JP5135511B2 - Time information processing apparatus and time information processing method - Google Patents

Description

The present invention, time information processing equipment relates及 Beauty time information processing method, for example, relates to those utilizing transmission information that is transmitted over the network.

With the rapid advancement of information technology in recent years, so-called paperless conversion of public documents and private documents into digital documents converted into digital information has been promoted.
In addition, the so-called electronic document law has been enforced in order to improve the legal status given to electronic documents created in this way.
As described above, time certification (date certification) such as date of issue is important for electronic documents having legal status, and time stamp systems that perform time certification are used.

FIG. 14 is a diagram showing a part of a network configuration of a conventional time stamp system.
A TSA 102 (TSA: Time-stamping Authority) is a time stamp station provided with a time stamp server, and is arranged so as to be connectable to client terminals 103, 103,... Via a network such as the Internet.
A time stamp server of the TSA 102 (hereinafter referred to as TSA 102) has a built-in clock device for issuing a time stamp, and issues a time stamp according to the time output by the clock device.
The client terminal 103 is a terminal that requests the TSA 102 to issue a time stamp for the electronic document.

The procedure for issuing a time stamp is roughly as follows.
First, the client terminal 103 transmits to the TSA 102 the hash value of the electronic document for which the time stamp is issued.
The TSA 102 receives this hash value and measures the time at the time of reception by the clock device.
Then, the TSA 102 calculates a hash value of data obtained by adding information such as the measured time to the received hash value, encrypts the hash value with the private key of the TSA 102, generates an electronic signature, Time stamp data including the received hash value, time, and other information is returned to the client terminal 103.

On the other hand, the time stamp confirmation procedure is generally performed as follows.
First, the electronic signature of the time stamp data is decrypted using the public key corresponding to the secret key of the TSA 102, and the hash value is extracted therefrom. Then, the received hash value, time, and other information hash values are compared with the hash value extracted from the electronic signature. If both users are identical, the time stamp data is issued by the TSA102, and it can be confirmed that the contents of the time stamp data has not been tampered with. Next, a hash value of the electronic document is calculated and compared with the received hash value included in the time stamp data. If the two match, it can be confirmed that the TSA 102 issued the time stamp at the time in the time stamp data of this electronic document.
This is because it is possible to confirm that the electronic signature is encrypted with a private key that only the TSA 102 can know by decrypting the electronic signature with this public key and confirming the hash value match. Furthermore, it is possible to confirm that the electronic document has not been tampered with by matching the hash value in the time stamp data with the hash value calculated from the electronic document.

The TA 101 is a time audit station provided with a time distribution server that audits the time of the clock device of the TSA 102 and distributes the time, and is arranged so as to be connectable to the TSA 102 via a network such as the Internet.
The time distribution server of TA 101 (hereinafter referred to as TA 101) includes a clock device therein, and periodically audits the time of the clock device of TSA 102 using this.
First, TA 101 asks TSA 102 to transmit the time measured by the clock device of TSA 102, and compares the time with the time of the clock device of TA 101. Then, the TA 101 writes an error due to the comparison in the time audit certificate and transmits it to the TSA 102. In this way, TA 101 delivers time to TSA 102 due to an error.

The TSA 102 receives the time audit certificate, corrects its own clock device based on the error described therein, and further sets the activation period of the time stamp issuing function specified by the time audit certificate. Here, the activation period is a period in which the time stamp can be issued based on the time corrected by the time audit certificate. When the audited time has an error of a predetermined value or more, the TA 101 can set the activation period to 0 and stop the time stamp issuing function of the TSA 102.
In this way, by auditing the time of the clock device of the TSA 102 with the TA 101, the time of the TSA 102 can be kept at a predetermined accuracy. In addition, it is possible to prevent the TSA 102 and the client terminal 103 from colluding and changing the time.

In order to prevent falsification of the delivery time, the communication path between the TSA 102 and the TA 101 is encrypted using a technique such as SSL (Secure Sockets Layer) or TLS (Transport Layer Security), and the delay of the communication path is corrected. As a communication protocol, NTP (Network Time Protocol) standardized for time distribution is used.
As described above, as a technique for auditing the time of the TSA 102, there is the following “system and method for providing a trusted third-party clock and a trusted local clock”.

Special table 2003-519417 gazette

  This technique audits the time of a local clock (corresponding to TSA 102) by an authenticated master clock (corresponding to TA101).

However, for example, the conventional time stamp is time-corrected according to the delivered time regardless of the accuracy of the delivery time of TA101.
Therefore, even if the TSA 102 has a policy regarding accuracy such as “the time stamp time accuracy is within 500 [ms]”, depending on the accuracy of the TA 101, such a policy cannot be observed. Was possible.

Furthermore, the accuracy of the delivery time varies depending on the delivery route of the reference time, and the TSA 102 does not consider the difference in accuracy due to these delivery routes.
For example, as shown in FIG. 1, when using a more complex system including a plurality of TA1 and TA2 that audit TSA, and NTA1 and NTA2 (NTA: National Time Authority) that further audit these TAs, for example, The accuracy of distribution time varies depending on the time distribution route, such as when auditing NTA 1 → TA 2 → TSA, or NTA 1 → TA 1 → TSA.
For example, when auditing NTA1 → TA2 → TSA and delivering the time, the accuracy of TSA by the audit is 550 [ms] obtained by adding the accuracy of TA2 of 450 [ms] to the accuracy of NTA1 of 100 [ms]. It exceeds 500 [ms], which is a policy related to the accuracy of TSA.
In other words, these problems occur because it is not performed in one information processing apparatus to evaluate transmission information received from another information processing apparatus and perform control according to the evaluation. .

  Therefore, an object of the present invention is to calculate transmission path information transmitted via a network and control devices according to the calculation result. For example, the accuracy of time to be distributed is evaluated, and functions such as time correction, time stamp issuance, time distribution, and priority setting are controlled according to the evaluation.

In order to achieve the above object, the present invention receives a reference time server that distributes a reference time, a plurality of time distribution servers that synchronize time with the distributed reference time, and time information from the time distribution server. A time information processing device for use in a network configured using the time information processing device, wherein the time information is received from a plurality of time distribution servers, the accuracy from the reference time server via the time distribution server. Time information dependent on a transmission path to the processing device, a time information receiving means for receiving and storing a time audit certificate including the transmission path information for specifying the transmission path, and for each stored time audit certificate , Accuracy acquisition means for acquiring and storing the accuracy of the time information using the transmission path information, a clock device for outputting a time for issuing a time stamp, Comprising: a clock unit correcting means of憶time information to select the best ones accuracy good to correct the time of the clock device, and a timestamp issuing means for issuing a time stamp by using the corrected clock unit Provided is a time information processing apparatus characterized by the above (first configuration).

In the first configuration, when the stored accuracy does not satisfy a predetermined condition, the time stamp issuing unit may be stopped ( second configuration).

