JP2014042214A - Data certification system and data certification server - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a data certification system capable of further reducing load of processing for extending an expiration date of a long-term signature data.SOLUTION: A data certification system comprises: an original certification information generation unit which generates original certification information for certifying non-alteration of an original file and original verification information for certifying the validity of the original certification information; a hash value calculation unit which calculates an original certification information hash value which is a hash value of the original certification information and an original verification information hash value which is a hash value of the original verification information; a route hash value calculation unit which calculates a route hash value between a plurality of the original certification information hash values and the original verification information hash value; a route hash value certification information generation unit which generates route hash value certification information for certifying the non-alteration of the route hash values and route hash value verification information for certifying the validity of the route hash value certification information; and an extension unit which extends the expiration dates of the route hash value certification information and the route hash value verification information.

Description

  The present invention relates to a data certification system and a data certification server.

  Conventionally, in order to prove non-falsification of an electronic document, a method of giving an electronic signature is known (for example, see Patent Document 1). A method for extending the expiration date of an electronic signature is also known. A service for storing various data in a data center is known.

Special Table 2003-533940

  However, in the conventionally known technology, when the expiration date of the long-term signature data is extended (when the ES-A is extended), all the originals of the extension target long-term signature data and all the ES-A files are accessed. It is necessary to perform extension processing, and it is necessary to acquire time stamps for all ES-A files. Therefore, when the number of originals increases, there is a problem that the processing load for extending the validity period of the electronic signature increases.

  The present invention has been made in view of the above circumstances, and an object of the present invention is to provide a data certification system and a data certification server that can further reduce the processing load for extending the expiration date of long-term signature data.

  The present invention is an original proof information generating unit for generating original proof information for proving non-falsification of an original file and original verification information for certifying the validity of the original proof information, and a hash value of the original proof information A hash value calculation unit that calculates an original verification information hash value and an original verification information hash value that is a hash value of the original verification information, and a plurality of roots of the original verification information hash value and the original verification information hash value A root hash value calculation unit that calculates a hash value, root hash value certification information that proves that the root hash value has not been falsified, and root hash value verification information that proves the validity of the root hash value certification information Extending the validity period of the root hash value certification information generation unit, the root hash value certification information, and the root hash value verification information And length portion, a data verification system, characterized in that it comprises a.

  Further, in the data certification system of the present invention, the original certification information generation unit generates a plurality of the original certification information within a predetermined period, and the root hash value calculation unit calculates the root hash for each predetermined period It is characterized by doing.

  In the data certification system of the present invention, the original certification information generation unit generates the original certification information using the same time stamp signature key within the predetermined period.

  Further, the present invention verifies non-falsification of the root hash value certification information based on the root hash value verification information, verifies non-falsification of the root hash value based on the root hash value certification information, and Based on the hash value, verifies non-falsification of the plurality of original certification information hash values and the original verification information hash value, and based on the plurality of original certification information hash values and the original verification information hash value, a plurality of A data certification system comprising: a verification unit that verifies non-falsification of the original certification information and the original verification information, and verifies non-falsification of the original file based on the original certification information.

  The present invention also provides an original proof information generating unit for generating original proof information for proving non-falsification of an original file, and original verification information for proving the validity of the original proof information, and a hash value of the original proof information A hash value calculation unit that calculates an original verification information hash value that is a hash value of the original verification information, a plurality of the original verification information hash values, and the original verification information hash value A root hash value calculation unit that calculates the root hash value of the root hash value, root hash value certification information that proves that the root hash value has not been falsified, and root hash value verification information that proves the validity of the root hash value certification information. A root hash value certification information generation unit to generate, and extend the validity period of the root hash value certification information and the root hash value verification information. An extension portion which is data certification server, characterized in that it comprises a.

  According to the present invention, the original proof information generating unit generates original proof information that certifies that the original file has not been tampered with, and original verification information that certifies the validity of the original proof information. The hash value calculation unit calculates an original certificate information hash value that is a hash value of the original certificate information and an original verification information hash value that is a hash value of the original verification information. The root hash value calculation unit calculates a root hash value between a plurality of original certification information hash values and an original verification information hash value. In addition, the root hash value certification information generation unit generates root hash value certification information that proves that the root hash value has not been falsified, and root hash value verification information that proves the validity of the root hash value certification information. The extension unit extends the validity period of the root hash value certification information and the root hash value verification information.

  With this configuration, when extending the validity period of a long-term signature, there is no need to access the original file or the original certification information, and the extension process is performed only by accessing the root hash value certification information and the root hash value verification information. be able to. Therefore, even when the number of original files increases, it is possible to further reduce the processing load for extending the expiration date of long-term signature data.

It is the block diagram which showed the structure of the long-term signature system in one Embodiment of this invention. It is the schematic which showed the data structure of the long-term signature format in this embodiment. It is the schematic which showed the procedure in which the long-term signature system 1 in this embodiment produces | generates long-term signature data. It is the schematic which showed the relationship between the original in this embodiment, ES-A which is the information which proves the original tampering, root hash value hash_root of ES-A, and TST1 which is the time certificate of hash_root . It is the schematic which showed the data structure of the format of ERS in this embodiment. It is the schematic which showed the data structure of ERST in this embodiment. It is the schematic which showed the detailed procedure in which the long-term signature system in this embodiment produces | generates long-term signature data. It is the schematic which showed the procedure in which the long-term signature system in this embodiment extends the expiration date of long-term signature data. In this embodiment, it is the schematic which showed the data structure of the format of ERS after extending an expiration date once. In this embodiment, it is the schematic which showed the data structure of ERST after extending an expiration date once. It is the schematic which showed the detailed procedure of the process which the long-term signature system in this embodiment extends the term of long-term signature data. It is the schematic which showed the procedure in which the long-term signature system in this embodiment verifies non-falsification of long-term signature data. It is the schematic which showed the detailed procedure in which the long-term signature system in this embodiment verifies non-falsification of long-term signature data. It is the block diagram which showed the structure of the long-term signature system in case the client terminal in this embodiment has a function of a long-term signature server.

