JP2000163296A - Time stamp device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To automatically add information capable of certifying the date and hour in which a file is prepared when the file is prepared and saved. SOLUTION: For instance, a date and hour certification data producing part 16 that is hermetically sealed in a card shape is connected to a computer, and date and hour certification data at the time when a file produced by the computer is saved is produced. The part 16 has a clock part, enciphers date and hour shown by the clock part with an internally stored secret key and produces date and hour certification data. The part 16 also has an abnormality detection function and eliminates the secret key when it detects abnormality due to illegal behavior. A computer controlling part 11 adds the date and hour certification data produced by the part 16 to a file and saves it in an external storing part 13.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] 1. Field of the Invention [0002] The present invention relates to a time stamp apparatus for giving a file (document) created by a personal computer or the like a date when its validity is guaranteed.

[0002]

2. Description of the Related Art Conventionally, when a file (document) is created by a personal computer or the like, data indicating the date and time of creation is stored together with the file. When a file is created, the creation date and time can be entered in the file to confirm the date and time.

Here, in order to prove the date and time of file creation, the file is authenticated by a digital signature of a witness or an authentication organization. For example, suppose you discover a new law of physics, write its contents in a document, and save it to a file. Data indicating the date and time when the file was saved is added to this file, and this data can be easily falsified. Even if the date and time when the physical law of the invention was found is written in the file, it can be easily falsified. Therefore, neither of them proves the date and time.

[0004] As a method for proving this date and time,
For example, a digest of the file (created by a hash function, etc., created from the entire contents of the file and representing the contents of the file) is sent to a trusted witness (or certificate authority), and the witness It is conceivable to add data indicating the date and time (date and time of processing) to the digest data, encrypt it with the secret key of only the witness, and send it back.

[0005]

As described above, if a public key corresponding to a private key possessed only by a witness is used, anyone can view (process) the digest of the file and the witness
Date and time data can be restored, and the restored digest
If the digests recreated from the original file match, it can be proved that the file existed at that date and time.

However, in such a method, in order to prove the date and time of creation of the file, it is necessary to send data to a witness or a certificate authority, which is very inconvenient. In addition, what can be proved is the date and time when a witness or a certificate authority views and processes the file.

SUMMARY OF THE INVENTION The present invention has been made to solve the above-mentioned problems, and has a time stamp capable of automatically adding information for certifying the creation date and time of a file when the file is created and saved. It is intended to provide a device.

[0008]

A time stamp apparatus according to the present invention comprises a date and time data generating means for generating current date and time data, and a date and time data generated by the date and time data generating means which is encrypted by a predetermined method. It is provided with a date and time certifying means for creating proof data, and a date and time certifying means for adding the date and time proof data created by the date and time certifying means to a file.

According to such a time stamp apparatus,
When a file requiring date and time certification is saved, the date and time data generated in the apparatus is encrypted and added to the file as date and time certification data. Therefore, without sending data to a witness or certificate authority,
The file creation date and time can be certified, and the certification date is not delayed from the actual creation date and time.

Further, the time stamp apparatus of the present invention includes a date and time data generating means for generating current date and time data, and data indicating the contents of the file to be saved when saving a file requiring date and time certification. And get
Date and time certifying means for creating date and time certifying data for the file by adding date and time data generated by the date and time data generating means to the data indicating the file contents and encrypting the data by a predetermined method; Date and time proof adding means for adding the date and time proof data created by the creating means to the file.

According to such a time stamp device,
When saving a file that requires date and time certification, date and time data generated in the device is added to the data indicating the contents of the file to be saved, and the encrypted data is used as the file with date and time certification data. Is added to Therefore, the file creation date and time can be certified without sending data to a witness or a certificate authority, and the certification date is not delayed from the actual creation date and time.

In this case, the verification of the certification date and time is performed by decrypting the date and time certification data to obtain data indicating the contents of the file and the date and time data, and newly creating data indicating the contents of the file obtained by the decryption. This can be done by comparing data indicating the contents of the file.

Further, according to the present invention, as a defense against the modification of the apparatus, an abnormality detecting means for detecting an abnormal state of the apparatus, and when the abnormal state is detected by the abnormality detecting means, the date and time certifying means is used. Fraud prevention means for canceling the creation processing of the date and time proof data.

With this, it is possible to detect, as an abnormal state, tampering of the date and time data generated by the date and time data generating means, an act of directly changing the date and time data generating means and the date and time certifying means, and the like. Such information can be prevented from being fraudulent by, for example, erasing information necessary for encryption when creating the data. In addition, by creating the cause when such an abnormal state is detected as history data, and encrypting and storing it,
Fraud can be found from the history data.

According to the present invention, a command encrypted by the predetermined method is received, and the command is decrypted to judge its validity as a measure against the unauthorized operation when the apparatus is initialized or adjusted. And a control unit for executing predetermined initialization processing or adjustment processing when the command is valid.

[0016] Thus, at the time of initialization or adjustment of the apparatus, it is possible to prevent an unauthorized act by another person, such as changing the date and time data by an illegally operated command.

[0017]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS An embodiment of the present invention will be described below with reference to the drawings.

FIG. 1 is a block diagram showing a configuration of a time stamp apparatus according to one embodiment of the present invention. here,
1 shows a configuration when the present invention is applied to a computer such as a personal computer.

