing program for implementing a time stamp output function of outputting a timestamp form, with the computer (eleventh configuration).

  According to the present invention, it is possible to issue a time stamp at low cost while ensuring high accuracy and high reliability by distributing a reference time with an electronic signature in digital broadcasting and performing time distribution using this. it can.

(1) Outline of Embodiment A time certificate is periodically distributed by digital broadcasting. The receiver has a tamper-resistant module having high security, whereby secret key management and time measurement are performed. This tamper resistant module can be switched between three operation modes and has a structure that does not allow back date. In this embodiment, since time distribution is performed by digital broadcasting, highly accurate time distribution can be performed at low cost.

  In the time stamp system 1 (FIG. 1), the digital broadcasting station 2 broadcasts a time certificate 3 with an electronic signature of a reference time as a time signal content. The time stamp server 4 receives the time certificate 3 and acquires the reference time, and uses this to correct and audit the internal clock 17. Since the reference time is electronically signed, the time stamp server 4 can confirm the legitimacy of the reference time.

The internal clock 17 is managed by being divided into a time label (for example, a part of minutes or more) and a precision part (for example, a part of seconds or less) which is a unit smaller than the time label. An audit is performed and the accuracy is corrected.
Also, it is confirmed that the time of the time certificate 3 newly received at the time of the audit is ahead of the time certificate 3 received last time.

As described above, the time stamp server 4 can limit the range in which the internal clock 17 can be operated to the precision portion, and can prevent the back clock of the internal clock 17 by comparing the old and new time certificates 3.
The time stamp server 4 issues a time stamp to the information (hash value or the like) transmitted from the client terminal 5 based on the time of the internal clock 17 that has been corrected and audited.

(2) Details of Embodiment FIG. 1 is a diagram illustrating an example of a system configuration of a time stamp system 1 according to the present embodiment.
The time stamp system 1 includes a digital broadcasting station 2, a time stamp server 4, client terminals 5, 5,..., And the time stamp server 4 and client terminals 5, 5,. The network 6 can be connected.
In the following description, the client terminals 5, 5,.

  The digital broadcasting station 2 is a broadcasting station that provides contents such as radio programs and television programs by digital broadcasting, and includes a digital broadcasting system that transmits the contents as digital signals from the transmitting antenna to the surrounding space. The digital broadcasting station 2 may perform cable broadcasting using a medium such as an optical fiber.

  The digital broadcasting station 2 includes a time signal device 7 that generates a time certificate 3, and broadcasts the time certificate 3 created by the time signal device 7 every predetermined time as time signal contents. As the predetermined time, for example, an interval suitable for the operation of the time stamp system 1 such as an interval of 1 second, an interval of 1 minute, and an interval of 5 minutes can be set.

It is also possible to install the time signal device 7 outside the digital broadcasting station 2 and connect it via a network.
Further, the time signal device 7 may be operated by the digital broadcast station 2 or may be operated by a time stamp service provider and request the digital broadcast station 2 to transmit time signal contents.

The time signal device 7 includes a storage device that stores an atomic clock 22 and a digital signature key 23 for distribution. The time signal device 7 generates a time certificate 3 using the storage device and provides it to the digital broadcasting system.
Since the time certificate 3 can be configured in a simple data format such as text data, the digital broadcasting station 2 can transmit the time certificate 3 with an extremely low load.

In the time certificate 3, a reference time, a time limit, a serial number, unique information, a hash value, an electronic signature, and the like are recorded.
The reference time is a time obtained by correcting the current time output from the atomic clock 22 in consideration of the delay time, and the time stamp server 4 can use the reference time as the current time.
The time limit is the expiration date of the reference time recorded in the time certificate 3. The time stamp server 4 can issue a time stamp within the expiration date after auditing the internal clock 17 at the reference time. The time during which this time stamp can be issued is sometimes called the activation time.

The serial number is the number of the time certificate 3 assigned by the time signal device 7 in the order of issue. In addition, a random number can be used as a serial number in order to increase security.
The unique information is information relating to the transmission destination of the time certificate 3 such as the model number of the time stamp server 4.
Although not shown, other information such as the expiration date of the time certificate 3 and the ID information of the time signal device 7 can be included in the time certificate 3.

The hash value is a hash value obtained by calculating information for preventing falsification such as current time, time limit, serial number, and unique information by a hash function.
The hash function is a kind of one-way function, and it is extremely difficult to restore the original information from the hash value.
The electronic signature is a digital signature obtained by encrypting a hash value with the distribution electronic signature key 23.
The distribution electronic signature key 23 is a secret key, and the distribution public key 15 stored in the time stamp server 4 is a public key corresponding thereto.

The time stamp server 4 is a server device that issues a time stamp in response to a request from the client terminal 5.
Here, the time stamp is information that proves the confirmation time of the electronic document, and from when the document has existed, and has not been falsified not only by the third party but also by the creator. It proves that.

In order to increase security, the time stamp server 4 performs information processing related to time stamp issuance inside the tamper resistant unit 10.
The tamper resistant unit 10 has functions and information necessary for issuing a time stamp, such as a distribution public key 15, a time stamp digital signature key 16, an internal clock 17, a previous certificate 18, and a mode switching unit 13.
The tamper resistant unit 10 includes an audit mode for auditing the internal clock 17 using the time certificate 3, a synchronous mode for correcting the internal clock 17 at the time of the external clock 12, and a stamp mode for issuing a time stamp to the client terminal 5. The mode switching unit 13 switches the operation mode.

