In recent years, digital cameras have become more and more popular. Since an image captured by a digital camera can be stored and held as digital image data, the merits of this type of camera are notable, such as keeping an image from aging, allowing easy storage and retrieval, allowing data transmission to a remote place via a communication line, and so forth. In addition, it reduces development and print labor, unlike conventional silver halide photos. For these reasons, digital cameras are used in many business fields.
For example, in the non-life insurance industry, damage to an accident vehicle can be captured by a digital camera and then an accident assessment can be made based on the captured image, and in the construction industry, the image of a construction site can be captured to confirm the progress of the construction. The Ministry of Land, Infrastructure and Transport already permits the use of images captured by digital cameras to record civil engineering sites.
However, digital images also have disadvantages. Using a commercially available application program, such as a photo retouch tool or the like, digital images can be easily processed and modified on a personal computer. Since processing and modifications are easy, the credibility of an image captured by a digital camera is recognized to be lower than that of a silver halide photo in an accident situation or in a report that cites a digital image as proof.
It is not impossible to alter an image of a silver halide photo. However, since its cost is relatively high and the alteration result is often unnatural, alterations are rarely performed in practice. This is why silver halide photos are often adopted as proof of what they show. Therefore, in order to overcome this problem of authentication in the non-life insurance industry and the construction industry, a validation method is required for digital image data.
A falsification detection system for image data based on a digital signature exploiting encryption technology has been proposed (U.S. Pat. No. 5,499,294).
This system comprises an image generation apparatus (camera) for generating image data, and an image verification apparatus for verifying the validity (non-alteration) of the image data. The camera executes a predetermined arithmetic operation on the basis of secret information unique to a camera and the captured digital image data, and generates digital signature data as identification information of the image data (to detect falsification). The camera outputs the digital signature data and the image data. The image verification apparatus verifies the authenticity by comparing the data resulting from the application of a predetermined arithmetic operation to the image data, and the data obtained by applying the inverse arithmetic operation on the generated digital signature data. In the above patent, a hash function (compression function) and public-key cryptography are used to generate the digital signature data.
A MAC (Message Authentication Code) is often used in place of digital signature data. A MAC is generated by using symmetric-key cryptography, a hash function, or the like, and is characterized in that its processing speed is higher than that of public-key cryptography. Since identical symmetric keys are used in the generation and the verification of the MAC, the symmetric keys must be strictly controlled by both the camera and the image verification apparatus.
Image data captured by a camera is normally stored in a compact memory card (non-volatile memory) connected to the camera. Memory cards usually comprise flash EEPROMs. Recent miniaturization techniques have shrunk the size of memory cards to no more than 4 cm² and to a height of about 2 to 3 mm. Their storage capacity has also been multiplied by several hundred Mbytes. Furthermore, a memory card or IC card, which has an arithmetic unit including a CPU, a RAM, and a ROM in addition to the flash EEPROM and implements a security function, is now available on the market. Using its arithmetic function, the memory card or IC card, as an external device to the camera, can generate the required for falsification detection of image data and the like.
A system that detects falsification of image data using a MAC within the image generation apparatus such as a camera or the like will be examined below. In the following examination, assume that an IC card verifies the presence/absence of falsification of the image data. The MAC has a scheme for generating and verifying verification data using symmetric-key cryptography, as described above, and cannot assure security if the symmetric key is discovered by outside parties. Therefore, identical symmetric keys must be stored in secret in the camera on the generation side, and in the IC card on the verification side. How to share/set the symmetric keys on the generation and verification sides of the authentication mechanism will be examined. In this case, the following two arrangements are possible.
1. The user generates a symmetric key, and sets it in the camera and the IC card.
2. A vendor generates a symmetric key, and sets it in the camera and the IC card.
In these cases, the following problems occur.
1. Since the user who sets the symmetric key knows the symmetric key, only he/she can falsify image data. Therefore, no proof of non-falsification of camera images described in the prior art can be attained. Since the contents of IC cards are different for respective users, one IC card cannot verify another camera. This is very inconvenient in practical use.
2. If the vendor keeps the set key secret, the symmetric key should never be discovered by outside parties, and a user should never be aware of it, resulting in higher security. However, the production process is complicated when different symmetric keys are set for respective pairs of cameras and IC cards. For this reason, identical symmetric keys may be set in all pairs of cameras and verification apparatuses. In this case, if the symmetric key of one camera is uncovered, all cameras are subject to their images being falsified without detection. Also, old verification data can be falsified, and its validity becomes threatened.
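The key-sharing trade-off described above, as an added example that is not part of the original text: HMAC-SHA256 stands in for the MAC, and the keys, image bytes and function names are constructed for illustration. It compares one identical key in every camera and IC card with a different key per camera/IC-card pair.

```python
import hashlib
import hmac
import secrets


def make_mac(key: bytes, image: bytes) -> bytes:
    """Camera side: verification data for the image under the shared key."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify(key: bytes, image: bytes, mac: bytes) -> bool:
    """IC card side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(make_mac(key, image), mac)


def forgery_accepted(leaked_key: bytes, verifier_key: bytes, altered: bytes) -> bool:
    """Whoever holds a generation key can re-tag an altered image; the result
    passes only on a verifier that holds that same key."""
    return verify(verifier_key, altered, make_mac(leaked_key, altered))


def run_demo() -> dict:
    original = b"constructed sample image bytes: vehicle, left door dented"
    altered = original.replace(b"left door", b"whole side")

    # Vendor arrangement with one identical key in every camera and IC card.
    fleet_key = secrets.token_bytes(32)
    # Alternative: a different key per camera/IC-card pair (cameras A and B).
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)

    mac = make_mac(fleet_key, original)
    return {
        "genuine_image_verifies": verify(fleet_key, original, mac),
        "altered_image_detected": not verify(fleet_key, altered, mac),
        # Key recovered from one camera: verifiers for all cameras accept it.
        "fleet_key_leak_forges_everywhere": forgery_accepted(fleet_key, fleet_key, altered),
        # Per-pair keys: camera A's key does not pass on camera B's card...
        "pair_key_leak_forges_on_b": forgery_accepted(key_a, key_b, altered),
        # ...but card A also cannot check an image taken by camera B.
        "card_a_verifies_camera_b": verify(key_a, original, make_mac(key_b, original)),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```
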