JP2009187179A - Time stamp device and method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To issue a correct time stamp using a clock which has an independent power source and can not be operated from the outside. <P>SOLUTION: A time stamp device 10 is provided with a local clock part which can not be operated from the outside except when initializing a time, and a time stamp processing part. A local clock part equipped with an independent power source generates a time from fixed-interval oscillation signals generated by an oscillation means when receiving the supply of a power from the power source, and outputs transmission data including the time information at fixed intervals. The time stamp processing part acquires the time information from the received transmission data, and transmits the acquired time information to a time audit station system 70, and receives and stores time audit certificate data. When a time stamp request is received from a client terminal 80, and a time acquired when receiving the request is within a term of validity acquired from the stored time audit certificate data, the time stamp is generated based on the time. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a time stamp apparatus and method for issuing a time stamp used to prove that a digital document or the like was present at a certain time, for example.

Conventionally, time stamp technology has been used to prove that a digital document is indeed present at a certain time and has not been altered or altered since then.
Patent Document 1 describes a technique in which a time stamp device issues a time stamp using a local time when the time distribution audit server has received time auditing / calibration. Patent Document 2 describes that when a time stamp device cannot always connect to a time distribution audit server, the time is corrected by a radio clock to maintain the accuracy of the clock after receiving the time distribution. ing.
JP 2002-229869 A JP 2006-236251 A

  The above-described conventional method for calibrating / correcting the time of the time stamp apparatus with an external time source has a high possibility of being subject to time tampering from the outside, and also complicates the apparatus. Even when time accuracy is not required, always connecting to a time distribution audit server or correcting the time with a radio clock increases the distribution cost and complicates the time stamp apparatus. However, if a clock that cannot be calibrated / corrected from the outside is used, there is a possibility that a time stamp using the correct time cannot be issued if the clock is distorted.

  The present invention has been made in consideration of such circumstances, and an object of the present invention is to provide a time stamp device that can issue a time stamp of the correct time while using a clock that has an independent power source and cannot be operated from the outside. And providing a method.

  The present invention has been made to solve the above-described problem, and includes a time unit including a clock unit that generates time and a time stamp processing unit that generates time stamp data using the time generated by the clock unit. In the stamp device, the clock unit generates a time from the power source, an oscillation unit that receives an electric power supply from the power source and generates an oscillation signal having a constant period, and an oscillation signal generated by the oscillation unit A time control unit, a time setting unit that performs time setting to the time control unit only once, and thereafter prohibits time setting, and transmission data that includes time information generated by the time control unit at regular intervals. A signal transmission unit for outputting, the time stamp processing unit received by the signal reception unit for receiving transmission data output from the signal transmission unit at regular intervals, and received by the signal reception unit A time acquisition unit that acquires time information from the received data, and the time information acquired by the time acquisition unit is transmitted to the time audit station system, and the time audit certificate data for the transmitted time information is received and the time The time audit control unit that writes to the audit certificate holding unit and the time stamp request received from the client terminal, and the time acquired by the time acquisition unit when the time stamp request is received is stored in the time audit certificate holding unit A time stamp generating unit that generates time stamp data according to the time and returns the data to the client terminal when the time is within the expiration date obtained from the time audit certificate data. Device.

  Further, the present invention is the time stamp device described above, wherein the timepiece unit and the time stamp processing unit have tamper resistance.

  Further, the present invention is the time stamp device described above, wherein the time setting unit receives the time setting request, and information indicating that the time is initially set is set in a storage unit included in the clock unit. If not, the time is set in the time control unit, and information indicating that the time is initially set is written in the storage unit.

  In addition, the present invention is the time stamp device described above, wherein the time stamp creating unit generates time stamp data further setting the time audit certificate data.

  Further, the present invention is the time stamp device described above, wherein the time acquisition unit determines that the acquired time information is correct when the acquired time information is a time advanced from a previously acquired time. It is characterized by judging.

  The present invention is the above-described time stamp device, wherein the signal transmission unit outputs transmission data including encrypted time information that is the encrypted time, and the time acquisition unit includes the transmission The encryption time information set in the data is decrypted.

  The present invention is the time stamp device described above, wherein the clock unit further includes an encryption time holding unit that holds information in which a time is associated with an encryption time of the time, and the signal The transmission unit reads information on the encryption time corresponding to the time generated by the time control unit from the encryption time holding unit, and outputs transmission data including the read information on the encryption time. To do.

  Further, the present invention is the time stamp device described above, wherein the time acquisition unit sets the information on the encryption time set in the transmission data received by the signal reception unit to the transmission data received in the past. The transmission data is judged to be valid when the encrypted time information is not correct.

  In addition, the present invention is the time stamp device described above, wherein the clock unit and the time stamp processing unit are detachable.

  Further, the present invention is the time stamp apparatus described above, wherein the time stamp processing unit stores time audit certificate data stored in the time audit certificate holding unit when the replacement of the clock unit is detected. It further comprises an erasing unit for erasing.

  Further, the present invention is the time stamp apparatus described above, wherein the time stamp processing unit is set with information indicating that the time is significantly shifted in the time audit certificate data received by the time audit control unit. An output unit for outputting an error in the case of the error.

  Further, the present invention is the above-described time stamp device, wherein the time stamp processing unit further includes a notification unit for notifying that the expiration date is near when a predetermined period is reached until the expiration date of the clock unit. It is characterized by providing.

  Further, the present invention is the above-described time stamp device, which includes a computer device connected to the client terminal via a network, the clock unit, and a hardware security module as the time stamp processing unit. It is characterized by that.

  In addition, the present invention is the time stamp device described above, which is a hardware security module connected to the client terminal by a connector.

  Further, the present invention is a time stamp method used in a time stamp apparatus including a clock unit that generates time and a time stamp processing unit that generates time stamp data using the time generated by the clock unit. In the timepiece unit, the oscillation unit receives power from a power source included in the timepiece unit and generates an oscillation signal at a constant interval, and the time control unit generates a time from the oscillation signal generated by the oscillation unit. The time setting unit sets the time to the time control unit only once, and thereafter prohibits the time setting, and the signal transmission unit transmits the time information generated by the time control unit. While outputting the data at regular intervals, in the time stamp processing unit, the signal reception unit receives transmission data output at regular intervals from the signal transmission unit, the time acquisition unit, Time information is acquired from the transmission data received by the signal receiving unit, and the time audit control unit transmits the time information acquired by the time acquisition unit to the time audit station system, and the time for the transmitted time information The audit certificate data is received and written in the time audit certificate holding unit, the time stamp generating unit receives the time stamp request from the client terminal, and the time acquired by the time acquiring unit when the time stamp request is received is , When it is within the validity period obtained from the time audit certificate data stored in the time audit certificate holding unit, the time stamp data is generated according to the time and returned to the client terminal, This is a time stamp method.

  According to the present invention, since a clock that cannot be operated from the outside after the initial setting is used, the time is not falsified, and in addition, the time stamp data can be generated using the time at which the time audit was performed. Highly reliable time stamps can be issued.

