Services offered by way of a network have recently become expensive and diversified as provision of copyrighted works such as music and a video, exchange of confidential corporate information, and online banking. In order to address the thus-diversified services, many pieces of client software are installed in an information processing terminal such as a personal computer, a portable terminal, a cellular phone, and a digital home appliance. The pieces of software are provided with a function for protecting expensive information as well as a function of receiving a service.
As a value acquired by means of such a service increases, damages stemming from avoidance of limitations imposed by software by means of a method for making unauthorized modifications on software in an information processing terminal become more serious. There is an increasing necessity for verifying whether or not unauthorized modifications have been made to client software in an information processing terminal which is about to be provided with a service and an execution environment including an operating system in which the client software runs.
In order to address the necessity, a technique for accurately reporting information about software that is executed in an information processing terminal has been proposed by the TCG (Trusted Computing Group), or the like. The technique proposed by the TCG is disclosed in; for instance, Patent Document 1.
FIG. 14 illustrates a system in which a verification server 1410 verifies software executed in an information processing terminal 1400 according to a technique proposed by the TCG, or the like. The information processing terminal 1400 is equipped with a tamper-resistant module called the TPM (Trusted Platform Module) 1401. The module protects a private key and a hash value, which are important information in view of security, and safely performs processing that is important in terms of security.
The information processing terminal 1400 computes a hash of a code of software, such as a BIOS, a Loader, or a Kernel, executed since start of a CPU 1402, and causes the TPM 1401 to store a computed hash. The TPM 1401 can submit a digitally-signed hash to a verification server 1410 that is located outside for verifying the status of the information processing terminal. Hence, the verification server 1410 compares the hash with a correct hash, thereby proving that the information processing terminal is in a state where a correct code has been executed.
A target that adopts a hash that has been made more prevalent, and includes data (hereinafter called an entry) representing information about an event, such as launching of software or loading of a driver. In the case of this form, a program name and a hash of a code of the program can be put into entries, and contents of information that concatenate respective entries with each other (hereinafter called an “event log” or simply as a “log”) become an object to be guaranteed.
Specifically, when executing code of software such as a BIOS, a Loader, a Kernel, App A, App B, the CPU 1402 of the information processing terminal 1400 computes respective hashes (hash computation 1421) and transmits the thus-computed hashes 1422 to the TPM 1401 and adds and stores an entry 1424 into the event log 1403. When provided with the transmitted hash 1422, the TPM 1401 concatenates an already-stored value with the thus-received value, executes hash computation to thus generate one hash, and stores the thus-generated hash into a PCR (Platform Configuration Register) 1404 (cumulative arithmetic processing 1423).
Even when data that become objects for tampering detection are increased later, the data, including a sequence thereof, can be guaranteed by means of one hash. Because a status is accumulated, the hash will be hereunder called a cumulative hash. Processing for computing a hash and accumulating the thus-computed hash will also be called measurement.
When the verification server 1410 verifies software running on the information processing terminal 1400, a challenge 1425 is first transmitted from the verification server 1410 to the information processing terminal 1400. The TPM 1401 concatenates the received challenge 1425 with a cumulative hash stored in a PCR 1404, subjects a resultant hash to digital signing (digital signature processing 1426), further concatenates a certificate with the event log 1403, and transmits a result as verification information 1427 to the verification server 1410.
The verification server 1410 first verifies a signature of the certificate, verifies the digital signature, checks an entry of the received event log 1403 against the entry registered in a verification data DB 1411, computes a cumulative hash again, checks a computation result against the cumulative hash included in the received verification information 1427, and checks the challenge 1425 against a challenge included in the received verification information 1427, thereby verifying the software running on the information processing terminal 1400.
As mentioned above, more detailed verification can be carried out by means of notification of an event log as well as a signed cumulative hash. The reason for this is that the cumulative hash enables verification of the event log, as well.
In reality, software is made by a combination of several hierarchical levels. There is a case where pieces of software are identical with each other in terms of lower levels but different from each other in terms of upper levels, and hence a variety of combinations are present. Therefore, if one cumulative hash is applied to all statuses, difficulty will be encountered in verification. For this reason, the TPM can retain a plurality of cumulative hashes, and sixteen registers from PCR0 to PCR15 are available. When transmitting a hash to the TPM, the CPU 1402 designates a cumulative hash to be updated by number (hereinafter called a “cumulative hash number”).    Patent Document 1: JP-T-2002-536757