In the first configuration or the second configuration, the time stamp issuing means includes a time stamp when there is an error in the stored time information that is greater than or equal to a predetermined value from the time output by the timepiece device. Can also be configured to stop issuing ( third configuration).
In any one configuration from the first configuration to the third configuration, it may be configured to include time information distribution means for distributing time information using the corrected output of the timepiece device ( Fourth configuration).
In the fourth configuration, the time information distribution means starts time distribution when the stored time information includes an error that is less than a predetermined value with respect to the time output from the timepiece device. ( 5th structure) can also be comprised.
In the fourth configuration or the fifth configuration, a distribution destination authentication unit that authenticates a distribution destination that distributes time information is provided, and the time information distribution unit is authenticated by the distribution destination authentication unit It is also possible to configure so that the time information is distributed ( sixth configuration).
In any one of the first configuration to the sixth configuration, the timepiece correction unit corrects the time of the timepiece when the accuracy of the selected time information satisfies a predetermined accuracy. ( Seventh configuration).
In any one configuration from the first configuration to the seventh configuration, when the accuracy of the selected time information does not satisfy a predetermined condition, the time information is requested from another time distribution server. It can also be configured ( eighth configuration).
In any one configuration from the first configuration to the eighth configuration, it is also possible to set the priority of the time distribution server that distributed the time information used for the correction of the timepiece device ( Ninth configuration).
In any one configuration from the first configuration to the ninth configuration, the accuracy acquisition unit includes the reference time server existing on the transmission path specified by the stored transmission path information, and the time It is also possible to acquire the accuracy of the time defined by the reference time server and the time distribution server from the distribution server, and acquire the accuracy of the time information from the acquired accuracy ( tenth configuration). .
In the tenth configuration, when the time accuracy is acquired from the reference time server and the time distribution server, the reference time server and the time distribution server may be authenticated (the eleventh configuration). ).
The present invention also provides a reference time server that distributes a reference time, a plurality of time distribution servers that synchronize time with the distributed reference time, a time information processing device that receives time information from the time distribution server, Time information processing apparatus used in a network configured using the above-described information, and a transmission path from a plurality of the time distribution servers to the time information processing apparatus with accuracy from the reference time server through the time distribution server Time information receiving means for receiving and storing the time audit certificate including the transmission path information for specifying the transmission path, and the transmission path information for each stored time audit certificate. Accuracy acquisition means for acquiring and storing the accuracy of the time information using, a timepiece device for outputting a time for issuing a time stamp, and a timepiece using the timepiece device A time stamp issuing means for issuing a stamp, and a priority setting means for setting a priority to the time distribution server, and the time of the timepiece device using the most accurate time among the stored time information. Time information characterized in that at least one of correction, setting of time stamp issuance by the time stamp issuing means, or setting of priority of the time distribution server by the priority setting means is selected and performed. A processing apparatus is provided (a twelfth configuration).
In any one of the first configuration to the twelfth configuration, a time distribution server authenticating unit that authenticates the time distribution server is provided, and the time information receiving unit authenticates the time distribution server. In some cases, it may be configured to receive time information (a thirteenth configuration).
The present invention also provides a reference time server that distributes a reference time, a plurality of time distribution servers that synchronize time with the distributed reference time, a time information processing device that receives time information from the time distribution server, A time information processing method used in a time information processing device used in a network configured using the method, the time information processing device for issuing a time information receiving means, an accuracy obtaining means, and a time stamp A timepiece device that outputs a time, and a timepiece correction means, wherein the time information receiving means has a plurality of time distribution servers, and the accuracy from the reference time server to the time distribution server via the time distribution server. Time information reception that receives and stores time information that depends on a transmission path to the information processing device and a time audit certificate that includes the transmission path information that identifies the transmission path And an accuracy acquisition step in which the accuracy acquisition means acquires and stores the accuracy of the time information using the transmission path information for each stored time audit certificate, and the timepiece correction means, provides time information processing method characterized in that it consists of a clock unit correcting step of correcting the time of the clock device to select the best ones accuracy good out of the storage time information (fourteenth Constitution).
The present invention also provides a reference time server that distributes a reference time, a plurality of time distribution servers that synchronize time with the distributed reference time, a time information processing device that receives time information from the time distribution server, A time information processing method used in a time information processing device used in a network configured using the method, the time information processing device for issuing a time information receiving means, an accuracy obtaining means, and a time stamp A clock device that outputs a time, a time stamp issuing unit that issues a time stamp using the clock device, and a priority setting unit that sets a priority of a server device, and the time information receiving unit includes The accuracy depends on a transmission path from the plurality of time distribution servers to the time information processing device via the time distribution server from the reference time server. Time information receiving step for receiving and storing a time audit certificate including transmission path information for specifying the transmission path, and the accuracy acquisition means for each stored time audit certificate An accuracy acquisition step of acquiring and storing the accuracy of the time information using transmission path information, and correcting the time of the timepiece device using the most accurate of the stored time information, the time A selection execution step for selecting and performing at least one of the setting of the time stamp issuance by the stamp issuing means or the setting of the priority of the information distribution server by the priority setting means. A characteristic time information processing method is provided ( fifteenth configuration).
In another embodiment of the present invention, information transmitted via the network is transmitted via a plurality of servers, routers, switches, etc. in the network. Depending on the route taken by the information to be transmitted, the information is transmitted earlier, later, or wrongly, and the information to be transmitted differs depending on the route. Therefore, regarding the information transmitted via the network, transmission route information that shows what route the information has taken is provided, and by calculating the transmission route information, the difference due to the route of the information to be transmitted is calculated. Provided is an information processing apparatus capable of correcting or correcting. In addition, an information processing apparatus is provided that can perform correction, correction, and selection of whether or not to use by calculating transmission path information even when the transmitted information is used secondarily.

  According to the present invention, it is possible to calculate time accuracy information, which is transmission route information transmitted through a network, and to perform control based on the calculation result. For example, it is possible to evaluate the accuracy of the delivered time and perform control according to the evaluation.

(1) Outline of Embodiment The following describes an embodiment in which transmission path information is calculated and controlled according to the calculation result.
The TSA can evaluate the accuracy of the time distributed from the TA and perform an operation according to the evaluation result.
For example, when the error of the delivery time is within an allowable value, the TSA corrects the time of the clock device using this delivery time, sets the activation period of the time stamp issuing function, or the delivery time error Is not within the allowable value, the time stamp issuing function can be stopped, or time audit can be requested from another TA. Note that the activation period is a period in which a certain function can be used.
Also, since the accuracy of the time delivered from the TA depends on the transmission path of NTA → TA → TSA, the TSA of this embodiment sends the time delivered from the TA by inquiring NTA and TA for accuracy. Assess the accuracy of
As described above, the TSA according to the present embodiment can select an operation according to the accuracy of distribution time, and can evaluate the accuracy of distribution time depending on the transmission path. Therefore, the operation can be selected by the transmission route of the delivery time. That is, when there are a plurality of TAs, the transmission route of information transmitted from the NTA to the TSA is different, and the error in the distribution time is different. This error comparison (calculation) can be performed, and control can be performed to select the path having the smallest error based on the result of the comparison (calculation).
In addition, items related to the accuracy of the delivered time include the speed of information transmission, etc., and this information transmission speed is compared with a predetermined value, or the speed of information transmission by route is compared, and the speed is high Can choose to use that information, use that information if it is the same, or not use that information if it is slow.

(2) Details of Embodiment FIG. 1 is a diagram illustrating an example of a system configuration of a time stamp system according to the present embodiment.
As shown in the figure, the time stamp system includes a plurality of client terminals, a TSA that is a time stamp authority that issues time stamps to these client terminals, and a time audit authority TA1 that performs a time audit of the TSA, TA2 and national time distribution stations NTA1 and NTA2 that perform time audits of TA1 and TA2 are arranged to be connectable by a network.
Hereinafter, when TA1 and TA2 are not particularly distinguished from each other, they are simply referred to as TA, and when NTA1 and NTA2 are not particularly distinguished from each other, they are simply referred to as NTA.

The NTA is a time distribution station that distributes a reference time, and is positioned at the top of the time distribution.
The NTA can measure an extremely accurate time by providing an atomic clock, etc., and audits the time output by the TA clock device and issues a time audit certificate to the TA.
The time audit certificate includes an error in the time measured by the time audit, and the TA corrects its own clock device using this. That is, the TA corrects the clock device according to the time delivered by the NTA.
The TA performs a time audit of the TSA using a clock device corrected with the distribution time from the NTA, and performs a time distribution to the TSA using a time audit certificate.

The TSA receives a time audit from the TA, corrects its own clock device using the time distributed from the TA, and issues a time stamp to the client terminal according to the time output by the clock device. The time stamp issuance method is the same as the conventional method.
For example, the client terminal calculates a hash value of the electronic document, transmits it to the TSA, and asks the TSA to issue a time stamp.

In the present embodiment, two NTAs and TAs are provided, and one TSA is provided. However, more NTAs, TAs, and TSAs can be provided.
In addition, a more complicated network can be formed, for example, by installing a TA between TA1 and TSA.

The accuracy of time distributed by these server devices (NTA, TA, TSA) is shown as an example in the figure.
That is, NTA1 is 100 [ms], NTA2 is 50 [ms], TA is 400 [ms], TA2 is 450 [ms], and TSA is 500 [ms].
The accuracy of NTA is the accuracy with respect to UTC (Coordinated Universal Time), and means that the error from UTC at the time of delivery by NTA is within the accuracy.
The time distributed by the NTA is used as a reference time when the server device on the downstream side of the network corrects and synchronizes the clock. In this way, the NTA constitutes a reference time server.

In addition, the accuracy of time distributed from the TA to the TSA is relative accuracy based on the time distributed from the NTA to the TA. That is, the accuracy from UTC is obtained by adding the accuracy of time distributed from TA to TSA to the accuracy of time distributed from NTA to TA. (Note that the TSA policy regarding the time accuracy of the time stamp should not contradict the accuracy from this UTC.)
As described above, the accuracy range of the output time is accumulated as going to the downstream side of the network, and the accuracy varies depending on the transmission route of the time distribution.

For example, when the transmission route of the delivery time is NTA2 → TA1 → TSA, the accuracy of the time when the TSA is delivered from TA1 is 50 + 400 = 450 [ms], and when NTA1 → TA1 → TSA, 100 + 400 = 500 [ms ].
In addition, when the delivery time is transmitted through the route of NTA1 → TA2 → TSA, the time when the TSA is delivered from TA2 is 100 + 450 = 550 [ms], and depending on the delivery time transmission route, the TSA guarantee In some cases, the accuracy of 500 [ms] cannot be maintained.

Therefore, the TSA is configured to evaluate the accuracy of the time distributed from the TA including the change in accuracy due to the transmission route of the distribution time, and perform various appropriate operations according to the evaluation. .
The time audit certificate transmitted from the TA to the TSA in order for the TSA to evaluate the change in accuracy due to the transmission path includes information for specifying the transmission path of the delivery time.
Since the time audit certificate of the present embodiment has so-called traceability that can track through which transmission route the time has been distributed in this way, it will be abbreviated as “training information” below. To do.