Hereinafter, an embodiment of the present invention will be described with reference to the drawings.
FIG. 1 is an overall configuration diagram of a time stamp system according to an embodiment of the present invention. As shown in the figure, the time stamp system includes a time stamp device 10 as a TSU (Time-Stamping Unit) used in a TSA (Time-Stamping Authority), and the time stamp device 10. Time audit authority system 70 of a time authority (TA) that issues a time audit certificate indicating an audit result of a time generated by receiving power supplied from an independent power source provided in the apparatus, and a time stamp The client terminal 80 requests the apparatus 10 to issue a time stamp, receives the time stamp data, and adds it to the digital document. The time stamp apparatus 10 and the time audit station system 70 are connected by a network such as ISDN, for example. Further, for example, a personal computer (hereinafter referred to as “PC”) is used as the client terminal 80, and the time stamp device 10 is connected via a network such as the Internet or a LAN (Local Area Network). Or a connector such as a USB.

  FIG. 2 is a functional block diagram of a time stamp apparatus 10 (TSU) according to an embodiment of the present invention. In the figure, the time stamp device 10 includes a local clock unit 20, a time stamp processing unit 30, a communication unit 50, a time stamp receiving / outputting unit 51, and a display unit 52. The time stamp device 10 can be configured by connecting a local security unit 20 and a hardware security module (HSM) as the time stamp processing unit 30 to a computer device such as a PC, for example. In this case, the communication unit 50, the time stamp reception / output unit 51, and the display unit 52 can be realized by a PC.

  The communication unit 50 transmits / receives data to / from other devices, and here, performs encrypted communication with the time audit station system 70 and the client terminal 80 using SSL (Secure Socket Layer) or the like. The time stamp receiving / outputting unit 51 receives a time stamp request from the client PC as the client terminal 80, notifies the time stamp processing unit 30, and returns the time stamp generated by the time stamp processing unit 30 to the client terminal 80. . The display means 52 is a display or lamp such as an LCD (Liquid Crystal Display), and displays information.

  The local clock unit 20, which is an HSM, includes time setting means 21, independent power supply means 22a and 22b, oscillation means 23a and 23b, time control means 24a and 24b, time A temporary holding means 25a, time B temporary holding means 25b, and encryption. Time label holding means 26 a and 26 b and signal transmission means 27 are provided.

  The independent power supply means 22a supplies power to the oscillation means 23a, and the independent power supply means 22b supplies power to the oscillation means 23b. The oscillating means 23a and 23b generate and output an oscillation signal having a predetermined frequency based on the frequency of the source oscillator. The time control unit 24a generates a time using the oscillation signal output from the oscillation unit 23a, and temporarily writes the generated time in the time A temporary holding unit 25a. Similarly, the time control unit 24b generates a time using the frequency signal output from the oscillation unit 23b, and temporarily writes the generated time in the time B temporary holding unit 25b. Here, the time generated by the time control unit 24a using the oscillation signal A that is the oscillation signal from the oscillation unit 23a is referred to as time A, and the time control unit 24b uses the oscillation signal B that is the oscillation signal from the oscillation unit 23b. The time to be generated is time B. The encryption time label holding means 26a and 26b store information in which the time is associated with the encryption time label corresponding to the time, and the time control means 24a is the encryption time corresponding to the generated time A. The encryption time A which is a label is read from the encryption time label holding unit 26a and output to the signal transmission unit 27, and the time control unit 24b converts the encryption time B which is the encryption time label corresponding to the generated time B into the encryption time. Read from the label holding means 26 b and output to the signal transmitting means 27. The signal transmission unit 27 outputs the information of the encryption time A and the encryption time B and the identification number of the local clock unit 20 to the time stamp processing unit 30.

  The time stamp processing unit 30 which is an HSM includes a signal receiving unit 31, a decrypting unit 32, encrypted time label holding units 33a and 33b, a local clock identification number confirmation unit 34, a time A holding unit 35a, a time B holding unit 35b, Time stamp issuance control means 36, time audit control means 37, signature key / certificate holding means 38, time audit certificate holding means 39, time comparison means 40, time stamp creation means 41, signature means 42, time stamp time confirmation means 43.

  The signal receiving unit 31 receives the encryption time A, the encryption time B, and the identification number of the local clock unit 20 from the local clock unit 20. The decrypting means 32 refers to the encrypted time label holding means 33a that stores information in which the time A and the encrypted time A are associated with each other, decrypts the received encrypted time A into the time A, and sends it to the time A holding means 35a. Write. Similarly, the decrypting means 32 decrypts the encrypted time B received with reference to the encrypted time label holding means 33b that stores the information that associates the time B with the encrypted time B into the time B, and the time B holding means Write to 35b. The local clock identification number confirmation unit 34 confirms the validity of the local clock unit 20 that has output the encryption time A and the encryption time B based on the received identification number of the local clock unit 20.

  The time audit control unit 37 sends the time A or time B information to the time audit station system 70 and the device authentication certificate data (hereinafter simply referred to as “device”) of the time stamp device 10 read from the signature key / certificate holding unit 38. A time audit request in which "authentication certificate" is set is transmitted to the time audit authority system 70, and the returned time audit certificate data (hereinafter simply referred to as "time audit certificate" or "time audit certificate") ) Is written in the time audit certificate holding means 39. The time stamp issuance control means 36 receives the time stamp request data from the time stamp reception / output means 51, determines whether or not a time stamp can be created, and if it can be created, the time stamp issuance control means 36 proceeds to the time stamp creation means 41. Instructs creation of a time stamp. The time comparison means 40 determines whether the currently held time information is correct by comparing time A and time B. The time stamp creating means 41 uses the information in the time stamp request data for creating the time stamp, the data of the time A or the time B when it is determined to be correct by the time comparing means 40 and the time audit control means 37. Time stamp data before digital signature is generated. The signature unit 42 adds an electronic signature to the time stamp data generated by the time stamp generation unit 41 using a signature key that is a secret key for signature of the time stamp device 10. If the stamp time in the generated time stamp data is the time A, the time stamp time confirmation unit 43 has an error from the time B held in the time B holding unit 35b. If the error from the time A held in the A holding means 35a is within a predetermined allowable value, the time stamp data is output to the time stamp receiving / outputting means 51.

  When the client terminal 80 is a portable computer terminal such as a mobile computer, the local clock unit 20 and the HSM as the time stamp processing unit 30 are configured to be directly connected to the client terminal 80 by USB or the like. Can do. In this case, the communication unit 50 that communicates with the time inspection station system 70 and other devices, the time stamp reception / output unit 51, and the display unit 52 can be realized by the client terminal 80.

  The time audit bureau system 70 receives a time audit means 71 for receiving a time audit request, the time set in the received time audit request, and the UTC (Coordinated Universal Time) managed by the time audit bureau system 70 with high accuracy. A time audit certificate issuing means 72 for detecting a time lag from the correct current time synchronized with (Coordinated Universal Time) and returning a time audit certificate to which the time error and the electronic signature of the time audit authority are added. .

