WO2008061389A1 - Device and method for document management - Google Patents

Device and method for document management

Info

Publication number
WO2008061389A1
Authority
WO
WIPO (PCT)
Prior art keywords
journal
document
time stamp
signature
timestamp
Prior art date
Application number
PCT/CH2007/000587
Other languages
German (de)
English (en)
Inventor
Patrick Richter
Jürg BIRCHER
Original Assignee
Uptime Products Ag
Application filed by Uptime Products Ag
Publication: WO2008061389A1

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/645 Protecting data integrity, e.g. using checksums, certificates or signatures, using a third party
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2151 Time stamp

Definitions

  • the present invention relates to a document management apparatus and method according to the preambles of independent claims 1 and 11.
  • the invention relates specifically to an audit-proof document management system (DMS), i.e. the capture, storage, management, making available and retrieval of such documents, so that in particular the integrity and the storage time of the stored documents can be determined in a binding manner.
  • DMS document management system
  • Documents are understood here to be systemically closed units of data which form a contextual unit. As far as paper documents are concerned, these can be letters, forms, administrative files, receipts or even entire books.
  • multimedia files (such as a photograph) can represent documents in a broader sense.
  • dynamic data groups are not to be understood as "documents": they are typically managed in database systems which map continuously changing contents that do not form a uniform context on the screen, or ephemeral data sets, in particular if they serve purely technical functions and are not intended for a single person.
  • a document is characterized by the following typological features: formal unity (structure, design), document order (order, logical affiliation, Version etc.), communicative content, document character (legal properties, editing options, archival eligibility, etc.), time (creation, modification date, last access, archiving time, etc.), personal data (creator, distributor, reader, person responsible, etc.).
  • the document implicitly or explicitly contains this information or it is associated with the document as attributes or linked to it.
  • a digital document can be present as a directly readable character string, coded according to standardized character sets (so-called Coded Information Documents, CI-D), or as an image file or other non-coded data set (so-called NCI-D, i.e. Non Coded Information Documents).
  • CI-D Coded Information Documents
  • NCI-D non-coded data set
  • document management systems differ fundamentally from the so-called database management system, which in turn can provide supporting functions for a document management system, but which concern a different problem level.
  • the present invention serves equally the management of digitized paper-based documents as well as the management of electronic documents, which under the term of electronic document management (EDM) represent a subset in the field of document management systems.
  • EDM electronic document management
  • document management in the narrower sense which is primarily intended to cover the administrative functions of large document databases.
  • document management systems in the narrower sense are described in ISO standard 10166 for Document Filing & Retrieval (which, however, is not significant in practice).
  • the information managed by DMS in the narrower sense is document-oriented. Their management, especially access and presentation, are determined by document features.
  • DMS Document Management Systems
  • ECM Enterprise Content Management Systems
  • US 5,742,807 discloses a system and a method in which electronically stored documents are identified by means of document attributes through a one-way hash function and are managed via a hash-storage-location intermediate index for the document management system. This intermediate index is used for allocating and finding document attributes in memory.
  • US 6,810,404 shows a method for processing documents of various types (paper-based and electronic documents) in a computerized system.
  • the system is used to record, manage and archive such documents; their document attributes are analyzed and checked against preconditions for archiving in order to determine whether the document can be archived.
  • an archive index is formed and the document may be moved from a first to a second memory area.
  • This system deals with the archivability of a document but likewise does not provide a solution for a revision-proof DMS. From JP 2001 2431 19A2 it is known to check data integrity when document groups are transferred between two memory areas. That solution, however, does not establish the integrity or authenticity of each individual document in an archive store.
  • the invention uses for this purpose a method for document management for audit-proof archiving with the following method steps:
  • journal this time stamp signature as a journal entry in a journal file; 4. repeat steps 1 to 3 for at least one further document or a plurality of documents, forming a journal file with journal entries of the time stamp signatures of the corresponding documents;
  • the data set containing the hash value of the digital document and the internal time stamp is provided with a signature of a server (internal time stamp signature), with information about the hash function or the relevant algorithm, and with document information (file ID, document or document component information and version number).
  • the corresponding journal entry is provided with an identifier about the respective journal and / or journal segment (journal ID and journal segment ID).
  • the document meta data is preferably also stored.
  • a journal entry ID can be stored with each journal entry, assigned to the document and stored in a memory area
  • this journal entry ID is preferably returned to the document (mapping).
  • additional attributes and/or properties of the document 1' are stored with each journal entry, such as a document ID, which allows a fast and efficient assignment of journal entry to document.
  • This document ID is also preferably returned to the document or its document container.
  • the first data set is preferably assigned a unique number or a unique document ID in addition to the hash value of the digital document and the internal time stamp. It is also possible to add a serial number and/or special metadata and/or additional time information to the first data set.
  • a preferred embodiment of the method provides that not only the hash value of the respective journal is transmitted to the certified time stamp company, but alternatively or cumulatively the complete journal.
  • the inventive device for document management for audit-proof archiving has a computer/server for creating time stamps and/or time stamp signatures for each document to be stored, a journalization unit for recording the time stamps and/or time stamp signatures in a uniform journal file, and a communication connection to a certified time stamp authority (TSA).
  • TSA certified time stamp authority
  • this communication connection can be made by the server itself or by a separate computing/communication unit.
  • the journalization unit may be integrated with the server.
  • a variant of the invention provides that, at intervals, interval time stamp signatures over the entire journal file are stored in the journal file, in addition to or instead of the time stamp signatures for the individual documents.
  • the server generates a timestamp signature for the entire journal file at intervals after several documents to be stored or even after each document, up to the respective time / content status of the journal file.
  • journal entries can be journalized within a journal within a journalization unit, and only then stored in a final journal, the timestamp signature being obtained only for the final journal.
  • a searchable index is preferably additionally stored in or together with the journal file.
  • FIG. 2a shows a document management system with a time stamp signature method according to the invention
  • FIG. 2b shows a second embodiment of a document management system with a time stamp signature method according to the invention
  • FIG. 2c shows a third exemplary embodiment of a document management system with a time stamp signature method according to the invention
  • Fig. 5 is a schematic diagram for explaining the verification process with respect to the embodiment of Figure 2c
  • the invention relates to the portion of a DMS that relates to the storage and archiving of documents.
  • Functionality, terminology and system structure of such DMS are assumed to be known in the following.
  • the invention can be used, for example, in connection with the document management system ARTS® of UPTIME products AG, CH-8004 Zurich (http://www.uptime.ch), which covers the areas of document capture, processing, archiving and document retrieval. Archiving is understood to mean the permanent storage of documents, as a rule
  • scanned documents, in particular paper-based documents such as letters, incoming invoices, delivery notes, signatures, policies, etc., or outgoing documents such as customer letters, receipts, etc., which are stored in a known manner (still commonly referred to as the "COLD" (Computer Output on Laserdisk) method).
  • COLD Computer Output on Laserdisk
  • a challenge with such archiving processes is guaranteeing the so-called revision security as well as ensuring that the archived documents remain legible and retrievable even after a long time, i.e. after ten years or more.
  • revision security, which as a rule presupposes the fulfillment of defined criteria such as data integrity, temporal assignability and definiteness of the archiving procedure according to national legislation, presents problems if the archiving cost per document is to remain affordable.
  • a temporal verification is required.
  • time stamps and digital signature procedures issued by a certified independent authority (usually called electronic signature procedures) are required for a large number of documents to be archived.
  • TSA Time Stamp Authority
  • PKI time stamp authority
  • FIG. 1 shows a conventional archival process in which a digital signature is obtained from a certified issuer of time stamp signatures ("time stamp company"), here designated TSA (Time Stamp Authority).
  • Such a digital signature contains a time stamp for verifying the documents and further data, which is explained in more detail below.
  • A paper-bound document 1 is digitized in a first step to a digital document 1' and stored in a repository 10.
  • This digital document 1' is assigned a so-called fingerprint 2 in a known manner:
  • using a hash function, e.g. SHA-1,
  • a hash value H is calculated for the document.
  • the fingerprint is also supplemented by a random number, a nonce N.
  • the corresponding unique value of the fingerprint 2 represents the content of the document 1' (and thus of the document 1).
  • this fingerprint 2 is supplemented by an internal time stamp T.
  • the first data group 3 (T + H + N) is now transmitted to the TSA.
  • the TSA adds to this data group 3 an accurate time, i.e. a verified time stamp VT of the TSA, and, if necessary, additional authentication information AI.
  • These data are finally signed with the private key of the TSA, usually by means of an asymmetric method; the signature can later be checked with the TSA's public key.
  • the document 1' and the time stamp signature 4 are archived individually or jointly in the DMS in a data container 1', 4. In this way the time and integrity of the document 1' can be checked at a later time by means of the time stamp signature 4. It will be appreciated by those skilled in the art that, in the context of this per se known process, the inclusion of the TSA for each individual document in particular brings with it the aforementioned disadvantages and problems.
  • a document 1 is, if not already present as a digital document, scanned or digitized to a digital document 1', in the present example, for instance, as a PDF file.
  • a fingerprint 2 is formed for the document 1' from a hash value H and a nonce N.
  • the fingerprint is assigned an internal time stamp Ts.
  • an internal time stamp Ts is understood to mean a time stamp which is generated by the company using or operating the DMS.
  • this time stamp is issued by a central, in-house or independent UTC-synchronized server 5.
  • this server 5 does not have the quality of a TSA because it is not operated by a publicly certified institute.
  • the invention makes it possible to associate with each document 1' or its fingerprint, in addition to the internal time stamp Ts, a sequential number (serial number/ID), special metadata or additional time information (cf., for example, the embodiment described below according to FIG.)
  • the server 5 creates a certificate, preferably signed by means of a private key k_s^-1 of the server 5, representing a signed internal time stamp IT_n (corresponding to an internal time stamp signature), which is typically at most 100-200 bytes.
  • This signed, but not TSA-certified, time stamp IT_n does not by itself meet the auditability criteria.
  • with a public key k_s (not shown in the figure) of the server 5, the hash value and the internal time stamp Ts can be extracted and checked from a repository 10 or by individual clients at a later time.
  • the signing by means of the private key k_s^-1 can also be omitted, for example if immediate certification of the document is not required (e.g. very short chronological sequence of journal files) or not feasible (e.g. for very large transaction volumes); the unsigned internal time stamp IT_n then contains only the data H, N and Ts and is used in this form for the subsequent journaling.
  • the respective signed internal time stamps IT_n are chronologically journalized, preferably in a uniform journal file 7.
  • Each journal entry comprises, per document 1', the data of the internal time stamp IT_n.
  • each journal entry can contain additional information, such as a journal entry ID JEID_n, an identifier for the respective document class (dependent on the respective DMS), as well as other attributes and properties of the document 1' (depending on the DMS).
  • the journal entry ID JEID_n and/or a journal ID JID_n can be added to the container file of the document 1' so as to make it possible at a later date to easily assign the document to its internal time stamp signature IT_n.
  • each journal file in turn has a journal ID JID_n for uniquely identifying each journal.
  • this journal ID JID_n makes it possible to identify the relevant journal J_n at a later point in time if a specific document needs to be verified and its journal entry data is required for this purpose. If required, the journal ID JID_n can also be used to record the chronology of the journals or other classification criteria and information.
  • After expiration of a certain time interval or after a predefined number of internal time stamp signatures IT_n has been recorded, the respective journal 7 is completed. Such a time interval may be, for example, an hour, a day or a month. Immediately after completing the journal 7, it is saved as a single file, unless it has already been written as a journal file during journal entry. This is necessary, for example, if the journal entries are recorded individually on a database basis. This journal file 7 is in turn provided with a time stamp signature 9 via a TSA (or a TSA server).
  • TSA or a TSA server
  • a fingerprint method is used here as well: the journal file is uniquely identified by a hash value and optionally a nonce or the journal ID JID_n, and this data set 8 consisting of the hash value (and nonce or journal ID) is transmitted to the TSA in order to have the journal file time-stamped and signed.
  • the journal file itself may be assigned additional time stamps by the server 5, which represent, for example, the beginning and the end of the journal, or further metadata.
  • the respective journal files 7 as well as the associated time stamp signatures 9 of each journal file 7 and the journal ID JID_n are stored here in a common repository 10. It can be seen from FIG. 2a that here the digital documents 1' are also stored in the same repository 10.
  • each individual document 1' (and hence a paper-bound document 1 identified thereby) is verifiable as to its integrity via the signature associated with it, and at the same time, by means of the authenticatable journal file 7, which is provided by a TSA with a time stamp signature 9, its authenticity is established (the term authenticity is not to be understood here in the sense of a personal verification).
  • the system is thus able to ensure audit security with high performance, while at the same time the transaction volume with the TSA is massively reduced in accordance with the task (one TSA time stamp per journal instead of one per document), and the data traffic between the local server and the TSA is correspondingly low.
  • an index is created which makes it possible, for document retrieval, to quickly find and verify the documents via the fingerprints, serial numbers of the documents or time ranges.
  • the corresponding journal file 7 is retrieved via the fingerprint of the corresponding document and the associated internal time stamp signature IT_n of the document 1' is determined.
  • the journal file concerned for the time stamp IT_n in question is called up via a suitable query, e.g. a time identification or metadata of the document, such as journal ID, document type, etc., and the time stamp signature IT_n is read out.
  • the respective time stamp signature IT_n can alternatively be addressed directly via the journal entry ID JEID_n (if necessary including the journal ID reference).
  • the assignment of the document 1' to the associated time stamp signature IT_n preferably takes place via its fingerprint.
  • the associated hash value and the time stamp can be checked by means of the public key of the TSA and of the server 5, which verifies the certified time and the integrity of the document.
  • the integrity check is performed by comparing the hash value read out with the hash value determined from the document to be checked by means of the corresponding hash function.
  • the method according to the invention can be well integrated into a DMS in which several representations of the same document exist. In these cases it is selectable whether only the main document, several or all representations of the same document 1' are provided with a time stamp signature.
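The journaling scheme of FIG. 2a and the verification steps described above, as an added example in Python (not code from the patent or from the ARTS product). It assumes: the asymmetric signatures of the server (k_s^-1) and of the TSA (k_TSA^-1) are stood in for by HMAC-SHA256 with constructed keys, so that the example needs nothing beyond the standard library; SHA-256 is used where the patent names SHA-1; the journal hash h[J] is computed over the canonical JSON of the entries; document contents, nonces and clock values are constructed. The names Server, TSA, archive and verify are this example's own.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

HASH = "sha256"   # assumption: the patent names SHA-1 as its example hash function


def sign(key: bytes, payload: dict) -> str:
    """Stand-in for an asymmetric signature: HMAC over canonical JSON (assumption)."""
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), HASH).hexdigest()


def fingerprint(document: bytes, nonce: str) -> dict:
    """Fingerprint 2 of a document: hash value H plus nonce N."""
    return {"H": hashlib.new(HASH, document).hexdigest(), "N": nonce}


@dataclass
class Server:
    """Internal, UTC-synchronised server 5: issues Ts and IT_n, is not a TSA."""
    key: bytes
    clock: int          # constructed internal clock

    def internal_timestamp_signature(self, fp: dict, jeid: int) -> dict:
        self.clock += 1
        entry = {"JEID": jeid, "H": fp["H"], "N": fp["N"], "Ts": self.clock}
        entry["sig_s"] = sign(self.key, entry)       # IT_n = {H, N, Ts} signed with k_s^-1
        return entry


@dataclass
class TSA:
    """Certified time stamp authority: stamps one journal hash, not documents."""
    key: bytes
    verified_time: int   # constructed verified time VT
    calls: int = 0

    def timestamp(self, h_j: str) -> dict:
        self.calls += 1
        stamp = {"h_J": h_j, "VT": self.verified_time}
        stamp["sig_tsa"] = sign(self.key, stamp)     # time stamp signature 9
        return stamp


def journal_hash(entries: list) -> str:
    """Data set 8: hash over the complete journal file (canonical JSON here)."""
    return hashlib.new(HASH, json.dumps(entries, sort_keys=True).encode()).hexdigest()


def archive(docs: list, server: Server, tsa: TSA, jid: str = "J-0001") -> dict:
    """Journal every document internally, then obtain a single TSA stamp for the journal."""
    entries = [server.internal_timestamp_signature(fingerprint(d, secrets.token_hex(8)), n)
               for n, d in enumerate(docs)]
    journal = {"JID": jid, "entries": entries}
    journal["stamp"] = tsa.timestamp(journal_hash(entries))
    return journal


def verify(document: bytes, jeid: int, journal: dict, k_s: bytes, k_tsa: bytes):
    """Return (Ts, VT) if the document is intact and its entry is covered by the
    TSA-stamped journal; None on any mismatch (fail closed)."""
    entry = next((e for e in journal["entries"] if e["JEID"] == jeid), None)
    if entry is None:
        return None
    # 1. integrity: recompute the hash with the same function and compare
    if hashlib.new(HASH, document).hexdigest() != entry["H"]:
        return None
    # 2. the server's internal time stamp signature over (JEID, H, N, Ts)
    body = {k: v for k, v in entry.items() if k != "sig_s"}
    if not hmac.compare_digest(sign(k_s, body), entry["sig_s"]):
        return None
    # 3. authenticity in time: the stamped journal hash must match the journal as stored
    stamp = journal["stamp"]
    if stamp["h_J"] != journal_hash(journal["entries"]):
        return None
    if not hmac.compare_digest(sign(k_tsa, {"h_J": stamp["h_J"], "VT": stamp["VT"]}), stamp["sig_tsa"]):
        return None
    return entry["Ts"], stamp["VT"]


def demo():
    """Five documents, one TSA transaction; an altered document and a backdated entry fail."""
    k_s, k_tsa = b"server-key-constructed", b"tsa-key-constructed"
    docs = [b"PDF-1.4 incoming invoice no. %d" % n for n in range(5)]   # constructed
    server, tsa = Server(k_s, clock=1000), TSA(k_tsa, verified_time=2000)
    journal = archive(docs, server, tsa)
    intact = verify(docs[3], 3, journal, k_s, k_tsa)
    altered = verify(docs[3] + b" altered", 3, journal, k_s, k_tsa)
    forged = json.loads(json.dumps(journal))
    forged["entries"][3]["Ts"] = 1                   # backdate an entry after stamping
    backdated = verify(docs[3], 3, forged, k_s, k_tsa)
    return tsa.calls, intact, altered, backdated


if __name__ == "__main__":
    print(demo())
```

The point of the third check in verify is the one the text relies on: the TSA stamp covers h[J] of the completed journal, so every entry inherits the certified time VT from one TSA transaction, and any later change to any entry (or to the document it describes) invalidates the check. The journal file must therefore be preserved intact next to its stamp, and an internal Ts alone is only as trustworthy as the server key that signed it.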
  • FIG. 2b shows a further variant of the invention which differs in several ways from the exemplary embodiment described above.
  • a digital document 1' is to be archived in a revision-proof manner.
  • the digital document 1' is associated with metadata (e.g. keywords, author, creation date, etc.); document 1' and metadata together are understood in the present case as the document container 1".
  • a unique document ID DocID is also assigned. Similar to the embodiment according to FIG. 2a, a hash value is now formed over the document container 1" and, together with the document ID DocID, is provided by an internal server 5 with an internal time stamp Ts so that a time stamp signature IT_n is created.
  • the document ID is stored in a database 12.
  • the document 1' or the document container 1" is stored in a repository 10, which may coincide with the database 12.
  • a nonce is no longer provided in this method or the corresponding device. If required, a hash value can alternatively be formed only over the actual document 1' (without metadata and possibly further data).
  • At least one, but usually a plurality of such time stamp signatures IT_n are now stored in a journal 7 analogously to the embodiment described above. It can be clearly seen from FIG. 2b, however, that each journal entry IT_n is indexed with the corresponding document ID DocID_n instead of a journal entry identifier, which allows each entry IT_n to be assigned directly to a document container 1".
  • the closing and signing of each journal 7 within the journalization unit 11 by means of a time stamp signature can be done in an analogous manner to the embodiment described above or according to the options described below:
  • the journals 7, journal IDs JID_n, the time stamp signatures 9 and other administrative data (such as public keys, etc.) are stored in the repository 10.
  • the journal IDs JID_n are also stored in the database 12 and managed and indexed together with the respective document IDs, so that at a later time, using journal ID and document ID, the journal entry IT_n associated with a specific document 1' or document container 1" can be found very quickly and the corresponding verification of the document carried out (see the description below in detail).
  • the inventive method and the corresponding device in this variant are designed so that for each document 1' the journal ID JID_n is not only stored in the database 12 or in the repository 10, but is also returned to each document 1' (mapping).
  • FIG. 2c shows a further embodiment variant of the invention.
  • This variant is distinguished by the possibility of exporting or verifying the document container 1" or parts thereof in a revision-proof manner, detached from the entire journal; as in the examples described above, a journal entry is generated per document container 1" in the sense of the following statements.
  • in this example the document container 1" contains not only a single document 1' but several representations of the document 1', shown here as one file each in PDF and DOC format.
  • the document container 1" may contain any number of document representations C1, C2 or additional information, such as metadata C3, for example.
  • the document container 1" can contain components C1 to Cn; in other words, a document to be journaled in an audit-proof manner can also be formed by a single component of the document container 1".
  • various representations of a document each represent one of the components C1 to Cn of the document container 1".
  • the metadata C3 or other document information (such as special file attributes), associated auxiliary documents, etc. can be understood as a special case of a document component Cn.
  • a journal entry JE_n created for each document or document component C_n contains the following data:
  • the internal time stamp signature IT_n is created similarly to the above example, as shown in FIG. 2b.
  • a hash value h[C_x] is calculated for a document component C_x and committed in the respective associated time stamp signature IT_x (not shown in FIG. 2c).
  • for each of several document components C_x ... C_y, hash values H(C_x) ... H(C_y) or, in special cases, a common hash value H(C_x ... C_y) (the latter not shown and not described further below) can be calculated and stored in the internal time stamp signature IT_n.
  • the respective time stamp Ts and the associated certificate (RSA signature) are in turn supplied by a server 5.
  • the private key k_s^-1 of the server 5 is neither permanently stored in the system nor available outside the respective process; rather, it is held only in process memory for the duration of the process.
  • as algorithm information AI_n, the required data on the digest algorithm used in the system are stored so that at a later date it is directly traceable from the journal entry JE_n with which function the aforementioned hash values were calculated. This makes it possible to replace the hash function at a later point in time in a system according to the invention (e.g. from SHA-1 to SHA-2). For completeness it should be noted that, if desired, the algorithm information AI_n may also be stored only at the level of journal segments or even only of the full journal, and only exported together with the respective journal entry JE_n (see below).
  • the component information CI_n serves to identify the respective document component C_x.
  • the file ID (FileID) of the document container 1", component name and component version are used here for unique identification of a file component, but it is also possible to use a standalone document ID as shown in the above examples.
  • component data CD_n are stored in the journal entry JE_n. This information is used here preferably for later searches directly in a stored journal or journal segment.
  • the component data CD_n here include, for example, the metadata C3. The scope and type of the component data CD_n to be stored can be defined system-dependently. For the actual verification process of the respective document components, the component data CD_n are not necessarily required or not relevant.
  • finally, the journal ID JID_n and the journal segment ID SID_n have to be addressed. This information is fixed at the latest during the actual storage process of the journal entry JE_n in the journalization device 11.
  • several archiving or working processes P1 to Pn can take place within the framework of the DMS.
  • for each process P1 to Pm a journal segment JS1 to JSm is provided; these segments are stored in total in a single overall journal 7 within the journalization unit 11.
  • each journal segment JS_m is identified by a journal segment ID SID_m.
  • Since each journal entry JE_n is stored in a journal segment, the journal entry JE_n can be assigned a journal ID JID_n and a journal segment ID SID_n during the storage process. In this way each journal entry JE_n contains the information packs mentioned above: JID_n, SID_n, IT_n, AI_n, CI_n and CD_n.
  • the journal entry JE_n contains an RSA signature plus a time stamp Ts.
  • journal ID JID_n and journal segment ID SID_n permit the unambiguous assignment of the respective journal entry JE_n to a journal segment JS_m.
  • journal entries JE_n are stored in this manner within a journal segment JS_m.
  • a public key k_Pm of each work process is stored in each journal segment JS_m.
  • the respective public key k_Pm is stored encrypted, symmetric encryption being preferred.
  • each journal segment JS_m is signed at its conclusion by a certified time stamp 9 of a certified time stamp authority TSA.
  • for this purpose a data set 8 is transmitted to this TSA.
  • This data set 8 contains at least one hash value h[k_Pm] of the respective public key k_Pm.
  • a certified time stamp 9 can be obtained and either the journal 7 signed as a whole or the relevant time stamp 9 stored multiple times, i.e. per journal segment JS_m. In most cases, obtaining a single certified time stamp 9 and storing it once per entire journal is preferable.
  • the journal 7 shown in FIG. 2c is understood as a temporary journal.
  • in a temporary journal 7, instead of the above-described symmetric encryption of the respective public keys k_P1 to k_Pm, these can also be signed (temporarily for the duration of the process).
  • each journal entry JE_1,1 to JE_m,n has a journal ID JID_n and a journal segment ID SID_m
  • the public keys k_P1 to k_Pm can be stored separately in the final journal 7', since each journal entry can again be assigned via its journal segment index.
  • the final journal 7' thus contains the following data areas: all journal entries JE_1,1 to JE_m,n (sorted or search-optimized), the certified time stamp 9 (see below) and all public keys k_P1 to k_Pm. These public keys k_Pm are stored unencrypted in the final journal 7', i.e. the above-mentioned symmetric encryption of the respective public key k_Pm is optionally removed.
  • the DMS's own document classes are preferably also stored in the final journal 7', which, together with the data contained in the journal entries (especially metadata), allows wide search options directly in the respective journals 7' and accordingly a self-contained verification and search structure (without the actual document or component content itself).
  • in the final journal 7', unlike in a temporary journal 7, the public keys k_P1 to k_Pm, as briefly mentioned above, need not be additionally encrypted or signed, since the temporal authenticity of the journal 7' is secured by a certified time stamp, as explained below.
  • the final journal 7' thus specified is now provided with a verified time stamp 9'.
  • This contains a hash value over all public keys k_P1 to k_Pm and a certified time stamp and thus serves the temporal verification and integrity check of the journal.
  • an external HSM device (high security module)
  • carries out the authentication, since this is required only per journal and not per document component, and thus the aforementioned disadvantages are largely avoided.
  • the journal(s) 7 are again stored in a repository 10, which in the present embodiment also forms the storage area for the document containers or document components.
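The journal entry layout JE_n = (JID_n, SID_n, IT_n, AI_n, CI_n, CD_n) of FIG. 2c, with one entry per document component C_x and the algorithm information AI_n driving verification, as an added example in Python (not the patent's or Uptime Products' code). It assumes: IT_n is reduced to the component hash and internal time stamp Ts (the RSA signature, the per-process keys k_Pm and the TSA stamp are left out, since the example is about the entry structure and hash-function migration); file IDs, component contents, metadata and clock values are constructed; JournalSegment, final_journal, verify_component and search are names of this example.

```python
import hashlib
from itertools import count

DIGESTS = {"SHA-1": "sha1", "SHA-256": "sha256"}   # AI_n value -> hashlib name


def digest(algorithm: str, data: bytes) -> str:
    """Compute h[C_x] with the function named by the algorithm information AI."""
    return hashlib.new(DIGESTS[algorithm], data).hexdigest()


def journal_entry(jid, sid, file_id, name, version, content, meta, algorithm, ts):
    """JE_n for one document component C_x of the container identified by file_id."""
    return {
        "JID": jid, "SID": sid,                                            # journal / segment
        "IT": {"h": digest(algorithm, content), "Ts": ts},                 # IT_n, unsigned here
        "AI": algorithm,                                                   # AI_n
        "CI": {"FileID": file_id, "component": name, "version": version},  # CI_n
        "CD": dict(meta),                                                  # CD_n, search only
    }


class JournalSegment:
    """JS_m: the journal entries written by one work process P_m."""

    def __init__(self, jid, sid):
        self.jid, self.sid, self.entries = jid, sid, []

    def journal_container(self, file_id, components, meta, algorithm, clock):
        """One JE per component (name, version, content) of a document container."""
        for name, version, content in components:
            self.entries.append(journal_entry(self.jid, self.sid, file_id, name, version,
                                              content, meta, algorithm, next(clock)))


def final_journal(segments):
    """Final journal 7': all entries of all segments, sorted for searching."""
    entries = [e for s in segments for e in s.entries]
    return sorted(entries, key=lambda e: (e["SID"], e["CI"]["FileID"], e["CI"]["component"]))


def verify_component(journal, file_id, name, version, content):
    """Recompute the component hash with the function recorded in AI_n of its entry.
    Returns (matches, algorithm, Ts), or None if no entry exists for the component."""
    for e in journal:
        ci = e["CI"]
        if (ci["FileID"], ci["component"], ci["version"]) == (file_id, name, version):
            return digest(e["AI"], content) == e["IT"]["h"], e["AI"], e["IT"]["Ts"]
    return None


def search(journal, **criteria):
    """Find components by their component data CD_n without touching document content."""
    return [e["CI"] for e in journal
            if all(e["CD"].get(k) == v for k, v in criteria.items())]


def demo():
    clock = count(1000)                      # constructed internal clock for Ts
    js1 = JournalSegment("J-0007", "S-1")    # process P_1: entries written under SHA-1
    js1.journal_container("F-42", [("main", 1, b"PDF invoice 42"), ("source", 1, b"DOC invoice 42")],
                          {"author": "alice", "type": "invoice"}, "SHA-1", clock)
    js2 = JournalSegment("J-0007", "S-2")    # process P_2: after the switch to SHA-256
    js2.journal_container("F-43", [("main", 1, b"PDF letter 43")],
                          {"author": "bob", "type": "letter"}, "SHA-256", clock)
    journal = final_journal([js1, js2])
    ok = verify_component(journal, "F-42", "source", 1, b"DOC invoice 42")
    bad = verify_component(journal, "F-43", "main", 1, b"PDF letter 43 altered")
    return ok, bad, search(journal, author="alice")


if __name__ == "__main__":
    print(demo())
```

Because AI_n travels with the entry, old SHA-1 entries remain verifiable after the system has moved to SHA-256, and the verifier never has to guess which function produced a stored hash. The caveat a practitioner should keep in mind: AI_n records which function was used, not that it is still considered strong, so a migration plan still needs to re-journal or re-stamp components whose hash function has become collision-prone.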
  • FIG. 3 now shows the method sequence of the archiving process according to the invention in a flow chart for the exemplary embodiment according to FIG. 2a.
  • a digitization step is undertaken and a digital file D1' is created. This is done for example by a scan.
  • a first data set DM1 is created which contains a hash value h[D1'], a nonce N and an internal time stamp Ts, which is obtained from a server 5 (not from the TSA).
  • This process step can be omitted in special systems (cf. also above or dependent claim 2).
  • Embodiments in which, after the first method step, the first data set DM1 (per document) is signed with a private key of a server 5 to a time stamp signature {DM1}k_s^-1 for the subsequent journalization, however, always have the advantage of a particularly high security against inadmissible modifications.
  • This time stamp signature {DM1}k_s^-1 is journaled in a next step d) as a journal entry JE1 and, in preferred variants of the invention, complemented by other data such as a journal entry ID JEID1 or document attributes (such as a document ID DocID1).
  • the next procedural step f) is that a journal is completed according to predetermined termination criteria (e.g. time interval or number of journal entries JE_An) and its hash value h[J_A] (possibly supplemented by a nonce or journal ID JID_n) is transmitted to a TSA, where the hash value of the journal J_A is provided with a certified time stamp T_A and signed by means of a private key k_TSA^-1 of the TSA to a time stamp signature {h[J_A], T_A}k_TSA^-1. This time stamp signature {h[J_A], T_A}k_TSA^-1 is returned to the respective enterprise (usually server 5).
  • predetermined termination criteria, e.g. time interval or number of journal entries JE_An
  • hash value h[J_A], possibly supplemented by a nonce or journal ID JID_n
  • the journal J_A and the time stamp signature {h[J_A], T_A}k_TSA^-1 are now stored in a suitable repository 10 at the respective company.
  • in a method step g) the method steps a) to f) are repeated analogously so that a journal file J_B is created, which is correspondingly time-stamped via the TSA and, in a method step h), stored together with its time stamp signature {h[J_B], T_B}k_TSA^-1 in a repository 10.
  • These process steps g) and h) can be repeated as needed.
  • In a further variant, the respective journal files 7 are secured not only after their completion with the external time stamp signature {h[J_A], T_A}k_TSA^-1, but additionally by internal time stamp signatures, which are created at intervals by the server 5 or by a separate server and which allow the integrity of the journal itself to be verified.
  • These interval time stamp signatures can be created periodically (e.g. after every m journal entries IT_m or every 30 minutes) and integrated into the journal file, so that it has, for example, the structure IT_1, IT_2, ..., IT_m, ITZ_1, IT_m+1, ..., ITZ_2, ..., IT_n-1, IT_n, where ITZ_1 stands for a first and ITZ_2 for a second interval time stamp signature.
  • Interval time stamp signatures are advantageous because they further increase the manipulation resistance of the overall system, and they may be particularly advantageous if not every single journal entry IT_n is signed. In these cases the interval time stamp signatures ensure (internal) temporal authenticity at regular intervals before the journal as a whole is closed.
  • A corresponding method step would preferably be inserted at intervals after step d) described above.
  • The interval time stamp signatures ITZ_n are preferably stored in the journal file itself, but can also be stored separately and assigned to the respective journal J_n via the journal ID JID_n.
  • In a variant of the interval time stamp signature method, especially if contextually related groups of documents are to be stored, an interval time stamp signature over the entire journal can be created after each document has been stored, instead of a time stamp signature per document D_i.
  • In this case only the non-time-stamped hash value of each document is appended to the respective journal, which is then provided in its entirety with an interval time stamp signature.
  • Such a journal file accordingly has the typical structure h[D_1'], ITZ_1, h[D_2'], ITZ_2, h[D_3'], ITZ_3, h[D_4'], ITZ_4, ..., where each interval time stamp signature ITZ_n represents a time stamp signature over all temporally preceding journal entries, so that one could also speak of a cumulative time stamp signature method.
  • The following describes how a particular document D_i can be verified for audit purposes.
  • The digital document D_i' is taken as representative of the document D_i (insofar as the latter is a paper-bound original).
  • First, the corresponding journal file J_A is determined via its hash value plus nonce, via its document ID, which in this case must be contained in the document container, or, as in the example of Figure 2a, via a journal entry ID JEID_i (see above).
  • Then the corresponding journal entry JE_Ai is extracted from the associated journal file J_A via the journal entry ID JEID_i or the document ID.
  • The journal entry JE_Ai contains both the hash value h[D_i'] and the internal time stamp T_s. Both values can be extracted from the journal entry JE_Ai using the public key k_s. The temporal authenticity of the time stamp T_s can be checked by comparing the read hash value h[D_i'] with the hash value computed for the file D_i' to be checked. In addition, the integrity and temporal authenticity of the journal J_A itself must be checked.
  • For this purpose the two items of information h[J_A] and T_A are determined by means of the public key k_TSA, and the extracted hash value h[J_A] is compared with the hash value of the journal file J_A to be checked. If the values match, the temporal authenticity of the time stamp T_s is confirmed and the document D_i' is verified as temporally authentic and unaltered.
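The archiving steps b) to f) and the verification walk-through above, as an added illustration that is not the patent's own code. HMAC stands in for the RSA signatures of server 5 and the TSA (so the "public key" is the same HMAC key), and the journal layout, nonce, JEID/JID formats and the termination criterion of three entries per journal are constructed assumptions.

```python
import hashlib, hmac, json, secrets, time

def h(data: bytes) -> str:            # h[.]: SHA-256 hex digest of a document or journal
    return hashlib.sha256(data).hexdigest()

def sign(key: bytes, payload: dict) -> str:
    # Stand-in for the private-key signature {payload}k^-1 (HMAC here, RSA in the patent)
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify(key: bytes, payload: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)   # "public key" = same HMAC key

class TSA:
    """External time stamp authority: sees only h[J_A] and JID_n, never the journal."""
    def __init__(self, key: bytes): self.key = key
    def timestamp(self, j_hash: str, jid: str) -> dict:
        payload = {"hJ": j_hash, "JID": jid, "TA": time.time()}   # certified T_A
        return {"payload": payload, "sig": sign(self.key, payload)}

class Server:
    """DMS server 5 with journaling unit 11; max_entries is the termination criterion."""
    def __init__(self, key: bytes, max_entries: int = 3):
        self.key, self.max_entries = key, max_entries
        self.journal, self.closed, self.index = [], [], {}   # open J_n, closed J_n, JEID -> n
    def archive(self, doc_id: str, data: bytes, tsa: TSA) -> str:
        dm = {"h": h(data), "N": secrets.token_hex(8), "Ts": time.time()}  # step b): DM_i
        je = {"JEID": f"JE{len(self.index) + 1}", "DocID": doc_id,
              "DM": dm, "sig": sign(self.key, dm)}          # c) {DM_i}k_s^-1, d) JE_i
        self.journal.append(je)
        self.index[je["JEID"]] = len(self.closed)           # journal number this entry lands in
        if len(self.journal) >= self.max_entries:           # f) termination criterion met
            self.close_journal(tsa)
        return je["JEID"]

    def close_journal(self, tsa: TSA):
        jid = f"JID{len(self.closed) + 1}"
        j_hash = h(json.dumps(self.journal, sort_keys=True).encode())
        stamp = tsa.timestamp(j_hash, jid)                  # {h[J_A], T_A}k_TSA^-1 returned
        self.closed.append({"JID": jid, "J": self.journal, "tsa": stamp})
        self.journal = []

def verify_document(server: Server, server_key: bytes, tsa_key: bytes,
                    jeid: str, data: bytes) -> bool:
    """Verification walk-through: locate J_A via JEID_i, check the entry, then the journal."""
    n = server.index.get(jeid)
    if n is None or n >= len(server.closed):                # unknown, or journal still open
        return False
    rec = server.closed[n]
    je = next((e for e in rec["J"] if e["JEID"] == jeid), None)
    if je is None or not verify(server_key, je["DM"], je["sig"]):
        return False                                        # entry signature invalid
    if je["DM"]["h"] != h(data):                            # stored h[D_i'] vs recomputed
        return False
    stamp = rec["tsa"]
    if not verify(tsa_key, stamp["payload"], stamp["sig"]):
        return False                                        # TSA signature invalid
    j_hash = h(json.dumps(rec["J"], sort_keys=True).encode())
    return stamp["payload"]["hJ"] == j_hash and stamp["payload"]["JID"] == rec["JID"]
```

A document in a journal that has not yet been closed cannot be verified, and any later change to a stored entry breaks the TSA-signed h[J_A] for every document in that journal.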
  • FIG. 5 describes, by way of example, a later verification process for a document component according to the exemplary embodiment of FIG. 2c. In this embodiment the invention achieves that the temporal authenticity and integrity of a document component C_n (or of component data CD_n) can be verified outside the original DMS.
  • For this purpose the desired document component C_n is exported together with the signature belonging to it, which is assigned to it via the journal ID JID_n and the journal segment ID SID_n, the public keys k_Pm and the certified time stamp 9 or 9' (or, in the alternative embodiments, the HSM signature).
  • The document components can then be verified by means of the time stamp 9 or 9' and the information AI_n, via the hash function used and via the public key k_Pm.
  • The journal segment ID SID_n determines the authoritative public key k_Pm, which permits verification of the document via its internal time stamp signature IT_n or its hash value, analogously to the explanations above regarding FIG. In contrast to what is described there, however, the integrity and temporal authenticity of the entire journal need not be checked; instead these are determined directly for the corresponding document or document component C_n.
  • The device which allows the method to be carried out comprises the usual components of a DMS, namely at least one client and a DMS server 5, which performs the DMS functions (digital storage of documents, retrieval of documents, business logic, archiving functions), and a repository 10 for storing the data and the journals or time stamp signatures and other data according to the invention.
  • The DMS server 5 has a time stamp function and preferably allows time stamp signatures to be created with a suitable cryptographic method (e.g. RSA).
  • Preferably the server has UTC synchronization.
  • The device also has a journaling unit 11, which generates a time stamp for every document archived or receives a time stamp signature from the DMS server 5 and stores them in groups in a time stamp journal.
  • This journaling unit can be formed by a separate device, such as a powerful computer, or integrated directly in the DMS server 5.
  • In a variant, on closing a journal file (J_A) according to the termination criteria, not only the hash value h[J_n] of the respective journal J_n is transmitted to the certified time stamp company, but alternatively or additionally the complete journal J_A.
  • The public keys used by the server 5 (and any further internal server) and by the external certified time stamp company TSA are stored in the document management system. Either these public keys are stored and managed separately with each journal file or, since they can be uniquely assigned via the journal IDs.
  • A further inventive step in connection with long-term archiving is that a time stamp signature per journal, or preferably per group of journals, is obtained from a second (or further) certified time stamp company TSA_2 that is independent of the certified time stamp company TSA.
  • This measure is significant if the (very unlikely) case should occur that the key pair of the first time stamp company is compromised, i.e. "cracked", so that the key pair k_s / k_s^-1 would no longer guarantee audit-proof information.
  • In that case the time stamp signature of the second certified time stamp company would serve to further verify the integrity of the journals or journal groups. This procedure makes clear that a particularly high level of security for an audit-proof document management system can be achieved with comparatively little effort and cost.
  • Obtaining a time stamp signature per document from two certified companies, as in conventional procedures, would be impractical both technically and for cost reasons.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a device and a method for document management, in particular for audit-proof archiving. The device comprises a server (5) for producing a time stamp and/or a time stamp signature for each document (D1', Cn) to be stored, and a journaling unit (11) for collecting the time stamps and/or time stamp signatures in a single journal file (Jn, 7). In the method, a digital fingerprint is assigned to a digital document (D1', Cn) and journaled in the journal file (Jn, 7) together with a time stamp signature ({DM1}ks-1) obtained from the server (5). After the journal file (JA) is closed according to predetermined termination criteria, its hash value (h[JA]), or the hash value of a public key (h[kPm]) with which the journal entries (JEn) are signed, and possibly further data, are transmitted to a certified time stamp company (TSA). A time stamp signature ({h[JA], TA}kTSA-1, 9, 9') obtained from the latter, computed from the hash value of the journal (h[JA]) or the hash value of the public key (h[kPm]) and a time stamp certified by the time stamp company (TA), is stored in a repository (10) together with the journal (JA, 7, 7') or separately from it.
PCT/CH2007/000587 2006-11-24 2007-11-23 Dispositif et procédé de gestion de documents WO2008061389A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CH1890/06 2006-11-24
CH18902006 2006-11-24

Publications (1)

Publication Number Publication Date
WO2008061389A1 true WO2008061389A1 (fr) 2008-05-29

Family

ID=39200032

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CH2007/000587 WO2008061389A1 (fr) 2006-11-24 2007-11-23 Dispositif et procédé de gestion de documents

Country Status (1)

Country Link
WO (1) WO2008061389A1 (fr)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1081890A2 (fr) * 1999-09-01 2001-03-07 Nippon Telegraph and Telephone Corporation Système d'horodatage du type classeur et système d'horodatage distribué
US20020038296A1 (en) * 2000-02-18 2002-03-28 Margolus Norman H. Data repository and method for promoting network storage of data
EP1243999A2 (fr) * 2001-03-22 2002-09-25 Hitachi, Ltd. Procédé et système de récupération et validation de données numériques signées cryptographiquement
US20030159048A1 (en) * 2002-02-20 2003-08-21 Tsutomu Matsumoto Time stamping system for electronic documents and program medium for the same
US20050138383A1 (en) * 2003-12-22 2005-06-23 Pss Systems, Inc. Method and system for validating timestamps
US20050223231A1 (en) * 2004-01-13 2005-10-06 International Business Machines Corporation Generating and verifying trusted digital time stamp
WO2006010347A1 (fr) * 2004-07-21 2006-02-02 Memory Data Gmbh Systeme de memoire non reinscriptible, rapide et a documents pouvant servir de preuve, sur la base d'un disque dur
EP1643402A2 (fr) * 2004-09-30 2006-04-05 Sap Ag Preuve de l'authenticité de longue durée des documents electroniques

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010003975A1 (fr) * 2008-07-08 2010-01-14 Artec Computer Gmbh Procédé et système informatique pour l’archivage à long terme de données signées
KR20110038687A (ko) * 2008-07-08 2011-04-14 아르텍 컴퓨터 게엠베하 인증된 서명 데이터를 장기 보존하기 위한 방법 및 컴퓨터 시스템
US8397074B2 (en) 2008-07-08 2013-03-12 Artec Computer Gmbh Method and computer system for long-term archiving of qualified signed data
KR101644890B1 (ko) 2008-07-08 2016-08-02 아르텍 컴퓨터 게엠베하 인증된 서명 데이터를 장기 보존하기 위한 방법 및 컴퓨터 시스템
WO2010143001A1 (fr) * 2009-06-12 2010-12-16 Provenance Information Assurance Ltd Système et procédé de vérification de documents électroniques
CN107665399A (zh) * 2017-09-06 2018-02-06 北京联合大学 一种基于数字签名技术的人事档案存贮和可信电子文件管理方法
CN109784005A (zh) * 2018-12-28 2019-05-21 国网雄安金融科技有限公司 电子协议管理平台及电子协议管理方法
CN114492355A (zh) * 2021-12-30 2022-05-13 博思数采科技发展有限公司 一种生成ofd格式的电子投标邀请函及回执函的方法和系统
CN114492355B (zh) * 2021-12-30 2023-03-24 博思数采科技发展有限公司 一种生成ofd格式的电子投标邀请函及回执函的方法和系统

Similar Documents

Publication Publication Date Title
DE60019216T2 (de) Vorrichtung zur Zeitstempelung vom Mappentyp und verteiltes Zeitstempelungssystem
EP1944716B1 (fr) Procédé et dispositif de sécurisation d'un document comportant une signature apposée et des données biométriques dans un système informatique
DE102008031890B4 (de) Verfahren und Computersystem zur Langzeitarchivierung von qualifiziert signierten Daten
EP0760987B1 (fr) Procede pour verifier l'integrite des donnees stockees sur une installation de traitement d'articles sous forme de feuilles tels que billets de banque ou titres
DE102007003597A1 (de) Verfahren und Anordnung zur Erzeugung eines signierten Text- und/oder Bilddokuments
WO2008061389A1 (fr) Dispositif et procédé de gestion de documents
EP3552141B1 (fr) Système de serveur de type ordinateur destiné à fournir des ensembles de données
EP2545464B1 (fr) Procédé de création et de gestion d'une archive longue durée de grand volume
EP3563261A1 (fr) Système de classification de données à base de séquence de bits
DE112011104941T5 (de) Langzeit-Signaturendgerät, Langzeit-Signaturserver, Langzeitsignaturendgeräteprogramm und Langzeit-Signaturserverprogramm
EP1625467B1 (fr) Transmission electronique de documents
EP3881568B1 (fr) Procédé pour l'enregistrement d'informations d'image au moyen d'un dispositif terminal mobile et la transmission des informations d'image à un dispositif serveur connecté pour transmission de données au dispositif terminal
DE102018128602A1 (de) Verfahren zur Aufnahme von Bildinformationen mit einem mobilen Endgerät und Übertragung der Bildinformationen an eine mit dem Endgerät datenleitend verbundene Servereinrichtung
EP3248356B1 (fr) Jeton de certificat permettant de mettre à disposition un certificat numérique d'un utilisateur
DE102021106261A1 (de) Verfahren zur Autorisierung eines ersten Teilnehmers in einem Kommunikationsnetz, Verarbeitungseinrichtung, Kraftfahrzeug und Infrastruktureinrichtung
DE102021127976A1 (de) Wiederherstellen eines kryptografischen Schlüssels
DE102020113302A1 (de) System und Verfahren zum Authentifizieren von audiovisuellen Einheiten
WO2007074150A2 (fr) Procede pour transmettre des documents
DE102020208331A1 (de) Verfahren zum Betreiben eines Hardware-Sicherheits-Moduls
EP1759486B1 (fr) Procede pour documenter au moins une verification d'un document analogique ou numerique et pour generer un tel document
EP3553726A1 (fr) Procédé de mémorisation à fiabilité de manipulation des données de transaction dans un système de caisses enregistreuses électroniques et système
DE102017212617A1 (de) Verfahren und Rechenanlage zur Verifikation von Daten
DE102014012346A1 (de) Vorrichtung und Verfahren zur Zusammenführung von Datenpaketen und/oder Datensätzen
EP0988616A1 (fr) Procede pour archiver et activer des documents
AT8195U1 (de) Gesicherte übertragung und archivierung von daten

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07816270

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07816270

Country of ref document: EP

Kind code of ref document: A1