Here, the configuration of the training information will be described with reference to each diagram of FIG.
FIG. 2A is a diagram illustrating an example of a logical configuration of training information issued by the TA to the TSA.
As shown in the figure, the training information includes basic information, time information, transmission path information, TA signature information, and the like.
The basic information is basic information about the tray information itself, and includes the issue time, version, issue destination, issue source, signature algorithm, serial number, validity period, and the like.

The version information is information for specifying the version of the tray information. The issue destination is information for identifying the TSA that is the issue destination of the tray information. The issuer is information that identifies the TA that issued the tray information.
The signature algorithm is information for specifying the algorithm used for the TA signature information, and the TSA can know the algorithm used for the TA signature information by using this.
The serial number is a serial number of the tray information.
The expiration date is an expiration date of the training information set by the TA, and the TSA performs function control using the training information within the range of the expiration date.

The time information is information based on the result of the time audit and includes an audit time, a time error, a communication delay, an activation period, a leap second, a time audit certificate policy, and other information. The activation period can be omitted if it is the same period as the expiration date. In this case, the expiration date is treated as the activation period.
The audit time is the time when the TA has performed the time audit of the TSA.
The time error is a time error between TSA and TA measured by the TA by time audit. The TSA corrects the time of its own clock device using this error. That is, TA delivers time in the form of errors.

The communication delay is a delay time due to the communication path between TSA and TA.
The activation period is a period in which the TSA can issue a time stamp by the timepiece device corrected by the tray information. The TSA can set the activation period written in the training information.
The time audit certificate policy includes, for example, information about the policy such as the accuracy of time distributed by the TA. As a result, the TSA can know the accuracy of the TA delivery time (relative to the NTA).

The transmission path information includes information for specifying a transmission path until the NTA reference time is transmitted to the TA. That is, the transmission path information is traceability information that identifies the transmission path at the reference time.
The TSA can evaluate the accuracy with respect to the UTC of the time distributed from the TA by specifying the transmission route of the reference time from the transmission route information and referring to the policy regarding the accuracy of the server device on the transmission route. .
The TA signature information includes information for specifying a TA signature algorithm, a TA signature value, and the like.
The TSA calculates the signature value of the tray information using this signature algorithm, and can confirm whether the tray information has been tampered with by checking the identity with the signature value of the TA.

2B to 2D are diagrams illustrating an example of a logical configuration of transmission path information.
The example of FIG.2 (b) is a case where both the transmission path | route and the precision of each server apparatus are contained in transmission path | route information.
The transmission path is represented by writing the server devices (NTA, TA) that transmitted the reference time in the transmission order.
As shown in the figure, in this example, time distribution is made from NTA1 to TA1, and it is shown that TA1 has corrected the time, and the accuracy of NTA1 is (100 [ms]). It has been shown.
Since the accuracy of TA1 is described in the time information (time audit certificate policy) of the tray information, the TSA can evaluate the accuracy of UTC delivered from TA1 by adding these accuracy. it can.

That is, when the accuracy described in the time information is 400 [ms], the accuracy of the time distributed from TA1 is evaluated as 100 + 400 = 500 [ms] (less than), which is a policy regarding the accuracy of TSA. It satisfies less than a certain 500 [ms].
As described above, when accuracy is described in the transmission route information, the TSA can obtain an evaluation value of accuracy of distribution time from the train information.

The example of FIG. 2C is a case where the transmission path information includes both the transmission path and the URL (Uniform Resource Locators) of the server device on the transmission path.
As shown in the figure, in this example, it is shown that time distribution is performed from NTA 1 to TA 1, and further, for NTA 1, a URL is shown.
The TSA can access NTA1 using this URL and inquire about the accuracy of NTA1.
The TSA can evaluate the accuracy of the time distributed from TA1 by adding the accuracy of NTA1 thus acquired and the accuracy of TA1 written in the time information of the train information.
Note that when accessing other server devices such as NTA1 and TA1 in order to make an accuracy inquiry, the TSA authenticates these to prevent spoofing and the like. For example, there is a method of performing authentication such as SSL or TLS, NTA1 or TA1 giving an electronic signature to information on accuracy, and TSA confirming the electronic signature.

The example of FIG. 2D shows a case where more server devices exist on the transmission path, which are not shown in FIG.
As shown in the figure, this example shows that time was delivered from NTA1 to TAx, time was further delivered from TAx to TAy, time was delivered from TAy to TA1, and then time was delivered to TSA. The URL for inquiring each server device for accuracy is described. In this way, the TSA can be provided with a time distribution function.
In this case, the TSA inquires NTA1, TAx, and TAy about the accuracy using the URLs of these server devices, and evaluates the accuracy of the time distributed from TA1 using this and the accuracy of TA1.
Further, as shown in FIG. 2B, the accuracy of NTA1, TAx, and TAy may be written instead of the URL.

The example of FIG. 2 (e) shows a case where the tray information is configured in a nested form.
As shown in the figure, in this example, the transmission information of TA training information includes training information transmitted from NTA to TA.
The train information transmitted from the NTA to the TA is train information transmitted from the NTA to the TA when the TA has received a time audit from the NTA.
The TSA can extract the train information transmitted from the NTA to the TA from the train information received from the TA, and use these to evaluate the accuracy of the distribution time with respect to the UTC.

The example in the figure is a case where time is distributed as NTA → TA → TSA. However, when time is distributed via NTA → TAx → TAy → TSA and many more server devices, TAx is NTA The TAE includes the tre information including the tre information transmitted from the TAx to the TAx, and the TAy includes the tre information transmitted from the TAx (including the tre information transmitted from the NTA to the TAx). To issue.
In this way, the server apparatus on the transmission path transmits the tray information including the tray information transmitted from the server apparatus directly above to the server apparatus directly below, so that all the tray information across the time distribution transmission path can be obtained. It can be transmitted downstream. And TSA can evaluate the precision with respect to UTC of a delivery time by extracting and analyzing upstream tray information from tray information.

Although the method for evaluating the accuracy of time using the transmission path information has been described above, it can also be configured as follows.
For example, when the TA performs time distribution to the TSA, the TA adds the accuracy of the NTA and its own accuracy and records this in the tray information.
That is, the TA evaluates the accuracy with respect to UTC at the time of delivery by the TA. In this case, the TSA can receive the accuracy already evaluated with respect to the reference time from the TA.

It is also possible to collect a policy regarding the accuracy of delivery time of each NTA and each TA, prepare a reference server prepared for browsing, and configure the TSA to request the reference server to evaluate the accuracy of delivery time. it can.
In this case, the TSA transmits the transmission path described in the transmission path information to the reference server, evaluates the accuracy at the reference server, and returns it to the TSA, so that the TSA can obtain the accuracy of the time distributed from the reference server. Can be obtained.

FIG. 3 is a functional block diagram for explaining the functions of TA and TSA according to the present embodiment.
The TA includes an authentication unit 10, a tray information transmission unit 11, a time audit unit 12, and the like.
The TA has the same configuration as a conventional TA when the train information transmitting unit 11 is a time audit certificate transmitting unit.
On the other hand, the TSA includes an authentication unit 20, a tray information reception unit 21, a comparison determination unit 22, an operation control unit 23, a clock unit 24, a time stamp unit 25, a communication control unit 26, an authentication information table 28, a tray information table 29, a policy. It is composed of an information table 30, an action table 31, and the like.

First, the relationship and function between the TA authentication unit 10 and the TSA authentication unit 20 will be described.
The authentication unit 10 communicates with the authentication unit 20 as follows to authenticate whether the TSA is a valid server device.
When performing a time audit, the authentication unit 10 requests authentication information from the authentication unit 20.
The time audit can be performed from the TA to the TSA, or the TSA can request the TA to perform the time audit.
On the other hand, the authentication unit 20 reads the authentication information from the authentication information table 28 and transmits it to the authentication unit 10.

The authentication unit 10 recognizes that the TSA is a legitimate TSA by confirming a match between the authentication information of the TSA stored in advance and the authentication information transmitted from the TSA. For example, by performing authentication using SSL or TLS or authentication using other authentication information, it is possible to prevent impersonation of TSA.
Further, if the TSA side is configured to authenticate the TA, it is possible to prevent impersonation of the TA.
Here, the authentication information includes, for example, certificate information, key information, certificate revocation information, etc. used for authentication in SSL or TLS, and information (certificate information, etc.) used when generating tray information. included. These pieces of information are associated with each other by the authentication information table, and the train information issued by the authenticated TA is always transmitted to the authenticated TSA.
Note that the key or certificate used for SSL or TLS may be the same as the key or certificate used when generating the tray information. In this case, management of keys and certificates can be facilitated, communication procedures can be facilitated, and the amount of data handled can be reduced.
In addition, the association between keys and certificates used for SSL and TLS and keys and certificates used when generating tray information is based on a database or configuration file, and cannot be changed by TA or TSA itself. There is a method of using the key for encryption or digital signature.