  When a time stamp is generated in a mobile PC environment or the like that cannot be always connected to the time distribution audit server, the time audit certificate received once is desired to be valid after the mobile PC is stopped / started. However, in the conventional time stamp apparatus, the HSM that performs time stamp processing is connected to a personal computer (PC) and operates by receiving power supply. Therefore, if the PC is restarted or stopped after receiving a time audit for the clock in the HSM, the clock is also initialized. Therefore, it was necessary to receive time distribution and audit again after the start. Therefore, it is conceivable to have an independent power supply (battery) in the HSM. However, this makes it possible to keep the time for a certain period, but since the power supply is provided in the HSM, if the power supply stops operating, other functions, that is, a signature encryption processing function, a time stamp generation function Although the data processing function, the memory function, the communication function, etc. operate normally, the HSM itself needs to be discarded / replaced, which is not economical. Therefore, in the time stamp device 10 according to the present embodiment, the local clock unit 20 that operates by receiving power from the autonomous power supply is detachable, and when the power is cut off, only the local clock unit 20 is replaced with a new one. It can be exchanged. While the local clock unit 20 is not exchanged with another local clock unit 20, the time audit certificate received once is stored in the time audit certificate holding means 39 of the time stamp processing unit 30 and is stored in another local clock unit. When it is detected that the clock unit 20 has been replaced, the local clock identification number confirmation unit 34 of the time stamp processing unit 30 deletes the time audit certificate stored in the time audit certificate holding unit 39.

FIG. 3 shows an example of data held by the encrypted time label holding unit 26a of the local clock unit 20. The encrypted time label holding unit 26b holds similar data.
The encrypted time label holding means 26a, 26b includes a time label indicating time information, an encrypted time label corresponding to the time label, a hash value generated from the encrypted time label and the identification number, and the remaining number of days. Information associated with the label and an identification number identifying the local clock unit 20 are held, and these pieces of information are output to the time stamp processing unit 30 as transmission data. By holding such data, the local clock unit 20 can generate the information of the time A and time B generated by itself only during the date and time period indicated by the time labels held by the encrypted time label holding means 26a and 26b. The data can be output to the time stamp processing unit 30. Therefore, the encrypted time label holding means 26a and 26b hold a time label corresponding to a period during which the local clock unit 20 is guaranteed to operate correctly (for example, a period during which the independent power supply means 22a and 22b can supply power). As a result, it is possible to prevent the local clock unit 20 from being used when the period has passed. In the following, the encryption time label, identification number, hash value, and remaining days label corresponding to time A will be referred to as encryption time label A, identification number A, hash value A, and remaining days label A. The corresponding encryption time label, identification number, hash value, and remaining day number label are described as encryption time label B, identification number B, hash value B, and remaining day number label B.

  The hash value held in the encryption time label holding means 26a, 26b is, for example, 40 hexadecimal digits by using an algorithm such as SHA1 (Secure Hash Algorithm 1) from information obtained by combining the encryption time label and the identification number. A hash value of (160 bits) is calculated, and only the first 20 digits of the calculated hash value are extracted. In addition, the remaining number of days label indicates how many days are left until the date indicated by the label corresponding to the last time among the held time labels, that is, until the date that can be used is reached. By displaying the remaining number of days indicated by the remaining number of days label on the display means 52, it is possible to notify the user that the expiration date of the local clock unit 20 is almost over and prompt the user to replace the local clock unit 20 with a new one. Note that the date and time when “−1” is set in the remaining days label indicates that there is a sufficient number of days until the expiration date is reached. Further, the remaining time may be used instead of the remaining days.

FIG. 4 shows an example of data held by the encrypted time label holding means 33 a of the time stamp processing unit 30. The encrypted time label holding unit 33b also holds similar data.
In the figure, encrypted time label holding means 33a and 33b hold information in which an encrypted time label is associated with a decryption time label indicating a time after decryption of the encrypted time label. For example, the encrypted time label holding means 26a and 26b hold information for one year, the encrypted time label holding means 33a and 33b hold information for 20 years, and the like. Furthermore, by holding information corresponding to a time of a sufficiently longer period than the encrypted time label holding means 26a, 26b, the time can be decrypted even when the local clock unit 20 is replaced with a new one. Hereinafter, a decryption time label corresponding to the encryption time label A is referred to as a decryption time label A, and a decryption time label corresponding to the encryption time label B is referred to as a decryption time label B.

FIG. 5 is a diagram for explaining the time stamp control flag held in the storage means included in the time stamp issue control means 36.
As shown in the figure, the time stamp control flag includes four flags F0 to F3, and a time normal flag or a time abnormal flag is set in each of the flags F0 to F3. In the flag F0, a time normal flag N0 indicating that the local clock unit 20 is normal or a time abnormality flag E0 indicating that the local clock unit 20 is abnormal is set. In the flag F1, a time normal flag N1 indicating that the time audit is normal or a time abnormality flag E1 indicating that the time audit is abnormal is set. In the flag F2, a time normal flag N2 indicating that it is within the valid period indicated by the time audit certificate or a time abnormality flag E2 indicating that it is outside the valid period is set. As a result of the comparison between time A and time B, a time normal flag N3 indicating that the time is normal or a time abnormality flag E3 indicating that the time is abnormal is set in the flag F3.

Next, the operation of the time stamp device 10 will be described.
FIG. 6 is a diagram showing an outline operation flow of the time stamp apparatus 10, and each flow is repeatedly executed.
First, time A and time B are initially set in the local clock unit 20 (step S101). After the initial setting, the local clock unit 20 starts generating time A and time B, and corresponds to the generated time A every time time A is generated at a constant cycle (for example, every second). Encrypted time label corresponding to the generated time B each time the generated data A including the encrypted time label A, the identification number A, the hash value A, and the remaining number of days label A is generated. Transmission data B including information of B, identification number B, hash value B, and remaining days label B is output to the time stamp processing unit 30 (step S102).

  Each time the time stamp processing unit 30 receives transmission data A and transmission data B from the local clock unit 20, the time stamp processing unit 30 confirms the validity of the transmission data, and transmits the time A from the encrypted time label A of the transmission data A. Time B is obtained from the encryption time label B of data B (step S111). The time stamp processing unit 30 compares the obtained time A and time B to determine whether the time is normal, and holds a time stamp control flag indicating the determination result as issuance permission information (step S112).

  The time stamp processing unit 30 sets time A or time B information obtained in step S111, and periodically (or makes necessary) a time audit request to which the device authentication certificate of the time stamp processing unit 30 is added. In response (non-regularly), it is transmitted to the time audit bureau system 70. Thereby, the time audit certificate indicating the time audit result is received from the time audit station system 70 (step S121). The time stamp processing unit 30 determines whether a time audit certificate indicating that the time is an error within the normal time is received, and holds a time stamp control flag indicating the determination result as issue permission information. Whether time A or time B is used for the time audit request follows a predetermined rule. For example, time A (or time B) can always be used, or time A and time B can be used every time or alternately every predetermined time (number of times). Further, the time audit request may be transmitted autonomously from the time stamp device 10 every predetermined time. The time audit request transmitted from the time audit station system 70 every predetermined time is received and transmitted. It may be. The time audit can be performed at a cycle shorter than the expiration date that can be set in the time audit certificate, such as every several hours.