  Hereinafter, an embodiment of the present invention will be described with reference to the drawings. FIG. 1 is a block diagram showing the configuration of the long-term signature system in this embodiment. In the illustrated example, the long-term signature system 1 includes a long-term signature server 2, a client terminal 3, a time stamp server 5, and repository servers 6 and 7. The devices included in the long-term signature system 1 are connected via the Internet 4 so that they can communicate with each other.

  The long-term signature server 2 includes a CPU (Central Processing Unit) 21, a ROM (Read Only Memory) 22, a storage unit 23, an input / output I / F 24, a RAM (Random Access Memory) 25, a display unit 26, And a communication control unit 27.

  The CPU 21 is a central processing unit that performs information processing and control of each unit of the long-term signature server 2 according to a program stored in the storage unit 23 or the like. In the present embodiment, long-term signature data is created while communicating with the client terminal 3, the time stamp server 5, and the repository servers 6 and 7.

  The ROM 22 is a read-only memory and stores basic programs, parameters, and the like for the long-term signature server 2 to operate. The RAM 25 is a random access memory and temporarily stores data used when the long-term signature server 2 creates long-term signature data by communicating with the client terminal 3 or the like.

  The storage unit 23 is configured using, for example, a large-capacity storage device such as a hard disk, and stores an OS (Operating System) for operating the long-term signature server 2, a program for generating long-term signature data, and the like. To do. The display unit 26 includes a display device using a liquid crystal display, for example, and displays various screens for the person in charge of the long-term signature server 2 to operate the long-term signature server 2.

  The input / output I / F 24 includes, for example, input / output devices such as various operation switches, a keyboard, and a mouse, and an operator or the like can operate the long-term signature server 2 using the input / output I / F 24. The communication control unit 27 communicates with the client terminal 3, the time stamp server 5, the repository servers 6 and 7, etc. via the Internet 4. The Internet 4 may be another form of communication network. The long-term signature server 2 can receive an electronic signature value, a hash value of original data (hereinafter referred to as an original hash value), a public key certificate, and the like from the client terminal 3 by the communication control unit 27.

  The client terminal 3 includes a CPU 31, a ROM 32, a storage unit 33, a communication control unit 34, a RAM 35, a display unit 36, and an input / output I / F 37.

  The CPU 31 is a central processing unit that performs information processing and control of each unit of the client terminal 3 in accordance with a program stored in the storage unit 33 or the like. In the present embodiment, transmission / reception of various information to / from the long-term signature server 2 and electronic signature using a secret key are performed.

  The ROM 32 is a read-only memory and stores basic programs, parameters, and the like for the client terminal 3 to operate. The RAM 35 is a random access memory, and temporarily stores, for example, data used when the client terminal 3 creates an electronic signature or an original hash value while communicating with the long-term signature server 2.

  The storage unit 33 is configured using, for example, a large-capacity storage device such as a hard disk, and an OS for operating the client terminal 3, a secret key for performing an electronic signature, and a public key corresponding to the secret key Public key certificate, original data subject to long-term signature, etc. are stored. The original data is, for example, an electronic document created by a word processor or a text editor, and various data files such as image data and audio data.

  The program for the client terminal 3 to create long-term signature data may be configured to be downloaded from the long-term signature server 2 each time it is created, or may be stored in advance in the storage unit 33 and stored. Can also be configured to use.

  The display unit 36 includes a display device using a liquid crystal display, for example, and displays various screens for the user of the client terminal 3 to operate the client terminal 3.

  The input / output I / F 37 includes input / output devices such as a keyboard, a mouse, and an IC card reader / writer. The IC card reader / writer connects the IC card and mediates communication between the client terminal 3 and the IC card. The IC card is an information processing apparatus including a CPU, ROM, RAM, EEPROM (Electrically Erasable and Programmable ROM), and stores, for example, user authentication information for authenticating a user who uses the client terminal 3 Yes. In addition, the client terminal 3 can be configured to store a private key, a public key certificate, and the like in an IC card and digitally sign using the private key of the IC card.

  The communication control unit 34 communicates with the long-term signature server 2 via the Internet 4. Transmission of a hash value, transmission of an electronic signature value, etc. to the long-term signature server 2 is performed using the communication control unit 34.

  The time stamp server 5 is a server that issues time stamps, and is installed in a TSA (Time Stamping Authority). The time stamp server 5 has an accurate clock that is corrected according to the time distributed by the time distribution station. When the time stamp server 5 receives electronic data to be issued as a time stamp, the time stamp server 5 adds the current date and time by the clock. A time stamp is issued by electronic signature (encryption) with a time stamp private key.

  The repository server 6 is a server installed in a TSA-CA (Time Stamping Authority Certificate Authority) and corresponds to a public key certificate used for time stamp verification (a secret key used for the time stamp). Revocation information of public key certificate) is provided. Since public key certificates not listed in the revocation information have not been revoked, it is possible to confirm the validity of the public key certificate and confirm the validity of the time stamp with the valid public key certificate. it can.

  The repository server 7 is a server installed in a CA (Certificate Authority) and is a public key certificate (public key corresponding to a private key of the client terminal 3) used for verification of an electronic signature performed by the client terminal 3. Certificate revocation information. Since the public key certificate not listed in the revocation information has not been revoked, the validity of the public key certificate is confirmed by this, and the validity of the electronic signature performed by the client terminal 3 using the valid public key certificate is confirmed. Sex can be confirmed. The revocation information provided by the repository server 6 and the repository server 7 is updated regularly or irregularly (for example, every 24 hours).

