1. Field of the Invention
The present invention relates to an information processing system having an authentication reference apparatus which is captured together with an object and serves as a reference for authentication in order to assure the authenticity of an image obtained by capturing an object by an image capturing unit, and an information processing apparatus which authenticates the authentication reference apparatus.
2. Description of the Related Art
The electronic document law (to be referred to as the e-document law hereinafter) has been enforced which approves electronization of documents, forms, and the like that companies are obliged to preserve. The e-document law imposes roughly two requirements: (1) readability and (2) authenticity, in order to provide electronic documents with the same functions as those of paper documents.
As for readability, the operation of an application for reading an electronic document by the human eye via a device such as a PC needs to be assured for a period individually determined by law, together with concrete numerical targets of the resolution and the like. For example, according to the Japanese commercial law, this period is 10 years during which the company is obliged to preserve the minutes of a shareholders' meeting.
A concrete method of ensuring readability with respect to an original paper document assumes browsing via an output device such as a display. The ITC technique is introduced to add new functions of enlarging and confirming data for details, and searching for target data.
Authenticity guarantees the genuineness of an electronic document. A technique called a genuineness assurance system or digital data authenticity assurance system had conventionally been studied and developed before the e-document law was enacted. For example, a photograph recorded as analog data on a film by a silver halide camera is accepted as evidence in court proceedings and the like.
To the contrary, a digital camera which digitally processes captured data into digital data outputs image data as digital data, which can be readily modified and tampered with. For this reason, a mechanism is necessary to verify the genuineness of digital data, that is, whether image data generated by a digital camera has been modified.
For example, according to a conventional method disclosed in Japanese Patent Laid-Open No. 11-308564, a digest of image data captured by an image capturing unit is generated by a message digest generation unit using a hash function. The digest is encrypted using a private key incorporated in a digital camera, thereby creating MAC (Message Authentication Code). Details of the encryption process to generate a digest and MAC will be described later.
There are a variety of image data formats. When encoding a captured image, metadata other than the image data is generally stored at the header. For example, according to Exif (Exchangeable Image File Format) as a kind of image file format, various metadata such as the image capturing date & time, a device used to capture an image, and focus information are added to the header. The Exif is described in, for example, JEIDA standard JEIDA-49, Digital Still Camera Image File Format Standard (Exchangeable image file format for Digital Still Camera: Exif) Version 2.1.
For example, Japanese Patent Laid-Open No. 11-308564 proposes an image authenticity assurance system using an image file format having header information, like Exif. This system uses a MAC as data for assuring the authenticity of captured data at a later date. This system generates an authentication code which can be generated by only a device having key information because image data is encrypted using key information held by only an image capturing device. At this time, to perform matching of a MAC to captured data, the MAC is stored at the header of the image file format.
This system has been proposed to assure the authenticity of image data captured by a digital camera. Such image authenticity assurance systems are being widely applied to even personal uses, in addition to assuring the authenticity of documents in corporate environments, such as legal and public documents including the minutes of a general meeting the company is obliged to preserve.
For example, articles put up at an Internet auction are presented by images captured by an image capturing device such as a digital camera, in addition to text-based basic information such as the size, color, and material. Article images are important information which influences the bidding decisions and the contract price. However, a captured original image can be processed to hide any defect, for example, scratch or deterioration of the articles. This may cause a complaint from a successful bidder or a transaction trouble. To prevent this, even popular digital cameras require a mechanism for confirming the genuineness of article images.
Conventional techniques for ensuring image authenticity in order to assure the genuineness of an image, other than the data authenticity assurance function based on verification data such as MAC, will be introduced.
According to Japanese Patent Laid-Open No. 2002-215029, the date and time when an image was captured (or a paper document was scanned) can be specified later using a time stamp. According to Japanese Patent Laid-Open Nos. 2000-050193 and 2000-215379, the image capturing place can be specified later using GPS-based position information.
A cryptographic technique necessary to build an image authenticity assurance system will be explained.
[Hash Function]
The hash function will be explained. The hash function is used together with a digital signature process in order to lossily compress data to be signed and shorten the signature application time. More specifically, the hash function processes data M of an arbitrary length to generate output data of a predetermined length. The output H(M) is called hash data of plaintext data M.
In particular, a one-way hash function has a feature in which it is difficult in terms of the calculation amount to calculate plaintext M′ which satisfies H(M′)=H(M) for given data M. As the one-way hash function, there are standard algorithms such as MD2, MD5, and SHA-1.
[Public Key Cryptography]
The public key cryptography will be explained. The public key cryptography uses two different keys, and has a feature in which data encrypted by one key can be decrypted by only the other key. Of these two different keys, one is called a public key which is widely open to the public. The other key is called a private key which is held by only a user. According to this feature, a public key can be disclosed, so an encryption key need not be delivered in secret and can be easily delivered.
Encryption methods using the public key cryptography are, for example, RSA encryption and ElGamal encryption. The RSA encryption will be exemplified. The RSA encryption is described in, for example, R. L. Rivest, A. Shamir and L. Adleman: “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”, Communications of the ACM, v. 21, n. 2, pp. 120-126, February 1978.
[RAS Encryption]
Prime numbers p and q are generated to make a number n=pq. λ(n) is defined as the least common multiple of p−1 and q−1. Appropriate e prime to λ(n) is selected to define d=1/e(mod λ(n)). e and n are set as public keys, and d is set as a private key.
[Creation of RSA Cipher Text] Procedure to create cipher text C of document M
C: =Me(mod n) is defined as a cipher text.