The distribution public key 15 is a public key corresponding to the distribution electronic signature key 23 of the digital broadcasting station 2 and is used to confirm the electronic signature of the time certificate 3.
The time stamp electronic signature key 16 is a secret key, and is used to issue a time stamp by electronically signing the hash value transmitted from the client terminal 5 together with the current time.
The internal clock 17 is a clock device for measuring the time proved by the time stamp.

The previous certificate 18 stores the time certificate 3 sent from the digital broadcasting station 2 at the time of the previous audit, and the reference time of the time certificate 3 sent this time is the previous time. Used to confirm that the time is later than the reference time of the time certificate 3.
Thereby, for example, it is possible to prevent the internal clock 17 from being back dated by the time certificate 3 stored somewhere.
At the time of factory shipment, a default previous certificate 18 is stored.

The external clock 12 is, for example, a crystal oscillation type clock device installed on a mother board or the like, and can be corrected to, for example, milliseconds by the reference time of the time certificate 3.
The time of the external clock 12 is used to correct the internal clock 17. That is, the time stamp server 4 first corrects the external clock 12 based on the reference time, and configures the internal clock 17 using the external clock 12.
Since the internal clock 17 has a restriction that it is formed inside the tamper-resistant portion 10, it is difficult to configure it with a highly accurate timepiece device. Therefore, in order to maintain accuracy, the external clock 12 is referred to correct the accuracy portion of the internal clock 17.

Next, the hardware configuration of the time stamp server 4 will be described with reference to FIG.
The time stamp server 4 includes a tamper resistant unit 10, a CPU (Central Processing Unit) 29, a ROM (Read Only Memory) 27, a RAM (Random Access Memory) 30, an external clock 12, a communication unit 26, a storage unit 33, and a broadcast receiving unit. 34 and the like are connected by a bus line, and function as a time stamp issuing device.

The tamper resistant part 10 is composed of a tamper resistant chip in which a CPU 21, an internal clock 17, a ROM 28, a RAM 24, an EEPROM (Electrically Erasable and Programmable ROM) 25, etc. are connected by a bus line (not shown), and maintains a high security level. ing.
The tamper resistant chip is an IC chip configured so that the analysis and unauthorized operation of the internal structure are extremely difficult, and it is automatically broken when trying to analyze the internal structure.

The CPU 21 is a central processing unit that performs various types of information processing according to programs stored in the EEPROM 25, the ROM 28, the RAM 24, and the like.
In the present embodiment, various types of information processing such as switching of the operation mode of the tamper resistant unit 10, confirmation of the authenticity of the time certificate 3, auditing of the internal clock 17, correction of the internal clock 17, issuance of a time stamp, and the like are performed.
The ROM 28 is a read-only storage device (memory), and stores basic programs, parameters, and the like for driving the tamper resistant unit 10.
The RAM 24 is a readable / writable storage device and provides a working area when the CPU 21 performs various types of information processing.

The EEPROM 25 is a readable / writable nonvolatile storage device, and stores programs, data, and the like.
In this embodiment, as an example, a distribution public key 15, a time stamp digital signature key 16, a previous certificate 18, a time stamp program, and the like are stored.
The time stamp program is a program for causing the CPU 21 to perform functions such as switching the operation mode of the tamper resistant unit 10, checking the authenticity of the time certificate 3, auditing / correcting the internal clock 17, and issuing a time stamp. is there.

The CPU 29 is a central processing unit that performs various types of information processing according to programs stored in the storage unit 33, the ROM 27, the RAM 30, and the like.
For example, the CPU 29 outputs the time certificate 3 received from the digital broadcasting station 2 to the tamper resistant unit 10, receives a hash value from the client terminal 5 and outputs it to the tamper resistant unit 10, The output time stamp is transmitted to the client terminal 5.

The external clock 12 generates a clock for driving the time stamp server 4 and is used for correcting the internal clock 17.
For the correction of the internal clock 17, it is possible to use a reference radio wave for a radio clock, a time included in a GPS signal transmitted from GPS hygiene, or other time sources.

The ROM 27 is a read-only storage device, and stores basic programs and parameters for driving the CPU 29.
The RAM 30 is a readable / writable storage device and provides a working area when the CPU 29 performs various types of information processing.

The storage unit 33 is configured by, for example, a hard disk device or a semiconductor storage device, and stores various programs and data.
By executing the program stored in the storage unit 33, the CPU 29 can perform functions such as reception of the time certificate 3 from the digital broadcasting station 2 and transmission / reception with the client terminal 5.

The communication unit 26 constitutes an interface for connecting the time stamp server 4 to the network 6, and the CPU 21 and CPU 29 can communicate with the client terminal 5 via the communication unit 26.
The broadcast receiving unit 34 has a digital broadcast receiving function, receives the time certificate 3 transmitted from the digital broadcast station 2, and provides it to the CPU 29. The broadcast receiving unit 34 functions as a receiving unit that receives the time certificate 3.