The time stamp apparatus according to the present embodiment provides a function of certifying a save date and time as a creation date and time of the file when a file requiring the certification date and time is saved. As will be described in detail later, the date and time indicated by the present apparatus must be correct in order to prove the file creation date and time with the present apparatus. That is, for example, it must be devised so that it is impossible for somebody to commit fraud and arbitrarily change the date and time indicated by the apparatus. Therefore, in addition to the configuration for the date and time certifying operation, which is the object of the present invention, a configuration for preventing fraud is required.

As shown in FIG. 1, this apparatus comprises a computer control unit 11, a main storage unit 12, an external storage unit 13, a display unit 14, an input unit 15, and a date and time proof data creation unit 16.

The computer control section 11 is composed of, for example, a microprocessor and controls the entire apparatus. Here, the computer control section 11 creates a digest of a file to be saved and sends it to the date and time proof data creating section 16. In response to an instruction from the date and time proof data creation unit 16, processing such as displaying the occurrence of an abnormality and saving the date and time proof data created by the date and time proof data creation unit 16 by attaching it to a file is performed.

The main storage section 12 is a memory which is constituted by, for example, a DRAM or the like and is used by the computer control section 11 for processing. The external storage unit 13 is composed of, for example, a hard disk device, a floppy disk device, a CD-ROM, or the like, and stores large-volume non-volatile data which is slower than the main storage unit 12. The external storage unit 13 stores a program describing the processing procedure of the present apparatus. This program is downloaded to the main storage unit 12 at startup. The computer control unit 11 reads the program downloaded to the main storage unit 12 and executes a predetermined process.

The display unit 14 is composed of a display device such as a CRT or an LCD, and displays data. Input unit 15
Is composed of a keyboard, a mouse, and the like, and is used by a user to give instructions to a computer and to input data.

The above is the configuration of a general-purpose computer.
The date and time proof data creation unit 16 is a part that provides functions unique to the present invention.

The date and time proof data creating section 16 is hermetically sealed so as to be an independent space. Although the shape may be any shape, it is assumed that the shape is, for example, a card shape. In this case, the internal circuit is completely sealed by the card case, and only the terminal for exchanging signals with the computer control unit 11 and the terminal for the power supply are outside. These terminals are connected to the computer controller 11 and the power supply on the computer board. A gas (for example, nitrogen) having a component different from that of air is loaded in a space sealed in a card shape.

FIG. 2 shows the internal configuration of the date and time proof data creating unit 16 in the sealed card shape.

The date and time certification data creation unit 16 includes a date and time certification data creation LSI 21, an external interface unit 22, a power supply protection unit 23, an environment measurement unit 24, and a backup power supply unit 2.
5 is comprised.

The date / time proof data creation LSI 21 is a one-chip LSI that realizes the central part of the date / time proof data creation function.
It is. The external interface unit 22 is an interface unit for the date / time proof data creation LSI 21 to exchange signals with the computer control unit 11.
Besides, in addition to the role of the interface of the normal signal, it has a function of detecting when an abnormal signal is given to the terminal from outside (from outside the card) to the date and time certification data creating unit 16. When it is detected that an abnormal signal is given from the outside, it outputs an external IO abnormal signal and notifies the date / time proof data creation LSI 21 of the fact. For example,
If a high voltage is applied to the signal terminal outside the card to attempt to change the internal clock, this is detected and the date and time proof data creating unit 16 has been subjected to an illegal operation (possible possibility). Be informed).

The power supply protection unit 23 includes a date and time certification data creation L
This is a part that protects the power supplied to the SI 21 and stabilizes the power so that it can operate normally even if the power varies to some extent. Also, it has a function of detecting when an abnormal power is supplied from the outside. When it is detected that abnormal power is supplied from the outside, an external power error signal is output, and the date and time certification data creation LSI 21
Inform This is also to notify that an abnormal high voltage or low voltage is applied to the power supply and the clock is going to be out of order.

The environment measuring section 24 is a section for detecting a change in an internal environment sealed in a card shape or a change in an environment outside the card. If there is an abnormality in the environment, an environmental abnormality signal is output and the fact is notified to the date and time proof data creation LSI 21. Specifically, the environment measuring unit 24 includes a gas sensor, an optical sensor, a temperature sensor, a force (strain) sensor, and the like.

For example, when the card is opened in order to check the inside of the date and time proof data creating unit 16, the sealed gas comes out and the normal air flows. The gas sensor detects the environmental change at this time. When the card is opened, light enters, and an optical sensor detects an environmental change at this time. When the card is exposed to high or low temperature to cause a malfunction, the temperature change is detected by a temperature sensor. If the card cannot be opened but a force is applied to cause a malfunction, a force (strain) sensor detects the environmental change at this time. These sensors detect an improper operation that causes an abnormality in the operation of the date / time proof data creation unit 16 and output an environmental abnormality signal to the date / time proof data creation LSI 21 to notify the user of the fact.

In addition, any other sensor capable of detecting an environmental abnormality can be provided in the environment measuring section 24 to provide the same function as described above.

The backup power supply unit 25 is composed of, for example, a battery, and is used as a power supply for operating a clock inside the date and time certification data creation LSI 21 when no external power is supplied.

FIG. 3 shows the internal structure of the date and time proof data creation LSI 21.

The structure shown in FIG. 3 is sealed by a one-chip LSI package or the like. Among them, the LSI external interface unit 32, the LSI power supply protection unit 33, the LSI environment measurement unit 34, and the LSI backup power supply unit 35 are the external interface unit 22, power supply protection unit 23, environment measurement unit 24, backup power supply It has a function similar to that of the unit 25.