The TA time auditing unit 12 is a functional unit that performs time auditing of the clock unit 24 of the TSA.
The time audit unit 12 requests the TSA to transmit the time of the clock unit 24 after authenticating the TSA, and the TSA transmits the output value of the clock unit 24 to the TA.
Then, the TA compares the time received from the TSA with the time of its own clock device, and measures the error.
The TA train information transmission unit 11 generates train information including the time error measured by the time audit unit 12, and transmits this to the TSA.

The train information receiving unit 21 of the TSA receives the train information transmitted from the TA and stores it in the train information table 29.
An example of the logical configuration of the training information table 29 is shown in FIG. As shown in the figure, the tray information table 29 is configured from items such as “issue time”, “issuer”, “issue destination”, “attribute (type)”, and “attribute (value)”. .
The tray information receiving unit 21 extracts these items from the tray information and stores (registers) them in the tray information table 29.

“Issuance time” is the time when the tray information is issued.
The “issuer” is the issuer of the tray information, and is TA1 in the example of the figure. For example, if it is training information addressed from TA2 to TSA, it will be TA2, and if it is training information addressed from NTA1 to TA1, it will be NTA1.
“Issuance destination” is a recipient of the tray information, and is TSA in the example of the figure. For example, if it is training information addressed from TA2 to TSA, it will be TSA, and if it is training information addressed from NTA1 to TA1, it will be TA1.

“Attribute (type)” and “attribute (value)” are attribute types and attribute values. “Attribute (type)” represents the type of attribute, and “attribute (value)” represents the attribute value.
“Attribute (type)” relates to basic information and includes issue time, version, issue destination, issuer, signature algorithm, serial number, validity period, etc., and “time (information)” relates to audit time, time error, communication There are delay, activation period, leap second, delivery time accuracy and so on.

The TSA also includes an accuracy evaluation function unit 27 that evaluates the accuracy of the time distributed from the TA using the transfer information of the train information, and the accuracy evaluation function unit 27 converts the evaluation value into the train information. Store in table 29.
In this case, “attribute (type)” is “accuracy of distribution time”, and the accuracy of distribution time is stored as “attribute (value)”.
In addition to the time-related attribute, various attributes such as a country in which the information processing apparatus is installed and a business entity that operates a service are possible.
For example, when “attribute (type)” is a country, “attribute (value)” is a country name such as Japan. When “attribute (type)” is a business entity, “attribute (value)” is a business entity name such as XX Corporation.
For example, regarding various types of accreditation given to business entities, information processing devices, businesses and services, etc., when “attribute (type)” is the type of accreditation, “attribute (value)” is ○ It is an identification name or identification number that identifies the type of certification, such as certification or XX mark of XX association. Further, when “attribute (type)” is an authorization number, “attribute (value)” is an authorization number for identifying the order of authorization and the subject of authorization. When “attribute (type)” is a valid period of certification, “attribute (value)” is a valid period of certification.
When transmitting information related to various types of certification, for example, it is possible to handle only information that passes through a reliable transmission path, or to convey that it is a certified business entity or information processing device. Can be further improved in terms of handling information in the transmission path, such as a connection condition to a reliable transmission path.
The authorization in this case includes certification obtained between parties on the transmission path such as an entity that transmits information and an information processing apparatus in addition to certification obtained from a third party organization.

Here, the accuracy evaluation function unit 27 will be described in more detail. The accuracy evaluation function unit 27 analyzes the transmission path from the reference time distributed by the NTA to the arrival at the TSA using the transmission path information of the tray information received from the TA, and uses this to analyze the time distributed from the TA. Assess the accuracy of UTC.
For example, as shown in FIG. 2B, the accuracy evaluation function unit 27 evaluates the accuracy of the time distributed from the transmission route information when it can be evaluated. In addition, as shown in FIG. 2C, when the URL of the server device on the transmission path is obtained, the server device is accessed using this to collect the accuracy of each server device, and these are added. Calculate accuracy for UTC.

As described above, in the training information table 29, the information described in the training information is organized and stored for each attribute.
In the example of the figure, the attribute type is “Offset”, which means a time error measured by time audit. The attribute value is “300”, which means that the time error was 300 [ms].

The comparison determination unit 22 (FIG. 3) compares the tray information stored in the tray information table 29 with the policy information stored in the policy information table 30 and stores the comparison value in the policy information table 30.
The policy information is information that is determined using a determination formula for each attribute (type) stored in the tray information, such as a magnitude relationship with a certain reference value. The TSA determines an operation to be performed based on this determination value.

As shown in FIG. 4B, a plurality of policy information is set in the policy information table 30, and each policy information includes “policy number”, “issuer”, “issue destination”, “attribute”. (Type) ”,“ Attribute (Value) ”,“ Judgment Formula ”,“ Determination Result ”, and the like.
Among these, “policy number” to “judgment formula” are set in the tray information table 29 in advance, and “judgment result” is output by the comparison judgment unit 22 as a judgment result.

The “policy number” is a unique number assigned to each policy information and constitutes identification information of the policy information.
The “issuer” to “attribute (type)” are the same as those in the training information table 29.
The “attribute (value)” is a reference value for determining the attribute value of the tray information with the “determination formula”. This attribute value is compared with the attribute value of the tray information table 29.
The “determination formula” is a determination formula that is determined by comparing the attribute value of the tray information with the reference value (“attribute (value)” of the policy information).
The “determination result” is a result of determining an attribute value by a determination formula.

The comparison determination unit 22 combines the combination of “issuer”, “issue destination”, and “attribute (type)” of the tray information stored in the tray information table 29 and the “issuer” of the policy in the policy information table 30, “ Matches “issue” and “attribute (type)”.
If there is a match, both “attributes (values)” are determined according to the “determination formula” of the policy information, and the determination result is output to the “determination result” of the policy information. As a result, the policy information table 30 is updated.
As a judgment formula, there are magnitude relations of attribute values such as =,>, <, and a case of taking a value.

In the example of FIG. 4B, for the policy with policy number 1, the determination result is “2” and takes a value. For the policy with policy number 2, the determination result is “T (True)”, indicating that the attribute value of the tre information and the value of the policy attribute satisfy the determination expression “<”. Yes. When the determination formula is not satisfied, the determination result is “F (False)”.
Note that “=” in the determination formula is used to determine whether or not the attribute values of the two are equal, and “<” determines whether or not the attribute value of the policy information is greater than the attribute value of the tray information. ">" Is the opposite.

In addition, instead of the accuracy evaluation function unit 27 described above, an equivalent function can be provided to the comparison determination unit 22.
In this case, as shown in FIG. 2B, when the accuracy of the time distributed from the transmission path information can be evaluated, the comparison / determination unit 22 thereby calculates the accuracy with respect to UTC. Then, the comparison determination unit 22 stores the accuracy determination value in the policy information table 30.
Further, as shown in FIG. 2C, when the URL of the server device on the transmission path is obtained, the comparison / determination unit 22 uses this to access each server device and records the accuracy of each server device. Request information.
In response to this, the tray information transmitted by each server device is stored in the tray information table 29 by the tray information receiving unit 21. The comparison / determination unit 22 calculates the accuracy of the distribution time with respect to UTC using these training information, and stores the determination value in the policy information table 30.
Thus, without providing the accuracy evaluation function unit 27, the comparison determination unit 22 can have a function of evaluating the accuracy of the delivery time.

  The operation control unit 23 (FIG. 3) uses the operation information of the action table 31 to determine whether the determination result determined by the comparison determination unit 22 satisfies a predetermined condition, and operates using the determination result. The operation parameters that determine the operation contents of the function unit (the clock unit 24, the time stamp unit 25, the communication control unit 26, etc.) and the function unit are determined.

As shown in FIG. 4C, a plurality of pieces of operation information (actions) are set in the action table 31, and the operation information includes “action number”, “action (function module designation)”, “action ( Parameter specification) ”and other items.
The “action number” is a unique number assigned to each operation information, and constitutes identification information of the operation information.
The “conditional expression” is a conditional expression for determining whether or not the policy information determination result satisfies a certain condition.
“Action (functional module designation)” designates a functional unit (functional module) that performs an operation when the conditional expression is satisfied.
“Action (parameter specification)” is an operation parameter that defines the operation content (operation mode) of the specified functional unit.

For example, when the functional unit is the clock unit 24, the operation content is “correction of the clock device using the received tray information” or “do not correct the clock device using the received tray information”. and so on.
When the functional unit is the time stamp unit 25, the operation contents include “set the activation period described in the received tray information”, “turn on the time stamp issuance function”, “time stamp issuance” "Turn off features".
Furthermore, when the functional unit is the communication control unit 26, the operation content includes “connect to the server apparatus using a URL described in the tray information”.
The operation information defined by the action number 1 shown in the example of FIG. 4C is “if the determination result of policy 1 is less than 10 and the determination result of policy 2 is T (conditional expression) ), And the time stamp portion 25 is set (function portion designation) and turned on (operation content).