The hardware configuration of the time signal device 7 is basically the same as that of the time stamp server 4 and includes a CPU, a ROM, a RAM, a storage device, an atomic clock 22, an input / output interface and the like connected by a bus line. The storage device stores an electronic signature key 23 for distribution.
The atomic clock functions as a reference clock device for measuring a reference time. The reference time is obtained by correcting the measured value of the atomic clock with the delay time.
The CPU executes a program stored in a storage device or the like to thereby electronically sign a reference time with the distribution electronic signature key 23 (signature means), and a function to generate a time certificate 3 (time certificate generation) Means), a function of providing the time certificate 3 by transmitting it to the digital broadcasting system of the digital broadcasting station 2 via the input / output interface (time certificate providing means). Thus, the time signal device 7 has a function as a reference time providing device.
The configuration of the client terminal 5 is basically the same as that of the time stamp server 4 and the time signal device 7.

Next, auditing and correction of the internal clock 17 will be described with reference to FIG.
FIG. 3 shows an example of the time measured by the internal clock 17. In this example, the internal clock 17 measures the time in units of one hundred milliseconds, and is “March 30, 2005, 15:30, 20 seconds, and two hundred milliseconds”.
The tamper resistant part 10 manages the time measured by the internal clock 17 by dividing it into two parts: a time label and an accuracy part whose unit is smaller than the time label.

For example, when the time stamp only needs to be proved up to the day or when it is only necessary to prove up to the time, the time accuracy required for the certification varies.
Therefore, the tamper resistant unit 10 uses the required time accuracy as a time label, sets a smaller unit as the accuracy portion, and corrects the accuracy portion by the external clock 12 to prevent tampering of the time label. ing.
In this way, by dividing the time of the internal clock 17 into a security providing part (time label) and a quality providing part (accuracy part), both security and quality can be provided to the user.

In the example of the figure, as an example, the time label is a part of minutes or more (“March 30, 2005, 15:30”), and the precision part is a part of seconds or less (“20 seconds, 2200 milliseconds”). ).
In this case, the tamper resistant unit 10 corrects the internal clock 17 by synchronizing the unit of the internal clock 17 in seconds or less with the external clock 12.
Further, the time audit is performed by comparing a portion of the internal clock 17 or more with the reference time of the time certificate 3.
Note that the time label and the precision part do not need to be adjacent to each other, and the time label can be set to minutes or more, and the precision part can be set to milliseconds or less.

Next, the mode switching performed by the mode switching unit 13 will be described with reference to FIG.
As shown in FIG. 4, the mode switching unit 13 sequentially switches the operation mode of the tamper resistant unit 10 in the order of audit mode → stamp mode → synchronous mode → audit mode →.
The audit mode and the stamp mode are operation modes that require high security because they handle time labels (hereinafter referred to as security mode), while the synchronization mode deals with the precision portion, and therefore, an operation mode that does not necessarily require high security (hereinafter referred to as “security mode”). General mode).

The mode switching unit 13 switches the operation mode of the tamper resistant unit 10 to the next operation mode after the currently operating mode is completed.
Therefore, in order to operate in the stamp mode, it is necessary that the audit mode and the synchronization mode are completed, and the tamper resistant unit 10 can issue a time stamp at the time when the audit and synchronization are performed.

In this manner, the tamper resistant unit 10 operates by switching between the security mode and the general mode, thereby preventing simultaneous processing that requires high security and processing that does not require high security.
Moreover, since each operation mode is operated by an independent module, the tamper resistant unit 10 can prevent the processing in the security mode and the process in the general mode from interfering with each other in the tamper resistant unit 10, such as cracking. High resistance against unauthorized access.

  In the tamper resistant unit 10, the security mode is switched between the audit mode and the stamp mode, but since these are both security modes, it may be configured to perform the audit and issue the stamp in the same mode. Good.

  As described above, the tamper resistant unit 10 includes the first operation mode in which the verification unit (inspects) and the time certification information generation unit (issues the time stamp) operate, and the time correction unit (synchronization in units of seconds). The operation mode switching means (mode switching unit 13) for switching between the second operation mode (synchronous mode) in which the operation mode is operated, and the operation mode switching means after the operation is completed in each operation mode Switch the operation mode.

In this embodiment, the mode is switched in the order of synchronous mode → audit mode → stamp mode → synchronous mode →... However, the order of mode switching is not limited to this, and for example, auditing The operation mode may be switched in another order such as mode → synchronous mode → stamp mode → audit mode.
However, since the former (synchronous mode → audit mode → stamp mode → synchronous mode →...) Issues a time stamp after the audit, the reliability of the time stamp server 4 is enhanced.

If the time stamp server 4 (preferably inside the tamper resistant unit 10) is provided with a billing module (billing confirmation means) for confirming whether or not billing has been performed, the time stamp server 4 can be billed.
In this case, the mode switching unit 13 checks whether or not charging has been performed by the charging module before switching the operation mode from the audit mode to the stamp mode. If the charging is confirmed, the operation mode is switched from the audit mode to the stamp mode. When switching or charging cannot be confirmed, the operation mode is switched from the audit mode to the synchronous mode.

By configuring the mode switching unit 13 in this way, the tamper resistant unit 10 can issue a time stamp when charging is performed, and repeats the audit mode and the synchronization mode when charging is not performed. , Can wait until the billing can be confirmed.
The billing method and the confirmation method can be configured using a known system or method.