  The time audit certificate includes error information indicating how long the time notified by the time audit request is from UTC and information on the expiration date of the time audit certificate. If the time is large, a zero value is set as the expiration date. The time stamp processing unit 30 determines whether the time A or the time B notified from the local clock unit 20 is correct based on the expiration date information set in the received time audit certificate, and indicates the determination result. The stamp control flag is held as issuance permission information, and the expiration date of the time audit certificate is checked every predetermined time (for example, at the same interval as the reception interval of the transmission data A and B) (step S122). The time stamp processing unit 30 holds the received time audit certificate until the next time audit certificate is received or until the exchange of the local clock unit 20 is detected.

  When the time stamp issuing request is received from the client terminal 80, the time stamp processing unit 30 has a normal time by comparing the time A and the time B in step S112 based on the time stamp issuance permission information (time stamp control flag). And the time is determined to be within the normal time from the time audit certificate received in step S121, and the current time is within the validity period indicated by the time audit certificate held. Is confirmed, the time stamp data is generated from the current time A or time B and returned to the client terminal 80 (step S131). For generating the time stamp data, if the currently held time audit certificate is for the time A at the time audit, the current time A is used, and if it is for the time B at the time audit, Use the current time B. In addition, after the time stamp data is generated and before output to the client terminal 80, the time in the time stamp data is checked based on the confirmation time A or time B that is not used for generating the time stamp data.

  The time stamp request received from the client terminal 80 includes hash data of a digital document to which a time stamp is desired. The time stamp data generated by the time stamp processing unit 30 in response to the time stamp request includes data including the hash data of the digital document acquired from the time stamp request, the current time A or time B, and the time audit certificate. It is an electronic signature with the signature key of the time stamp device 10.

  When verifying the time stamp of the digital document, the client terminal 80 recalculates the hash data of the digital document and uses the public key paired with the signature key of the TSA (time stamp device 10) to obtain the electronic signature value of the time stamp data. The validity is confirmed by decrypting and verifying. The public key may be received in advance and held in the client terminal 80, or may be included in the time stamp data. If the recalculated hash value matches the hash value included in the time stamp data, it can be proved that the digital document exists at the time stamp time indicated by the time stamp data. It is judged that there was.

  Next, detailed operation of the time stamp apparatus 10 will be described. Here, it is assumed that the oscillating means 23a and 23b output an oscillation signal having a period of 1 second.

FIG. 7 is a detailed flow of the time initial setting process in step S101 of FIG. Here, a case where the initial setting of time A is performed will be described.
The time setting unit 21 of the local clock unit 20 determines whether a flag indicating that the time A has been initialized is set in the storage unit provided in the time setting unit 21 (step S201). When the time setting means 21 determines that the flag indicating that the time A has been initialized is not set (step S201: YES), the time setting means 21 receives a time label based on the time output from the TA from an external time setting device. Then, the reception timing of the time label is synchronized with the oscillation signal A generated by the oscillation means 23a (step S202). The time setting means 21 determines whether or not the synchronization error resulting from the synchronization in step S202 is smaller than a predetermined specified value (step S203). If it is determined that the value is equal to or greater than the predetermined specified value (step S203: NO), the process returns to step S202 and the synchronization process is performed again.

When it is determined that the synchronization error resulting from the synchronization in step S202 is smaller than the predetermined specified value (step S203: YES), the time control unit 24a displays the time label indicating the acquired time A as time A temporary. The time setting means 21 sets the flag indicating that the time A has been initialized (step S205) in the storage means included in the time setting means 21 (step S205).
If it is determined in step S201 that the flag indicating that the time A has been initially set is set (step S201: NO), the process ends.

  Although the initial setting process for time A has been described above, the same applies to the initial setting for time B. In the case of the initial setting process for time B, the oscillating means 23a, the time control means 24a, the time A temporary holding means 25a, the oscillation signal A, and the time A are respectively set to the oscillating means 23b, the time control means 24b, the time B temporary holding means 25b, The oscillation signal B and time B may be replaced.

FIG. 8 is a detailed flow of the time generation transmission process in step S102 of FIG. Here, the case of performing time generation transmission processing at time A will be described.
The time control unit 24a obtains a time A ′ that is a past time A held in the time A temporary holding unit 25a based on the oscillation rising timing of the oscillation signal A output from the oscillation unit 23a (oscillation unit A). Then, a new time A is generated by adding 1 second to the time A ′, and is set in the time A temporary holding means 25a (step S301). The time control unit 24a uses the encrypted time label holding unit to transmit the information of the encrypted time label A, the identification number A, the hash value A, and the remaining number of days label A corresponding to the time A as the transmission data A indicating the time A. It reads from 26a (step S302). The time control unit 24a determines whether or not the information has been successfully read from the encrypted time label holding unit 26a based on whether the read data is 0 (step S303). If it is determined that the information has been successfully read (step S303: YES), the signal transmission unit 27 reads the encrypted time label A, the identification number A, the hash value A, and the read value from the encrypted time label holding unit 26a. Then, the transmission data A including the information of the remaining number of days label A is transmitted to the time stamp processing unit 30 (step S304), and the processing from step S301 is repeated again. If it is determined that reading of information from the encrypted time label holding unit 26a has failed (step S303: NO), the process ends.

  Although the time generation / transmission process at time A has been described above, the same applies to the time generation / transmission process at time B. In the case of time generation transmission processing at time B, the oscillation means 23a, time control means 24a, time A temporary holding means 25a, encrypted time label holding means 26a, oscillation signal A, time A, time A ', transmission data A, encryption Oscillating means 23b, time control means 24b, time B temporary holding means 25b, encrypted time label holding means 26b, oscillation signal B, time B, respectively. , Time B ′, transmission data B, encrypted time label B, identification number B, hash value B, remaining number of days label B.

FIG. 9 is a detailed flow of the time setting process in step S111 of FIG. Here, the case where the time setting process of time A is performed will be described.
The signal receiving means 31 of the time stamp processing unit 30 receives the transmission data A from the local clock unit 20 (step S401). The decryption means 32 determines whether the encryption time label A set in the transmission data A is not all 0 (a series of 0s) and does not match the encryption time label A received before. It is determined whether label A is valid (step S402). If it is determined that it is valid (step S402: YES), the decryption means 32 reads the decryption time label A corresponding to the encryption time label A from the encryption time label holding means 33a (step S403). At this time, processing is performed by sequentially searching the rows after the row from which the previous decoding time label A is read, or by searching only the rows near the row from which the previous decoding time label A is read. Can be speeded up. The decoding unit 32 obtains the time A ′ that is the past time A held in the current time A holding unit 35a, and the time indicated by the read decoding time label A, that is, the time A is the time A ′. It is determined whether or not the time is further advanced (step S404).