Returning to FIG. 3, the clock unit 24 is a functional unit for controlling a time device for issuing a time stamp. The clock unit 24 receives the time audit from the time audit unit 12 of the TA, transmits the time, outputs the time recorded in the time stamp unit 25, or corrects the clock device using the distribution time. To do.
The time stamp unit 25 is a functional unit that issues a time stamp using the time measured by the clock unit 24.
The communication control unit 26 is a functional unit for communicating by connecting the TSA to another server device or the like.

After determining the condition in the action table 31, the operation control unit 23 causes these functional units to perform an operation specified by the operation parameter using the determination result.
For example, the operation control unit 23 instructs the clock unit 24 to correct the clock device based on the determination result in the action table 31, or causes the time stamp unit 25 to turn on / off the time stamp issuing function, Alternatively, the communication control unit 26 is connected to another server device.

As described above, the TSA according to the present embodiment receives the time information (delivery time) from the time delivery server (TA) and stores the time information receiving means (tre information receiving unit 21), Accuracy acquisition means for acquiring and storing the accuracy of the stored time information (accuracy evaluation function unit 27), a clock device for outputting time (clock unit 24), and when the stored accuracy satisfies a predetermined condition, Clock device correcting means for correcting the time of the clock device using the stored time information (operation control unit 23), and time stamp issuing means (time stamp unit 25) for issuing a time stamp using the corrected clock device. ) Is provided.
Here, a comparison unit (comparison determination unit 22) that determines whether or not the stored accuracy satisfies a predetermined condition may be provided, and the timepiece correction unit may be configured to operate according to the determination result.

The TSA according to the present embodiment receives transmission information whose attribute value (accuracy, etc.) is determined by a transmission path and stores it in a storage device, and the received transmission information. The attribute acquisition means (train information receiving unit 21) that acquires the attribute value of the received data and stores it in the storage device, compares the stored attribute value with a predetermined reference value (comparison determination unit 22), and performs a predetermined operation based on the comparison result. An operation function unit selecting unit (operation control unit 23) for selecting an operation function unit for performing the operation, and an operation unit for operating the selected operation function unit using the stored transmission information (operation control unit 23). The information processing apparatus is also configured.
Note that the TSA according to the present embodiment has an attribute value (accuracy) determined by a transmission route of distribution time, but the target of the information processing apparatus can be wider.
In other words, the information processing apparatus “uses information transmitted from a series of routes comprehensively”, “uses information obtained from a plurality of transmission routes”, “uses information obtained from transmission routes” Use it to perform actions on other information processing devices ”and“ use that action to receive transmission information from other information processing devices and operate based on the transmission information ”. It can be applied to all things.

Next, the basic operation of the TSA configured as described above will be described with reference to the flowchart of FIG. In the following, functional units used for information processing are shown in parentheses. It is assumed that authentication has already been performed.
First, TA performs time audit of TSA, and TSA (train information receiving unit 21) receives train information describing the result (step 5).
The TSA (train information receiving unit 21) stores the received train information in the train information table 29 and updates the train information table 29 (step 10).
Next, the TSA (comparison determination unit 22) compares the tray information stored in the tray information table 29 with the policy information stored in the policy information table 30 (step 15), and compares the comparison result with the policy information table 30. To update the policy information table 30 (step 20).

Next, the TSA (operation control unit 23) refers to the action table 31 and determines whether or not the determination result of the policy information table 30 satisfies the conditional expression of the action information.
Then, the TSA (operation control unit 23) determines an operation function unit to be operated and an operation to be performed based on the determination result (step 30).
The TSA (operation control unit 23) causes the function unit to perform an operation (step 35).

  As described above, the TSA can analyze the contents of the tray information and perform various operations according to the analysis results. Here, as a specific example, the TSA uses an evaluation value of accuracy with respect to UTC at the delivery time. A case where the clock device is corrected will be described.

In the following description, for the sake of simplicity, it is assumed that NTA2 is not provided in FIG.
Also, one of TAi and TAj is TA1, and the other is TA2. That is, when TAi is TA1, TAj is TA2, and when TAi is TA2, TAj is TA1. Thus, TA1 and TA2 are equal and can be interchanged.

The example described with reference to the flowchart of FIG. 6 is based on the time distributed from the TA when the accuracy of the time distributed from the TA to the UTC (the sum of the NTA accuracy and the TA accuracy) is less than 500 [ms]. When the correction of the unit 24 is performed and the accuracy is not less than 500 [ms], the time distribution is requested to another TA.
In this embodiment, since the TSA can receive time distribution from a plurality of TAs, the TSA prioritizes the TA that receives time distribution as primary, secondary, and the like. As a result, the TSA can perform control such as accepting only time distribution from a TA with a higher priority, or making a time audit request to a TA with a higher priority.

The flowchart will be described below.
TAi performs time auditing of the TSA, and transmits the training information describing the result to the TSA (step 100).
The TSA (train information receiving unit 21) receives the train information from TAi and stores it in the train information table 29 (step 200).

Next, the TSA (comparison determination unit 22) refers to the tray information table 29 and the policy information table 30, and updates the policy information table 30.
Here, in the policy information table 30, a determination formula is set for determining whether or not the accuracy of the time distributed by the tray information (the sum of the accuracy of NTA1 and TAi) is less than 500 [ms]. The (comparison / determination unit 22) determines accuracy using this determination formula, and outputs the determination result to the policy information table 30.

Next, the TSA (operation control unit 23) refers to the policy information table 30, compares it with the action table 31, and causes the functional unit defined in the action table 31 to perform an operation.
In the action table 31, when the accuracy is less than 500 [ms], the time correction is performed at this delivery time, the activation period of the time stamp issuing function is set, and the TA is set as primary. It is prescribed.

If the accuracy of the TAi delivery time (the sum of NTA1 and TAj accuracy) is less than 500 [ms] (step 205; Y), the TSA (operation control unit 23) sends the time to the clock unit 24 at this delivery time. Correction is performed (step 220), and the activation period of the time stamp issuing function is set in the time stamp unit 25 (step 225).
Then, TSA (operation control unit 23) sets TA used for time correction, that is, TAi to primary, and sets TAj to secondary (step 230).

  On the other hand, in the action table 31, if the accuracy of the time distributed from TAi is not less than 500 [ms], the time distribution is received from TAj, and if this accuracy is less than 500 [ms], this distribution time Is used to perform time correction and the like.

Therefore, when the accuracy of the delivery time received from TAi is not less than 500 [ms] (step 205; N), the TSA (operation control unit 23) controls the communication control unit 26 to access TAj, and TAj Request the training information (step 210).
In response to this, TAj performs time audit of the TSA, and transmits the train information describing the result to the TSA (step 300).
The TSA (train information receiving unit 21) receives this train information and stores it in the train information table 29.
Next, the TSA (comparison determination unit 22) refers to the tray information table 29, and according to the determination formula of the policy information table 30, the accuracy of time distributed from TAj (the sum of the accuracy of NTA1 and TAj) is 500 [ms. ] Is determined. Then, the determination result is output to the policy information table 30.

Next, the TSA (operation control unit 23) refers to the policy information table 30 and compares it with the action table 31.
In the action table 31, when the accuracy is less than 500 [ms], the time correction is performed at this delivery time, the activation period of the time stamp issuing function is set, and the TA is set as primary. Operation is specified. On the other hand, when the accuracy of the distribution time is not less than 500 [ms], it is specified not to perform the operation.

When the accuracy of the TAj delivery time (the sum of NTA1 and TAj accuracy) is less than 500 [ms] (step 215; Y), the TSA (operation control unit 23) sends the time to the clock unit 24 at this delivery time. Correction is performed (step 220), and the activation period of the time stamp issuing function is set in the time stamp unit 25 (step 225).
Then, the TSA (operation control unit 23) sets TA used for time correction, that is, TAj to primary, and sets TAi to secondary (step 230).

On the other hand, when the accuracy of the TAj delivery time (the sum of the accuracy of NTA1 and TAj) is not less than 500 [ms] (step 215; N), the TSA (operation control unit 23) does not perform time correction or the like. End the operation.
In this case, when the activation period set when the time is corrected last time elapses, the TSA stops the time stamp issuing function. For this reason, if the policy is not less than 500 [ms], which is a policy related to the accuracy of TSA, it is possible to stop issuing time stamps.

As described above, according to this policy, when the accuracy of time delivered from a TA does not satisfy a predetermined value (500 [ms]), the TSA accesses another TA to satisfy the predetermined accuracy. Can be obtained.
With this configuration, for example, even when the TSA changes a policy regarding accuracy, a TA that matches the policy can be searched.

If the TSA policy (including policies for accuracy and other policies) changes the policy without permission, the following measures can be taken.
Access control (password, authentication by IC card, etc.) is performed so that policy settings can be changed only by an administrator authorized by the TA.
Under the policy setting agreed in advance between TA and TSA, hard coding is performed in the software so that the policy setting is not falsified.
The TSA side is limited so that only specific function control (for example, time correction) can be set.
The TSA side does not have an active authority to control the functional unit, but has only a passive authority such as “reject reception of training information when the policy does not match the TSA policy”.

