1. Field of the Invention
The present invention relates to an information processing apparatus, a method therefor, a computer program, and a computer-readable storage medium that are particularly preferable for use in assuring the originality of data.
2. Description of the Related Art
Recently, in conjunction with widespread use of computers and the Internet, formats in which information is digitized and is used as digital data are becoming more common. On the other hand, digital data has features in which an identical copy can be easily generated and editing processing is readily executed. Thus, it is important to assure the originality of digital data.
For example, as described in U.S. Pat. No. 5,499,294, in order to assure the originality of digital data, it is generally known that a technique in which a digital signature is created, using public key encryption, for a hash value of a digital image can secure the originality of the digital data. U.S. Pat. No. 5,499,294 uses a hash function and public key decryption to generate digital signature data. With the digital signature, a sender transmits data and signature data corresponding thereto together to a receiver and then the receiver checks the validity of the data by verifying the signature data.
An approach for checking the validity of data by generating digital signature data using a hash function and public-key encryption per the method disclosed in U.S. Pat. No. 5,499,294 will now be discussed in an easy-to-understand manner in conjunction with a known conventional technique.
First, a sender compresses plain-text data M using a hash function and performs a calculation to determine an output h having a constant length (the output h having a constant length is referred to as a “hash value”). In this case, a private key is represented by Ks and Kp represents a public key.
Next, a calculation for creating digital signature data s is performed by converting the constant-length output h with the private key Ks. This calculation is given as expression (1) below.D(Ks, h)=s  (1)
Thereafter, the digital signature data s and the plain-text data M are transmitted to a receiver.
The receiver performs a calculation for converting the received digital signature data s with the public key Kp. This calculation is given as expression (2) below.E(Kp, s)=E(Kp, D(Ks, h″))=h″  (2)
The receiver also performs a calculation for determining a constant-length output h′ by compressing the received plain-text data M′ using the same hash function as the sender. When the constant-length output h′ determined by the calculation and the constant-length output h″ obtained from expression (2) match each other, it is determined that the received plain-text data M′ is valid.
If the plain-text data M is tampered with during the communication, the constant-length output h″ obtained from expression (2) and the constant-length output h′ obtained by compressing the received plain-text data M′ with the same hash function as the sender do not match each other. Thus, tampering of the plain-text data M can be detected.
In this case, if the digital signature data s is also tapered with in conjunction with tampering of the plain-text data M, the tampering cannot be detected. However, in order to tamper with the digital signature data s, the plain-text data M has to be obtained from the constant-length output h, but such a calculation is impossible because of the one-way property of the hash function.
The hash function will now be described.
The hash function is used to speed up the generation of the digital signature data s. The hash function serves to process the plain-text data M having an arbitrary length and output the constant-length output h. The constant-length output h is referred to as a hash value (or a message digest or digital fingerprint) of the plain-text data M.
The hash function requires the one-way property and collision resistance. The one-way property means that, when the constant-length output h is given, it is difficult to mathematically calculate the plain-text data M that satisfies h=H(M). The collision resistance means that, when the plain-text data M is given, it is difficult to mathematically calculate the plain-text data M′ (M≠M′) that satisfies H(M)=H(M′) and is difficult to mathematically calculate the plain-text data M and M′ that satisfy H(M)=H(M′) and M≠M′.
As the hash function, MD2, MD-4, MD-5, SHA-1, RIPEMD-128, RIPEMD-160, and the like are known and these algorithms are generally available to the public.
Next, public-key encryption will be described.
Public key encryption is an encryption scheme in which an encryption key and a decryption key are different from each other with the encryption key being made public and the decryption key being kept secret. The public key encryption mainly has the following three features.                (a) there is no need to deliver the encryption key in a secret manner, thereby facilitating the delivery, since the encryption key and the decryption key are different from each other and the encryption key can be made public.        (b) each user only needs to keep his or her own decryption key secret, since the encryption key thereof is available to the public.        (c) it is possible to achieve a verification function that allows a receiver to check whether the sender of a transmitted message is not an impersonator and whether the message is not tampered with.        
For example, when an encryption operation using the public encryption key Kp for the plain-text data M is represented by E(Kp, M) and an decryption operation using the private decryption key Ks for the plain-text data M is represented by D(Ks, M), the public-key encryption algorithm satisfies the following two conditions.                (1) when the public encryption key Kp is given, it is easy to perform the encryption operation E(Kp, M), and, when the private decryption key Ks is given, it is easy to perform the decryption operation D(Ks, M).        (2) if the private decryption key Ks is not known, it is difficult to obtain the plain-text data M in terms of the amount of calculation even if the public encryption key Kp, a calculation procedure for the encryption operation E, and C=E(Kp, M) are known.        
In addition to conditions (1) and (2) described above, when condition (3) below is satisfied, secure communication can be accomplished.                (3) the encryption operation E(Kp, M) can be defined for the all plain-text data M, and expression (4) below is satisfied.D(Ks, E(Kp, M))=M  (4)        
That is, since the public encryption key Kp is made public, anyone can perform the encryption operation E(Kp, M), but one who can perform the decryption operation D(Ks, E(Kp, M)) to obtain the plain-text data M is only a person who has the private decryption key Ks.
In addition to conditions (1) and (2) described above, when condition (4) below is satisfied, verified communication can be accomplished.                (4) the decryption operation D(Ks, M) can be defined for the all plain-text data M, and expression (5) below is satisfied.E(Kp, D(Ks, M))=M  (5)        
That is, one who can perform the decryption operation D(Ks, M) is only a person who has the private decryption key Ks. Thus, even when another person performs the decryption operation D(Ks′, M) using a false private decryption key Ks′ to impersonate the authentic person having the private decryption key Ks, expression (5) described above is not satisfied (E(Kp, D(Ks′, M))≠M) and thus the receiver can verify that the received information is unauthorized.
Also, when the decryption operation D(Ks, M) is tampered with, expression (5) described above is not satisfied (E(Kp, D(Ks, M)′)≠M) and thus the receiver can verify that the received information is unauthorized.
Typical examples known in the art that allow for the above-described secure communication and verified communication include RSA decryption, R decryption, and W decryption.
RSA-decryption-based decryption and encryption that are most widely used at present can be represented by expression (6) below.                Encryption: Encryption key (e, n) Encryption conversion C=Me (mod n)        Decryption: Decryption key (d, n) Decryption conversion M=Cd (mod n)n=p·q  (6)        where p and q are large prime numbers different from each other        
As described above, U.S. Pat. No. 5,499,294 discloses a technique for assuring the originality of digital data by creating a digital signature, using public key encryption, for a hash value of a digital image. However, with this technique, when even one bit of digital data with a digital signature is modified, it is considered tampered with even when the modification was permitted by the author of the digital data. Further, with the technique disclosed in U.S. Pat. No. 5,499,294, after data is modified, the only thing that can be determined is that the data is not the original.
An example in which the approach disclosed in U.S. Pat. No. 5,499,294 is applied to a digital camera will now be discussed. Typically, a digital image and digital signature data, which are outputs from the digital camera, are input to a computer (PC). Thereafter, processes, such as changing the brightness for easy visibility of the image, filtering, and cropping of the image are commonly performed.
These processes are intended to make the image easy-to-view and clear, and are permitted by the author of a digital image in many cases. However, with the technique of U.S. Pat. No. 5,499,294, if any process, including those described above, is performed on the digital image after the digital image data has been outputted from the digital camera, the digital image data is considered to have been tampered with.
In this manner, the known technology has a problem in that, when the originality of data is assured with a digital signature or the like, the data cannot be modified even if the modification is authorized.