In the figure, the part preceded by "LSI"
An abnormality in the date and time proof data creation LSI 21 is detected. If the above-mentioned "LSI" is not attached, an abnormal action on the card is detected. However, if the card is successfully opened by bypassing this and an attempt is made to directly act on the date / time proof data creation LSI 21 directly, As the next defense mechanism, L
SI external interface unit 32, LSI power supply protection unit 3
3. The LSI environment measurement unit 34 and the LSI backup power supply unit 35 function.

In some cases, however, it is better to provide a sensor different from that described above in order to form a one-chip LSI. However, here, it is assumed that the sensor has the same detection function as described above. For example, a package in which the LSI is sealed is opened, and the LSI is opened.
When light is applied to look at the I circuit, the optical sensor of the LSI environment measuring unit 34 notifies the light by an LSI environment abnormal signal. In addition, a gas sensor informs that the sealed gas comes out and air flows in, and so on.

The LSI control section 31 is a CPU for controlling the operation of the present invention. RAM 36, ROM 37, Fl
The ash memory units 38 are memories used by the LSI control unit 31 for processing. The ROM unit 37 stores an operation program of the LSI control unit 31. The RAM unit 36 is used for work during processing. Fla
The sh memory unit 38 can read, write, and delete data according to an instruction from the LSI control unit 31. Even if power is not supplied to the date and time certification data creation LSI 21, the data is not erased.

The date and time certification data creation LSI 21
Is provided with three clock sections 39a to 39c (clock section 1, clock section 2, and clock section 3). These are timers for counting the date (year, month, day) and time (hour, minute, second). Each of the clock sections 39a to 39c has the same function,
They are arranged at different positions of the SI, and are controlled by different control signals from the LSI controller 31. Ideally, it is better that each of the source oscillation circuits serving as a counting source is provided separately in the LSI.

It should be noted that only one source oscillation circuit is provided outside,
A configuration in which this is shared by the three clock units 39a to 39c may be used, but is vulnerable to fraud.

According to such measures, even if a person who intends to cheat succeeds in changing the date and time of the clock section, it is located at a different position and controlled by a different control signal.
It is impossible to simultaneously deviate three clock sections 39a to 39c having different source oscillation circuits by the same amount.

When creating the date and time certification data, the LSI control section 31 has three clock sections 39a to 39c at regular time intervals.
Is checked, and if the difference is equal to or greater than a certain tolerance, it is determined that there is an abnormality (illegal).

Next, the operation of the present apparatus will be described.

(File Save Process) First, the operation of the file save process executed by the present apparatus will be described.

FIG. 4 is a flowchart showing the operation of the file saving process when the user operates the computer to save a file. This file saving process is performed, for example, when the user clicks “Save” in the file menu of the word processing software displayed on the display unit 14 with the mouse of the input unit 15 in order to save (save) a file created by a personal computer. It is started to, for example. The left side of FIG. 4 shows the processing of the computer control unit 11, and the right side shows the processing of the date and time proof data creating unit 16.

As shown in FIG. 4, when the user instructs to save the file by clicking "Save" in the file menu of the word processing software (step A11),
The computer controller 11 first creates a digest of the file to be saved (step A1).
2). The digest is data created from file data, representing data of all files. Different files create different digests from the files. For example, it is created from a file using a function called a hash function or a message summarization function. A simple method is to take a checksum.

After creating the digest of the file to be saved, the computer control section 11 sends this to the date and time proof data creating section 16 (step A13).

The date and time proof data creating unit 16 detects the date and time when the file was saved with reference to the clock units 39a to 39c (clock units 1, 2, and 3) shown in FIG. At this time, since the clocks 39a to 39c indicate three dates and times, it is possible to take an average of these, take one of them, or adopt all three, but before that, the dates and times indicated by these are considered. Needs to be checked for correctness. This is performed by checking whether or not the difference between the date and time indicated by the three clock units 39a to 39c is within a preset allowable range (step A14).

If the difference between the date and time indicated by the clock units 39a to 39c exceeds a preset allowable range, the date and time proof data creation unit 16 determines that there has been an abnormality such as falsification of the date and time data. An irregularity detection process is performed to prevent fraud (steps A14 → A15). The operation at the time of abnormality detection will be described later with reference to FIG.

On the other hand, if the difference between the date and time indicated by the clock units 39a to 39c is within a preset allowable range, the date and time proof data creation unit 16 will determine the current date and time based on the date and time obtained from the clock units 39a to 39c. Data is created and added to the digest of the file sent from the computer controller 11 (steps A14 → A16).

Next, the date and time proof data creating unit 16 checks whether or not the time stamp private key has been deleted (step A17). The time stamp private key is used to encrypt date and time certification data (file + date and time), and is stored in the flash memory unit 38 in the present embodiment (see FIG. 6). Only the date and time certification data creation unit 16 has this time stamp private key. The fact that the timestamp private key has been erased means that
It means that something went wrong in the past. That is, when there is an abnormality, the time stamp private key is erased in order to prevent creation of unauthorized date and time proof data thereafter (see FIG. 5).

If the private key for time stamp has been deleted, the date and time proof data creation unit 16 determines that the creation of the date and time proof data is impossible due to the occurrence of an abnormality, and notifies the computer control unit 11 of the fact (step). A17 → A
18 or step A15 → A18).

Computer control unit 11 receiving this notification
Saves only the file in the external storage unit 13 and displays a message to the effect that an abnormality has occurred in the date and time proof data creation unit 16 on the display unit 14 to warn the user (step A19).