In the example described in the flowchart of FIG. 7, when time is distributed from one TA, the accuracy is compared with the accuracy of the distribution time of the other TA received last time, and the one with higher accuracy is adopted. It is. If the accuracy of the distribution time changes depending on the line conditions, etc., a route through a highly accurate transmission path is adopted.
In the following description, the same step numbers are assigned to the same steps as those in FIG. 6 to simplify the description.
TAi performs time audit on the TSA, and transmits to the TSA training information describing the audit result and delivery time (step 100).
The TSA (train information receiving unit 21) receives the train information from TAi and stores it in the train information table 29 (step 200).

Next, the TSA (comparison determination unit 22) refers to the tray information table 29 and the policy information table 30, and updates the policy information table 30.
Here, in the policy information table 30, which is the accuracy of the delivery time previously received from TAj (the sum of the accuracy of NTA1 and TAj) or the accuracy of the delivery time received from the current TAi (the sum of the accuracy of NTA1 and TAi)? The determination formula for determining whether or not it is correct is set, and the TSA (comparison determination unit 22) performs this determination and outputs the determination result to the policy information table 30.

Next, the TSA (operation control unit 23) refers to the policy information table 30, compares it with the action table 31, and performs an operation defined in the action table 31.
In the action table 31, if the time distributed from TAi this time is more accurate, the time is corrected at this time, the activation period of the time stamp issuing function is set, and this TA is set as primary. The operation is defined as follows.

If the time distributed from TAi this time is more accurate (step 235; TAi), the TSA (operation control unit 23) causes the clock unit 24 to perform time correction at this time (step 220), and further the time An activation period of the time stamp issuing function is set in the stamp unit 25 (step 225).
Then, TSA (operation control unit 23) sets TA used for time correction, that is, TAi to primary, and sets TAj to secondary (step 230).

  On the other hand, in the action table 31, when the time delivered from the previous TAj is more accurate, the time is delivered from TAj, which is higher than the accuracy of the time received from the previous (ie, step 200) TAi. In such a case, the operation is defined so as to perform time correction using this time.

Therefore, if the time received from the previous TAj is more accurate (step 235; TAj), the TSA (operation control unit 23) controls the communication control unit 26 to access TAj, and stores the training information in TAj. Request (step 210).
In response to this, TAj performs a time audit of the TSA, and transmits to the TSA the training information describing the result and delivery time (step 300).
The TSA (train information receiving unit 21) receives the train information and stores it in the train information table 29.

  Next, the TSA (comparison / determination unit 22) refers to the tray information table 29, and according to the determination formula of the policy information table 30, which of the time delivered from the previous TAi and the time received from the current TAj is more accurate? judge. Then, the determination result is output to the policy information table 30.

Next, the TSA (operation control unit 23) performs the operation defined in the action table 31 with respect to the policy information table 30 and the action table 31 in the same manner as in step 235.
That is, when the accuracy of the time distributed from TAj this time is more accurate (step 240; TAj), the TSA (operation control unit 23) causes the clock unit 24 to perform time correction at this time (step 220). ) Further, the activation unit of the time stamp issuing function is set in the time stamp unit 25 (step 225).
Then, the TSA (operation control unit 23) sets TA used for time correction, that is, TAj to primary, and sets TAi to secondary (step 230).

On the other hand, when the accuracy of the time delivered from the previous TAi is more accurate (step 240; TAi), the TSA (operation control unit 23) ends the operation without performing time correction or the like.
Then, when the activation period set when the time is corrected last time has passed, the TSA stops the time stamp issuing function.

In the example described in the flowchart of FIG. 8, the TA with the correct delivery time is set as the primary. In the flowchart of FIG. 8, TAj is omitted.
First, TAi performs time auditing on the TSA, and transmits to the TSA training information describing the audit result and delivery time (step 100).
The TSA (train information receiving unit 21) receives the train information from TAi and stores it in the train information table 29 (step 200).

Next, the TSA (comparison determination unit 22) refers to the tray information table 29 and the policy information table 30, and updates the policy information table 30.
Here, in the policy information table 30, which is the accuracy of the delivery time previously received from TAj (the sum of the accuracy of NTA1 and TAj) or the accuracy of the delivery time received from the current TAi (the sum of the accuracy of NTA1 and TAi)? The determination formula for determining whether or not it is correct is set, and the TSA (comparison determination unit 22) performs this determination and outputs the determination result to the policy information table 30.

Next, the TSA (operation control unit 23) refers to the policy information table 30, compares it with the action table 31, and performs an operation defined in the action table 31.
In the action table 31, if the time delivered from TAi this time is more accurate, TAi is set as primary, and if the time delivered from the previous TAj is more accurate, TAj is set as primary. The operation is defined as follows.

If the time distributed from TAi this time is more accurate (step 245; TAi), TSA (operation control unit 23) sets TAi to primary and TAj to secondary (step 255).
On the other hand, when the time delivered from the previous TAj is more accurate (step 245; TAj), the TSA (operation control unit 23) sets TAj to primary and TAj to secondary (step 250). .

The example described in the flowchart of FIG. 9 is for correcting the time with the correct TA when the accuracy of at least one of TAi and TAj is less than 500 [ms].
First, TAi performs a time audit of the TSA, and transmits the train information describing the result to the TSA (step 100).
In the TSA, the tray information receiving unit 21 receives this tray information and stores it in the tray information table 29.
Thus, when receiving the training information from TAi, TSA requests the training information from TAj (step 210).
In response to this, TAj performs a time audit of the TSA, and transmits to the TSA the training information describing the audit result and the delivery time (step 300).

Next, the TSA (comparison determination unit 22) refers to the tray information table 29 and the policy information table 30, and updates the policy information table 30.
Here, in the policy information table 30, a determination formula for determining whether or not the accuracy of time distributed from the TA is less than 500 [ms] is set, and the TSA (comparison determination unit 22) It is determined whether or not the accuracy of the distributed time is less than 500 [ms], and the determination result is output to the policy information table 30.
Furthermore, in the policy information table 30, a determination formula for determining which delivery time is more accurate is set, and the TSA (comparison determination unit 22) outputs the determination result to the policy information table 30.

Next, the TSA (operation control unit 23) refers to the policy information table 30 and compares it with the action table 31.
The action table 31 does not operate when the accuracy of both the delivery times of TAi and TAj is not less than 500 [ms], and when at least one of them is less than 500 [ms], the more accurate delivery time The operation is regulated so as to correct the time and set the activation period of the time stamp issuing function.

Therefore, the TSA (operation control unit 23) refers to the policy information table 30, and if the accuracy of both distribution times is not less than 500 [ms] (step 260; N), the TSA (operation control unit 23) does not operate and corrects the time. Not performed. In this case, the TSA stops the time stamp function after the current active period has elapsed.
On the other hand, when the accuracy of at least one of the delivery times is less than 500 [ms] (step 260; Y), the time correction is corrected in the clock unit 24 by the more accurate delivery time (step 265). 25, the activation period of the time stamp issuing function is set (step 225).
In this example, when selecting the correct delivery time, it is confirmed that the accuracy of the delivery time is less than 500 [ms].
As a result, it is possible to correct the TSA time based on the more accurate delivery time from the TA, excluding TAs that do not satisfy the condition that the delivery time accuracy is less than 500 [ms].

In the example of the flowchart of FIG. 10, when both TAi and TAj require time auditing, and the accuracy of at least one of the delivery times is less than 500 [ms], time correction is performed using the more accurate delivery time. Is to do.
First, the TSA requests training information from both TAi and TAj (step 270).
In response to this request, TAi performs a time audit of the TSA, and transmits the train information describing the result to the TSA (step 105).
In response to this request, TAj also performs time auditing of the TSA, and transmits the train information describing the result to the TSA (step 305).

The TSA (train information receiving unit 21) receives these train information and stores them in the train information table 29.
The following operations are the same as those in the example of FIG.
In the example of FIG. 9, the time audit is requested from TAj triggered by the time audit received from TAi, but in the example of FIG. 10, the time audit is requested from TSA to TAi and TAj.

The operation example performed by the TSA according to the training information has been described above, but an example in which the following operation is performed can also be adopted.
For example, it is assumed that the TSA receives time distribution from TA1, TA2, and TA3. When TSA had TA1 perform time audit, it was audited that the time error of TSA was 100 [ms]. In parallel with this, TSA and TA3 have time audits, and it is assumed that the error is 1000 [ms].
In this way, when the audit result greatly differs depending on the TA, it is considered that an abnormality has occurred at the time of the TSA or TA, and the TSA stops the time stamp function.

Hereinafter, an example of such an operation will be described with reference to the flowchart of FIG.
In this example, for example, when the error between TA1 and TSA, the error between TA2 and TSA, and the error between TA3 and TSA are all less than 500 [ms], the TSA performs time correction and time The activation period of the stamp unit 25 is set to a finite value.
If at least one is not less than 500, the activation period of the time stamp unit 25 is set to 0 and the time stamp issuing function is stopped.
In the flowchart, TA1 to TA3 are omitted.