When it is determined that the time A is a time advanced from the time A ′ (step S404: YES), the local clock identification number confirmation unit 34 confirms the validity by the clock identification (step S405). Details of this processing will be described later.
When the local clock identification number confirmation means 34 determines that the clock identification is correct, the decryption means 32 stores the decryption time label A in the time A holding means 35a (step S406), and the time stamp issuance control means 36 The clock normal flag N0 is set in the storage means provided (step S407). When the remaining number of days label A set in the transmission data A is a negative value (step S408: YES), the decrypting means 32 repeats the processing from step S401 again, and the remaining number of days label A is a positive value. If this is the case (step S408: NO), the remaining number of days is displayed on the display means 52, or a warning is output by a warning means (not shown) (for example, a device that informs the user that the local clock replacement time is near) ( Step S409), the processing from step S401 is repeated again.

  When it is determined in step S402 that the encrypted time label A is not valid (step S402: NO), or when it is determined in step S404 that the time A is not a time advanced from the time A ′ (step S402). (S404: NO), the decryption means 32 sets the clock abnormality flag E0 in the storage means included in the time stamp issue control means 36 (step S410), and ends the process.

Although the time setting process when the transmission data A is received has been described above, the same applies to the time setting process when the transmission data B is received. In the case of time setting processing when transmission data B is received, encrypted time label holding means 33a, time A holding means 35a, time A, time A ′, transmission data A, encrypted time label A, and decryption time label A , Remaining time number label A is encrypted time label holding means 33b, time B holding means 35b, time B, time B ', transmission data B, encrypted time label B, decryption time label B, remaining day number label B and Replace it.
The decryption key may be stored in advance, and the encrypted time labels A and B may be decrypted each time.

FIG. 10 is a detailed flow of the time comparison process in step S112 of FIG.
The time comparison unit 40 acquires the time A information from the time A holding unit 35a and the time B information from the time B holding unit 35b (step S501), and the time error between the time A and the time B is a predetermined rule. It is determined whether it is smaller than the value (step S502). When it is determined that the time difference between the time A and the time B is smaller than the predetermined specified value (step S502: YES), the time comparison unit 40 stores the clock normal flag N3 in the storage unit included in the time stamp issue control unit 36. Is set (step S503), and the process returns to step S501. On the other hand, when it is determined that the time difference between the time A and the time B is equal to or greater than the predetermined specified value (step S502: NO), the time comparison unit 40 stores the clock in the time stamp issuance control unit 36. The abnormality flag E3 is set (step S504), and a warning is output by the display means 52 or a warning means (not shown) to prompt replacement of the local clock (step S505).

FIG. 11 is a detailed flow of the time audit process in step S121 of FIG. Hereinafter, a case where the time audit is performed based on the time A will be described.
The time audit control unit 37 detects that it is a predetermined time for transmitting the time audit request, or receives a time audit instruction from the time audit station system 70 (step S601). The time audit control unit 37 receives the TA device authentication certificate from the time audit station system 70 (step S602) and confirms the validity (step S603). Further, by transmitting the device authentication certificate of the time stamp apparatus 10 obtained from the signature key / certificate holding means 38 to the time audit authority system 70, the time audit authority system 70 confirms that the time stamp apparatus 10 is correct. If the TA device authentication certificate is determined to be correct (step S603: YES), the communication means 50 establishes SSL encrypted communication. The time audit control unit 37 acquires the time A from the time A holding unit 35a, and transmits a time audit request in which the acquired time A is set to the time audit station system 70 (step S604).

  When an abnormality such as a communication error does not occur and the transmission of the time audit request is successful (step S605: YES), the time audit control unit 37 receives the time audit certificate from the time audit station system 70. The time audit control unit 37 writes the received time audit certificate and the identification number A in the transmission data A in the time audit certificate holding unit 39 (step S606). The time audit control unit 37 determines that the time audit is successful if a normal value (positive value) is set in the expiration date information of the received time audit certificate (step S607: YES), and the time stamp. Information on the expiration date of the time audit certificate is set in the storage means held by the issue control means 36, and the clock normal flags N1 and N2 are set (step S608). The time comparison unit 40 performs the audit in the time audit certificate from the audit time in the time audit certificate, the time A acquired from the time A holding unit 35a, and the information on the time B acquired from the time B holding unit 35b. A time error of time B with respect to time is calculated (step S609). If the time error of the calculated time B with respect to the TA time is smaller than a predetermined specified value (step S610: YES), the process is terminated as it is.

If it is determined in step S603 that the TA device authentication certificate is not correct (step S603: NO), if the time audit request transmission fails in step S605 (step S605: NO), the display means 52 or A warning of failure of time audit is output by warning means (not shown) (step S613).
In step S607, when the time expiration date information in the time audit certificate is not positive (step S607: NO), the clock abnormality flag E1 is set in the storage unit included in the time stamp issue control unit 36 ( Step S611), a warning is output by the display means 52 or a warning means (not shown) to prompt the exchange of the local clock (Step S613).
In step S609, when the time error of the calculated time B with respect to the TA time is equal to or greater than a predetermined value (step S610: NO), the clock abnormality flag E3 is set in the storage unit included in the time stamp issue control unit 36. Then, a warning is output by the display means 52 or a warning means (not shown) to prompt replacement of the local clock (step S613).

  Although the audit process at time A has been described above, the same applies to the audit process at time B. In the case of the audit process at time B, time A holding means 35a, time A, identification number A, time B holding means 35b, and time B are set as time B holding means 35b, time B, identification number B, time A holding means 35a, respectively. The time A may be replaced.

FIG. 12 is a detailed flow of the time audit certificate expiration date check process in step S122 of FIG. Hereinafter, a case where the immediately preceding time audit is performed at time A will be described.
When the time normality flag N1 is set in the time stamp issuing control means 36 (step S701), the time audit control means 37 reads the information of time A from the time A holding means 35a (step S702). The time audit control unit 37 issues a time stamp when the read time A is within the expiration date set in the time audit certificate held in the time audit certificate holding unit 39 (step S703: YES). The time normal flag N2 is set in the storage means provided in the control means 36 (step S704). Further, the time audit control unit 37 determines whether or not the expiration date set in the time audit certificate becomes the expiration date after the specified number of days (or time) (step S705). If it is determined that the expiration date is not yet reached after the specified number of days (or time), the process ends (step S705: NO), and if the expiration date is determined after the specified number of days (or time) Then, the remaining number of days or the remaining time is displayed on the display means 52 or a warning means (not shown) to warn that the time audit certificate is almost due (step S706).

The time audit control unit 37 ends the process when the time normal flag N1 is not set in the time stamp issuance control unit 36 (step S701: NO).
In step S703, when the read time A exceeds the expiration date set in the time audit certificate (step S703: NO), the time abnormality flag E2 is stored in the storage unit included in the time stamp issue control unit 36. Is set (step S707), and a time audit request is transmitted to the TA time audit station system 70 (step S708).

  In the above description, the time audit certificate expiration date check process when the previous time audit is performed at time A has been described, but the same applies to the time audit certificate expiration date check process when the immediately previous time audit is performed at time B. is there. In the case of the time audit certificate expiry date check process when the previous time audit is performed at time B, the time A holding means 35a, time A, and remaining day number label A are respectively time B holding means 35b, time B, remaining day number label. Replace with B.