  Next, the format of long-term signature data (long-term signature format) will be described. FIG. 2 is a schematic diagram showing the data structure of the long-term signature format in the present embodiment. The long-term signature data in this embodiment is described using an XML (Extensible Markup Language) language according to the rules of XAdES (XML Advanced Electronic Signatures).

  The ES is composed of the following elements: KeyInfo, signature target property, SignedInfo, and SignatureValue. In KeyInfo, a public key certificate of a public key corresponding to the private key used by the client terminal 3 for the electronic signature is set. The public key certificate includes, for example, a public key, a public key owner, a certificate authority, a certificate authority signature, and the like. In the signature target property, the hash value of the public key certificate is set. In SignedInfo, an original hash value and a hash value of a signature target property (hereinafter, a signature target property hash value) are set. In SignatureValue, a signature value obtained by signing SignedInfo by the client terminal 3 with a secret key is set. In this way, the client terminal 3 signs the SignedInfo with an electronic signature, whereby the KeyInfo, the signature target property, and the SignedInfo are signed.

  The ES-T is configured with the ES and the signature time stamp as elements. An STS (signature time stamp) issued to the ES is set as the signature time stamp. The STS is obtained by giving the current date and time to the hash value of the SignatureValue in the time stamp server 5 and digitally signing it with the private key of the time stamp server 5.

  ES-XL (ES-XLong) is configured with the ES-T and verification information as elements. The verification information is configured using a certificate group and a revocation information group. The certificate group includes a public key certificate of the private key used for the signature by the client terminal 3 and a public key certificate on the certification path of the public key certificate of the private key used by the time stamp server 5 for the time stamp. Has been. In this certification path, the root certificate authority issues a self-signed certificate, the root certificate authority issues a certificate to the child certificate authority, the child certificate authority issues a certificate to the grandchild certificate authority,... The end certificate authority verifies the verification of the public key certificate back to the root certificate authority in a certificate trust chain in which a certificate is issued to an individual or certificate owner. The revocation information group is composed of revocation information of a public key certificate.

  The ES-A is configured with the ES-XL and ATS described above as elements. ATS (Archive Time Stamp) is created by a predetermined method from ES-T verification information, original hash value, electronic signature by client terminal 3, time stamp (STS) by time stamp server 5, etc. A hash value is included, and the validity of the ES-XL can be verified by ATS.

Next, a method for creating long-term signature data will be described. FIG. 3 is a schematic diagram illustrating a procedure in which the long-term signature system 1 in the present embodiment generates long-term signature data.
(Step S101) The CPU 32 of the client terminal 3 operates as the document management function unit 321. The document management function unit 321 inputs an original file to which a long-term signature is added to the ES-A creation function unit 322.
(Step S <b> 102) The CPU 32 of the client terminal 3 operates as the ES-A creation function unit 322. The ES-A creation function unit 322 calculates a hash value (original hash value) of the original file input in the process of step S101. Thereafter, the ES-A creation function unit 322 transmits the calculated original hash value and the signer certificate used for the long-term signature to the long-term signature server 2 via the communication control unit 34. The signer certificate used for the long-term signature may be a certificate designated by the user or a predetermined certificate.

  (Step S103) The CPU 21 of the long-term signature server 2 operates as the ES-A creation function unit 211. The ES-A creation function unit 211 creates an ES-A based on the original hash value and the signer certificate transmitted in step S102. Specifically, the ES-A creation function unit 211 acquires a time stamp from the time stamp server 5 via the communication control unit 27, acquires signer certificate revocation information from the repository server 7, and the repository server 6 To obtain TSA certificate revocation information. Then, using each piece of acquired information, an ES-A is created based on the original hash value and the signer certificate.

(Step S104) The ES-A creation function unit 211 stores the ES-A created in the process of step S103 in the storage unit 23, and transmits the ES-A to the client terminal 3 via the communication control unit 27.
(Step S105) The ES-A creation function unit 322 inputs the ES-A transmitted in the process of step S104 to the document management function unit 321.
(Step S106) The document management function unit 321 associates and stores the original file and the ES-A input in the process of step S105.

  The ES-A of the original file can be created by the processing in steps S101 to S106 described above, and the created ES-A file can be stored in the long-term signature server 2 and the client terminal 3.

  (Step S <b> 107) The CPU 21 of the long-term signature server 2 operates as the ERST creation function unit 212, creates an ERST from the ES-A at regular intervals (for example, every day), and stores the created ERST in the storage unit 23. Specifically, the ERST creation function unit 212 acquires the TSA certificate revocation information from the repository server 6 and the time stamp from the time stamp server 5 through the communication control unit 27 at regular intervals. Then, the ERST creation function unit 212 creates an ERST using each acquired information, and stores the created ERST in the storage unit 23. The ERST includes a root hash from a plurality of ES-A and TSA certificate verification information and a TST (Time Stamp Token) of the root hash, and the plurality of ES-A and TSA certificate verification information is not tampered with. It is information to prove. Details of ERST will be described later.

  Next, the ERST generated by the ERST creation function unit 212 will be described. FIG. 4 shows the relationship between the original in this embodiment, ES-A that is information proving non-falsification of the original, the root hash value hash_root of ES-A, and TST1 that is the time certificate of hash_root. FIG. In the illustrated example, originals 1 to 5 are shown. In addition, ES-A1 is shown as information that proves that the original 1 has not been tampered with. Similarly, ES-A2 to ES-A5 are shown as information proving non-falsification of the original 2 to the original 5. Also, TSA certificate verification information is shown. The TSA certificate verification information is information that proves the validity of the ATS included in ES-A1 to ES-A5.

