Media (i.e. data) security in computer systems is traditionally implemented at multiple levels. One level of security involves the complete denial of access to data. Many schemes exist for the implementation of access-level security, including password protection, logical partitioning, and data encryption. Among the encryption schemes, numerous lock-and-key architectures have been developed. One such architecture is described in U.S. patent application Ser. No. 07/928,850 to Robert C. Hartman, Jr., filed Aug. 11, 1992, which is hereby incorporated by reference. Hartman's access-level security architecture is directed to limiting the usage of digital media to client users having proper licensing authority granted by a Media Clearinghouse (server). The original digital media, which can be program object code, program source code, image, audio, video, text, or any other form of information contained in a file or data object, is encrypted with a Media Master Key by a Media Clearinghouse on behalf of the content creator or owner. The Media Master Key is then further encrypted with a unique private key for each authorized client system. The encrypted media and the encrypted Media Master Keys may then be widely distributed over open, non-secure channels.
Another level of media security, applicable once access is granted, involves restricting access based on time. In a client/server network, time based restrictions themselves involve comparing a time interval for which the server has granted access with a current time, typically the time stored in the client computer system's time-of-day (TOD) clock. However, this comparison and the underlying time-based restriction can easily be rendered meaningless by an intruder, unethical administrator, or knowledgeable user who simply sets the system clock backward or forward to mislead the access mechanism into believing the access interval is still active. Moreover, even if the client TOD clock is not subjected to tampering, it will always be subject to inherent inaccuracies such as drift and instability which over time will cause its value to diverge from the actual current time. Clock drift is the predictable, stable inaccuracy of a clock that causes it to lose or gain time at a constant rate. Clock instability is the unpredictable inaccuracy that causes the clock drift component to change. Factors which cause instability may include environmental temperature, humidity, supply voltage, etc. Finally, worse still than any of the foregoing problems, catastrophic events such as power loss can cause the client TOD value to diverge rapidly from the actual current time.
In the prior art, the problem of providing a trusted, or secure, time source has traditionally been solved by periodically generating encrypted time stamps at the server computer system. In one approach, the time stamps are then sent to the client, where they are decrypted and used as a basis for restricting access. This approach suffers from the drawback of being limited to providing discrete time values that can be trusted; it does not address the problems of setting and maintaining a client TOD clock such that the clock itself can be trusted. In a second approach, an encrypted time stamp is applied to an electronic document by the server prior to distributing the document to the client. At the client, the time stamp is used as the basis for access to the document. However, like the previous approach, this system is limited to supplying a fixed number of trusted time stamps, rather than to providing a secure TOD clock outside a secure environment.
A third prior art approach to providing secure time focuses on the client rather than the server. The client TOD clock is initially set using an untrusted time. Then a trusted witness verifies the set time, rendering it a trusted time. To maintain accuracy between settings, multiple clocks are used, and their values are averaged to generate the trusted time. While this approach addresses the problems of discrete time stamps and drift/instability, it incurs its own set of serious disadvantages. First, since a witness is required to establish the trusted time, the system is impractical in any but the smallest and most local of networks. Second, since the verification process requires human intervention, it is subject to all the usual human-based failure modes: error, neglect, subterfuge, etc. Third, the use of multiple clocks to maintain accuracy is expensive and inconsistent--in a large percentage of cases, even the average value would diverge quickly from the actual time.
A final prior art scheme has been developed which provides both client and server components to address some of the drawbacks of the above-described systems. In this scheme, the server produces an encrypted authentication code using a secret key, a time value, and an authentication device ID. The server then sends the time, along with the authentication device ID, the encrypted authentication code, and a client-supplied random number, to the requesting client computer. Upon receiving the transmission, the client checks the encrypted authentication code and the random number to verify the security of the time value. To protect against failure caused by power loss, the client includes a mechanism which prevents boot-up until a valid encrypted authentication code and random number are received from the server.
While this scheme represents an improvement over its predecessors, it too incurs certain penalties and leaves remaining impediments. First, it renders the client system inoperative unless a trusted time is available, in which case the client system cannot be used even for tasks which do not require access to trusted time. Second, it does not address the issues of clock drift and instability in the client clock, and thus quickly becomes unreliable due to client TOD clock inaccuracy.
Thus, there has existed an unmet need for a secure timekeeping facility for use in a client/server computer network, which facility provides a server-generated trusted time value for use in setting a client TOD clock, in which a client system may function in the absence of a trusted time value, and which includes facilities to maintain the accuracy of a client clock once it is provided with a trusted time value.