If the time stamp private key is not erased and no abnormality is detected, the date and time proof data creating unit 16 uses the time stamp private key in the flash The digest to which the date and time data is added is encrypted (step A17 → A2)
0), and sends the encrypted data to the computer control unit 11 as date and time proof data for the file (step A21). Since a method of encryption using a secret key is known, a detailed description thereof will be omitted here.

Upon receiving the date and time certification data from the date and time certification data creating unit 16, the computer control unit 11 adds the date and time certification data to the file and saves it in the external storage unit 13 (step A22). Thus, when a user creates a file and serves it, the data (encrypted data) certifying the date and time at that time
Is added to the file and stored. In this case, the date and time proof data is data encrypted with the time stamp private key, and cannot be created by anyone, so it can be trusted. To restore the date and time certification data, a public key for a time stamp is required.

(Abnormality Detection Processing) Next, the abnormality detection processing executed in step A15 in FIG. 4 will be described. The processing at the time of detecting an abnormality is also executed when various abnormal signals are generated, in addition to the time of saving the file.

FIG. 5 is a flowchart showing a processing operation when an abnormality is detected.

The L provided in the date and time proof data creation unit 16
The SI control unit 31 detects a difference between the date and time obtained from the clock units 39a to 39c that exceeds an allowable range,
SI external interface unit 32, LSI power supply protection unit 3
3. When various abnormal signals output from the LSI environment measuring unit 34 or the like are received, the processing being executed is interrupted, and the processing at the time of abnormality detection as described below is executed.

That is, if the private key for the time stamp is known to another person, the date and time proof data can be created by the other person without permission. It is necessary to erase the private key for the time stamp as soon as possible. The time stamp private key is stored in a predetermined area of the flash memory unit 38 (see FIG. 6).

In this embodiment, the time stamp private key is required for encrypting the history data indicating that an abnormal signal has occurred, so that the LSI control unit 31 finishes encrypting this history data. Until the process, the time stamp private key stored in the flash memory unit 38 is loaded into an internal register (step B11). LS
Unlike the Flash memory unit 38, the data in the register of the I control unit 31 disappears when the power supply is lost.
This is more secure than storing a time stamp private key in the memory unit 38. In the present embodiment, to save power, when no processing is performed, the power supplies other than the clock unit are turned off.

When the time stamp private key is loaded from the flash memory unit 38 into the register of the LSI control unit 31, the LSI control unit 31 immediately deletes the data of the time stamp private key from the flash memory unit 38 (step B12). . Thereafter, the LSI control unit 31 creates the date and time indicated by the clock units 39a to 39c (clock units 1, 2, and 3) and the event status, that is, the data indicating "abnormality", as the history data. This history data indicates that an abnormal signal has occurred. LSI
The control unit 31 encrypts this using the time stamp private key on the register, and stores the encrypted history data in F
Writing is performed in a predetermined area of the flash memory unit 38 (step B13).

After writing the history data, the LSI controller 31
Erases the time stamp private key on the register (step B14).

As described above, when an abnormality is detected, the secret key for the time stamp, which is a key for decryption, is promptly erased so that the date and time proof data cannot be created by another person, thereby protecting against unauthorized acts. I do.

FIG. 6 shows data in the flash memory unit 38.

The flash memory unit 38 stores a time stamp private key, a time stamp public key, a manufacturer public key, a time stamp public key certificate, and history data 1 to n.
Data storage areas 38a-3 for storing respective data of
8e are provided.

The secret key for the time stamp stored in the data storage area 38a of the flash memory unit 38 and the public key for the time stamp stored in the data storage area 38b are keys that are paired in the public key cryptosystem. Of these, the time stamp private key is used for encrypting the date and time proof data (digest of the document file + date and time) and for encrypting various status information. The time stamp public key is used for restoring the date and time certification data, which is publicly disclosed.

The manufacturer public key stored in the data storage area 38c is a public key corresponding to the manufacturer private key possessed only by the company that manufactured the date and time proof data creation unit 16. This manufacturer public key is used for decrypting a clock adjustment command and a write command of a time stamp public key certificate encrypted with the manufacturer private key (see FIGS. 10 and 11).

The time stamp public key certificate stored in the data storage area 38d is a certificate indicating that the time stamp public key is genuine, and describes the expiration date of the public key, the manufacturer, and the like. (See FIG. 7). This time stamp public key certificate is made public. The history data 1 to n stored in the data storage area 38e indicate the history of the state in the date and time proof data creation unit 16.

FIG. 7 shows the data structure of the time stamp public key certificate.

The timestamp public key certificate includes, in addition to the timestamp public key and the expiration date of the date / time proof data creation unit 16, the serial number, the LSI serial number, as well as manufacturer information (eg, manufacturer name), certificate creation, and the like. The date, time, and digital signature are described.

When the manufacturer has manufactured the date and time proof data creating unit 16, the manufacturer publishes the time stamp public key certificate. Since the time stamp public key certificate has the manufacturer's digital signature, the digital signature part is restored with the manufacturer's public key and compared, so that the manufacturer described in the certificate guarantees It can be seen that this is a time stamp public key. Thereby, when a fake manufacturer manufactures the date and time proof data creation unit 16, it can be seen.

In addition, information such as a serial number is also added to the time stamp public key certificate in consideration of other conveniences.

(File Creation Date Confirmation Process) Next, a process for confirming the file creation date and time will be described.