  Further, hash1 is shown as the hash value of ES-A1. Similarly, hash2 to hash5 are shown as hash values of ES-A2 to ES-A5. Further, hash6 is shown as the hash value of the TSA certificate verification information. Also, a value hash1-2 obtained by calculating hash1 and hash2 using the hash function SHA512 is shown. Similarly, a value hash3-4 calculated using hash function SHA512 for hash3 and hash4, and a value hash5-6 calculated using hash function SHA512 for hash5 and hash6 are shown. In addition, a value hash_root that takes the route of hash1-2, hash3-4, and hash5-6 is shown. That is, in the example shown in the figure, a hash hash tree of the hash values of ES-A1 to ES-A5 and the hash value of the TSA certificate verification information is created, and the root hash value hash_root is generated.

  Also, TST1 is shown as the time certificate of hash_root. Thereby, it can be proved that hash_root exists at the date and time when TST1 is generated. Moreover, since hash_root is the root hash of hash1 to hash6, it can be proved that hash1 to hash6 existed at the date and time when TST1 was generated. Moreover, since hash1 to hash6 are hash values of ES-A1 to ES-A5 and TSA certificate verification information, ES-A1 to ES-A5 and TSA certificate verification information existed at the date and time when TST1 was generated. I can prove that. The TSA certificate verification information is information that proves that the ATS included in ES-A1 to ES-A5 is valid. Therefore, when TST1 is generated before the expiration date of the TSA certificate verification information expires, ES-A1 to ES-A5 exist at the date and time when the TSA certificate verification information is generated until the expiration date of TST1 expires, and Can prove that it was effective.

  The ERST generated by the ERST creation function unit 212 includes the hash value and the root hash value described above. Therefore, it is possible to prove non-falsification of ES-A using ERST. FIG. 5 is a schematic diagram showing the data structure of the ERS format (ERS format) in the present embodiment. The ERS format in this embodiment includes EncryptionInformation, SupportingInformationList, and ArchiveTimeStampSequence. Also, ArchiveTimeStampSequence includes ArchiveTimeStamp Chain 1. Further, ArchiveTimeStamp Chain 1 includes DigestMethod, CanonicalizationMethod, and ArchiveTimeStamp1. Further, ArchiveTimeStamp 1 includes HashTree, TimeStamp, and Attributes. Further, TimeStamp includes TimeStampToken (TST1) and Cryptographic InformationList.

  FIG. 6 is a schematic diagram showing a data structure of ERST in the present embodiment. In the illustrated example, the ERST includes a list of file names and all hash values used for the Merkle Hash Tree, data necessary for ATS verification, ERS-TST, and ERS-TST information. A list of file names and all hash values used for the Merkle Hash Tree is No. And the file name, the hash value of ES-A, and the corresponding original file name, and the data of each data item is stored in association with each row.

  The data item “No.” stores a file name number. The data item “file name” stores the file name of ES-A. The data item “ES-A hash value” stores the hash value of ES-A. The data item “corresponding original file name” stores the original file name corresponding to ES-A. In the illustrated example, the value stored in the data item “No.” in the row 101 is “1”, the value stored in the data item “file name” is “ES-A1.xml”, The value stored in the data item “ES-A hash value” is “hash1”, and the value stored in the data item “corresponding original file name” is “1.pdf”. This is no. The file name of 1 is “ES-A1.xml”, the hash value of ES-A is “hash1”, and the corresponding original file name is “1.pdf”. The other rows are as illustrated. The file name “ES-A_VerifyInfo.zip” is a ZIP compression of the TSA certificate certification path (root certificate, intermediate certificate) file, TSA certificate and certification path revocation information (CRL / ARL) file. It is. Therefore, nothing is stored in the “corresponding original file name” associated with the file name “ES-A_VerifyInfo.zip”. In the illustrated example, it is described in a tabular format, but the present invention is not limited thereto, and may be described in a text format or a CSV format.

  Data necessary for ATS verification is, for example, ES-A_VerifyInfo. zip. ES-A_VerifyInfo. As described above, zip is a ZIP compression of the TSA certificate certification path (root certificate, intermediate certificate) file, TSA certificate and certification path revocation information (CRL / ARL) file. ERS-TST is, for example, tst1. tst, which is binary data of TST. The ERS-TST information is, for example, tst1. tst. It is XML or TXT data in which the expiration date of TST is described.

  Note that ERS is an evidence record format defined in RFC6283. The contents of the values set in each format are defined in RFC6283. The ERS is created for each leaf of the hash tree, but there are many parts common to the elements constituting the ERS in all the leaves (ES-A1 to ES-A5 and ES-A_VerifyInfo) of the tree. Therefore, in this embodiment, each ERS (XML) is not created immediately, but common parts are collectively managed (ERS), and the ERS (XML) is constructed and output when necessary.

  ERS (ERS table) is not defined in RFC 6283, is unique to this embodiment, and is a table having information for dynamically generating a plurality of ERS. In this embodiment, an example is shown in which ERST is ZIP-compressed. However, the present invention is not limited to this, and the contents may be managed by a database.

  Next, a detailed procedure of a method for creating long-term signature data will be described. FIG. 7 is a schematic diagram showing a detailed procedure for generating long-term signature data by the long-term signature system 1 in the present embodiment. In the following procedure, the ES-T creation procedure and the ES-A creation procedure are omitted. That is, the process starts from the process of creating the ES-A by the long-term signature server 2 and transmitting the created ES-A to the client terminal 3.