[Decryption of RSA Cipher Text] Procedure to decrypt cipher text C
M: =Cd(mod n)
[Public Key Authentication Infrastructure]
User authentication is necessary to access a server resource in communication between a client and a server. As a means for the user authentication, a public key certificate such as ITU-U recommendation X.509 is popular. The public key certificate is data which assures the correspondence between a public key and a user, and has a digital signature attached by a trusted third party called a certification authority. For example, a user authentication method using SSL (Secure Sockets Layer) installed in a browser authenticates a user by confirming whether he has a private key corresponding to a public key included in a public key certificate presented by him.
Since the public key certificate is signed by a certification authority, the public keys of a user and server in the public key certificate can be trusted. For this reason, if a private key used to create a signature by a certification authority leaks or becomes vulnerable, all public key certificates issued by the certification authority become invalid. The certification authority manages an enormous number of public key certificates, and makes a variety of proposals to reduce the management cost. The present invention to be described later can suppress the number of certificates to be issued and reduce the access to a server serving as a public key repository.
ITU-U recommendation X.509 v.3 as an example of public key certificates contains the ID of an entity (Subject) to be certified and public key information as data to be signed. For a digest obtained by calculating the hash function for these data, signature data is generated by signature calculation such as an RSA algorithm. An optional field “extensions” is ensured in the data to be signed, and can hold new extension data specific to an application or protocol.
ITU-U recommendation X.509 v.3 is described in ITU-T Recommendation X.509/ISO/IEC 9594-8: “Information technology—Open Systems Interconnection—The Directory: Public-key and attribute certificate frameworks”.
FIG. 6 shows the format of a public key certificate defined by X.509 v.3. Information displayed in each field will be explained.
The version of X.509 is set in a version 1501. This field is optional, and when omitted, it means v1. A serial number uniquely assigned by a certification authority is set in a serialNumber 1502. The signature method of a public key certificate is set in a signature 1503. The X.500 identification name of the certification authority serving as the issuer of the public key certificate is set in an issuer 1504. The valid term (start date & time and end date & time) of a public key is set in a validity 1505.
The X.500 identification name of the holder of a private key corresponding to the public key included in the certificate is set in a subject 1506. A certified public key is set in a subjectPublicKeyInfo 1507. An issuerUniqueIdentifier 1508 and subjectUniqueIdentifier 1509 are optional fields added from v2, and an identifier unique to the certification authority and that unique to the holder are set in the respective fields.
An extension 1510 is an optional field added by v3 and holds a set of three values: an extension type (extnId) 1511, critical bit (critical) 1512, and extension value (extnValue) 1513. The v3 extension field can store not only standard extension types defined by X.509, but also new unique extension types. Thus, how to recognize a v3 extension type depends on an application. The critical bit 1512 represents whether the extension type is indispensable or ignorable.
[Message Authentication Code (MAC)]
The digital signature is a message authentication method using public key cryptography to identify a user who has created a document. A message authentication method using secret key cryptography instead of public key cryptography or a hash function is also proposed and is called a message authentication code (MAC).
The message authentication method using a hash function will be explained. This hash function is described in, for example, NIST, FIPS PUB 198. FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION. The Keyed-Hash Message Authentication Code (HMAC).
H( ) is a hash function of a byte length B of a block and a byte length L of a hash output, and a private key K is made up of B bytes or less. Two different fixed character strings ipad and opad are defined as ipad=a character string obtained by repeating a byte value “0x36” 64 times, and opad=a character string obtained by repeating a byte value “0x5C” 64 times.
At this time, the MAC value of HMAC for D is calculated by H(K XOR opad∥H(K XOR ipad∥D)), where ∥ represents the concatenation of data. HMAD uses the hash function to calculate a MAC value, but there is CMAC using secret key cryptography. The CMAC is described in, for example, NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication.
A large difference of the MAC from a digital signature is that a sender (MAC value creator) and a recipient (verifier) must share secret data (key K in the description of HMAC). The MAC has an advantage of a smaller calculation amount than that of the digital signature, but has a disadvantage because even the verifier holds secret data, so which of the sender and recipient has created MAC cannot be certified to a third party. The MAC is used together with a standard hash function such as SHA-1 in a network security protocol such as IPSec or SSL.
In paper document electronization applied in the e-document law and the like, readability and authenticity are requirements for electronization, as described above. The paper size of a printed material before electronically preserving the document does not matter.
However, the size of image-captured physical objects cannot be obtained from a digital image which is captured by an image capturing device such as a digital camera and is posted on a Web site such as an Internet auction or electronic mall. The size can be intentionally disguised. A conventional method for obtaining a relative size uses a reference medium whose size is generally recognized, such as a coin (e.g., a 1-yen coin), tobacco, lighter, or CD-ROM. However, these media serving as a reference to presume the size do not always have correct sizes. For example, the printout of a captured image may be captured again, or the output of an altered captured image on a display device may be captured again by an image capturing device. Further, the miniature of a car accident site, building, or the like may be created and captured. Such attacks which cheat a user as if a real thing existed are conceivable.
Even the data authenticity assurance function based on verification data such as MAC cannot avoid these attacks because image data is processed as an authentic one.
To solve this problem, Japanese Patent Laid-Open No. 11-164246 proposes a method of embedding distance information from an object in an image. However, when the source of “distance information from an object” is not specified, the distance information as metadata of the image can be readily forged and tampered with, failing to avoid the above-mentioned attacks. A covering attack which changes the color using cellophane on a lens accessory to an image capturing device can disguise color information.
As described above, even if the mechanism of assuring an image input from an image capturing device is reinforced, the original effects of the image authenticity assurance system cannot be attained as long as the input image itself is a fake.