1. Field of the Invention
The present invention relates generally to methods and apparatuses for acquiring and certifying physical measurements. More particularly, the invention relates to acquiring and cryptographically certifying a measurement representative of a physical parameter, such that the measurement can be verified at a later time.
2. Background
The use of sensors to acquire physical measurements is a pervasive and ever-expanding aspect of the electronic age. The widespread availability of low-cost, highly accurate sensor technology enables detailed measurements of physical parameters of concern to a wide variety of commercial and military applications. For example, the National Weather Service has developed the Automated Surface Observing System (ASOS) which is a cluster of sensor instruments that produce weather data. Each ASOS system is made up of eight sensors that stand in a row about 50 feet long, typically in an open field. The sensors, linked to an on-site computer, measure rainfall, wind speed and direction, temperature and dew point, air pressure, precipitation, visibility (fog and haze), cloud height, and freezing rain. Another example is Conductus Technologies{character pullout} Extremely Low Frequency Antenna, which is a superconductor-based magnetic field sensor capable of measuring extremely small magnetic signals from distant sources. The system is designed for applications in mineral resource detection, experimental studies of seismic activities, and submarine communications. Yet another example is the Urban Gunshot Location System, which uses sound sensors to pinpoint the location of gunshots in a city. The sensors arc mounted twenty to thirty feet above the ground, attached to poles or buildings. Data from the sensors are transmitted to a central computer which triangulates the location of the sound source to within 25 feet. The central computer then provides the location information to nearby police officers who can investigate the scene.
As shown by these applications, physical measurements are being acquired and used to guide activities having significant economic or safety implications, e.g., predicting the weather, prospecting/developing mineral resources, predicting earthquakes, securing military communications, or monitoring criminal activity. In these and many other instances where a physical measurement is to be communicated to a temporally or spatially distant recipient, the recipient would like to be assured of when the measurement was taken, as well as one or more of: what was measured, where the measurement was made, and who was present during the measurement.
For example, one application involves remote monitoring of pollution levels at a factory for round-the-clock clean air compliance verification. There, the certified measurement would include the pollution measurement and its time of acquisition. Another application might be the logging of access requests to a secure location. There, the certified measurement would include an individual{character pullout}s biometric identifier and his time of entry onto the premises. Yet another application might be a device to ensure house arrest. There, the certified measurement might include an individual{character pullout}s biometric identifier and his location. An example of an application requiring all four elements (when, what, where, and who) is the U.S. Army{character pullout}s Intelligence and Electronic Warfare Common Sensor System, in which land combat elements are sent into the field with intelligence-gathering sensors and subsystems. These sensors will provide tactical commanders with tools to electronically map the entire battlefield in order to identify, locate, and determine the intentions of enemy forces. In this case, it is crucial that the certified measurement accurately represent when the battlefield data were acquired, what was actually measured, where the measurement was taken, and who took the measurement, i.e., that the measurement was taken by a friendly soldier rather than an enemy who had captured or otherwise spoofed the measurement process. In general, the cryptographic certification may require elements of authenticity (measurement origin), integrity (non-modification subsequent to acquisition), and corroboration (assurance of the measurement process).
There is known a technique for using a cryptographic protocol to verify inaccessible foreign countries{character pullout} compliance with nuclear test ban treaties. Simmons (1981) discloses the insertion of a seismic signal sensor, along with a public key cryptographic system, into a borehole for timestamping and encrypting measurements of seismic vibrations indicative of nuclear weapons testing. This system was designed to operate under two important constraints: 1) that the measurements be fully accessible to the Russian hosts, to ensure them that no unauthorized measurements were being taken, and 2) that the measurements be transmitted to the US in spite of lack of local access to the monitoring equipment. The first constraint compels using public key cryptography and giving the Russians the public key so they could decrypt measurements encrypted with the corresponding private key. Thus, the Russians could monitor the transmitted measurements but not impersonate them. The second constraint requires transmitting the measurements rather than storing them locally for later retrieval. These requirements are unnecessarily limiting for certain commercial applications of physical event monitoring. For example, in low-cost applications, or where the receiver has limited computational capabilities, it may be impractical to use public key cryptography because it is too computationally intensive. Instead, a simple hash (if integrity alone is required) or symmetric key encryption (if authenticity alone is required), or a combination thereof, might be appropriate. Neither of these techniques is possible with the Simmons system because of the possibility of fraud. Still other applications might require only local acquisition or storage of the certified measurement rather than transmission--which would result in significant cost and or device complexity reductions upon elimination of the transmitter and receiver. The Simmons system does not allow this possibility because of the lack of US access to Russian soil and the need to allow Russian monitoring as a precondition of measurement acquisition. Finally, the Simmons system does not describe techniques for assuring where the sensor was at the time of measurement (suppose the sensor and its surrounding soil were surreptitiously excavated between measurement transmissions and moved away from the nuclear test site). Furthermore, there is no provision for certifying who was present during measurement (a presumably unmanned site) or to otherwise independently corroborate the measurement to a remote recipient.
There are also known various devices for cryptographically certifying the authenticity and integrity of electronic documents. Examples of such devices may be seen in several US patents (U.S. Pat. Nos. 5,189,700; 5,157,726; 5,136,647; 5,136,646; 5,022,080; 5,001,752; and 4,786,940) disclosing devices that input a digital data stream, crytographically certify the digital data, and output a digital data stream. In addition, certain of these devices optionally add time from a secure internal clock to the digital data stream.
Many of the aforementioned devices are directed at applications whose primary goal is digital data certification, rather than physical measurement certification. The devices can assure the authenticity and/or integrity of digital data presented to the device only as of the time of presentation of the data to the device. However, they can not assure: 1) when the digital data were originally acquired prior to presentation to the device, 2) what the digital data actually represent, 3) where the data were acquired prior to presentation to the device, or 4) who was present at the time of measurement. For example, such devices would be unable to certify: 1) that a digital signal representative of a physical measurement was not acquired at an earlier time and subsequently provided to the measurement certification device, 2) that the purported physical measurement really is a physical measurement (rather than a man-made signal), 3) that the physical measurement came from where it was supposed to, rather than from an alternate location, and 4) who made or witnessed the physical measurement.
In a variation of digital data certification, cryptographic techniques have been used to certify an image recorded by a digital camera. In one known example of this technology, Aquila Technologies (1996) discloses a digital image authentication system that is analogous to, and shares the same drawbacks of, the aforementioned digital data certification technologies--a lack of assurance as to the physical measurement itself. At best, a camera can only be said to certify an image rather than a physical measurement. Even if an image is taken of a sensor purportedly displaying the result of a physical measurement, there is no guarantee of the physical measurement itself. For example, a timestamped photograph of a thermometer reading is meaningless because one is not assured of when the reading was taken (suppose the camera takes a picture of a picture of an earlier reading), what is being read (maybe the thermometer has just come out of an ice bath), where the measurement was taken, or who witnessed the measurement.
Thus, there exists a need for a device and method for acquiring and certifying a physical measurement, using a wide variety of cryptographic protocols, such that the value and time of measurement can be verified by a party that was not necessarily present at the time the measurement was taken. There further exists a need for a device and method which assures where the measurement was acquired. Finally, there exists a need for a device and method which can accomodate independent corroborative evidence of the measurement or certification event.