FIG. 13 is a detailed flow of the time stamp issuing process in step S131 of FIG. Hereinafter, a case where the immediately preceding time audit is performed at time A will be described.
The time stamp issuance control means 36 receives time stamp request data from the client PC as the client terminal 80 via the communication means 50 and the time stamp reception / output means 51 (step S801). The time stamp issuance control means 36, when the clock normal flag N0 is set in the storage means (step S802: YES) and the time normal flag N3 is set by time comparison (step S803: YES), Information on the time A, which is the current time, is acquired from the A holding means 35a (step S804). When the time stamp issuance control means 36 refers to its own storage means and determines that the time A is within the validity period and that the time normal flags N1 and N2 have been set (step S805: YES), The time stamp creating means 41 is instructed to generate a time stamp using the time A. The time stamp creating means 41 generates plaintext data of a time stamp including the hash data of the digital document acquired from the time stamp request, the time A, and the time audit certificate held in the time audit certificate holding means 39. Generate. The signature unit 42 performs an electronic signature on the generated plaintext data using the signature key of the TSA (time stamp device 10) read from the signature key / certificate holding unit 38, and adds it to the plaintext data ( Step S806). The time stamp time confirming unit 43 determines that the time error between the time A that is the stamp time in the time stamp data generated in this way and the time B acquired from the time B holding unit 35b is smaller than a predetermined specified value. (Step S807: YES), a time stamp response including the generated time stamp data is returned to the client PC (Step S808).

  When the clock normal flag N0 is not set in the storage means (step S802: NO), when the time normal flag N3 is not set (step S803: NO), when the time A is not within the expiration date, or If the time normal flags N1 and N2 are not set in the storage means (step S805: NO), or the time A that is the stamp time in the time stamp data and the time B acquired from the time B holding means 35b If the time error is equal to or greater than the predetermined specified value (step S807: NO), the time stamp creating means 41 returns a time stamp response in which an error is set to the client PC (step S809).

  In the above description, the time stamp issuing process when the immediately preceding time audit is performed at the time A has been described, but the same applies to the time stamp issuing process when the immediately preceding time audit is performed at the time B. In the case of the time audit certificate expiry date check process when the immediately preceding time audit is performed at time B, time A holding means 35a, time A, time B holding means 35b, and time B are set as time B holding means 35b and time B, respectively. The time A holding means 35a and the time A may be replaced.

FIG. 14 is a flow of the time audit certificate presence / absence confirmation process, which is executed at predetermined time intervals such as every second and before the time audit certificate expiration date check process of FIG.
The time audit control unit 37 determines whether or not the time audit certificate holding unit 39 holds the time audit certificate (step S901). When the time audit certificate is held, the time audit certificate expiration date check process shown in FIG. 12 is executed (step S902), and the processes from step S901 are repeated. On the other hand, when the time audit certificate is not held in the time audit certificate holding means 39, the clock abnormality flags E1 and E2 are set in the storage means included in the time stamp issuance control means 36, and the processing from step S901 is repeated. (Step S903).

FIG. 15 is a detailed flow of the clock identification confirmation process in step S405 of FIG.
The local clock identification number confirmation unit 34 uses the SHA1 that is the same algorithm as the hash algorithm held in the local clock unit 20 from information obtained by combining the encrypted time label A and the identification number A set in the transmission data A. A hash value α is calculated using an algorithm (step S1001). If the first 20 digits of the calculated hash value α are the same as the hash value A set in the transmission data A (step S1002: YES), the local clock identification number confirmation unit 34 determines the time audit certificate holding unit 39. Is acquired (step S1003), and it is determined whether it matches the identification number A acquired from the transmission data A (step S1004). When the identification number A ′ and the identification number A match (step S1004: YES), the local clock identification number confirmation unit 34 terminates the processing. When the identification number A ′ and the identification number A do not match (step S1004: NO), the time clock certificate holding unit The time audit certificate stored in 39 is erased (step S1005).

  If it is determined in step S1002 that the calculated hash value α does not match the hash value A set in the transmission data A, the local clock identification number confirmation unit 34 stores the time audit certificate holding unit 39. The stored time audit certificate is erased (step S1006), and the clock abnormality flag E0 is set in the storage means included in the time stamp issue control means 36 (step S1007).

  In the above, the clock identification confirmation process when the transmission data A is received has been described, but the same applies to the clock identification confirmation process when the transmission data B is received. In the case of the clock identification confirmation processing when the transmission data B is received, the transmission data A, the encryption time label A, the identification number A, the hash value A, and the identification number A ′ are respectively set to the time B, the transmission data B, and the encryption time. The label B, the identification number B, the hash value B, and the identification number B ′ may be replaced.

In this way, by including the unique identification number for identifying the local clock unit 20 and the hash value in the transmission data transmitted from the local clock unit 20, the time stamp processing unit 30 receives a time audit certificate in the past. It is compared with the identification number of the watch, and if there is a change, the time audit certificate received in the past is deleted. The hash value is generated from the encrypted time label and the identification number. However, since the hash value exists, it is not necessary to create the encrypted time label for each local clock unit 20, and the time stamp processing unit 30 stores the hash value. Power decoding data can be reduced. Further, it is possible to prevent the time audit certificate from being used continuously by inputting a new local clock unit 20 and a fake identification number (because it is fixed).
Therefore, as long as the time audit certificate is within the validity period, even when the time stamp device 10 is turned off, it is possible to issue a time stamp again without starting a new time audit at the time of activation.

16 and 17 show examples of the hardware configuration of the local clock unit 20.
In FIG. 16, the hardware security unit of the local clock unit 20 includes a CPU (central processing unit) 101a, an EEPROM (Electronically Erasable and Programmable Read Only Memory) 102a, a RAM (Random Access Memory) 103a, a power supply unit 104a, a clock 105a, A configuration in which an input I / F (interface) 106a and an output I / F 107a are connected by a bus 108a, a CPU 101b, an EEPROM 102b, a RAM 103b, a power supply unit 104b, a clock 105b, an input I / F (interface) 106b, and an output I / F107b is connected by a bus 108b.

The CPU 101a is a central processing unit that performs calculation and control, and implements the time setting means 21 and the time control means 24a of FIG. The EEPROM 102a stores the programs of the time setting unit 21 and the time control unit 24a, and realizes the encrypted time label holding unit 26a. The RAM 103a is a readable / writable memory, and includes a work area when the CPU 101a executes various programs, and implements the time A temporary holding means 25a. The power supply unit 104a implements the independent power supply unit 22a, and the timepiece 105a implements the oscillation unit 23a.
Similarly, the CPU 101b realizes the time setting means 21 and the time control means 24b, and the EEPROM 102b stores the programs of the time setting means 21 and the time control means 24b, and the time setting means 21 and the encrypted time label holding means 26b. Realize. The RAM 103b includes a work area when the CPU 101b executes various programs, and implements the time B temporary holding unit 25b. The power supply unit 104b implements the independent power supply unit 22b, and the timepiece 105b implements the oscillation unit 23b.
The input I / Fs 106a and 106b can receive data from the outside, realize the time setting means 21, and the output I / Fs 107a and 107b can transmit data to the outside. The transmission means 27 is realized.