(Step S1001) The long-term signature server 2 transmits ES-A to the client terminal 3.
(Step S1002) The client terminal 3 receives ES-A transmitted from the long-term signature server 2.
(Step S1003) The ES-A creation function unit 322 of the client terminal 3 inputs the ES-A received in the process of step S1002 to the document management function unit 321.
(Step S1004) The document management function unit 321 of the client terminal 3 stores the ES-A input in the process of Step S1003 together with the original.

  (Step S1005) The long-term signature server 2 outputs the ES-A and the ERS ticket to the ERS waiting folder. The ERS ticket includes “target ES-A file name”, “ATS-TSA-CRL latest issue time”, “ATS-TSA-CRL update predicted time”, and “ATS verification information”. It is a file.

(Step S1006) The long-term signature server 2 inputs the ERS ticket and ES-A exceeding the ATS-TSA-CRL update prediction time described in the ERS ticket into the ERS processing folder.
(Step S1007) The long-term signature server 2 monitors the ERS processing folder periodically (for example, once a day).
(Step S1008) The long-term signature server 2 performs ERS processing. In the ERS process, all ERS tickets in the ERS process folder are confirmed, and ATS verification information (group) is acquired. Normally, when the same TSA station is used, one type of ATS verification information is assumed. However, it is assumed that there are a plurality of TSA CA updates and TSAs, and there are a plurality of types. The ATS verification information includes, for example, “CRL distribution point (URL) described in the TSA certificate used for ATS”, “DN of TSA certificate”, and “DN of CA certificate of TSA certificate”. , “The serial number of the certificate authority certificate of the TSA certificate”.

  (Step S1009) The long-term signature server 2 collects data necessary for ATS verification based on the ATS verification information (group). The data necessary for ATS verification includes “TSA certificate revocation information (CRL)”, “TSA certificate authority certificate (intermediate)”, and “TSA certificate authority certificate (intermediate)”. Revocation information (CRL / ARL) ”,“ TSA certificate authority certificate (root) ”, and“ TSA certificate authority certificate (root) revocation information (CRL / ARL) ”.

(Step S1010) The long-term signature server 2 creates a Merkle Hash Tree from all ES-A files in the ERS processing folder and data necessary for ATS verification, and calculates a root hash value.
(Step S1011) The long-term signature server 2 acquires a time stamp token (ERS-TST) for the root hash value from the time stamp server 5.
(Step S1012) The long-term signature server 2 generates ERS-TST information from the ERS-TST, creates an ERS table based on the ERS-TST and the ERS-TST information, and outputs the ERS table to the ERS table storage folder. The ERS-TST information is information indicating “expiration date of TST”. In addition, the ERS table includes “all ES-A files used”, “data necessary for ATS verification”, “a list of file names and all hash values used for the Merkle Hash Tree (text or CSV)”, and , “ERS-TST” and “ERS-TST information” are, for example, ZIP-compressed files.

  By performing the processing of steps S1001 to S1012 described above, the long-term signature system 1 can create ERS-TST information and an ERS table as long-term signature data and output them to the ERS table storage folder.

  Next, a method for extending long-term signature data (a method for extending certification information proving non-falsification of an original file) will be described. By using a time stamp technique, the ERST validity period can be extended by extending the ERST validity period before the ERST validity period expires. That is, the long-term signature data that proves that the original file has not been tampered with can be extended. Further, by continuing to extend the validity period of the extended ERST before the validity period of the extended ERST expires, the validity period of the long-term signature data can be extended permanently. In the present embodiment, instead of extending the expiration date for each ES-A, the ERS table is generated by collecting ES-A as described above. Then, when extending the validity period of the long-term signature data, the validity period of only the ERST is extended, so that it is possible to further reduce the processing load of the validity period extension.

FIG. 8 is a schematic diagram illustrating a procedure in which the long-term signature system 1 in the present embodiment extends the expiration date of long-term signature data.
(Step S <b> 201) The CPU 21 of the long-term signature server 2 operates as the ERST extension function unit 213, confirms the ERST expiration date every certain period (for example, every month), and extends it before the expiration date expires. Specifically, the ERST extension function unit 213 confirms the expiration date of the ERS-TST described in the ERS-TST information included in the ERS to be confirmed, and performs communication control when it is before the predetermined expiration date. The TSA certificate revocation information for the ERS-TST is acquired from the repository server 6 via the unit 27, and the time stamp is acquired from the time stamp server 5. Then, the ERST extension function unit 213 extends the ERST expiration date using the acquired information.

  FIG. 9 is a schematic diagram showing the data structure of the ERS format (ERS format) after the expiration date has been extended once in the present embodiment. In the present embodiment, the format of the ERS after extending the expiration date includes EncryptionInformation, SupportingInformationList, and ArchiveTimeStampSequence. Also, ArchiveTimeStampSequence includes ArchiveTimeStamp Chain 1. Further, ArchiveTimeStamp Chain 1 includes DigestMethod, CanonicalizationMethod, ArchiveTimeStamp1, and ArchiveTimeStamp2.

  Further, ArchiveTimeStamp 1 includes HashTree, TimeStamp, and Attributes. Further, TimeStamp includes TimeStampToken (TST1) and Cryptographic InformationList. The Cryptographic Information List includes a TSA certificate group and a TSA revocation information group.

  Further, ArchiveTimeStamp 2 includes HashTree, TimeStamp, and Attributes. Further, TimeStamp includes TimeStampToken (TST A1) and Cryptographic InformationList.

  FIG. 10 is a schematic diagram showing the data structure of the ERST after the expiration date is extended once in the present embodiment. In the example shown in the figure, the ERST includes a list of file names and all hash values used for the Merkle Hash Tree, data necessary for ATS verification, ERS-TST (1), ERS-TST information (1), It includes verification information necessary for verification of ERS-TST (1), a list of reduced hash trees, ERS-TST (2), and ERS-TST (2) information. The list of file names and all hash values used for the Merkle Hash Tree and the data necessary for ATS verification are the same as in the example shown in FIG.