First, after completing the authentication, TSA (train information receiving unit 21) receives time audit from TA1 and receives train information (step 275).
Upon receiving the training information from TA1, the TSA (training information receiving unit 21) requests the training information from TA2, receives the time audit after completing the authentication, receives the training information from TA2, and enters the training information table 29. Store (step 280).
Further, the TSA (train information receiving unit 21) requests the train information from the TA 3, receives a time audit, receives the train information from the TA 3, and stores it in the train information table 29 (step 285).

Next, the TSA (comparison / determination unit 22) checks the time error between the clock device of TA1 and the clock unit 24 using the tray information received from TA1, and determines whether this error is less than 500 [ms]. The determination result is stored in the policy information table 30.
Similarly, the TSA (comparison / determination unit 22) checks the time error between the clock device of TA2 and TA3 and the clock unit 24 using the tray information received from TA2 and TA3, and this error is less than 500 [ms]. And the determination result is stored in the policy information table 30.

The TSA (operation control unit 23) refers to the policy information table 30 and determines whether any time error is less than 500 [ms] (that is, time error between TA1 and TSA <500 [ms], and TA2 -Time error between TSA <500 [ms] and time error between NTA3 and TSA <500 [ms]) are determined (step 290).
If any time error is less than 500 [ms] (step 290; Y), the TSA (operation control unit 23) causes the clock unit 24 to perform time correction (step 220), and further causes the time stamp unit 25 to perform time correction. An activation period of the time stamp issuing function is set (step 225).
On the other hand, if there is even one time error that is not less than 500 [ms] (step 290; N), the TSA (operation control unit 23) causes the clock unit 24 to perform time correction (step 220). ) The activation period of the time stamp issuing function is set to 0, and the time stamp issuing function of the time stamp unit 25 is stopped (step 226).

In this example, the TSA receives time distribution from TA1 to TA3. Thus, when receiving time distribution from a plurality of TAs, which time is used for time correction is the number of samples (distribution time), There are various methods depending on the time required for sample collection. For example, in order to remove the variation, it is possible to calculate an average value of the distribution time after excluding those having the maximum and minimum time errors, and to correct the clock unit 24 using the average value. .
As described above, in this example, time information is received and stored from a plurality of time distribution servers (TA), and among these time information, there is an error that is more than a predetermined value with respect to the time output by the clock unit 24. In such a case, the issue of the time stamp is stopped.

In the above example, the TSA performs operation control according to the train information. However, the TA may be configured to perform operation control according to the train information from the NTA.
For example, when a new TA is installed or when an alternative TA is installed at the time of TA failure, the time of the timepiece device may not be stabilized immediately after that. Conventionally, the person in charge observes the operation status of the TA, and when it becomes stable, time distribution is manually started.
In this embodiment, when the TA receives time audits from a plurality of NTAs and the time error from a certain number of NTAs (for example, 5 out of 7) falls within the allowable range, time distribution is automatically performed. Configure to start with.

More specifically, when TA requests time audit from NTA1 to NTA7 and receives an audit that the error is less than 500 [ms] from five or more of these seven NTAs, Start time distribution.
There are various types of time correction, such as using the average of the times distributed from the NTA except for the maximum and minimum times.

As described above, the TA can be configured to control the function by evaluating the accuracy of the time distributed from the NTA similarly to the TSA.
The TA configuration in this case is the same as the TSA, the tray information receiving unit 21, the comparison determination unit 22, the operation control unit 23, the tray information table 29, the policy information table 30, the action table 31, the clock unit 24, and the communication control unit. 26 and a time audit unit 12 may be further provided.
Then, a discriminant for determining whether or not the TA operation is stable is set in the policy information table 30, and the action when the TA operation is stabilized (TSA audit start) and the TA operation are stored in the action table 31. If the operation when it is not stable (continuation of time audit from NTA) is set, it is possible to make TA perform the above determination and operation.

Hereinafter, an example of the operation of the TA will be described using the flowchart of FIG.
First, after the authentication is completed, the TA (train information receiving unit 21) requests the train information from each NTA of the NTA1 to NTA7, receives a time audit, and receives and stores the train information from each NTA (step) 405).
At this time, the TA evaluates the accuracy of the delivery time of each NTA in the same way as the TSA, and if the accuracy of the delivery time of the NTA does not comply with the policy of the TA, processing such as excluding the NTA from the target is performed. Do.
Next, the TA (comparison / determination unit 22) examines the time error between the clock device of each NTA and its own clock unit 24 using these training information, and determines whether or not the time error is less than 500 [ms]. And output to the policy information table 30.

Next, the TA (operation control unit 23) determines whether there are 5 or more of the 7 NTAs whose time error with the clock unit 24 is less than 500 [ms].
The TA (operation control unit 23) further determines whether or not the current time of the TA is after a predetermined date and time.
This predetermined date and time is set in advance in order to secure a minimum necessary time until the TA is stabilized.

TA (operation control unit 23) is a timepiece when the time difference with 5 or more of 7 NTA is less than 500 [ms] and the current time of TA is after a predetermined date and time (step 410; Y). The time is corrected by the unit 24 (step 415), and the activation period of the time distribution function is set by the time audit unit 12 (step 420).
In addition, when the NTA with a time error of less than 500 [ms] with NTA is less than 5 out of 7 or when the time error with 5 or more of 7 NTA is less than 500 [ms], If the current time is not after the predetermined date and time (step 410; N), the NTA (operation control unit 23) causes the clock unit 24 to correct the time (step 415), and then the activation period of the time audit unit 12 Is set to 0, and the time distribution function of the time audit unit 12 is stopped (step 430).

In this case, the TA receives time information (training information) from the time distribution server (NTA) and stores it, and accuracy acquisition means (accuracy evaluation function) that acquires and stores the accuracy of the stored time information. Unit 27), a clock device that outputs time (clock unit 24), and a clock device correction that corrects the time of the clock device using the stored time information when the stored accuracy satisfies a predetermined condition The timepiece device includes means (operation control unit 23) and time information distribution means (time audit unit 12) for distributing time information using the corrected output of the timepiece device.
The TA in this example receives and stores time information from a plurality of time distribution servers (NTA), and among these time information, an error from the time output by the clock unit 24 is less than a predetermined value. When there is a predetermined value or more, time distribution is started.
In addition, a time stamp unit 25 may be provided in the TA so that both time distribution and time stamp issue can be performed.

FIG. 13 is a diagram illustrating an example of a hardware configuration of the TSA.
As shown in the figure, the TSA includes a CPU (Central Processing Unit) 51, a ROM (Read Only Memory) 52, a RAM (Random Access Memory) 53, a display unit 54, an input unit 55, a storage unit 56, an input / output I / O. An F (interface) 57, a communication control unit 26, a hardware security unit 59, and the like are included.

The CPU 51 performs various calculations according to programs stored in the ROM 52, the RAM 53, the storage unit 56, and the like, and controls each part of the TSA.
The ROM 52 is a read-only storage device, and stores basic programs and parameters for operating the TSA.
The RAM 53 is a readable / writable storage device, and it is possible to secure a working area when the CPU 51 communicates with a TA or a client terminal to perform information processing.

The display unit 54 is configured by a display device such as a CRT (Cathode Ray Tube) display, a liquid crystal display, or a plasma display, for example, and displays various types of information when an operator performs maintenance work on the TSA, for example. .
The input unit 55 includes input devices such as a keyboard and a mouse, and is used, for example, to operate the TSA when an operator performs maintenance work of the TSA.
The display unit 54 can display an edit screen for editing the policy of the TSA, and the operator can edit the determination formula of the policy information table 30 by operating the input unit 55. As a result, for example, the policy regarding time accuracy can be changed from 500 [ms] to 400 [ms].

  The storage unit 56 is configured by a large-capacity storage device such as a hard disk device, for example, and various programs such as a program for operating the TSA as a time stamp server, various programs such as an OS (Operating System), and log data. Data is stored.

The input / output I / F 57 is an interface for connecting to an external storage device or other peripheral devices, for example.
The communication control unit 26 is a functional unit that connects the TSA and the network, and connects the TSA to a TA or a client terminal.

The hardware security unit 59 is a hardware security module that is difficult to analyze from the outside. The CPU 60, the ROM 61, the RAM 62, the EEPROM (Electrically Erasable and Programmable ROM) 63, the internal clock 64, and the like are formed therein. ing. The EEPROM 63 can be replaced with another nonvolatile memory.
Although the TSA function can be realized by a hardware configuration of a standard information processing apparatus, the hardware security unit 59 has functions for issuing a time stamp, such as issuing a time stamp and correcting the time of the clock unit 24. Higher security can be achieved by making it difficult to seal and analyze and tamper from the outside.