  In FIG. 17, the hardware security unit of the local clock unit 20 connects the CPU 101, EEPROM 102, RAM 103, power supply unit 104, clocks 105 a and 105 b, input I / F (interface) 106, and output I / F 107 via a bus 108. Configured. The oscillation means 23a and 23b are realized by the clocks 105a and 105b, respectively, but the other means are realized by common hardware.

  FIG. 18 is a diagram illustrating an example of the hardware configuration of the time stamp processing unit 30, the communication unit 50, the time stamp reception / output unit 51, and the display unit 52. In the figure, a hardware security unit 115 as a time stamp processing unit 30 includes a CPU 111, a ROM 112, a RAM 113, a storage unit 114, and a communication control unit of a computer device such as a PC connected to the hardware security unit 115 via a USB or the like. 116, the output I / F 117, the input I / F 118, and the display unit 119 are connected to the bus 121. The hardware security unit 115 includes a CPU 122, a ROM 123, a RAM 124, and an EEPROM 125.

  The CPU 111 reads a system program from the ROM 112 and controls each unit. The RAM 113b includes a work area when the CPU 111 executes various programs. The storage unit 114 is a hard disk or the like, and stores various programs as well as data. The communication control unit 116 controls the output of data to the outside by the output I / F 117 and the input of data from the outside by the input I / F 118, thereby realizing the communication unit 50 of FIG. The display unit 119 is a display device such as a display.

  The CPU 122 reads the program from the ROM 123, decrypts the program 32, the local clock identification number confirmation unit 34, the time stamp issue control unit 36, the time audit control unit 37, the time comparison unit 40, the time stamp creation unit 41, the signature unit 42, A time stamp time confirmation unit 43 is realized. The RAM 124 realizes a time A holding unit 35a, a time B holding unit 35b, and a time audit certificate holding unit 39, and the EEPROM 125 implements encrypted time label holding units 33a and 33b and a signature key / certificate holding unit 38. .

  FIG. 19 is a diagram illustrating an example of a hardware configuration of the entire time stamp apparatus 10. In FIG. 16, the output I / Fs 107a and 107b as shown in FIG. 16 are connected to the hardware security unit of the local clock unit 20 as shown in FIG. However, the output I / F 117 and the input I / F 118 are combined as an input / output I / F 120.

  FIG. 20 is a view showing the appearance of a tamper-resistant local timepiece used as the local timepiece unit 20. The tamper-resistant local timepiece has an internal module case in which internal modules consisting of CPU, RAM, EEPROM, oscillator, battery, etc. are packaged with resin, and a signal transmission terminal for inputting external signals to the internal module (initial time setting) And a terminal X and a terminal Y connected to a terminal of a coil wound around the internal module case.

  FIG. 21 is a diagram showing a module configuration of the local clock unit 20. FIG. 21A shows the shape of the coil 1, and FIG. 21B shows the shape of the coil 2. Each of the coil 1 and the coil 2 is one electric wire, and the coil 1 is wound around the inner module, and the coil 2 is wound around the coil 1 in a direction perpendicular to the coil 1. Then, the coil terminal X is connected to one terminal of the coil 1, the other terminal of the coil 1 is connected to one terminal of the coil 2, and the other terminal of the coil 2 is connected to the coil terminal Y. The coil terminal X and the coil terminal Y act as one electric wire. After the coils 1 and 2 are wound in this way, the resin is packaged in an external module case as shown in FIG. 21C, resulting in a module configuration as shown in FIG.

  FIG. 22 is a diagram for explaining unauthorized operation detection of the tamper resistant local timepiece. As shown in the figure, the tips of the coils are respectively connected to two terminals of a switch connected to the CPU. In such a configuration, when the coil is broken, the CPU detects the disconnection and erases the data of the encrypted time label stored in the EEPROM.

Specifically, when the coil is connected from the outside of the internal module in the manufacturing process, the initial disconnected state is 0, the coil connected state is 1, and the coil is broken, and the RAM is 2 Above, the initial state 0 is set, and the EEPROM data is protected. Next, when the coil is connected, the CPU detects the connection and sets state 1 on the RAM. If the CPU detects a break in the state where the state 1 is set on the RAM, the state 2 is set and the data on the EEPROM is erased.
Due to the above mechanism, when the external resin is destroyed and the coil is destroyed for the purpose of unauthorized operation, the encrypted time data on the EEPROM is erased. It becomes possible not to take out.

According to the present embodiment, the local clock of the time stamp apparatus can be set only at the time of shipment, and is not subjected to calibration / correction from an external time, so that it is not subject to time tampering. be able to.
Further, since the time label output from the local clock is encrypted, it is impossible to illegally enter a future time in the time stamp processing device. Since the time label of the local clock is encrypted in advance and held in the local clock unit, the local clock does not need a complicated cryptographic processing device. In addition, since the time stamp processing device cannot receive the time received in the past again, it is possible to block the replay attack (observing the encrypted data and transmitting the same content later).
In addition, since the time stamp processing apparatus can issue a time stamp only for the time limit specified by the time audit certificate acquired from the time auditing authority, the time stamp issuing authority depends on the time auditing authority. Therefore, it is possible to prevent a time stamp based on the tampered time from being issued.
Since the time audit certificate is valid while the local clock and time stamp processing device are connected, even if the power supply to the time stamp processing device is cut off, the validity period of the time audit certificate after the power is resupplied If it is within, you can continue issuing time stamps.
In addition, by making the local timepiece detachable, maintenance becomes easy, it is economical, and time accuracy can be guaranteed. And when the local clock replacement timing, that is, several days before the label disappears, when an error occurs in the time comparison, an error is output when the time deviation is out of the allowable range due to the time audit. it can.
In addition, in order to prevent an undesirable time stamp from being continuously issued due to a significant shift in the clock after the audit, checking is performed based on the time of the two clocks so that an illegal time stamp is not issued. be able to.