FIG. 5 is a conceptual diagram for explaining a protocol in which the time signal device 7 corrects the reference time based on the delay time.
There are various reasons (for example, the time required to create the time certificate 3 and a delay due to a circuit, etc.) from when the time signal device 7 outputs the time certificate 3 to when the time stamp server 4 receives it. A delay time Δt occurs.
When the time signal device 7 and the time stamp server 4 are connected by wire, Δt may change depending on the network conditions, the connection environment of the time stamp server 4, etc. In the time stamp system 1, the time certificate 3 is transmitted wirelessly. Therefore, Δt is almost a constant value in any time stamp server 4.

Therefore, the time signal device 7 stores Δt measured in advance, and sets the reference time described in the time certificate 3 to a value advanced by Δt. That is, the output value of the atomic clock 22 is TA, and T = TA + Δt is the reference time.
Thereby, the time stamp server 4 can handle the reference time described in the received time certificate 3 as the current time.
In this embodiment, the time signal device 7 is configured to correct the delay. However, the present invention is not limited to this, and the time stamp server 4 may be configured to correct the delay.
In this case, the reference time of the time certificate 3 is a time including a delay time, and the time stamp server 4 sets a time obtained by advancing the reference time by Δt as the current time.

FIG. 6 is a flowchart for explaining mode switching of the tamper resistant unit 10 by the mode switching unit 13.
First, the mode switching unit 13 operates the tamper resistant unit 10 in the synchronous mode (step 5).
When the tamper resistant unit 10 finishes correcting the internal clock 17 in the synchronous mode, the mode switching unit 13 operates the tamper resistant unit 10 in the audit mode (step 10).

When the tamper resistant unit 10 finishes the audit in the audit mode, the mode switching unit 13 confirms whether or not charging has been performed by the charging module. If charging has not been performed (step 15; N), Switch the operation mode to synchronous mode.
When charging has been completed (step 15; Y), the mode switching unit 13 switches the operation mode to the stamp mode (step 20).
If charging is not performed, step 15 is omitted.

When the activation time elapses after starting the stamp mode, the mode switching unit 13 determines whether or not to forcibly terminate (step 25; N), and if the forced termination is not performed, the operation mode is set to the synchronous mode. When the forced termination is performed (step 25; Y), the operation of the tamper resistant part 10 is stopped.
Whether or not to forcibly terminate can be determined in various ways, for example, when the loop from step 5 to step 20 is repeated a predetermined number of times, or when forced termination is instructed from the outside. .

FIG. 7 is a flowchart for explaining a procedure for the digital broadcast station 2 to transmit the time certificate 3.
The following step 30 to step 40 are performed by the time signal device 7, and step 45 is performed by the digital broadcasting system of the digital broadcasting station 2.
First, the time signal device 7 measures the current time with the atomic clock 22 (step 30).
Next, the time signal device 7 calculates a time obtained by advancing the current time measured in step 30 by the delay time Δt, and uses this as a reference time to obtain the time certificate 3 (reference time, time limit, serial number, Including unique information) (step 35).

Next, the time signal device 7 calculates a hash value of the time certificate 3 before signature, and encrypts the calculated hash value with the electronic signature key 23 for distribution.
Then, the time signal device 7 digitally signs the time certificate 3 by giving a hash value and an electronic signature (information obtained by encrypting the hash value with the distribution electronic signature key 23) to the time certificate 3 before signature. (Step 40).

The time signal device 7 generates the time certificate 3 and outputs it to the digital broadcasting system of the digital broadcasting station 2.
The digital broadcasting system of the digital broadcasting station 2 transmits the time certificate 3 to the time stamp server 4 as a time signal content (step 45).

FIG. 8 is a flowchart for explaining the procedure by which the time stamp server 4 corrects the external clock 12.
Although the tamper resistant part 10 is included in the time stamp server 4, in order to clarify whether the information processing is performed by the tamper resistant part 10, in FIG. 8, the tamper resistant part 10 is an independent operating entity. Show.
Therefore, the CPU 21 performs information processing performed by the “tamper resistant part” in the flowchart, and the CPU 29 performs information processing performed by the “time stamp server”. The same applies to the following flowcharts.

First, the digital broadcasting station 2 transmits the time certificate 3 to an unspecified time stamp server 4 by digital broadcasting (step 50).
The time stamp server 4 receives the time certificate 3 from the digital broadcasting station 2 and stores it in, for example, the RAM 30 (FIG. 2) (step 55).
Next, the time stamp server 4 reads the basic time from the time certificate 3 and corrects the external clock 12 so as to synchronize with this basic time (step 60).

Since the time of the external clock 12 is not used for the security-related part in the time stamp issuance, the time stamp server 4 does not check the electronic signature of the time certificate 3 and is included in the time certificate 3. Use the reference time.
This is merely an example, and the time stamp server 4 may be configured to confirm the electronic signature.
Further, since the internal clock 17 refers only to the precision portion of the external clock 12, the external clock 12 may be corrected only for the precision portion.

FIG. 9 is a flowchart for explaining a procedure in which the tamper resistant unit 10 corrects the internal clock 17. The following information processing is performed while the tamper resistant unit 10 is in the synchronous mode.
First, the tamper resistant part 10 requests the current time from the time stamp server 4 (step 70).