  ERS-TST (1) is the same as ERS-TST shown in FIG. The ERS-TST information (1) is the same as the ERS-TST information shown in FIG. The verification information necessary for verification of ERS-TST (1) is, for example, tst1_VerifyInfo. zip. tst1_VerifyInfo. Zip is a ZIP compression of a TSA certificate certification path (root certificate, intermediate certificate) file and a TSA certificate and certification path revocation information (CRL / ARL) file.

  The list of ReducedHashTree is No. And a file name and a hash value of ES-A, and stores data of each data item in association with each row.

  The data item “No.” stores a file name number. The data item “file name” stores the file name of the ERS TimeStamp area. The data item “hash value of ERS TimeStamp area” stores the calculated hash value of the ERS TimeStamp area. In the illustrated example, the value stored in the data item “No.” in the row 201 is “1”, the value stored in the data item “file name” is “erst1_ats1_ts.xml”, and the data item The value stored in “Hash value of ERS TimeStamp area” is “hash A1”. This is no. The file name of “1” is “rst1_ats1_ts.xml”, and the hash value of the ERS TimeStamp area is “hash A1”. The other rows are as illustrated.

  ERS-TST (2) is, for example, tst2. tst, which is binary data of TST. The ERS-TST (2) information is, for example, tst2. tst. It is XML or TXT data in which the expiration date of TST is described.

Next, a detailed procedure of processing for extending the term of the long-term signature data will be described. FIG. 11 is a schematic diagram illustrating a detailed procedure of processing in which the long-term signature system 1 according to the present embodiment extends the term of the long-term signature data.
(Step S2001) The long-term signature server 2 monitors the ERS table in the ERS table storage folder periodically (for example, every month).
(Step S2002) The long-term signature server 2 confirms the ERS-TST information and compares it with the process execution time. If the difference is equal to or less than the predetermined time, the long-term signature server 2 inputs the ERS table into the ERS table extension process folder. That is, the ERS table determined to be extended is input to the ERS table extension processing folder.

(Step S2003) The long-term signature server 2 monitors the ERS table extension processing folder periodically (for example, once a day).
(Step S2004) The long-term signature server 2 takes out the ERS-TST from the ERS table (one) existing in the ERS table extension processing folder.
(Step S2005) The long-term signature server 2 confirms the ERS-TST and collects data necessary for the verification of the ERS-TST. The data necessary for the verification of ERS-TST includes “TSA certificate revocation information (CRL)”, “TSA certificate authority certificate (intermediate)”, and “TSA certificate authority certificate”. (Intermediate revocation information (CRL / ARL)), “TSA certificate authority certificate (root)”, and “TSA certificate authority certificate (root) revocation information (CRL / ARL)” It is.

(Step S2006) The long-term signature server 2 creates a TimeStamp (1) area compliant with the ERS format (RFC4998, RFC6283).
(Step S2007) The long-term signature server 2 calculates a hash value for binary data in the TimeStamp (1) area, and obtains a time stamp token (ERS-TST (2)) for the hash value from the time stamp server 5. The binary data in the TimeStamp area includes “ERS-TST” and “data necessary for verification of ERS-TST”, and in the case of XML, conversion based on a predetermined normalization method (Canonicalization Method) is performed. Data.
(Step S2008) The long-term signature server 2 generates ERS-TST (2) information from ERS-TST (2).
(Step S2009) The long-term signature server 2 adds the TimeStamp (1) area, the ERS-TST (2), and the ERS-TST (2) information to the ERS table and outputs them to the ERS table storage folder.

  By performing the processing of steps S2001 to S2009 described above, the long-term signature system 1 can extend the expiration date of the ERS table.

Next, a method for verifying non-falsification of long-term signature data will be described. FIG. 12 is a schematic diagram illustrating a procedure in which the long-term signature system 1 according to the present embodiment verifies non-falsification of long-term signature data.
(Step S301) The CPU 32 of the client terminal 3 operates as the document management function unit 321. The document management function unit 321 inputs, to the ES-A verification function unit 323, an original file for performing non-tampering verification and an ES-A stored in association with the original file.
(Step S302) The CPU 32 of the client terminal 3 operates as the ES-A verification function unit 323. The ES-A verification function unit 323 calculates a hash value (original hash value) of the original file input in the process of step S301. Thereafter, the ES-A verification function unit 323 transmits the calculated original hash value and the ES-A input in step S301 to the long-term signature server 2 via the communication control unit 34.

  (Step S303) The CPU 21 of the long-term signature server 2 operates as the ES-A and ERST verification function unit 214. The ES-A and ERST verification function unit 214 acquires TSA certificate revocation information from the repository server 6. Further, the ES-A and ERST verification function unit 214 reads the ERST stored in the storage unit 23. Then, the ES-A and ERST verification function unit 214, based on the acquired TSA certificate revocation information, the read ERST, the original hash value received in the process of step S302, and the ES-A, Perform non-tampering verification.

(Step S304) The ES-A and ERST verification function unit 214 sends, via the communication control unit 27, the verification result file indicating the result verified in the process of Step S303 and the ERS corresponding to the verification target ES-A. Transmit to the client terminal 3.
(Step S305) The ES-A verification function unit 323 inputs the verification result file and ERS transmitted in the process of step S304 to the document management function unit 321.
(Step S306) The document management function unit 321 stores the verification result file input in step S305 and the ERS in association with each other.

  By the processes in steps S301 to S306 described above, it is possible to verify that the original file has not been tampered with. Further, the verification result of the original file non-falsification and the ERS file can be stored in the client terminal 3.

