In recent years, varieties of services have become available via networks. The services include works of music or video, browsing the confidential information held by corporations, and on-linebanking. The economical values of the information treated in the services have increased, as well. To deal with such varieties of services, information terminals such as personal computers, mobile telephones, and digital home electric appliances are installed with many pieces of client software (program data). Also, the program data is implemented with a function to protect the high-value information, as well as with a function to receive the services.
As the services have come to provide contents with higher values, improper acts causing damages have increased. For example, the restriction imposed by the software is bypassed by changing, in an unauthorized manner, the program data that is executed on the information terminal. As a result, it has become increasingly necessary to verify, regarding the personal computer to which a service is to be provided, whether or not the client software of the personal computer and the execution environment including the operating system have not been changed in an unauthorized manner.
As one example of technologies developed to meet the above-described needs, a technology of accurately conveying information on the program data executed on the personal computer has been proposed by the TCG (Trusted Computing Group).
FIG. 16 shows an example of a system in which, based on the technology proposed by the TCG, a personal computer 1600 holds data that has been encrypted for protection, and a service providing server 1610 authenticate the program data executed on the personal computer 1600 and provides an information service thereto. The personal computer 1600 is implemented with a tamper-resistant module that is called TPM (Trusted Platform Module) 1602.
When a BIOS 1605, an OS 1606, an application 1607, or a code of the program data is to be executed, a CPU 1601 of the personal computer 1600 calculates a hash of it, and transmits the calculated hash to the TPM 1602. Upon receiving the hash, the TPM 1602 concatenates the received hash with a hash prestored in a PCR (Platform Configuration Register) 1604, further performs a hash calculation onto concatenated data resulted from the concatenation, and stores the result into the PCR 1604. In this way, the PCR 1604 stores extend information of the program data executed by the CPU 1601. The value stored in the PCR 1604 thus indicates which piece of program data is being executed on the personal computer 1600.
When the personal computer 1600 is to hold a certain piece of data safely as confidential data, the TPM 1602 obtains encrypted data by encrypting the certain piece of data by binding it with the value stored in the PCR 1604 of the TPM 1602, and stores the obtained encrypted data on to a hard disk 1603. More specifically, the TPM 1602 encrypts the data in a format that includes a PCR value as a reference value which is to be used in the decryption, where the PCR value to be included is a PCR value when the CPU 1601 is actually executing authentic program data that is expected to be executed by the CPU 1601 of the personal computer 1600 in the case where the data is to be browsed or processed on the personal computer 1600. In the encryption, a public key in the public key cryptography is used, and the private key corresponding to the public key is managed by the TPM 1602.
Encrypting data by binding it with the value stored in the PCR 1604 of the TPM 1602, as described above, is called sealing. Conversely, decrypting the sealed encrypted data 1608 is called unsealing.
When decrypting the sealed data 1608, first, the TPM 1602 decrypts the encryption of the sealed data 1608 by using the private key corresponding to the public key that was used in the encryption. Next, the TPM 1602 compares the reference value included in the decrypted data with the value (PCR value) stored in the PCR 1604. When, by the comparison, it is confirmed that they match, the TPM 1602 authenticate that authentic program data is executed on the personal computer 1600, and then outputs the decrypted data from the TPM 1602 to the CPU 1601. When, by the comparison, it is confirmed that they do not match, the TPM 1602 does not authenticate that authentic program data is executed on the personal computer 1600, and does not output the decrypted data from the TPM 1602 to outside.
When the personal computer 1600 is to receive an information service provided from the service providing server 1610, the personal computer 1600 transmits data 1620 to the service providing server 1610, where the data 1620 is generated by the TPM 1602 by applying an electronic signature to the value (PCR value) stored in the PCR 1604. Here, the data 1620, which is generated by applying an electronic signature to the value (PCR value 1620a) stored in the PCR 1604, is generated by the TPM 1602, in accordance with a request from the CPU 1601, by applying a signature to data that was generated by concatenating the value (PCR value 1620a) stored in the PCR 1604 with challenge information 1620b (for example, a random number generated by the service providing server 1610) received from a client authentication unit 1611 of the service providing server 1610.
A reference value DB (database) 1612 of the service providing server 1610 stores a PCR value (PCR reference value) in the case when the CPU 1601 of the personal computer 1600 is actually executing authentic program data that is expected by the service providing server 1610 side. First, the client authentication unit 1611 of the service providing server 1610 verifies the electronic signature applied to the data 1620 received from the personal computer 1600. Next, the client authentication unit 1611 compares the PCR value 1620a included in the data 1620 with the PCR reference value stored in the reference value DB 1612, and further compares the challenge information 1620b included in the data 1620 with the challenge information 1620b that was transmitted to the personal computer 1600. When it is confirmed that they match in each of the comparisons, the client authentication unit 1611 authenticate that authentic program data is being executed on the personal computer 1600, and a service providing unit 1613 of the service providing server 1610 provides the information service to the personal computer 1600. On the other hand, when it is confirmed that they do not match in any of the comparisons, the service providing unit 1613 of the service providing server 1610 does not provide the information service to the personal computer 1600.
The above-described technology proposed by the TCG is, for example, disclosed in Patent Document 1 and Patent Document 2 which are identified as follows.    Patent Document 1: U.S. Patent Publication No. 2005/0021968    Patent Document 2: Tokuhyo (published Japanese translation of PCT international publication for patent application) No. 2002-536757