The time stamp server 4 outputs a portion corresponding to the accuracy portion of the time measured by the external clock 12 to the tamper resistant portion 10 (step 75).
Note that the time measured by the external clock 12 may be output to the tamper resistant part 10 so that the tamper resistant part 10 extracts a part corresponding to the precision part.
The tamper resistant part 10 acquires the current time from the time stamp server 4 and corrects the accuracy part of the time measured by the internal clock 17 using this (Step 80).

In this way, the tamper resistant unit 10 acquires the reference time included in the time certificate 3 via the external clock 12, and obtains the time of the unit less than the predetermined accuracy measured by the internal clock 17 (ie, the accuracy part). Time correction means for correcting is provided.
It is also possible to take the time certificate 3 into the tamper resistant part 10 and directly correct the internal clock 17 at the reference time of the time certificate 3.

FIG. 10 is a flowchart for explaining a procedure in which the tamper resistant unit 10 audits the internal clock 17. The following information processing is performed while the tamper resistant unit 10 is in the audit mode.
First, the tamper resistant part 10 requests the time certificate 3 from the time stamp server 4 (step 100).
When the time stamp server 4 receives the request for the time certificate 3 from the tamper resistant unit 10, it waits until the time certificate 3 is transmitted from the digital broadcasting station 2.

When the digital broadcasting station 2 transmits the time certificate 3 (step 105), the time stamp server 4 receives this and outputs it to the tamper resistant part 10 (step 110).
When the tamper resistant part 10 obtains the time certificate 3, the label part of the time when the internal clock 17 measures the time corresponding to the label part of the reference time described in the time certificate 3 (Step 115).
In this way, the tamper resistant unit 10 verifies that the internal clock 17 is operating with a predetermined accuracy (time label) by comparing the time of the internal clock 17 with the reference time included in the time certificate 3. A verification means is provided.

If both times do not match (step 120; N), the mode switching unit 13 shifts the operation mode of the tamper resistant unit 10 to the synchronous mode (step 150).
If both times match (step 120; Y), the tamper resistant part 10 confirms the electronic signature of the time certificate 3 (step 125).

The confirmation of the electronic signature is performed as follows.
First, the tamper resistant unit 10 decrypts the electronic signature of the time certificate 3 with the distribution public key 15 to restore the hash value.
Then, a hash value is generated from information (current time, time limit, etc.) described in the time certificate 3. When the two match, the tamper resistant unit 10 confirms that the time certificate 3 is legitimate information created by the time signal device 7.
As described above, the tamper resistant unit 10 includes a signature confirmation unit that confirms the electronic signature of the time certificate 3.

When it is not possible to confirm that the time certificate 3 is valid by the confirmation of the electronic signature (step 130; N), the tamper resistant unit 10 returns to step 100, and again receives the time certificate 3 from the time stamp server 4. Request.
When the validity of the time certificate 3 can be confirmed (step 130; Y), the tamper resistant part 10 determines whether the reference time described in the previous certificate 18 and the reference time described in the time certificate 3 are the same. The context is compared (step 135).

When the reference time of the time certificate 3 received this time is before the reference time of the previous certificate 18 (step 140; N), the tamper resistant unit 10 returns to step 100.
When the reference time of the time certificate 3 received this time is later than the reference time of the previous certificate 18 (step 140; Y), the tamper resistant unit 10 uses the time certificate 3 that received the previous certificate 18 this time. Replace (step 145).
After replacing the previous certificate 18 with the time certificate 3 received this time, the mode switching unit 13 shifts the tamper resistant unit 10 to the stamp mode, and the tamper resistant unit 10 starts issuing a time stamp.

In the present embodiment, the previous certificate 18 is confirmed after the internal clock 17 is audited, but the previous certificate 18 need not necessarily be confirmed.
Further, instead of the previous certificate 18, the reference time included in the previous certificate 18 can be stored and corrected so as to be compared with the reference time of the time certificate 3 received this time.

Here, a modified example of the auditing method will be described using the flowchart of FIG.
In this example, after the internal clock 17 is audited with the second accuracy, the tamper resistant unit 10 audits with the first accuracy when the audit with the second accuracy is successful.
However, the first accuracy is higher than the second accuracy. For example, the second accuracy can be in minutes, and the first accuracy can be in seconds.
Such a method of auditing in stages from low accuracy to high accuracy is effective, for example, when the time stamp server 4 is audited for the first time after shipment from the factory, or when auditing is performed with high accuracy.

First, when entering the audit mode, the tamper resistant unit 10 confirms whether the audit was performed with the first accuracy last time (step 150).
When the audit with the first accuracy is not performed last time (step 150; N), the tamper resistant part 10 executes the audit with the second accuracy (step 155).
This is performed by the tamper resistant unit 10 acquiring the time certificate 3 from the digital broadcasting station 2 and using this to check whether the internal clock 17 matches with the second accuracy.
More specifically, the tamper resistant unit 10 determines that the time of the internal clock 17 is within a predetermined time from the time described in the time certificate 3 (for example, within ± (half the minimum time that can be measured with the second accuracy)). Make sure that there is.

If the internal clock 17 does not match with the second accuracy, the audit was not successful (step 160; N), so the tamper resistant part 10 returns to step 155 to acquire the time certificate 3 from the digital broadcasting station 2. Perform a second precision audit.
In this way, when the audit is unsuccessful due to an accidental error or the like, the tamper resistant unit 10 can try the audit again.

