Trusted Digital Camera

Some ideas for a trusted digital camera for surveillance and news-gathering applications (September 2003).

Andrew Daviel

Introduction

"The camera never lies" they say, but with the widespread adoption of digital cameras and high-quality low-cost colour printing, together with the ready availability of image manipulation software, this is no longer true.

The following are some ideas for a "trusted camera" using public-key cryptography to provide assurance that the image has not been modified, and optionally has been taken at a particular time.

Concepts

In computer forensic work, a combination of hashing (often called checksumming) and digital signatures is used to document the chain of custody of digital media. For instance, a computer hard drive may be seized by law enforcement and examined for evidence of child pornography. Using validated tools, an exact copy is made of the disk. An MD5 checksum is then calculated over this image file, and the checksum is digitally signed using the investigator's private key. If the image is later retrieved from archive, a second checksum is calculated and matches the first, and the signature verifies with the investigator's public key, it can be asserted that neither the evidence nor the checksum has been tampered with. (MD5 is no longer collision-resistant; a current workflow would use SHA-256 or stronger, but the procedure is the same.)

If the photographer is trustworthy, a similar method can be used for photographs: the images are downloaded from the camera, and a checksum is calculated and signed. If the photographer can swear that they maintained custody of the camera from the time the photograph was taken until the checksum was generated, the image can be taken as authentic.

This method breaks down if the camera is unattended, or if key security is not maintained.
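As an added worked example (not part of the original article), the chain-of-custody procedure above in Go: the evidence is hashed, the hash is signed with the investigator's private key, and a later check recomputes the hash and verifies the signature. Ed25519 and SHA-256 are substituted for the unspecified signature scheme and for MD5; the CustodyRecord layout, the function names and the sample image bytes are constructed for illustration. The same Seal/Check pair serves the trusted-photographer case, with the photographer's key in place of the investigator's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// CustodyRecord is the sealed checksum filed alongside the archived evidence:
// the hash of the image bytes plus the investigator's signature over that hash.
// (Hypothetical record layout, not from the original article.)
type CustodyRecord struct {
	HashHex   string
	Signature []byte
}

var (
	ErrHashMismatch = errors.New("image hash does not match the custody record")
	ErrBadSignature = errors.New("record signature does not verify under this public key")
)

// Seal hashes the evidence image and signs the hash with the investigator's
// private key. SHA-256 stands in for the MD5 of the original text, which is
// no longer collision-resistant; the procedure is otherwise identical.
func Seal(priv ed25519.PrivateKey, image []byte) CustodyRecord {
	sum := sha256.Sum256(image)
	return CustodyRecord{
		HashHex:   hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, sum[:]),
	}
}

// Check recomputes the hash of the retrieved image, compares it with the
// record, and then verifies the record's signature with the investigator's
// public key. Both checks are needed: the first catches a modified image, the
// second catches a record whose hash was rewritten to match a modified image.
func Check(pub ed25519.PublicKey, rec CustodyRecord, image []byte) error {
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != rec.HashHex {
		return ErrHashMismatch
	}
	signed, err := hex.DecodeString(rec.HashHex)
	if err != nil || !ed25519.Verify(pub, signed, rec.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a disk image; in practice this is a large file.
	image := []byte("constructed disk image: sector 0, sector 1, sector 2 ...")
	rec := Seal(priv, image)
	fmt.Println("untouched image:", Check(pub, rec, image))

	// Evidence modified after sealing: the recomputed hash differs.
	tampered := append([]byte(nil), image...)
	tampered[10] ^= 0x01
	fmt.Println("modified image: ", Check(pub, rec, tampered))

	// Record rewritten to match the modified image: the hash now agrees, but
	// the attacker cannot re-sign it without the investigator's private key.
	forged := rec
	sum := sha256.Sum256(tampered)
	forged.HashHex = hex.EncodeToString(sum[:])
	fmt.Println("forged record:  ", Check(pub, forged, tampered))
}
```

The two error values are distinct on purpose: a hash mismatch says the archived bytes changed, while a signature failure says the record itself was replaced or signed by someone other than the key holder, which is exactly the key-security failure the next paragraph warns about.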

Camera Designs

The first design is an offline, standalone device. No timestamps are available, but the camera's signature offers some assurance that the image is authentic, i.e. that it has not been modified since it left the camera. This might be suitable for a photojournalist.

The second design adds a bidirectional connection with a trusted time service. A value obtained from the service before capture bounds the earliest time the image could have been signed, and the service's countersignature on the camera's output bounds the latest, so the camera can assert that an image was taken during a fairly short time interval.

Construction

Each individual camera is given a unique public/private key pair during construction. The private key is embedded in the camera hardware, while a copy of the public key is kept by the manufacturer and also published, e.g. on a public website. To deter easy cloning of the private key, it should be stored in copy-protected media, should never leave the device (signatures are computed inside the camera), and should not be exposed to electronic monitoring. It may, for instance, be integrated into a single chip with the checksum and encoding circuitry, and possibly the entire camera system. A sophisticated attacker may still be able to extract the key by stripping the chip package and using microelectronic techniques to read the stored program or probe the chip in operation.

To deter replay of the input signal, the camera imaging device should be tightly integrated with the processing electronics, so that it is difficult to inject an external video signal in place of the sensor output. A tamper-resistant enclosure should be used; it may be feasible for the camera itself to monitor the enclosure characteristics, and for a surveillance camera that operates continuously, a gap in the record may itself be adequate to reveal tampering.
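As an added example, not from the original article, the second design's exchange with the time service together with the per-camera key registry described under Construction, in Go. It assumes the natural three-message form of the bidirectional link: (1) the service sends a signed challenge carrying the current time and fresh random bytes, (2) the camera signs the image hash together with that challenge, (3) the service countersigns the camera's signature with the time it received it. A verifier then knows the hash was produced between the two service times. Ed25519 signatures, the Token and SignedImage layouts, the serial number and the pixel bytes are all assumptions; a real camera would also have to keep its private key inside the sensor chip as the text describes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strconv"
	"time"
)

var now = time.Now // the service's clock; main swaps in a fixed one so the run is reproducible

func newKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// Registry: the manufacturer's public keys by serial; Camera: the device with its embedded private key.
type Registry map[string]ed25519.PublicKey
type Camera struct{ Serial string; priv ed25519.PrivateKey }

func (r Registry) Provision(serial string) Camera {
	priv := newKey()
	r[serial] = priv.Public().(ed25519.PublicKey)
	return Camera{serial, priv}
}

// Token is a signed statement by the time service: "at Time (Unix ns) I saw Data". In message 1
// Data is 16 fresh random bytes (lower bound); in message 3 it is the camera's signature (upper bound).
type Token struct{ Time int64; Data, Sig []byte }
func (t Token) payload() []byte { return append([]byte(strconv.FormatInt(t.Time, 10)+":"), t.Data...) }

// TimeService is just the service's signing key.
type TimeService ed25519.PrivateKey
func (s TimeService) Pub() ed25519.PublicKey { return ed25519.PrivateKey(s).Public().(ed25519.PublicKey) }
func (s TimeService) token(data []byte) Token {
	t := Token{Time: now().UnixNano(), Data: data}
	t.Sig = ed25519.Sign(ed25519.PrivateKey(s), t.payload())
	return t
}

// Challenge is message 1 (service -> camera); Stamp is message 3 (service -> camera).
func (s TimeService) Challenge() Token {
	r := make([]byte, 16)
	rand.Read(r) // does not return an error in current Go; the process aborts instead
	return s.token(r)
}
func (s TimeService) Stamp(si SignedImage) Token { return s.token(si.Sig) }

// SignedImage is message 2 (camera -> service): the image hash, the challenge the
// camera was shown, and the camera's signature over serial, hash and challenge.
type SignedImage struct{ Serial string; Hash [32]byte; Challenge Token; Sig []byte }

func (si SignedImage) payload() []byte {
	return append(append([]byte(si.Serial+"\x00"), si.Hash[:]...), si.Challenge.payload()...)
}

func (c Camera) Capture(image []byte, ch Token) SignedImage {
	si := SignedImage{Serial: c.Serial, Hash: sha256.Sum256(image), Challenge: ch}
	si.Sig = ed25519.Sign(c.priv, si.payload())
	return si
}

// Verify checks the registry entry and all three signatures, then returns the
// interval [from, to] in which the camera must have produced the hash.
func Verify(reg Registry, svcPub ed25519.PublicKey, image []byte, si SignedImage, st Token) (from, to time.Time, err error) {
	pub, known := reg[si.Serial]
	valid := known &&
		sha256.Sum256(image) == si.Hash && // pixels match what was signed
		ed25519.Verify(svcPub, si.Challenge.payload(), si.Challenge.Sig) && // message 1 is genuine
		ed25519.Verify(pub, si.payload(), si.Sig) && // this camera signed hash and challenge
		bytes.Equal(st.Data, si.Sig) && ed25519.Verify(svcPub, st.payload(), st.Sig) && // message 3 covers this signature
		st.Time >= si.Challenge.Time
	if !valid {
		return from, to, errors.New("signed image does not verify")
	}
	return time.Unix(0, si.Challenge.Time).UTC(), time.Unix(0, st.Time).UTC(), nil
}

func main() {
	clock := time.Date(2003, 9, 1, 12, 0, 0, 0, time.UTC)
	now = func() time.Time { clock = clock.Add(2 * time.Second); return clock }
	reg := Registry{}
	cam := reg.Provision("TC-2003-000042") // constructed serial number
	svc := TimeService(newKey())
	image := []byte("constructed pixel data")
	ch := svc.Challenge()        // 1: service -> camera
	si := cam.Capture(image, ch) // 2: camera -> service
	st := svc.Stamp(si)          // 3: service -> camera
	from, to, err := Verify(reg, svc.Pub(), image, si, st)
	fmt.Println("taken between", from, "and", to, "err:", err)
}
```

Two of the checks in Verify are easy to forget: the stamp's Data must equal the camera signature it is presented with, or an old stamp could be re-attached to a later image; and the challenge must carry the service's own signature, or an attacker could mint a challenge with any lower bound they like.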

Possible Uses

If the camera operator is trusted, then they may use the signing feature of the camera to assert that they did in fact take the images in question and that they are authentic. The operator could more credibly attest that they did not create a fraudulent image than they could attest that a photographic print matches in every detail a scene that they remember photographing with a conventional camera. This scenario may fit a scene-of-crime officer, journalist or UFO hunter.

If the camera is unattended or the operator is not trusted, it may still be useful to know that the image was signed by a certain camera, which may be traced or examined for tampering. Such uses include surveillance, traffic cameras, photo-radar etc.

Privacy

The public key for a camera is indexed by the camera serial number for later retrieval. In some applications, it may be desirable to publish the serial number. For instance, a freelance photographer may do so in order that editors may verify their work. This would allow any of their work to be identified, including bad shots and candid photographs, if the signatures were retained.

By default, it would not normally be possible to identify a camera owner from the serial number or from a signature. However, ownership may be inferred, since all images from the same camera verify under the same public key and can therefore be linked to each other. If several signed images are published, the identity of the creator of one may be deduced from data associated with another. Since the grower of "the world's largest cucumber" may not wish to be identified as a participant in a nude swimming party, it is desirable that the signing mechanism can be switched off if required, or that the interface software have an option to strip signatures. Stripping the signature of course also discards the authenticity assurance for that image.
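As an added illustration of the inference described above (not code from the article): given the manufacturer's published registry, anyone can try each public key against a published signature and group images by camera, even when no serial number was ever published alongside them. Only the image whose signature was stripped stays unlinked. The keys, serial numbers, titles and pixel bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Published is a signed image as it might appear on a website: no serial
// number, just the pixels and the camera's signature over their SHA-256 hash.
type Published struct {
	Title string
	Image []byte
	Sig   []byte // nil if the owner stripped the signature before publishing
}

// Link tries every key in the published registry against each image and
// groups the titles by the serial whose key verifies the signature. Items
// with no valid signature are left out of every group.
func Link(registry map[string]ed25519.PublicKey, items []Published) map[string][]string {
	groups := map[string][]string{}
	for _, it := range items {
		h := sha256.Sum256(it.Image)
		for serial, pub := range registry {
			if ed25519.Verify(pub, h[:], it.Sig) { // returns false for a missing signature
				groups[serial] = append(groups[serial], it.Title)
				break
			}
		}
	}
	return groups
}

func main() {
	registry := map[string]ed25519.PublicKey{}
	cameras := map[string]ed25519.PrivateKey{}
	for _, serial := range []string{"TC-000001", "TC-000002"} { // constructed serials
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		registry[serial], cameras[serial] = pub, priv
	}
	sign := func(serial, title, pixels string) Published {
		h := sha256.Sum256([]byte(pixels))
		return Published{title, []byte(pixels), ed25519.Sign(cameras[serial], h[:])}
	}
	// Constructed sample: two images from one camera, one from another, one stripped.
	items := []Published{
		sign("TC-000001", "world's largest cucumber", "pixels A"),
		sign("TC-000002", "town hall", "pixels B"),
		sign("TC-000001", "nude swimming party", "pixels C"),
		{Title: "stripped", Image: []byte("pixels D")},
	}
	fmt.Println(Link(registry, items))
}
```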

Limitations

The designs are not foolproof. An attacker with unsupervised access to the camera can subvert it in two ways: they can tamper with the image before it is digitized (e.g. by injecting a prepared signal ahead of the imaging device, as discussed under Construction), and they can extract the private key and clone the signing mechanism. In the second design, the time at which the image was signed can be verified, which puts a limit on the latest time a modified image could have been introduced. In some applications this may be useful: if an event is known to have happened at a certain time, and an image is timestamped shortly thereafter, there is limited opportunity for post-processing.

Any image manipulation at all, even cropping, scaling or re-encoding, will invalidate the signature, so it may be useful for the camera to save signed images at multiple resolutions.

Details

References

Bruce Schneier and John Kelsey, Counterpane Systems
How to Time-Stamp a Digital Document, S. Haber and W.S. Stornetta, Journal of Cryptology, v. 3, n.2, 1991, pp. 99-112.
Commercial timestamping service at Evertrust.net