Some ideas for a trusted digital camera for surveillance and news-gathering
applications (September 2003).
Andrew Daviel
Introduction
"The camera never lies" they say, but with the widespread adoption
of digital cameras and high-quality low-cost colour printing, together with
the ready availability of image manipulation software, this is no longer true.
The following are some ideas for a "trusted camera" using public-key cryptography
to provide assurance that the image has not been modified, and optionally
has been taken at a particular time.
Concepts
In computer forensic work, a combination of checksumming and digital
signatures is used to document chain-of-custody of digital media. For instance,
a computer hard drive may be seized by law enforcement and examined for
evidence of child pornography. Using validated tools, an exact copy is made of
the disk. An MD5 checksum of this image file is then calculated and
digitally signed using a private key. If the image is later retrieved
from archive, a second checksum is calculated; if it matches the first,
and the signature verifies with the investigator's public key, it can be
asserted that neither the evidence nor the checksum has been tampered with.
If the photographer is trustworthy, a similar method can be used for
photographs. The images are downloaded from the camera, a checksum is
calculated and signed. If the photographer is able to swear that
they have maintained custody of the camera from the time the photograph
was taken until the checksum was generated, then the image is authentic.
This method breaks down if the camera is unattended, or if key security is
not maintained.
Camera Designs
The first design is an offline, standalone device.
No timestamps are available, but the camera offers some assurance that
the image is authentic. This might be suitable for a photojournalist.
The second design adds a bidirectional
connection with a trusted time service. This can assert that an image
was taken during a fairly short time interval.
Construction
Each individual camera is given a unique public/private key pair during
construction. The private key is embedded in the camera hardware, while a copy
of the public key is kept by the manufacturer. The public key is also published
e.g. on a public website. To deter easy cloning of the private key, it
should be stored in copy-protected media, and should not be exposed
to electronic monitoring. It may, for instance, be integrated into
a single chip with the checksum and encoding circuitry, and possibly the
entire camera system. A sophisticated attacker may still be able to
extract the key by stripping the chip package and using microelectronic
techniques to read the program or probe the chip operation.
To deter input signal replay, the camera imaging device should be
tightly integrated with the processing electronics, so that it
is difficult to inject an external video signal. A tamper-resistant
enclosure should be used; it may be feasible for the camera itself to
monitor the enclosure characteristics, while continuous operation of
a surveillance camera may be adequate to detect tampering.
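The two designs as a worked example, added here and not code from the author or any actual camera. It assumes Ed25519 device keys, SHA-256 over the raw image bytes, a registry of public keys indexed by serial number as described under Construction, and a time service that signs the image hash together with its clock value; the message format the service signs (hash followed by the decimal time) is my assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"strconv"
)

// Registry stands in for the manufacturer's published public keys, indexed by serial number.
var Registry = map[string]ed25519.PublicKey{}
// Proof travels with the image: which camera signed it and, in design 2, when the time service saw the hash.
type Proof struct {
	Serial  string
	CamSig  []byte // camera signature over SHA-256(image)
	Time    uint64 // time service clock when it countersigned the hash (design 2 only)
	TimeSig []byte // time service signature over SHA-256(image) || decimal Time
}

// NewCamera mints the key pair at construction: the private half stays in the camera,
// the public half is published under the serial number.
func NewCamera(serial string) ed25519.PrivateKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	Registry[serial] = pub
	return priv
}

// Sign is design 1: the camera signs the SHA-256 of the raw image bytes.
func Sign(serial string, camKey ed25519.PrivateKey, image []byte) Proof {
	h := sha256.Sum256(image)
	return Proof{Serial: serial, CamSig: ed25519.Sign(camKey, h[:])}
}

// stampMsg is what the time service signs: the 32-byte hash followed by the time in decimal (assumed format).
func stampMsg(h [32]byte, t uint64) []byte { return strconv.AppendUint(h[:], t, 10) }
// Stamp is design 2 (assumed protocol): the camera sends only the hash to the time
// service, which returns its clock value and a signature binding hash and time.
func Stamp(p Proof, image []byte, tsKey ed25519.PrivateKey, now uint64) Proof {
	p.Time, p.TimeSig = now, ed25519.Sign(tsKey, stampMsg(sha256.Sum256(image), now))
	return p
}

// Verify checks the camera signature against the registry key for p.Serial and, when a
// stamp is present, the service signature. Any change to the image bytes breaks both.
func Verify(p Proof, image []byte, tsPub ed25519.PublicKey) bool {
	pub, ok := Registry[p.Serial]
	h := sha256.Sum256(image)
	if !ok || !ed25519.Verify(pub, h[:], p.CamSig) {
		return false
	}
	return p.TimeSig == nil || ed25519.Verify(tsPub, stampMsg(h, p.Time), p.TimeSig)
}
```

Because Verify hashes the bytes it is handed, even a one-byte crop fails the camera signature and the timestamp together, which is the point made under Limitations.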
Possible Uses
If the camera operator is trusted, then they may use the signing feature of the camera
to assert that they did in fact take the images in question and that they are authentic.
The operator could more credibly attest that they did not create a fraudulent image than they
could attest that a photographic print
matches in every detail a scene that they remember photographing with a conventional camera.
This scenario may fit a scene-of-crime officer,
journalist or UFO hunter.
If the camera is unattended or the operator is not trusted, it may still be
useful to know that the image was signed by a certain camera, which may be traced
or examined for tampering. Such uses include surveillance, traffic cameras,
photo-radar etc.
Privacy
The public key for a camera is indexed by the camera serial number for later retrieval.
In some applications, it may be desirable to publish the serial number. For instance, a
freelance photographer may do so in order that editors may verify their work. This would allow
any of their work to be identified, including bad shots and candid photographs, if the signatures
were retained.
By default, it would not normally be possible to identify a camera owner from the
serial number or from the key signature. However, the owner may be inferred, since
images from the same camera would all have the same key signature.
If several signed images are published, the identity of the creator of one may be deduced from
data associated with another. Since the grower of "the world's largest cucumber" may not wish
to be identified as a participant in a nude swimming party, it is desirable that the
signing mechanism can be switched off if required, or that interface software have an option to
strip signatures.
Limitations
The designs are not foolproof. An attacker with unsupervised access to the
camera can subvert it in two ways - they can tamper with the image before
it is digitized, and they can clone the signing mechanism. In the third
design, the time that the image was encoded can be verified, which
puts a limit on the latest time a modified image could have been introduced.
In some applications, this may be useful. If an event is known
to have happened at a certain time, and an image is timestamped shortly
thereafter, there is limited opportunity for post-processing.
Any image manipulation at all, even cropping and scaling, will invalidate the
signature, so it may be useful for the camera to save signed images at
multiple resolutions.