On the other hand, when the audit is performed with the first accuracy in the previous audit (step 150; Y), or when the time of the internal clock 17 matches the time of the time certificate 3 with the second accuracy and the audit is successful ( Step 160; Y), the tamper resistant part 10 executes the audit with the first accuracy (Step 165). This is performed by the tamper resistant unit 10 acquiring the time certificate 3 from the digital broadcasting station 2 and using this to check whether the internal clock 17 matches with the first accuracy.
More specifically, the tamper resistant unit 10 determines that the time of the internal clock 17 is within a predetermined time from the time described in the time certificate 3 (for example, within ± (half of the minimum time that can be measured with the first accuracy)). Make sure that there is.

If the internal clock 17 does not match with the first accuracy, the audit was not successful (step 170; N), so the tamper resistant unit 10 returns to step 155 to acquire the time certificate 3 from the digital broadcasting station 2. Perform a second precision audit.
In this way, when the audit with the first accuracy is unsuccessful due to an accidental error or the like, the tamper resistant unit 10 can try the audit with the second accuracy again.
On the other hand, when the time of the internal clock 17 coincides with the time of the time certificate 3 with the first accuracy and the audit is successful (step 170; Y), the tamper resistant unit 10 ends the audit mode.

As described above, the tamper resistant part 10 includes the accuracy changing unit that changes the predetermined accuracy defining the time label to the first accuracy and the second accuracy lower than the first accuracy.
Then, the accuracy changing means sets the predetermined accuracy to the first accuracy when the internal clock 17 is successfully audited with the second accuracy.

FIG. 12 is a flowchart for explaining a procedure in which the time stamp server 4 issues a time stamp to the client terminal 5.
First, the client terminal 5 generates a hash value of the electronic document to be issued as a time stamp and transmits it to the time stamp server 4 (step 200).
The time stamp server 4 receives the hash value from the client terminal 5 and outputs it to the tamper resistant unit 10 (step 210).
As described above, the time stamp server 4 includes proof object information acquisition means for acquiring proof object information (hash value) to be a time proof object.

When the tamper resistant part 10 acquires the hash value, it acquires the current time including the time label and the precision part from the internal clock 17 (step 215).
Next, the tamper resistant unit 10 generates data including the hash value, the current time, and other information (for example, identification information of the time stamp server 4, time stamp issuance date and time), and calculates the hash value thereof. .
Then, the tamper resistant unit 10 performs digital signature by encrypting the calculated hash value with the time stamp digital signature key 16 (step 220).

In this way, a time stamp in which the hash value transmitted by the client terminal 5 and the current time of the internal clock 17 are digitally signed by the time stamp digital signature key 16 is generated.
Since this electronic signature is performed after the internal clock 17 is successfully audited, the tamper resistant unit 10 confirms that the electronic signature of the time certificate 3 is confirmed and the internal clock 17 is operating with a predetermined accuracy. In this case, there is provided time stamp generating means for generating a time stamp by digitally signing the time output by the internal clock 17 and the hash value.

Further, since it can be confirmed that the reference time of the time certificate 3 is later than the reference time of the previous certificate 18, the tamper resistant unit 10 uses the reference time used for the verification as the reference used in the previous verification. When it is confirmed that the time is later than the time, a time stamp is generated.
Furthermore, when charging is performed, the stamp mode is entered after the charging is confirmed. Therefore, the tamper resistant unit 10 generates a time stamp when the charging is confirmed.

When the tamper resistant part 10 generates a time stamp, it outputs it to the CPU 29, and the time stamp server 4 transmits it to the client terminal 5 (step 230).
As described above, the tamper resistant unit 10 includes time stamp output means for outputting the generated time stamp.
The client terminal 5 receives the time stamp from the time stamp server 4 (step 235).

The time stamp user can guarantee the non-falsification of the electronic document to a third party by attaching the time stamp to the electronic document.
Then, the third party can confirm the non-falsification of the electronic document acquired from the time stamp user as follows.
A third party prepares a time stamp public key corresponding to the time stamp electronic signature key 16 and confirms the authenticity of the time stamp by confirming the electronic signature of the time stamp attached to the electronic document. To do.
That is, the third party generates a hash value of the electronic document and compares it with the hash value included in the time stamp.
If the two match, it is possible to confirm the non-falsification of the electronic document and the time information given by the time stamp server 4.

The following effects can be obtained by the embodiment described above.
(1) Time distribution with high time synchronization accuracy of several milliseconds or more is possible.
(2) Since the tamper resistant part 10 can be easily made into an IC chip by mounting a simple algorithm, cost reduction can be realized.
(3) With a communication protocol that separates time certification and time synchronization, it is possible to realize a highly accurate time distribution and service utilizing digital broadcasting.
(4) By utilizing digital broadcasting, a large-scale time synchronization system can be constructed.

Next, a modification of the present embodiment will be described.
In this modification, a time stamp function similar to that of the time stamp server 4 is provided in the measurement device, and when the measurement value is measured, the time stamp is issued to the measurement data on the spot.
FIG. 13 is a block diagram for explaining a network configuration of a time stamp system 1a according to a modification.
The time stamp system 1 a includes a digital broadcasting station 2, a measuring device 4 a, and a data collection server 8.
The configuration of the digital broadcasting station 2 is the same as that of the embodiment described above.