The CPU 60 operates in accordance with programs stored in the ROM 61, RAM 62, and EEPROM 63, issues a time stamp to the hash value transmitted from the client terminal, receives a time audit from the TA, etc. The unit 24 is corrected, or communicates with the CPU 51 to operate in cooperation with the CPU 51.
The ROM 61 stores basic programs and parameters for operating the hardware security unit 59.
The RAM 62 provides a working area when the CPU 60 issues a time stamp or corrects the time.
The internal clock 64 is a clock device for issuing a time stamp, and in addition to a method of correcting the time of the internal clock 64 when correcting the time, there is a method of correcting a software clock using the internal clock 64. is there. In this case, the clock used for the time stamp is a software clock.

In the EEPROM 63, the CPU 60 issues a time stamp, corrects the time, or stores other programs, an authentication information table 28, a tray information table 29, a policy information table 30, an action table 31, and a time Various data such as information (serial number, time stamp information issued last time, time audit certificate information received last time) used when issuing a stamp or correcting time are stored.
By executing the program stored in the EEPROM 63 by the CPU 60, each functional unit such as the authentication unit 20, the tray information receiving unit 21, the comparison determination unit 22, the operation control unit 23, the clock unit 24, and the time stamp unit 25 is configured. The The clock unit 24 includes an internal clock 64 and a clock control function realized by a program. More specifically, this clock control function reads the time of the internal clock 64 or corrects it according to an instruction from the operation control unit 23.

  Although the hardware configuration of the TSA has been described above, the hardware configuration of the TA and NTA is the same as that of the basic TSA. As another form, in the case of TA, since it is required to maintain the time with high accuracy, it is highly accurate to use an atomic clock or GPS (Global Positioning System) instead of the clock in the hardware security module. Use a clock device.

The following effects can be obtained by using the TSA described above.
(1) The accuracy with respect to UTC at the time of delivery from TA can be evaluated, and operation control according to the evaluation can be performed.
(2) From the NTA to the TSA, it is possible to specify a transmission path through which the reference time is transmitted.
(3) The accuracy of the delivery time with respect to UTC can be evaluated using the reference time transmission path.
(4) It is possible to search for a TA that matches a policy such as accuracy.
(5) Comparing data (train information) obtained from a certain route with policy information set in itself, and performing state update / function control or data reliability check according to the comparison result it can.

It is the figure which showed an example of the system configuration | structure of the time stamp system which concerns on this Embodiment. It is a figure for demonstrating the structure of tray information. It is a functional block diagram for demonstrating the function of TA and TSA which concern on this Embodiment. It is a figure for demonstrating the logical structure of various tables. It is a flowchart for demonstrating the basic operation | movement of TSA. It is a flowchart for demonstrating the operation example of TSA. It is a flowchart for demonstrating the operation example of TSA. It is a flowchart for demonstrating the operation example of TSA. It is a flowchart for demonstrating the operation example of TSA. It is a flowchart for demonstrating the operation example of TSA. It is a flowchart for demonstrating the operation example of TSA. It is a flowchart for demonstrating the operation example of TA. It is the figure which showed an example of the hardware structure of TSA. It is the network figure which showed a part of network structure of the conventional time stamp system.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Authentication part 11 Tre information transmission part 12 Time inspection part 20 Authentication part 21 Tre information reception part 22 Comparison determination part 23 Operation control part 24 Clock part 25 Time stamp part 26 Communication control part 27 Accuracy evaluation function part 28 Authentication information table 29 Information table 30 Policy information table 31 Action table

Claims (15)

A reference time server that distributes a reference time, a plurality of time distribution servers that synchronize time with the distributed reference time, and a time information processing device that receives time information from the time distribution server. A time information processing device used in a network,
Time including accuracy information that depends on a transmission path from a plurality of the time distribution servers to the time information processing apparatus via the time distribution server from the reference time server, and transmission path information that identifies the transmission path Time information receiving means for receiving and storing the audit certificate;
For each stored time audit certificate, accuracy acquisition means for acquiring and storing the accuracy of the time information using the transmission path information;
A clock device that outputs a time for issuing a time stamp;
A timepiece device correcting means for selecting the most accurate one of the stored time information and correcting the time of the timepiece device;
Time stamp issuing means for issuing a time stamp using the corrected clock device;
A time information processing apparatus comprising: If the storage time accuracy does not satisfy a predetermined condition, the time information processing apparatus according to claim 1, characterized in that stopping the timestamp issuing means. The time stamp issuing means stops issuing a time stamp when there is an error in the stored time information that is not less than a predetermined value with respect to the time output by the timepiece device. The time information processing apparatus according to claim 1 or 2 . The time information processing unit according to any one of claims 1 to 3 , further comprising a time information distribution unit that distributes time information using the corrected output of the clock device. apparatus. The time information distribution means starts time distribution when the stored time information includes an error that is less than a predetermined value with respect to the time output from the timepiece device, and is greater than or equal to a predetermined value. The time information processing apparatus according to claim 4 . A distribution destination authenticating unit for authenticating a distribution destination for distributing time information is provided, and the time information distributing unit distributes the time information when the distribution destination is authenticated by the distribution destination authenticating unit. The time information processing apparatus according to claim 4 or 5 . The timepiece device correcting means, the accuracy of the selected time information is any one of the preceding claims, characterized in that to correct the time of the clock unit when satisfying a predetermined accuracy to claim 6 The time information processing apparatus according to claim. If the precision of the selected time information does not satisfy a predetermined condition, any one of the claims of claims 1 to 7, characterized in that to request time information to other time distribution server The time information processing apparatus described in 1. The time information processing according to any one of claims 1 to 8, wherein a priority of a time distribution server that distributes time information used for correction of the clock device is set. apparatus. The accuracy acquisition means includes the reference time server existing on the transmission path specified by the stored transmission path information, and the time accuracy specified by the reference time server and the time distribution server from the time distribution server. The time information processing apparatus according to any one of claims 1 to 9 , wherein the accuracy of the time information is acquired from the acquired accuracy. 11. The time information processing apparatus according to claim 10 , wherein when the accuracy of time is acquired from the reference time server and the time distribution server, the reference time server and the time distribution server are authenticated. A reference time server that distributes a reference time, a plurality of time distribution servers that synchronize time with the distributed reference time, and a time information processing device that receives time information from the time distribution server. A time information processing device used in a network,
Time including accuracy information that depends on a transmission path from a plurality of the time distribution servers to the time information processing apparatus via the time distribution server from the reference time server, and transmission path information that identifies the transmission path Time information receiving means for receiving and storing the audit certificate;
For each stored time audit certificate, accuracy acquisition means for acquiring and storing the accuracy of the time information using the transmission path information;
A clock device that outputs a time for issuing a time stamp;
A time stamp issuing means for issuing a time stamp using the clock device;
Priority setting means for setting the priority to the time distribution server;
Comprising
Correction of the time of the timepiece device using the most accurate information among the stored time information, setting of time stamp issuance by the time stamp issuing means, or priority of the time distribution server by the priority setting means A time information processing apparatus characterized in that at least one of the settings is selected and performed. It comprises a time distribution server authentication means for authenticating said time distribution server, the time information receiving means, claims 1 to 12, characterized in that to receive the time information when the time distribution server is authenticated The time information processing apparatus according to any one of the preceding claims. A reference time server that distributes a reference time, a plurality of time distribution servers that synchronize time with the distributed reference time, and a time information processing device that receives time information from the time distribution server. A time information processing method used in a time information processing apparatus used in a network,
The time information processing apparatus includes a time information receiving unit, an accuracy acquisition unit, a clock device that outputs a time for issuing a time stamp, and a clock device correction unit.
The time information receiving unit specifies time information whose accuracy depends on a transmission path from the plurality of time distribution servers to the time information processing apparatus from the reference time server through the time distribution server, and the transmission path. A time information receiving step for receiving and storing a time audit certificate including transmission path information to be transmitted;
An accuracy acquisition step in which the accuracy acquisition means acquires and stores the accuracy of the time information using the transmission path information for each stored time audit certificate;
A timepiece correction step in which the timepiece correction means selects the most accurate one of the stored time information and corrects the time of the timepiece;
The time information processing method characterized by comprising. A reference time server that distributes a reference time, a plurality of time distribution servers that synchronize time with the distributed reference time, and a time information processing device that receives time information from the time distribution server. A time information processing method used in a time information processing apparatus used in a network,
The time information processing device includes a time information receiving unit, an accuracy obtaining unit, a clock device that outputs a time for issuing a time stamp, a time stamp issuing unit that issues a time stamp using the clock device, Priority order setting means for setting the priority order of the server device,
The time information receiving unit specifies time information whose accuracy depends on a transmission path from the plurality of time distribution servers to the time information processing apparatus from the reference time server through the time distribution server, and the transmission path. A time information receiving step for receiving and storing a time audit certificate including transmission path information to be transmitted;
An accuracy acquisition step in which the accuracy acquisition means acquires and stores the accuracy of the time information using the transmission path information for each stored time audit certificate;
With
Correction of the time of the timepiece device using the most accurate information among the stored time information, setting of time stamp issuance by the time stamp issuing means, or priority of the information distribution server by the priority setting means A selection execution step that is performed by selecting at least one of the settings of
The time information processing method characterized by comprising.

Images