FIG. 8 is a flowchart showing the operation of the file creation date / time confirmation processing. This file creation date and time confirmation processing is performed by the computer control unit 11.

As the time stamp public key, a public key used in advance is used. Further, the date and time proof data creation unit 16 may be inquired. In this case, the date / time proof data creation unit 16 answers the request for disclosing the time stamp public key, but never discloses the time stamp private key to the outside. Further, the date and time proof data creation unit 16 may be requested to provide a time stamp public key certificate.

When confirming the certification date and time of the file, the computer control unit 11 calls the file to be confirmed from the external storage unit 13 and uses the time stamp public key to certify the date and time attached to the file. By decrypting the data, the digest of the file and the date and time data that were the source of the date and time proof data are restored (step C11). The digest and date / time data of the restored file are stored in a predetermined area of the main storage unit 12. Since a method of decryption using a public key is known, a detailed description thereof will be omitted here.

Next, the computer control section 11 newly creates a digest of the file and stores it in the main storage section 1.
2 is stored in a predetermined area (step C12). Then, the newly created digest is compared with the restored digest, and it is determined whether or not they match (step C13).

If the newly created digest matches the restored digest, the computer control unit 11 determines that the file and its creation date and time are valid and displays the restored date and time data on the display unit 14. Is displayed to notify the user that the file has been created at that date and time (step C13 → C14). on the other hand,
If the newly created digest does not match the restored digest, the computer control unit 11 determines that the file is falsified or the date and time data is falsified, and notifies the display unit 14 to that effect. Display and warn the user (Step C13 → Step C)
15).

As described above, by restoring the date and time certification data with the public key, the digest of the file and the date and time data are obtained. At the same time, a new digest is created and the two are compared. The exact date and time of creation can be confirmed.

(Date and Time Certification Data Creation Unit Initialization Process) Next, a process for initializing the date and time certification data creation unit 16 at the time of manufacturing will be described.

FIG. 9 is a flowchart showing the operation of the date and time proof data creation unit initialization processing. When the date and time proof data creation unit 16 is completed (sealing is completed) and power is supplied thereto, an initialization process is started. Since there is a backup power supply, this initialization process is performed only at the time of manufacturing. It is assumed that the capacity of the backup power supply unit 25 shown in FIG. 2 is large enough to continue to operate during the expiration date of the date and time certification data creation unit 16.

Here, even when the initialization process is being performed, if an abnormality is detected, the operation at the time of abnormality detection is performed.
That is, in order for the initialization to be completed normally, the date and time proof data creation unit 16 must be completed and sealed.

As shown in FIG. 9, when the power is turned on,
All data in the flash memory unit 38 is erased (step D11). As a result, even if there is a manufacturer (company) who intends to commit fraud, it is impossible to rewrite the flash memory unit 38 with the content intended by the fraudulent person.

With the entire data in the flash memory section 38 deleted, the manufacturer public key is received, and
Write to a predetermined area of the sh memory unit 38 (step D
12). Further, it receives a clock adjustment command encrypted with the manufacturer secret key (step D13).

The clock adjustment commands are transmitted from the clock units 39a to 39c (clock unit 1, clock unit 1,
This is a command for setting the date and time of the clock unit 2 and the clock unit 3). The date and time data to be set is included, but some promise is made for the entire command. For example, 128
For example, a long command code composed of bits or the like is determined, complement data is added to date and time data, and the entire parity is calculated and added. This clock adjustment command is encrypted using a manufacturer secret key which is strictly managed so that the manufacturer does not leak it, and is sent to the date and time proof data creation unit 16.

The date and time proof data creation unit 16 decrypts this with the manufacturer's public key, and checks whether or not the promise is kept (step D14). Specifically, it is necessary to check whether a long command code composed of, for example, 128 bits completely matches, whether the relationship between the date and time data and its complement data is correct, whether the parity is correct, and the like. By such a check, it is understood that the manufacturer who sent the clock adjustment command is the manufacturer.

The clock adjustment process at this time will be described later with reference to FIG. This clock adjustment processing is performed not only when the power is turned on during manufacturing, but also when a clock adjustment command is received. When the clock is adjusted, the date and time immediately before the adjustment and the date and time after the adjustment are left as a history.

Next, the date / time proof data creation unit 16 generates a time stamp private key and a time stamp public key (step D15), and writes these in a predetermined area of the flash memory unit 38 (step D16). . Also, the date and time indicated by the clock units 39a to 39c (clock unit 1, clock unit 2, clock unit 3) at the present time, and the event status, that is, data indicating the "time stamp key generation" are created as history data, and The data is encrypted with the stamp private key and written in a predetermined area of the flash memory unit 38 (step D17). Thereafter, the time stamp public key is output to the outside and made public (step D18). Next, a time stamp public key certificate write command encrypted with the manufacturer private key is received (step D19). Then, the date and time proof data creating unit 16 performs a process of writing the time stamp public key certificate according to the command (step D20). The time stamp public key certificate write command also has the same mechanism as the clock adjustment command, and only the manufacturer can send this command. In this case, the mechanism of the command is a secret known only to the manufacturer. However, if the management is performed so that no one knows both the mechanism and the manufacturer's secret key, fraud within the manufacturer can be further prevented.

The writing process when the command for writing the time stamp public key certificate is received will be described later with reference to FIG. At this time, the history is left.