Similar to the time stamp server 4, the measuring device 4 a includes an external clock 12 and a tamper-resistant unit 10, and can perform synchronization and auditing with the time certificate 3 transmitted from the digital broadcasting station 2, and can also detect physical quantities. A measurement unit 14 that performs measurement is provided.
For example, the measurement unit 14 measures a physical quantity every predetermined time, and outputs measurement data to the tamper resistant unit 10 when the measurement is performed.

The tamper resistant unit 10 gives the current time of the internal clock 17 and the like to the measurement data, and digitally signs it with the time stamp digital signature key 16. As a result, a time stamp is issued to the measurement data.
The measuring device 4 a acquires the measurement data to which the time stamp is given from the tamper resistant unit 10, and transmits it to the data collection server 8 via the network 6.
The data collection server 8 collects time-stamped measurement data from the measurement device 4a and accumulates it.

As described above, in this modification, the measurement device 4a has a time stamp issuing function, and thus the time stamp is immediately issued on the spot when the measurement data is acquired. It can be done reliably.
As a concrete usage form of the measuring device 4a, for example, it can be used for commercial measuring devices such as an electric meter, a water meter, a gas meter, a weather observation device, a seismometer, an air pollution measuring device, a plastic house It can be used for various special measuring devices such as thermometers and nuclear power station radiation measuring instruments.

  Further, if the measurement device 4a is equipped with a GPS (Global Positioning Systems) device and is configured to issue a time stamp to the measurement data and the current position by GPS, the measurement time and measurement location of the measurement data can be recorded in an unchangeable manner. .

The following effects can be obtained by this modification.
(1) A time stamp can be issued to measurement data on the spot where the measurement value is measured. For this reason, falsification of measurement data can be prevented.
(2) Since the time certificate 3 to be digitally broadcast is received and the internal clock 17 is synchronized and audited, a highly accurate time stamp can be issued without using expensive equipment such as an audit server.
(3) Meter reading work such as a water meter can be automated.

Next, a second modification of the present embodiment will be described.
In this modification, a parent-child relationship is set in the measurement device, and the parent device issues a time stamp to the measurement data measured by the child device.
FIG. 14 is a block diagram for explaining a network configuration of the time stamp system 1b according to the second modification.
The time stamp system 1b includes a measuring device 4b, a data collection server 8 disposed so as to be connectable to the measuring device 4b via the network 6, and slave units 50, 50,... Capable of wireless communication with the measuring device 4b. It has.

The measuring device 4b includes the external clock 12 and the tamper-proof unit 10 as well as the measuring device 4a, and also supports a communication function (either wireless or wired) with the child device 50 and the child device private key of the child device 50. A handset public key database 19 storing handset public keys to be stored is provided.
Each child device 50 has a child device ID, and the measuring device 4b identifies the child device 50 by the child device ID and obtains the child device public key of the child device 50 from the child device public key database 19. Can be acquired.

The subunit | mobile_unit 50 has memorize | stored the measurement part which measures a physical quantity, and the subunit | mobile_unit private key which is a secret key, and electronically signs the measurement data measured by the measurement part with the subunit | mobile_unit private key, and transmits to the measuring device 4b.
When the measurement device 4b receives the measurement data from the child device 50, the measurement device 4b acquires the child device public key of the child device 50 from the child device public key database 19, and uses this to check the legitimacy of the measurement data.
The measuring device 4b gives the current time of the internal clock 17 (not shown) to the measurement data, digitally signs it with the time stamp digital signature key 16, and issues a time stamp.
The measuring device 4b transmits the measurement data to which the electronic signature has been added to the data collection server 8, and the data collection server 8 receives and accumulates it.

The following effects can be obtained by this modification.
(1) Since the subunit | mobile_unit 50 does not require a time stamp issuing function, many measuring devices can be arrange | positioned cheaply.
For example, when monitoring the temperature of each location in a greenhouse, install one measuring device 4b and install the slave unit 50 in other locations to save time in the temperature data of each location in the greenhouse. A stamp can be issued.
(2) For example, when collecting measurement data in a place where it is difficult to receive digital broadcasting, the measuring device 4b is installed in a place where digital broadcasting can be received, and the slave unit 50 is installed in a place where receiving digital broadcasting is difficult By doing so, a time stamp can be issued to the measurement data.
As such a case, for example, there is a case where the measuring device 4b is installed outside the tunnel and the slave unit 50 is installed inside the tunnel.

It is the figure which showed the system configuration | structure of the time stamp system. It is the figure which showed the hardware constitutions of the time stamp server. It is the figure which showed an example of the time which an internal clock measures. It is a figure for demonstrating switching of an operation mode. It is a figure for demonstrating the protocol which correct | amends reference time. It is a flowchart for demonstrating mode switching. It is a flowchart for demonstrating the procedure which transmits a time certificate. It is a flowchart for demonstrating the procedure which corrects an external clock. 5 is a flowchart for explaining a procedure for correcting an internal clock 17; It is a flowchart for demonstrating an audit procedure. It is a flowchart for demonstrating the modification of an inspection method. It is a flowchart for demonstrating the procedure which issues a time stamp. It is a figure for demonstrating a modification. It is a figure for demonstrating the 2nd modification. It is a figure for demonstrating the system of the conventional time stamp system.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Time stamp system 2 Digital broadcasting station 3 Time certificate 4 Time stamp server 5 Client terminal 6 Network 7 Time signal device 8 Data collection server 10 Tamper resistant part 12 External clock 13 Mode switching part 15 Public key for delivery 16 Electronic signature for time stamp Key 17 Internal clock 18 Previous certificate 22 Atomic clock 23 Electronic signature key for distribution