Next, a detailed procedure of a method for verifying non-falsification of long-term signature data will be described. FIG. 13 is a schematic diagram illustrating a detailed procedure in which the long-term signature system 1 in the present embodiment verifies non-falsification of long-term signature data.
(Step S3001) The document management function unit 321 of the client terminal 3 inputs the original file to be verified and the ES-A file into the ES-A verification function unit 323 verification input folder.
(Step S3002) The ES-A verification function unit 323 of the client terminal 3 monitors the verification input folder periodically (for example, at intervals of 60 seconds).

(Step S3004) The ES-A verification function unit 323 of the client terminal 3 sends a verification request to the long-term signature server 2 when the original file to be verified and the ES-A file are input to the verification input folder in the process of Step S3002. Send to. The verification request includes the hash value of the original file and the ES-A file.
(Step S3005) The long-term signature server 2 receives the verification request transmitted in the process of step S3004.
(Step S3006) The long-term signature server 2 searches the ERS table related to the verification request (ES-A) received in the process of step S3005, and from the found ERS table, “ERS for target ES-A” and its ES-A “ERS for ATS verification information” is generated.

  (Step S3007) The long-term signature server 2 obtains data necessary for verification of the common ERS-TST included in the “ERS for the target ES-A” and the “ERS for ATS verification information” of the ES-A. get. The data necessary for the verification of ERS-TST includes “TSA certificate revocation information (CRL)”, “TSA certificate authority certificate (intermediate)”, and TSA certificate authority certificate (intermediate). "Revocation Information (CRL / ARL)", TSA Certificate Authority Certificate (Root) ", and TSA Certificate Authority Certificate (Root) Revocation Information (CRL / ARL)".

  (Step S3008) The long-term signature server 2 verifies the ERS for the target ES-A generated in Step S3006 based on the data acquired in the process of Step S3007. When ERS is extended, verification of ERS-TST (n) and verification of reduceHashTree are performed. Thereby, it can be confirmed that the ES-A has not been tampered after the time of the first ERS-TST.

  (Step S3009) The long-term signature server 2 verifies the ERS for ATS verification information. When ERS is extended, verification of ERS-TST (n) and verification of reduceHashTree are performed. Thereby, it can be confirmed that the verification information for verifying the ATS of the ES-A has not been tampered after the time of the first ERS-TST.

(Step S3010) The long-term signature server 2 verifies ES-A. Specifically, the following two processes are performed.
(1) The ATS is verified based on the ATS verification information of the ES-A that has not been tampered with since the time of the first ERS-TST. The reference time at this time is the time of the first ERS-TST. Thereby, it can be seen that the verification information of ES-A and ES-A has not been tampered with since ATS time.
(2) The ES-T is verified based on the signer certificate and the STS verification information included in the ES-A that has not been tampered with since the ATS time. The reference time at this time is the ATS time. Thereby, it is understood that the signature has not been tampered after the STS time.
(3) Finally, the original hash value included in the verification request is compared with the original hash value included in ES-A to confirm that they match.

(Step S3016) The long-term signature server 2 transmits a verification request result, which is an ES-A verification result, to the client terminal 3. The verification request result is information including a summary of the verification result and details of the verification result.
(Step S3017) The ES-A verification function unit of the client terminal 3 receives the verification request result transmitted in the process of step S3016.

(Step S3018) The ES-A verification function unit of the client terminal 3 outputs the verification result to the verification result output folder.
(Step S3019) The document management function unit 321 of the client terminal 3 acquires the verification result from the verification result output folder.

  By the processing in steps S3001 to S3019 described above, it is possible to verify that the original file has not been tampered with. Also, the verification result of the original file non-falsification and the ERS file can be stored in the client terminal 3.

  In the known technology, when extending an electronic signature (when extending ES-A), it is necessary to access all originals to be extended and all ES-A files and perform extension processing. It was necessary to obtain a time stamp for the ES-A file. Therefore, when the number of originals increases, there is a problem that the extension process takes time.

  In the present embodiment, as described above, when an original electronic signature is extended and long-term signature data is created, an ERS table is generated by collecting ES-A generated for a certain period. When extending the validity period of the long-term signature data, the validity period of the electronic signature in the ERS table is extended. Thereby, when extending the validity period of the long-term signature data, it is not necessary to access the original or ES-A, and the extension process can be performed only by accessing only the ERS table. Further, it is not necessary to acquire time stamps for all ES-A files, and extension processing can be performed only by acquiring only time stamps for the ERS table. Further, when extending the expiration date of the long-term signature data, it is not necessary to access the original and the ES-A file, so that the processing at the client terminal 3 is not necessary, and the extension processing is performed only by the processing of the long-term signature server 2. It can be carried out. Therefore, even when the number of originals stored in the client terminal 3 increases, the processing load for extending the expiration date of the long-term signature data can be further reduced.

  In the above-described embodiment, the long-term signature server 2 and the client terminal 3 are described as examples of different devices. However, the present invention is not limited to this. For example, the client terminal may have a long-term signature server function. Further, the long-term signature server may have the function of a client terminal.

  FIG. 14 is a block diagram showing the configuration of the long-term signature system when the client terminal has the function of the long-term signature server. In the illustrated example, the long-term signature system 100 includes a client terminal 300, a time stamp server 5, and repository servers 6 and 7. The devices included in the long-term signature system 100 are connected via the Internet 4 so that they can communicate with each other. Further, the time stamp server 5 and the repository servers 6 and 7 are the same as those shown in FIG.

  The client terminal 300 includes a CPU 310, a ROM 320, a storage unit 330, a communication control unit 340, a RAM 350, a display unit 360, and an input / output I / F 370.