(Clock Adjustment Processing) Next, the operation of the clock adjustment processing executed in step D14 of FIG. 9 will be described. Note that this clock adjustment process is executed when a clock adjustment command is received, even at a time other than the initial time.

FIG. 10 is a flowchart showing the operation of the clock adjustment process.

Upon receiving the clock adjustment command encrypted with the manufacturer secret key, the date and time proof data creation unit 16
The manufacturer public key is read from the sh memory unit 38, and the received clock adjustment command is restored using the manufacturer public key (step E11).

Here, the date and time proof data creating unit 16 checks whether or not the restored clock adjustment command is an official command (step E12). This is to check whether or not the promise determined by the manufacturer has been kept, as described above. In other words, if the manufacturer decides a long command code composed of 128 bits or the like for the clock adjustment command, adds complement data to the date and time data, or calculates and adds the entire parity, etc. After restoring the command in the date and time proof data creation unit 16, the correctness of the command code is checked by checking whether the command code completely matches, the relation between the date and time data and its complement data is correct, and the parity is correct. Judge.

As a result, when it is determined that the command is not a formal command, the date and time proof data creating unit 16 executes an abnormality detection process (steps E12 to E13). Regarding this abnormality detection process, as described in FIG.
The time stamp private key on the flash memory unit 38 is quickly erased to prevent others from creating date and time proof data without permission, thereby protecting against fraud.

On the other hand, if it is determined that the command is an official command, the date and time proof data creating unit 16 sets the date and time indicated by the clock units 39a to 39c (clock unit 1, clock unit 2, and clock unit 3) at the present time. Event status, that is, data indicating "clock adjustment" is created as history data, which is encrypted with a time stamp private key and written into a predetermined area of the flash memory unit 38 (step E12 → step E14). 39a to 39c are set to the date and time specified by the command (step E15). further,
The date and time proof data creation unit 16 sets the clock units 39a to
The date and time indicated by 39c and the data indicating the event status, ie, "clock adjustment" are created as history data, and this is encrypted with a secret key for a time stamp and written in a predetermined area of the Flash memory unit 38, so that the time before clock setting is completed. And save the history after setting (step E1
6).

As described above, when setting the clock, only when the validity of the clock adjustment command is checked and it is found that there is no illegality, the clock units 39a to 39c are set to the date and time specified by the command. In addition, by keeping the history at that time, it is possible to prevent others from setting the clock illegally.

(Time Stamp Public Key Certificate Writing Process) Next, the operation of the time stamp public key certificate writing process executed in step D204 of FIG. 9 will be described.

FIG. 11 is a flowchart showing the operation of the time stamp public key certificate writing process.

Upon receiving the time stamp public key certificate write command encrypted with the manufacturer private key, the date / time proof data creation unit 16 reads the manufacturer public key from the flash memory unit 38, and To restore the time stamp public key certificate write command (step F11).

Here, the date and time proof data creation unit 16 checks whether or not the restored time stamp public key certificate write command is an official command (step F).
12). In this case, similarly to the clock adjustment command, the validity is determined by checking whether or not the promise determined by the manufacturer is kept.

As a result, when it is determined that the command is not a formal command, the date and time proof data creation unit 16 executes an abnormality detection process (steps F12 to F13). Regarding this abnormality detection process, as described in FIG.
The time stamp private key on the flash memory unit 38 is quickly erased to prevent others from creating date and time proof data without permission, thereby protecting against fraud.

On the other hand, when it is determined that the command is an official command, the date and time proof data creating unit 16 writes the time stamp public key certificate into a predetermined area of the Flash memory unit 38 in accordance with the command (step E1).
4). Thereafter, the date and time proof data creating unit 16 sends the current clock units 39a to 39c (clock unit 1, clock unit 2, clock unit 3).
Is created as history data, and data indicating the event status, that is, “certificate write”, is encrypted with a secret key for a time stamp, and written in a predetermined area of the flash memory unit 38 to obtain a history. (Step F15).

As described above, when writing the time stamp public key certificate, the validity of the time stamp public key certificate write command is checked and only when it is found that there is no illegality, the command is followed. The time stamp public key certificate is written, and the history at that time is also left, thereby preventing unauthorized writing of the certificate by others.

FIG. 12 shows the structure of the history data.

All the history data is encrypted with the time stamp private key, but in this figure, the data before encryption is shown for simplicity. The first four rows of the data example are history data of initialization at the time of manufacturing.

When the operation is started, the history data whose event status is “date and time recording” is written at regular time intervals. Here, an example is described in which a history is left at every hour (18:00, 19:00). At around 19:00 on October 21, 1999, the manufacturer receives a "date and time adjustment" command to adjust the date and time of each clock to 19: 2, and adjusts the clock. In this example, the clock units 39a to 39c (clock units 1, 1)
The date and time difference between (2) and (3) is exaggerated for easy understanding.

After adjusting the date and time, if there is no abnormality,
The clocks 39a to 39c indicate the same date and time, respectively. However, if there is any wrongdoing from outside and the date and time are falsified, the difference between the date and time indicated by the three clocks 39a to 39c exceeds the allowable range. That is, it is detected as an abnormal state. In this example, since there is a difference between the date and time data at around 9:18 on May 1, 2001,
It can be seen that an abnormality has occurred. If an abnormality is detected, the secret key for time stamp is promptly erased to prevent others from creating date and time proof data, thereby protecting against illegal acts.

The history data is stored in the date and time proof data creating unit 1
6 can be withdrawn at any time and decrypted with the public key for the time stamp. In this case, since the history data is encrypted with the time stamp private key, only the date and time proof data creation unit 16 can create it. Therefore, it can be said that this history data is reliable.