Claims (11)

A reference clock device for measuring a reference time;
A signing means for electronically signing the measured reference time;
Time certificate generating means for generating a time certificate including the reference time and the electronic signature;
Time certificate providing means for providing the generated time certificate to a digital broadcasting system for transmission by digital broadcasting;
An apparatus for providing a reference time, comprising: A clock device for measuring time;
A receiving means for receiving a time certificate including a reference time and an electronic signature of the reference time via digital broadcasting;
Signature confirmation means for confirming the electronic signature of the received time certificate;
Verification means for verifying that the timepiece device is operating with a predetermined accuracy by comparing the time of the timepiece device with a reference time included in the time certificate;
A certification object information obtaining means for obtaining certification object information to be a time certification object;
When the electronic signature is confirmed by the signature confirmation means and when it is verified by the verification means that the timepiece device is operating with a predetermined accuracy, the time output by the timepiece device and the acquired certification object Time stamp generating means for generating a time stamp by electronically signing information;
Time stamp output means for outputting the generated time stamp;
A time stamp issuing device characterized by comprising:   The time stamp generation means generates a time stamp when it is confirmed that the reference time used for verification is later than the reference time used in the previous verification. The time stamp issuing device described in 1.     The time correction means for correcting the time less than the predetermined accuracy measured by the timepiece device using a reference time included in the received time certificate is provided. The time stamp issuing device described in 1. Comprising a precision changing means for changing the predetermined precision to a first precision and a second precision lower than the first precision;
The accuracy changing unit sets the predetermined accuracy to a second accuracy, and when the verification unit verifies the accuracy of the timepiece device using the second accuracy, the predetermined accuracy is set to the first accuracy. 5. The time stamp issuing device according to claim 2, wherein the time stamp issuing device is set to accuracy. An operation mode switching unit that switches between a first operation mode in which the verification unit and the time stamp generation unit operate and a second operation mode in which the time correction unit operates;
6. The time stamp issuance according to claim 2, wherein the operation mode switching unit switches the operation mode after the operation is completed in each operation mode. apparatus. Charging confirmation means for confirming whether or not charging has been performed before the time stamp generating means generates the time stamp;
The said time stamp production | generation means produces | generates a time stamp, when charge is confirmed by the said charge confirmation means, The claim of any one of Claim 2 to 6 characterized by the above-mentioned. Time stamp issuing device. In a reference time providing device comprising a reference clock device, a signing means, a time certificate generating means, and a time certificate providing means,
A measuring step for measuring a reference time in the reference clock device;
A signature step of electronically signing the measured reference time with the signing means;
A time certificate generating step of generating a time certificate including the reference time and the electronic signature by the time certificate generating means;
A time certificate providing step of providing the generated time certificate to a digital broadcasting system for transmission by digital broadcasting in the time certificate providing means;
A method for providing a reference time, comprising: In a time stamp issuing device comprising a clock device, a receiving means, a signature confirmation means, a verification means, a certification object information acquisition means, a time stamp generation means, and a time stamp output means,
A measuring step of measuring time in the timepiece device;
A receiving step of receiving, via digital broadcasting, a time certificate including a reference time and an electronic signature of the reference time by the receiving means;
A signature confirmation step of confirming an electronic signature of the received time certificate by the signature confirmation means;
A verification step of verifying that the timepiece device is operating with a predetermined accuracy by the verification means by comparing the time of the timepiece device and a reference time included in the time certificate;
A certification object information acquisition step of acquiring certification object information to be a time certification object by the certification object information acquisition means;
When the electronic signature is confirmed by the signature confirmation means, and when it is verified by the verification means that the timepiece device is operating with a predetermined accuracy, a time output by the timepiece device by the time stamp generation means A time stamp generating step for generating a time stamp by digitally signing the acquired certification object information;
A time stamp output step of outputting the generated time stamp by the time stamp output means;
A time stamp issuing method characterized by comprising: A measurement function for measuring a reference time with a reference clock device;
A signature function for electronically signing the measured reference time;
A time certificate generation function for generating a time certificate including the reference time and the electronic signature;
A time certificate providing function for providing the generated time certificate to a digital broadcasting system for transmission by digital broadcasting;
Program for providing a reference time for realizing the above on a computer. A measurement function for measuring time with a clock device;
A reception function for receiving a time certificate including a reference time and an electronic signature of the reference time via digital broadcasting;
A signature confirmation function for confirming the electronic signature of the received time certificate;
A verification function for verifying that the timepiece device is operating with a predetermined accuracy by comparing the time of the timepiece device and a reference time included in the time certificate;
A certification object information acquisition function for acquiring certification object information that is a time certification object;
When the electronic signature is confirmed by the signature confirmation function, and when it is verified by the verification function that the timepiece device is operating with a predetermined accuracy, the time output by the timepiece device and the acquired certification object A time stamp generation function for generating a time stamp by electronically signing information;
A time stamp output function for outputting the generated time stamp;
Is a time stamp issue program for realizing the above on a computer.

Images