  The CPU 310 is a central processing unit that performs information processing and control of each unit of the client terminal 300 in accordance with a program stored in the storage unit 330 or the like. For example, the CPU 310 creates long-term signature data while communicating with the time stamp server 5 and the repository servers 6 and 7. The ROM 320 is a read-only memory, and stores basic programs, parameters, and the like for the client terminal 300 to operate. The RAM 350 is a random access memory, and temporarily stores data used when the client terminal 300 creates an electronic signature or an original hash value, for example.

  The storage unit 330 is configured using, for example, a large-capacity storage device such as a hard disk, an OS for operating the client terminal 300, a secret key for performing an electronic signature, and a public key corresponding to the secret key Public key certificate, original data subject to long-term signature, etc. are stored. The original data is, for example, an electronic document created by a word processor or a text editor, and various data files such as image data and audio data.

  A program for the client terminal 300 to create long-term signature data is stored in advance in the storage unit 330 and used. The display unit 360 includes a display device using a liquid crystal display, for example, and displays various screens for the user of the client terminal 300 to operate the client terminal 300.

  The input / output I / F 370 includes input / output devices such as a keyboard, a mouse, and an IC card reader / writer. The IC card reader / writer connects the IC card and mediates communication between the client terminal 300 and the IC card. The IC card is an information processing apparatus including a CPU, ROM, RAM, EEPROM (Electrically Erasable and Programmable ROM), and stores, for example, user authentication information for authenticating a user who uses the client terminal 3 Yes. In addition, the client terminal 300 can be configured to store a private key, a public key certificate, or the like in an IC card and perform an electronic signature using the IC card private key.

  The communication control unit 340 communicates with the time stamp server 5 and the repository servers 6 and 7 via the Internet 4. The Internet 4 may be another form of communication network.

  The process of the long-term signature system 100 is the same as the process of the long-term signature system 1 described above.

  In addition, all or some of the functions of each unit included in the long-term signature server 2, the client terminal 3, 300, the time stamp server 5, and the repository servers 6 and 7 in the above-described embodiment realize these functions. The program may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read into a computer system and executed. Here, the “computer system” includes an OS and hardware such as peripheral devices.

  The “computer-readable recording medium” refers to a portable medium such as a flexible disk, a magneto-optical disk, a ROM, and a CD-ROM, and a storage unit such as a hard disk built in the computer system. Furthermore, the “computer-readable recording medium” dynamically holds a program for a short time like a communication line when transmitting a program via a network such as the Internet or a communication line such as a telephone line. In this case, a volatile memory inside a computer system serving as a server or a client in that case may be included and a program that holds a program for a certain period of time. The program may be a program for realizing a part of the functions described above, and may be a program capable of realizing the functions described above in combination with a program already recorded in a computer system.

  The present invention is not limited to the above-described embodiment, and various modifications can be made without departing from the spirit of the present invention.

  DESCRIPTION OF SYMBOLS 1,100 ... Long-term signature system, 2 ... Long-term signature server, 3,300 ... Client terminal, 4 ... Internet, 5 ... Time stamp server, 6, 7 ... Repository server, 21, 31, 310 ... CPU, 22, 32, 320 ... ROM, 23.33, 330 ... storage unit, 24, 34, 340 ... input / output I / F, 25, 35.350 ... RAM, 26, 36, 360 ... display unit, 27, 37, 370 ... communication control unit, 211 ... ES-A creation function unit, 212 ... ERST creation function unit, 213 .. ERST extension function section, 214... ES-A and ERST verification function section, 321... Document management function section, 322... ES-A creation function section, 323.

Claims (5)

An original certificate information generating unit that generates original certificate information for certifying that the original file has not been tampered with, and original verification information for certifying the validity of the original certificate information;
A hash value calculation unit that calculates an original certificate information hash value that is a hash value of the original certificate information and an original verification information hash value that is a hash value of the original verification information;
A root hash value calculation unit that calculates a root hash value of the plurality of original certificate information hash values and the original verification information hash value;
A root hash value certification information generating unit for generating root hash value certification information for certifying non-falsification of the root hash value, and root hash value verification information for certifying the validity of the root hash value certification information;
An extension for extending the validity period of the root hash value certification information and the root hash value verification information;
A data proof system comprising: The original proof information generating unit generates a plurality of the original proof information within a certain period,
The data certification system according to claim 1, wherein the root hash value calculation unit calculates the root hash for each predetermined period. The data certification system according to claim 2, wherein the original certification information generation unit generates the original certification information using the same time stamp signature key within the predetermined period. Based on the root hash value verification information, verifies non-falsification of the root hash value certification information, verifies non-falsification of the root hash value based on the root hash value certification information, and based on the root hash value, A plurality of the original certification information hash values and the original verification information hash values are verified for falsification, and a plurality of the original certification information and the original verification information hash values are based on the plurality of original certification information hash values and the original verification information hash values. 4. The verification unit according to claim 1, further comprising: a verification unit that verifies non-falsification of original verification information and verifies non-falsification of the original file based on the original certification information. 5. Data certification system. An original certificate information generating unit that generates original certificate information for certifying that the original file has not been tampered with, and original verification information for certifying the validity of the original certificate information;
A hash value calculation unit that calculates an original certificate information hash value that is a hash value of the original certificate information and an original verification information hash value that is a hash value of the original verification information;
A root hash value calculation unit that calculates a root hash value of the plurality of original certificate information hash values and the original verification information hash value;
A root hash value certification information generating unit for generating root hash value certification information for certifying non-falsification of the root hash value, and root hash value verification information for certifying the validity of the root hash value certification information;
An extension for extending the validity period of the root hash value certification information and the root hash value verification information;
A data certification server comprising:

Images