[0109] Although it is not normally possible, even if another person can send the date and time adjustment command, since how much the date and time can be changed remains as a history, an illegality is found by the history data at that time. can do. Even in such a case, it can be seen that the date and time proof data created before the unauthorized adjustment is performed is reliable. As described above, the history data guarantees the reliability of the date and time certification data.

In the above-described embodiment, the expiration date of the date and time proof data creating unit 16 is provided, and a backup power supply that can operate during the expiration date is provided. However, for example, a backup power supply having a fixed capacity is used to constantly monitor the power supply voltage. In such a manner, when it is detected that the remaining power of the power supply is insufficient, it is determined that the life of the date and time proof data creating unit 16 has expired, the secret key for the time stamp is deleted, and the history as backup power consumption is left. Is also good.

Although the date / time proof data creation unit 16 is sealed in a card shape and connected to the computer board, it is also possible to connect only the LSI for date / time proof data creation directly to the computer board. In this case, LS
The I package corresponds to the case. Further, when the date and time proof data creation unit 16 is sealed in a card shape, the date and time proof data creation unit 16 may be attached to an interface mechanism of the computer instead of being directly connected to the computer board. For example, the connection is made by a mechanism similar to a PC card, and the date and time proof data creation unit 16 is configured to be detachable.

Although the history data is created by the date and time proof data creating section 16, it need not always be created.

Although the time stamp public key certificate is also provided in the date and time proof data creation unit 16, it need not be provided. There may be an example in which only a time stamp public key certificate is provided and no time stamp public key is provided. There may be an example in which both the time stamp public key certificate and the time stamp public key are not stored inside. However, in this case, the date and time proof data creation unit 1
It is essential that the manufacturer manage and publish the time stamp public key corresponding to No. 6.

Although the date and time of the clock section can be adjusted after the manufacture, it is not necessary to adjust the date and time after the manufacture if the clock section has sufficient accuracy.

The data is read and written by using the flash memory. However, the data is not limited to the flash memory, but may be any nonvolatile memory that can be read and written directly by the date and time proof data creating unit 16.

Also, the LSI for date and time proof data creation is one.
Although a chip LSI has been described, a plurality of LSIs may be used. However, in this case, security is slightly reduced.

Also, when saving a file, date and time certification data is always added.
It is also possible to adopt a configuration in which whether or not to add the date and time proof data can be arbitrarily selected. As described above, when the date and time proof data creation unit 16 is configured to be detachable like a PC card, the date and time proof data can be automatically added only when the card is inserted.

Although the public key cryptosystem is used as the data cryptosystem, the public key cryptosystem and the common key cryptosystem may be combined. Further, the digest of the file is encrypted with the private key for the time stamp, but the entire file may be encrypted.

Although the date and time certification data is added to the file and saved, it is also possible to save the date and time certification data and the file separately. Furthermore, the date and time proof data is added when the user instructs to save the file. Alternatively, the date and time proof data may be added when the file is automatically saved.

It is preferable to use a unique time stamp private key for each date / time proof data creation unit 16, but a certain number of date / time proof data creation units 16 use the same time stamp private key. Is also good. However, in this case, the manufacturer generates a time stamp private key, which is used by each date and time proof data creation unit 16 of the same group.
Will be written to the Flash memory unit 38 of
The risk of external leakage of the timestamp private key is higher than in the case where a unique key is used for each date and time certification data creating unit 16.

Further, by using a public key cryptosystem and deleting a private key for a time stamp to prevent creation of unauthorized date and time proof data, for example, using an asymmetrical conversion processing algorithm, In addition, a program (algorithm) for one-way conversion processing is installed in the system, and when an abnormality occurs, the same function can be realized by deleting the program.

The date and time proof data creation unit 16 and the computer control unit 11 may be integrated.

As a mechanism for detecting an environmental abnormality, the date and time proof data creation unit 16 is sealed and a gas sensor is provided. However, no gas sensor is provided, and the date and time proof data creation unit 16 is unsealed. You may put it in a case. In this case, any case may be used.
Further, although weakened against fraud, various abnormality detection mechanisms may be omitted.

Although the secret key for time stamp is deleted when an abnormality is detected, a configuration in which a different key is rewritten is also possible. In this case, a person who examines the data on the Flash memory unit 38 due to fraudulent acts gets a fake key.

[0125] Although the history data is kept at regular intervals, the history may be left at the timing of creating the date and time certification data. At this time, a file name or a digest similar to a file digest may be added to the history.

In short, the present invention is not limited to the above embodiment, and various changes can be made without departing from the gist of the present invention.

Further, the methods described in the above-described embodiments and the like include, for example, a magnetic disk (floppy disk, hard disk, etc.), an optical disk (CD-RO) as a program that can be executed by a computer.
(M, DVD, etc.), a semiconductor memory, etc., and can be applied to various devices, or transmitted by a communication medium and applied to various devices.

[0128]

As described above in detail, according to the present invention, when a created file is saved, information for automatically certifying the date and time when the file was saved is added.
A reliable date and time can be proved without any troublesome work such as calling a witness or accessing a certificate authority as in the past. Moreover, when a witness or a certificate authority is used, only the date and time after the date and time when the file was created can be certified. However, the date and time when the file was created can be certified by using the apparatus of the present invention.