It is a figure which shows the structure of the time stamp system by one embodiment of this invention. It is a functional block diagram of the time stamp apparatus by the embodiment. It is a figure which shows the example of the data which the encryption time label holding | maintenance means of the local timepiece part by the embodiment hold | maintains. It is a figure which shows the example of the data which the encryption time label holding means of the time stamp process part by the same embodiment hold | maintains. It is a figure which shows the example of the time stamp control flag which the time stamp issue control means by the embodiment hold | maintains. It is a figure which shows the outline | summary processing flow of the time stamp apparatus by the embodiment. It is a figure which shows the time initialization process flow of the time stamp apparatus by the embodiment. It is a figure which shows the time production | generation transmission processing flow of the time stamp apparatus by the embodiment. It is a figure which shows the time setting process flow of the time stamp apparatus by the embodiment. It is a figure which shows the time comparison processing flow of the time stamp apparatus by the embodiment. It is a figure which shows the time audit process flow of the time stamp apparatus by the embodiment. It is a figure which shows the time audit certificate expiration date check processing flow of the time stamp apparatus by the embodiment. It is a figure which shows the time stamp issuing process flow of the time stamp apparatus by the embodiment. It is a figure which shows the time audit certificate presence / absence confirmation processing flow of the time stamp apparatus by the embodiment. It is a figure which shows the timepiece identification confirmation processing flow of the time stamp apparatus by the embodiment. It is a figure which shows the hardware structural example of the local timepiece part by the embodiment. It is a figure which shows the hardware structural example of the local timepiece part by the embodiment. It is a figure which shows the hardware structural example of the time stamp process part by the embodiment. It is a figure which shows the hardware structural example of the time stamp apparatus by the embodiment. It is a figure which shows the structural example of the tamper resistant local timepiece by the embodiment. It is a module block diagram of the tamper resistant local timepiece shown in FIG. FIG. 21 is a diagram for explaining unauthorized operation detection of the tamper resistant local timepiece shown in FIG. 20.

Explanation of symbols

10. Time stamp device 20. Local clock part (clock part)
21 ... Time setting means (time setting unit)
22a, 22b ... Independent power supply means (power supply)
23a, 23b ... Oscillating means (oscillator)
24a, 24b ... time control means (time control unit)
25a ... Time A temporary holding means 25b ... Time B temporary holding means 26a, 26b ... Encrypted time label holding means 27 ... Signal transmission means (signal transmission section)
30 ... Time stamp processing unit 31 ... Signal receiving means (signal receiving unit)
32: Decoding means (time acquisition unit)
33a, 33b ... Encrypted time label holding means (encrypted time holding unit)
34 ... Local clock identification number confirmation means (erasing section)
35a ... Time A holding means 35b ... Time B holding means 36 ... Time stamp issuance control means 37 ... Time audit control means (time audit control section)
38 ... Signature key / certificate holding means 39 ... Time audit certificate holding means 40 ... Time comparison means 41 ... Time stamp creating means (time stamp creating section)
42 ... Signature means 43 ... Time stamp time confirmation means 50 ... Communication means 51 ... Time stamp reception / output means 52 ... Display means (output part, notification part)
70 ... Time Auditing Bureau System 80 ... Client Terminal

Claims (15)

A time stamp device comprising: a clock unit that generates time; and a time stamp processing unit that generates time stamp data using the time generated by the clock unit;
The clock unit is
Power supply,
An oscillating unit that receives supply of electric power from the power source and generates an oscillation signal having a constant period;
A time control unit that generates a time from an oscillation signal generated by the oscillation unit;
A time setting unit that sets the time only once in the time control unit and prohibits the setting of the time thereafter,
A signal transmission unit that outputs transmission data including time information generated by the time control unit at regular intervals, and
The time stamp processing unit
A signal receiving unit for receiving transmission data output at regular intervals from the signal transmitting unit;
A time acquisition unit for acquiring time information from transmission data received by the signal reception unit;
A time audit control unit that transmits time information acquired by the time acquisition unit to a time audit station system, receives time audit certificate data for the transmitted time information, and writes the time audit certificate data to the time audit certificate holding unit;
An expiration date obtained from the time audit certificate data stored in the time audit certificate holding unit when the time stamp request is received from the client terminal and the time acquired by the time acquisition unit when the time stamp request is received A time stamp generating unit that generates time stamp data according to the time and returns the data to the client terminal.
A time stamp device characterized by that.   The time stamp apparatus according to claim 1, wherein the clock unit and the time stamp processing unit have tamper resistance. The time setting unit receives the time setting request, and sets the time to the time control unit when information indicating that the initial setting of the time has been performed is not set in the storage unit included in the clock unit. In addition, information indicating that the initial setting of time has been performed is written in the storage unit.
The time stamp apparatus according to claim 1 or 2, wherein The time stamp generating unit generates time stamp data further setting the time audit certificate data;
The time stamp device according to any one of claims 1 to 3, wherein the time stamp device is provided.   The time acquisition unit determines that the acquired time information is correct when the acquired time information is a time advanced from a previously acquired time. The time stamp device according to any one of the items. The signal transmission unit outputs transmission data including encrypted time information that is the encrypted time,
The time acquisition unit decrypts information of an encryption time set in the transmission data;
The time stamp apparatus according to claim 1, wherein the time stamp apparatus is characterized in that: The clock unit is
An encryption time holding unit that holds information in which the time and the encryption time of the time are associated with each other;
The signal transmission unit reads the encryption time information corresponding to the time generated by the time control unit from the encryption time holding unit, and outputs transmission data including the read encryption time information.
The time stamp apparatus according to claim 6.   The time acquisition unit transmits the transmission data when the encryption time information set in the transmission data received by the signal reception unit is not the encryption time information set in the transmission data received in the past. The time stamp apparatus according to claim 6, wherein the time stamp device is determined to be valid.   The time stamp apparatus according to any one of claims 1 to 8, wherein the clock unit and the time stamp processing unit are detachable.   The time stamp processing unit further includes an erasing unit that erases the time audit certificate data stored in the time audit certificate holding unit when the replacement of the clock unit is detected. 9. The time stamp device according to 9.   The time stamp processing unit further includes an output unit that outputs an error when information indicating that the time is significantly shifted is set in the time audit certificate data received by the time audit control unit. The time stamp device according to any one of claims 1 to 10, wherein   The said time stamp process part is further provided with the notification part which notifies that an expiration date is near, when it becomes a predetermined period until the expiration date of the said clock part. A time stamp device according to any of the above sections.   12. The computer device connected to the client terminal via a network, the clock unit, and a hardware security module as the time stamp processing unit. The time stamp device according to the section.   13. The time stamp device according to claim 1, wherein the time stamp device is a hardware security module connected to the client terminal by a connector. A time stamp method used in a time stamp device including a clock unit that generates time, and a time stamp processing unit that generates time stamp data using the time generated by the clock unit,
In the watch part,
The oscillation unit receives supply of power from the power source included in the clock unit and generates an oscillation signal at regular intervals,
The time control unit generates a time from the oscillation signal generated by the oscillation unit,
The time setting unit sets the time only once in the time control unit, and thereafter prohibits the time setting,
While the signal transmission unit outputs transmission data including time information generated by the time control unit at regular intervals,
In the time stamp processing unit,
The signal receiving unit receives transmission data output at regular intervals from the signal transmitting unit,
The time acquisition unit acquires time information from the transmission data received by the signal reception unit,
The time audit control unit transmits the time information acquired by the time acquisition unit to the time audit station system, receives the time audit certificate data for the transmitted time information, and writes it to the time audit certificate holding unit,
The time stamp creation unit receives a time stamp request from the client terminal, and the time acquired by the time acquisition unit when the time stamp request is received is stored in the time audit certificate holding unit. If it is within the expiration date obtained from the data, the time stamp data is generated according to the time and sent back to the client terminal.
A time stamp method characterized by that.

Images