Further, when the possibility of fraudulent activity is detected, the secret key for the time stamp, which is a key for encryption, is immediately deleted, so that others forge date and time certification data or falsify the original file. It is not possible. Since the secret key for the time stamp is generated in a sealed circuit that is difficult to analyze or cheat from the outside, it cannot be known by others or even the manufacturer. Therefore, even the manufacturer cannot forge the date and time certification data or falsify the original file.

Further, since the date and time certification data can be decrypted with a public key for a time stamp that has been made public, anyone can confirm the certification date and time of a file only with a general computer.

Also, since the command itself sent at the time of initialization or adjustment has a structure known only to the manufacturer and is encrypted with the manufacturer's secret key, it is impossible for another person to change the data by an illegal instruction. Can not.

Further, since the history data encrypted with the time stamp private key remains, an unauthorized act can be found, and the reliability of the date and time proof data is improved.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a configuration of a time stamp device according to an embodiment of the present invention.

FIG. 2 is a block diagram showing an internal configuration of a date and time proof data creating unit constituting the time stamp device.

FIG. 3 is a block diagram showing an internal configuration of a date and time proof data creation LSI provided in the date and time proof data creation unit.

FIG. 4 is a flowchart showing an operation of a file save process in the time stamp device.

FIG. 5 is a flowchart showing a processing operation when an abnormality is detected in the time stamp device.

FIG. 6 is a diagram showing a Fla provided in the date and time proof data creating unit.
FIG. 4 is a diagram showing data on an sh memory unit.

FIG. 7 is a diagram illustrating a Fla provided in the date and time proof data creating unit.
FIG. 3 is a diagram showing a data configuration of a time stamp public key certificate on an sh memory unit.

FIG. 8 is a flowchart showing an operation of a file creation date / time confirmation process in the time stamp device.

FIG. 9 is a flowchart showing the operation of the date and time proof data creation unit initialization processing in the time stamp device.

FIG. 10 is a flowchart showing the operation of a clock adjustment process in the time stamp device.

FIG. 11 is a flowchart showing an operation of a time stamp public key certificate writing process in the time stamp device.

FIG. 12 is a diagram illustrating a Fl provided in the date and time proof data creation unit.
FIG. 3 is a diagram showing a configuration of history data on an ash memory unit.

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 11 ... Computer control part 12 ... Main storage part 13 ... External storage part 14 ... Display part 15 ... Input part 16 ... Date and time certification data creation part 21 ... Date and time certification data creation LSI 22 ... External interface part 23 ... Power supply protection part 24 ... Environment Measurement unit 25 Backup power supply unit 31 LSI control unit 32 LSI external interface unit 33 LSI power supply protection unit 34 LSI environment measurement unit 35 LSI backup power supply unit 36 RAM unit 37 ROM unit 38 Flash memory unit 39a ~ 39c ... clock section

Claims (10)

[Claims] A date and time data generating means for generating current date and time data; a date and time certificate generating means for encrypting the date and time data generated by the date and time data generating means by a predetermined method to generate date and time proof data; A time stamp apparatus comprising: date and time certification adding means for adding date and time certification data created by date and time certification creation means to a file. 2. A date / time data generating means for generating current date / time data, and when a file requiring date / time certification is saved, data indicating the content of the file to be saved is acquired, and the file content is obtained. Date and time data generated by the date and time data generating means, and encrypting the data by a predetermined method, thereby generating date and time proof data for the file; And a date / time proof adding unit for adding the obtained date / time proof data to the file. 3. When confirming the certification date and time of the file, the date and time certification data added by the date and time certification adding means is decrypted to obtain data indicating the contents of the file and date and time data. When the data indicating the obtained file content matches the data indicating the newly created file content, the date and time data obtained by the decryption is provided as a valid date and time, and date and time confirmation means is provided. 3. The time stamp apparatus according to claim 2, wherein 4. An abnormality detecting means for detecting an abnormal state of the apparatus, and a fraud preventing means for stopping a process of creating date and time proof data by the date and time proof creating means when the abnormal state is detected by the abnormality detecting means. The time stamp apparatus according to claim 1 or 2, further comprising: 5. The time stamp apparatus according to claim 4, wherein said abnormality detecting means detects tampering of the date and time data generated by said date and time data generating means as an abnormal state. 6. A plurality of date / time data generating units each of which individually generates date / time data, wherein the abnormality detecting unit compares date / time data generated by the plurality of date / time data generating units, 6. The time stamp apparatus according to claim 5, wherein an abnormal state is detected from a difference between the respective date and time data. 7. The date and time data generating means and the date and time certifying means are contained in a sealed case, and the abnormality detecting means detects an environmental change inside the case or an environmental change outside the case. The time stamp apparatus according to claim 4, wherein the time stamp is detected as a state. 8. The fraud prevention means, when an abnormal state is detected by the abnormality detecting means, erases information for encryption required when the date and time proof creating means creates date and time proof data. 5. The time stamp apparatus according to claim 4, wherein: 9. The apparatus according to claim 1, further comprising a history creating means for creating a cause when the abnormal state of the apparatus main body is detected by the abnormality detecting means as history data, encrypting the history data by a predetermined method, and storing the encrypted data. The time stamp apparatus according to claim 4, wherein 10. When the apparatus is initialized or adjusted, a command encrypted by a predetermined method is received, the command is decrypted, its validity is determined, and if the command is valid, a predetermined command is determined. 3. The time stamp apparatus according to claim 1, further comprising control means for executing an initialization process or an adjustment process.