FIELD OF THE INVENTION The present invention generally relates to a method and apparatus for acquiring and recording a sample of an environment and, more particularly, to a method and apparatus that allows the stored recording to be verified as an authentic, unaltered sample of the environment.
BACKGROUND OF THE INVENTION One purpose of the present invention is to provide a solution to the problem of either deliberate or inadvertent alteration of recordings. In this context, “recordings” refers to all recordings, including digital images, data files, and the more common audio recording.
Photographs, movies and printed materials have historically been regarded as media that can be trusted to be authentic copies of the original. Early attempts at alteration of photographs for the purposes of revisionist history were almost comically detectable with five people sitting at a table, but six pairs of legs underneath. Hand written, permanently bound, notebooks are used in research laboratories for their resistance against attempts at alteration. Recent technological advances have brought the ability to alter images to the neophyte level. When a master employs the advanced technology the alterations are almost completely undetectable. For this reason digital photography is seldom used in situations when “chain of custody” requirements exist to protect the authenticity of a recording be it photographic, written or auditory. For example, the picture of an accident scene could be altered to show bottles of alcoholic beverages around the driver, even if those bottles hadn't really been there when the picture was taken, but were a post accident embellishment.
A digital camera with apparatus for authentication of images produced from an image file is disclosed in U.S. Pat. No. 5,499,294. Referring to FIG. 3A of U.S. Pat. No. 5,499,294, a block diagram of a system including a digital camera is shown that produces a file image with a digital signature. A device specific decryption key is required to allow a file image to be authenticated. Furthermore, in order to determine whether a file image is authentic, the person performing the authentication must know which camera took the picture, because each camera includes a unique private encryption key.
SUMMARY OF THE INVENTION It is desirable to provide an improved method and system for determining the authenticity of a sample of an environment. A digital signature is created that is a function of both the sample of the environment itself, as well as at least one parameter that is representative of at least one condition under which the digital sample was acquired. The sample is stored in memory together with the at least one parameter and the digital signature. Authenticity of the stored image is determined by creating a new signature from the stored image and at least one parameter, and then comparing the two signatures to determine if they are the same.
Such a method and apparatus is advantageous for several reasons. First, one aspect of the present invention is that it is not necessary to know what device sampled the environment because it only is necessary to have the stored sample, parameters, and signature. Second, encryption is not required for authentication purposes, thereby allowing information storage devices to be manufactured in a more cost effective manner.
Other features and advantages of the present invention will become apparent from the following description.
DESCRIPTION OF THE DRAWINGS FIG. 1 is a schematic diagram of one embodiment of the present invention showing a digital camera, a personal computer, and an external GPS unit;
FIG. 2 is a schematic diagram of a self-contained digital camera that incorporates certain aspects of the present invention;
FIG. 2A is a detailed schematic diagram of a self-contained digital camera that incorporates certain aspects of the present invention;
FIG. 3 is a flow chart of an operational sequence according to a first embodiment of the present invention;
FIG. 4 is a flow chart of the Pre Capture Operations from FIG. 3;
FIG. 4A1 is a flow chart of the Check Additional Inputs for Pre Capture Operations in FIG. 4;
FIG. 4A2 is a continuation of the flow chart from FIG. 4A1;
FIG. 4B is a flow chart for recording the user controls during the Pre Capture Operation;
FIG. 5 is a flow chart of the Capture Operations from FIG. 3;
FIG. 6 is a flow chart of the Post Capture Operations from FIG. 3;
FIG. 6B is the continuation of the flow chart from FIG. 6;
FIG. 7 is a flow chart of the Recording operation from FIG. 3;
FIG. 7A is a diagram of a file format for a signed digital image.
FIG. 8 is a flow chart of the Clean up and Preparation from FIG. 3;
FIG. 9 is a flow chart of the Authentication Sequence;
FIG. 9A1 is a flow chart of the RCA Operations from FIG. 9;
FIG. 9A2 is a continuation of the flow chart from FIG. 9A1;
FIG. 9B1 is a flow chart of the ELA/DER Operations from FIG. 9;
FIG. 9B2 is a continuation of the flow chart from FIG. 9B1;
FIG. 9B3 is a continuation of the flow chart from FIG. 9B2;
FIG. 9B4 is a continuation of the flow chart from FIG. 9B3;
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS One aspect of the present invention is the concept and method of indigenous authentication. That is, a family of devices to create recordings with material to validate its authenticity. One embodiment of the present invention relates to digital photography where an image is authenticated as a whole. An intermediate version allows the authentication of less than the whole. An advanced version allows for recovery of damaged (altered from its original state) elements. Additional inputs including, but not limited to, date, time, latitude, longitude, altitude, roll, pitch, yaw, and compass heading can be made part of the image as well as the status of camera elements including camera identification, image sequence number, flash status, lens zoom factor, counter vibration status, focus status and focus quality. This additional information becomes part of the recording and can also be authenticated.
The present invention is applicable to information capture scenarios other than digital cameras such as self-authenticating identification documents, an extension of the notary public system, or electronic laboratory notebooks to replace the handwritten ones mentioned above. Once established as a trustworthy source, the indigenous authentication concept can be extended further for recording quality control, legal requirements and financial instruments.
A key to verifiable authenticity is to ensure that the authentication information generation is tightly coupled to the sensor set and recorder. There can be nothing that can possibly alter the recording before the authentication information is generated. Authentication using this method requires neither comparison files, nor conventional or reverse encryption. The strength of authentication is increased by using one-time random elements and by the use of a random string, regenerated under user control. Although not required for basic operation, the resulting recording can be optionally encrypted to conceal the information. The absence of required conventional encryption or reverse encryption eliminates the need for a public registrar or record keeping relating to the management of decryption keys. As the authentication is indigenous there is no requirement to identify which recorder was used.
Referring to FIG. 2, an environment 2 can be sampled 1 in a variety of formats. In recording a single sample of a visual environment, a single frame optical recorder, generally known as a camera, is used. The sample taken, known as a “photograph,” has been recorded on positive transparency films (slides); negative transparency films (negatives); opaque or translucent prints; and more recently as digital files.
In recording a continuous sample of a visual environment, a continuous optical recorder such as a video camera, movie film camera or a digital movie camera is used. These samples, generically called “movies,” have been recorded on transparency film, videotape and more recently as digital files.
In recording a sample of an auditory environment, a continuous audio recorder such as a tape recorder or a digital recorder is used. These samples, generally called “recordings,” have been recorded on a wide variety of wire, tape and digital files.
With the development of sensors and recorders, the recording of samples of taste, touch and smell can be accommodated in the same generic model. Also, samples are not limited to the five human senses. The method for authentication and verification disclosed in the present application can be used on samples taken from any sensor set including, but not limited to, the full range of physical, chemical, and spectral phenomena.
To ensure authentication, additional inputs 7 other than the sensor set 4 are not accessible to the user without detection as shown in FIG. 2. To accomplish this the additional inputs are shown inside the device physical boundary. Analog recorders may also be incorporated into this system through the use of analog to digital converters.
One use of the present invention is to create an image or data file that is considered “trustworthy” in any situation where proof of authenticity is necessary. This includes, but is not limited to, legal evidence, insurance claims, project management, scientific research, invention, quality control, identification, intelligence gathering, purchasing, command and control, law enforcement, document and image transmission.
The increasingly rapid transition to digital capture, analysis, storage, transmission, distribution and use of information, using increasingly sophisticated hardware and software for creation and capture tools, makes it increasingly difficult to accept any image or data file as authentic on its face.
With the continued growth of personal computers in society and the increasing use of the internet, electronic miscreance including deliberate fraud and inadvertent changes caused by transmission or storage errors are on the rise. The need for authentication parallels that rise to counter proliferation of altered files. The need for authentication also increases with the potential damage an altered file might cause. For example, contracts, purchase orders, legal decisions, electronic bill payments, electronic invoices, quality control information, blue prints, designs: all of these could cause great harm if an altered version were believed to be authentic. It is not unreasonable to presume that indigenous authentication might become the norm, in an attempt to prevent or derail any possible malicious acts by miscreants.
One aspect of the present invention allows generally complete mitigation of the threat of undetected image alteration and subsequent use of the altered image for purposes of deliberate or unknowing deception. Thus, a framework is provided for future devices to accomplish similar ends and provide a solution to an ever more troubling social and economic problem, namely the eroding credibility of photographic images, especially in law enforcement where the images may become evidence in a legal proceeding.
Referring to FIG. 1, a schematic diagram of one embodiment of the present invention showing a digital camera, a personal computer, and an external GPS unit is shown. A general purpose microcomputer 252 is used to simulate the processor 157 and its programming. The mouse 256 and keyboard 257 are used to simulate the user's setting of controls (See FIG. 2A, 9, 10, 11, 12, 13). The microcomputer's monitor 253 is analogous to the process monitor 8 shown in FIG. 2A. An external geographic positioning system 254 (GPS) is used instead of an internal 44 one. An externally connected digital camera 255 simulates the lens sensor set 73, auto focus 19, and flash generator 30. The microcomputer's 252 floppy drive (not shown) performs the function of the recorder 142 and the 3.5″ floppy disk 259 is the removable storage media 141.
Referring to FIG. 2A, a device model for a single frame optical recorder, more commonly known as a camera, is shown. FIG. 2A does not show the externally supplied source or internal batteries that must power this device. In this camera, the user may access the process monitor 8. For approximate aiming, access may be gained through a shaft, parallel to the axis of the lens. Access to the process monitor 8 may also be gained through a processor 157 controlled recreation of the current scene. Indicators appear on the process monitor indicating flash status, zoom status, etc.
Operators may aim the device, activate the device, and set user controls, including but not limited to, flash 9, zoom 10, random string recording (RSR) 11, or optional encryption 12. During the operation of the camera, internal security 14 is monitored to detect the integrity of the tight coupling of the sensor set and the recorder 6.
Referring to FIG. 3, when the processor 157 receives an activation signal, the multi phase operating cycle proceeds through the pre capture, capture, post capture, recording, clean up and preparation operations before returning to the pre capture phase. To reduce the time within each phase, parallel processing and other engineering techniques are used.
Referring to FIG. 4, the pre capture sequence is the most common operating phase of the unit. The device cycles in the pre capture operation 65 until activated by user control 13, or turned off 15 in preparation for normal termination 95. If the device is turned on and inadequate 16 power is present to complete the operating cycle, the user activation will have no effect. An indication 17 is given to the user through the process monitor and no further processing is completed 66.
If sufficient power is present to complete the operating cycle, the additional inputs and components are checked. Referring to FIG. 4A1, the auto focus 19 sensor and processor are then checked 20. If a malfunction 21 is present the process monitor 8 will be updated with an error message 22 to inform the user.
Independent of the auto focus's status, processing continues checking the focus quality sensor 23, the flash generator 30, counter vibration unit (C-VIBE) 35 and the roll, pitch, yaw (RPY) unit 40. These tests are performed in order (20, 25, 29, 34, and 39) independent of resulting status. At each stage, if a malfunction is present, the process monitor is updated with an error message to inform the user (27, 32, 37 and 250).
Referring to FIG. 4A2, the status processing continues 42 with a check 43 of the global position system (GPS) unit 44. If there is a malfunction 45, the value “NO GPS” is recorded 46. If no malfunctions 47 are present, the current GPS coordinates and other GPS information are recorded 48 and the process monitor 8 is updated 49 with an error message or the current coordinates.
Independent of the GPS status, processing continues 50 with a check 51 of the internal compass 52. If a malfunction 53 is present, the value “NO COMPASS” is recorded 54. Otherwise 55 the current compass heading is recorded 56 and the process monitor 8 is updated 57 with an error message or the current heading.
Independent of the compass status, processing continues 58 with a check 59 of the internal security system 14. If there is a breach of security 60 the violation is recorded 61. Otherwise 62 the value “ImageGuard” is recorded 63 and the process monitor 8 is updated 64 with the violation or “ImageGuard”.
Referring to FIG. 4, after the additional inputs and components are checked 18, the user control modifications are recorded 67. Referring to FIG. 4B, the current setting for the flash generator 30 is checked 68 against the flash settings 9 provided by the user. If not identical 69, the setting for the flash generator 30 is set 70 to that provided by the user.
The user's zoom setting 10 is then checked 72 against the zoom setting of the lens 73. If not identical 74, the setting for zoom 73 is set 75 to that provided by the user. The current random string record (RSR) value is then checked 77 against the setting 11 provided by the user. If not identical 78, the RSR value is set 79 to that provided by the user. The two possible values are “Y” for “Yes, record a new random string with the next image” and “N” for “No, don't record a new random string with the next image.”
The current encryption value is then checked 81 against the encryption value 12 provided by the user. If not identical 82, the current encryption value is set 83 to that provided by the user. The three possible values are “Y” for “Yes, produce an encrypted image only”, “N” for “No, don't produce an encrypted image, produce an unencrypted image only” and “B” for “Produce both an encrypted image and an unencrypted image.” During this process the process monitor 8 is updated 85 to reflect any changes made.
Referring to FIG. 4, once the user control modifications are recorded 67, processing continues 86 with a test 87 for adequate recording media. If there is inadequate recording media 88 the process monitor 8 is updated 89 with an error message and no further processing is completed 90 past this point.
After the test dealing with adequate recording media is completed 91, all pre capture operations are complete. A test 92 is made for the status of the activation control 13. If the control is not active 93, processing is cycled 65 and if active, processing continues 94 with capture operations.
Referring to FIG. 5, once the user activation control 13 is active, processing moves from pre capture operations (see FIG. 4) to capture operations (see FIG. 5). Current values are acquired 96 from the GPS and Compass system. If the GPS is not active 45, the “NO GPS” value 46 is recorded. If the GPS is active 47, the GPS coordinates 48 are recorded as is the current date and time. If the Compass is active 55, the current heading is recorded and if not active 51, the “NO COMPASS” value 54 is acquired.
At this point, if required 97, the counter vibration unit (C-VIBE) is activated 98 to counter vibration. The roll, pitch and yaw (RPY) sensors are activated 99, and the need to prime 105 the flash unit is determined. A test is made for the user commanding the flash on or off 100. If the flash is commanded on 101 or auto flash detects 103 the requirement 104 for a flash, the flash is primed 105 and the image is captured with flash 108. Otherwise the image is captured without a flash 107.
Focus quality points are detected 109 by accessing the focus quality additional input 23. The number of focus quality points is selected, and the maximum range and minimum range are recorded. Here the camera uses either sound ranging, or another technology to measure depth of field. This procedure is required for auto focus and would detect the reproduction of a picture. This procedure also reports the number of points with differing ranges as well as the closest and farthest focus quality points from the camera. For example, “10p 1m Inf” would mean 10 points of differing depth, the nearest being one meter, the farthest is infinity.
Referring to FIG. 6, once the image has been captured (see FIG. 5) processing moves to post capture operations. First the CCD (or other sensor) is polled 110 to gather the image and prepare it for recording. The GPS values for latitude, longitude, altitude, date, time, and satellites used for the positioning, that were previously acquired 96, are then appended 111 to the image. If the GPS was not functional 45 the “NO GPS” value 46 is appended 111 to the image. The AutoFocus status; number of focus quality points 109; maximum range and minimum range; flash value (commanded on, commanded off, auto-flash required, or auto-flash not required); counter vibration value (active 98 or not); roll, pitch and yaw (RPY) values; recorded compass heading 96; lens 73 zoom setting; camera identifier (CamID 124 set by the factory and unalterable by the user); current image sequence number 125; current random string 126; and file type (127 set by the factory and unalterable by the user) are all appended to the image. If internal security is compromised 60 a security violation 61 is appended 123 to the image. Otherwise the “ImageGuard” value is appended 123 to the image.
Referring to FIG. 6B, there are three levels of authentication and damaged element recovery. The initial level is total image authentication (TIA). At this level only the entire image is authenticated or not. The second level is row/column authentication (RCA) where each row and column of the picture elements (pixels) can be authenticated independently. Under RCA, less than the whole image can be authenticated. The third level is elemental level authentication (ELA) and damaged element recovery (DER).
Under the ELA structure, each and every single pixel can be authenticated independently. If a single pixel fails authentication (damaged) there are structures added to the image in the post capture operation which provide multiple methods of determining the original value of the damaged pixel. This is called damaged element recovery (DER). Initially the level of authentication and damaged element recovery is to be set at the factory so that no affiliated user control (9, 10, 11, 12, and 13) is shown. There can be only one level of authentication (TIA, RCA, ELA/DER) active per use. (See FIG. 9 “Authentication Sequence” and more on authentication.)
If RCA is elected 128, the RCA structures and values are computed and appended 129 to the image. If ELA/DER is elected 130, the ELA/DER structures and values are computed and appended 131 to the image. The signature protocol used in this device is the commercially available MD5, but the signature protocol is not limited to the MD5. The digital signature 132, which is a function of the signature protocol (SP) being used and the block, is computed and made part of the file. (SIGNA = ƒ(SP(Block))) The Block 144 is the digital data composed of the image and optionally: additional information, the camera id, the random string, the camera decryption key, and the RCA and ELA/DER structures and values.
If the user has elected 133 no encryption, or both encrypted and unencrypted, as set by the user control 12 and evidenced by the encryption value 83, then an unencrypted version of the complete image file is created 134. If the user has elected 135 encryption, or both encrypted and unencrypted, as set by the user control 12 and evidenced by the encryption value 83, then an encrypted version of the complete image file is created 136.
Referring to FIG. 7, if the user has elected 137 no encryption, or both encrypted and unencrypted, as set by the user control 12 and evidenced by the encryption value 83, then an unencrypted version of the complete image file is written 138 by the recorder 142 on the recording media 141. If the user has elected 139 encryption, or both encrypted and unencrypted, as set by the user control 12 and evidenced by the encryption value 83, then an encrypted version of the complete image file is written 140 by the recorder 142 on the recording media 141.
Referring to FIG. 2A, a 3.5″ floppy drive 142 and removable 3.5″ floppy diskette 141 is shown as the recorder and recording media. Other available recording options include flash RAM with removable memory modules, and storage not internal to the device via infra red, serial, Ethernet, Token Ring, parallel, universal serial bus (USB), firewire or other communication mode to either a single computer or a network of computers.
Referring to FIG. 7A, the files created by the Signa2 process are in a format generally accepted by the industry. Most specifically, the Signa2 files are not proprietary. Additional information is contained within the file, but the addition of the information is in compliance with the standards for the format.
There are two braces in the figure. The first titled “Image” indicates the two elements that are viewable by programs compliant with generally accepted industry formats. Elements outside this brace are not viewable by programs compliant with generally accepted industry formats. The second 144 titled “Block” indicates the elements covered by the signature 145. Everything inside the “Block” is what is signed.
Elements shaded in gray 161 are optional and not required to fulfill the basic purpose of Signa2 devices. A tightly coupled image 146 and signature 145 are the minimum required elements for the Signa2 process.
The sensor set 73 acquires the image 146, which is the minimum viewable information. Additional data from the camera 147, viewable by the user, include: Global Positioning System (GPS) information 111; zoom settings; AutoFocus status; the results of the focus quality sampling; roll, pitch and yaw (RPY) values; the compass heading; flash status; File Type; CamID; Seq 120; and Security Value.
The GPS information 111 may include 48 latitude, longitude, altitude, date, time, satellites used in the determination or “NO GPS” 46 if there is a fault 45 with the system. The zoom setting 75 information includes the setting used by the lens 73 for capturing the image expressed either in millimeters with 50 mm being “eye-normal”, or in X where 1X is 50 mm. The compass heading 117 includes information on which way the camera was pointing at the time the image was captured.
The flash status 114 information includes the commands, Commanded ON, Commanded OFF, Auto ON or Auto OFF. In the flash status, the first two refer to settings forced by the user and the latter two refer to the user allowing the camera to decide to flash or not and whether it did or not. There may be other options.
The CamId 119, or camera identification code, is set at the factory and part of each image. Examples are SHEP0001 or MOLL0454. Although not required for authentication it does provide a means of determining, at least initial ownership of the device.
Seq 120 is the sequence number for unique image identification, automatically incremented. When used with CamId above BECK5102-98312 uniquely identifies the camera and the picture.
The two Security Values 123 are ImageGuard and NONVERIFIED. ImageGuard appears if no internal errors are detected and the security is not compromised. NONVERIFIED (or other indication of compromise) appears if security is compromised within the system.
Other segments within the File Structure include Camera ID 148; Random String 149; Camera Decryption Key 150; RCA and ELA/DER structures and values 160; and the digital signature 145. The Camera ID 148 is the unique camera identification, the same as above, but in a section of the file not viewable by the user. The Random String 149 is the current random string and is made part of the file. The Camera Decryption Key 150 is a camera specific decryption key that stays in the camera.
Referring to FIG. 8, this figure illustrates the process for clean up and preparation. In this portion of the process, functions not useful in pre capture operations (see FIG. 4) are deactivated and preparations are made for subsequent image capture. The counter vibration, and the roll, pitch, yaw are deactivated 151, 152 and the image sequence number is incremented 153.
If the “Random String Recording” has been set 79 to YES by the user control 11, the image itself and other information (Referring to FIG. 7A) are used to generate 155 a new random string that replaces the previous random string. The “Random String Recording” 79 is then reset 158 to NO and the user control 11 is set 159 to NO. Temporary resources used by the processor 157 are then deallocated 156 to prepare them for re-use.
It is important to note that the previous random string is used for the image just created. Therefore, frequent resetting of the random string will deter pattern recognition and increase security. This is discussed in the “Role of the random string in increasing the strength of the digital signature” below.
Referring to FIG. 9, authentication starts with a file believed to contain an image and the additional items (see FIG. 7A) to make the file authenticatable as a Signa2 image. The authentication program must be easily and freely available from a secure public source. Otherwise someone seeking to deceive could provide a faux-authentication program to generate a forced-negative or forced-positive authentication.
The program starts 162 with a self diagnostic to ensure that the authentication program itself has not been damaged or corrupted. This self diagnostic is repeated each time processing reaches this 162 point to guard against alterations made after the program has been loaded. Should the self diagnostic fail the program immediately ends with an error message. This self diagnostic procedure and the possibility of a failure are not shown on FIG. 9.
Once the authentication program has been loaded the user is presented with an opportunity to select a file or elect program exit. If the user elects program exit the authentication program ends 163. If an encrypted file is selected 164, an attempt 165 is made to decrypt the file. This may require a decryption key obtained from the user or taken from the file 150. If a decryption error 166 occurs, an error message 167 is displayed and the program cycles back to start 162.
If the file was not 168 encrypted or was decrypted without error 169, a test 170 is made to confirm that the file is in the Signa2 format. If the file is not 171 in Signa2 format, the file is not authenticatable 172 and the program cycles back to start 162.
If the file is 173 in Signa2 format, the block 144 is separated 174 from the signature 145 and the signature is recalculated 175 from the original block 144. If the recalculated signature (SIGR) matches 176 the provided signature (SIGP), the image may be viewed 248 and is marked authenticated 249 as a valid image using total image authentication (TIA). The program then cycles back to start 162.
If the two signatures do not match, and the authenticator program has been acquired from a trusted source and is free from alteration; then the image file has been damaged or altered. This is a true-negative, an image properly determined not to be authentic. With an uncompromised authenticator program, a Signa2 image file using TIA level authentication cannot generate false-negatives. The image and the signature are in a single file and altering the file, either intentionally or accidentally, constitutes invalidation and a proper negative authentication.
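The total image authentication check described above, as an added example rather than code from the patent: the byte layout (length-prefixed Block elements followed by a 16-byte MD5 value) and all function names are assumptions, since the exact encoding of FIG. 7A is not given in the text. MD5 is an unkeyed digest, so the comparison detects a Block that changed while the stored signature did not.

```python
import hashlib
import struct

# Hypothetical serialization order for the Block elements named in the text.
BLOCK_ELEMENTS = ("image", "additional_data", "camera_id", "random_string")
SIG_LEN = hashlib.md5().digest_size  # 16 bytes


def build_block(**elements):
    """Serialize the Block: each element is prefixed with its 4-byte length."""
    return b"".join(
        struct.pack(">I", len(elements[name])) + elements[name]
        for name in BLOCK_ELEMENTS
    )


def sign(block):
    """SIGNA = MD5(Block); the signature is stored in the same file as the Block."""
    return block + hashlib.md5(block).digest()


def parse_block(block):
    """Format test: split the Block into its elements or raise ValueError."""
    fields, offset = {}, 0
    for name in BLOCK_ELEMENTS:
        if offset + 4 > len(block):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from(">I", block, offset)
        offset += 4
        if offset + length > len(block):
            raise ValueError("element runs past end of Block")
        fields[name] = block[offset:offset + length]
        offset += length
    if offset != len(block):
        raise ValueError("unexpected bytes after last element")
    return fields


def authenticate(file_bytes):
    """Return (verdict, fields) following the sequence in the text:
    format test, separate Block from SIGP, recompute SIGR, compare."""
    if len(file_bytes) < SIG_LEN:
        return "not Signa2 format", None
    block, sigp = file_bytes[:-SIG_LEN], file_bytes[-SIG_LEN:]
    try:
        fields = parse_block(block)
    except ValueError:
        return "not Signa2 format", None
    sigr = hashlib.md5(block).digest()
    return ("authenticated" if sigr == sigp else "unauthenticated"), fields


# Constructed sample file; every value below is made up for the example.
SAMPLE_FILE = sign(build_block(
    image=bytes(range(16)),
    additional_data=b"GPS=NO GPS;Flash=Auto OFF;Security=ImageGuard",
    camera_id=b"SHEP0001",
    random_string=b"constructed-random-string",
))

if __name__ == "__main__":
    print(authenticate(SAMPLE_FILE)[0])
    # Changing a recorded parameter, not the pixels, also fails the comparison.
    altered = SAMPLE_FILE.replace(b"Auto OFF", b"Auto ON ", 1)
    print(authenticate(altered)[0])
```

Because the parameters sit inside the signed Block, editing the recorded flash status fails authentication exactly as editing a pixel would.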
If the recalculated signature (SIGR) does not 177 match the provided signature (SIGP), a series of tests are made for one of three authentication levels. If only total image authentication (TIA) is available 178 then no further operations are available 179. The image is viewed 180 and marked unauthenticated 181. The program then cycles back to start 162.
Referring to FIG. 9, if row/column authentication (RCA) is 182 elected, processing continues with RCA Operations and the program cycles back to start 162. If row/column authentication (RCA) has not 183 been elected, a 184 test for elemental level authentication/damaged element recovery (ELA/DER) is made.
Referring to FIG. 9B1, if ELA/DER has 186 been elected, processing continues with ELA/DER Operations and the program cycles back to start 162. If ELA/DER has not been elected 185, there is an error condition as one of the three levels of authentication (TIA, RCA, ELA/DER) should be available. This error condition is handled by reporting no further operations are available 179. The image is viewed 180, marked unauthenticated 181 and the program cycles back to start 162.
Referring to FIG. 9, row/column authentication (RCA) is elected 182 when a file in a Signa2 format 173 has a signature failure 177. The signature used in comparison 145 is a single signature for the entire file. RCA structures and values 160 provide for a method of detecting errors, not at the whole file level, but at a level for each row and column. Checking each row and column provides two opportunities to detect an error for each pixel.
Cyclic Redundancy Check (CRC) is the method used to describe this form of error detection. There are several varieties of CRC as well as other algorithms for error detection of this type. Although CRC is used here for description purposes, other error detection codes (or error correction codes such as Hamming and Reed-Solomon) may be implemented to augment or replace the CRC error detection code.
Referring toFIG.9A1, a digital image consists of picture elements, known as pixels, arranged in a matrix of rows and columns. RCA Operations commence by stepping187 through each row of theimage testing188 the CRC for internal integrity. Although CRCs do not contain an inherent internal integrity test, part of the RCA structures include additional values to test the CRC. If the CRC fails189 this self test, all pixels in that row are marked as damaged, but potentially false negatives (PFN)208.
If the CRC itself is ok191, the entire row of pixels is used to compute192 a new CRC for the row. This new CRC is compared to the original CRC. If they do not193 match, all of the pixels in the row are marked as damaged190. If the new CRC does194 match the original CRC, all of the pixels in the row are marked195 ok.
Referring toFIG.9A2, RCA operations continue by stepping196 through each column of the image andtesting197 the CRC of each column for internal integrity. If the CRC fails198 this test, no further operations are conducted on the column of pixels. If the CRC itself is ok200, the entire column of pixels is used to compute201 a new CRC for the column. If the new CRC does not202 match the original CRC, no further operations are conducted on this column. If the new CRC does203 match the original CRC, all of the pixels in the column are marked204 ok.
A pixel may be marked in one of six ways: Ok—ok from row CRC 195 and column CRC 204; Damaged—ok from row CRC 190 and column CRC 204; DamagedPFN—ok from row CRC failure 189, 208 and column CRC 204; Ok—null from row CRC 195; Damaged—null from row CRC 190; and DamagedPFN—null from row CRC failure 208. There is no second status because of column CRC failure 202.
The nature of the two operations (row and column) generates a matrix where some rows of pixels may be marked as damaged in the row operations and some of those pixels changed from damaged to ok by the column operations. This is because an entire row is marked damaged or ok. If a column is marked ok, the pixels that may have been marked damaged as part of a whole row were not in fact damaged and are changed to being ok. As an example, a single damaged pixel would cause a whole row to be marked as damaged in row operations. Column operations would mark every column ok except the column that had the damaged pixel. The end result is an image with a single pixel marked damaged.
Once the image has been authenticated the user selects 199 from a list of presented display options 205. The display options are: Option A—Display only the original image without any modification; Option B—Display the original image with damaged pixels forced to white; Option C—Display the original image with damaged pixels forced to black; Option D—Rock A and B; Option E—Rock A and C; Option F—Statistical Report; and Option G—End display options. “Rocking” refers to rapidly displaying two alternating images.
The statistical report under Option F contains the following elements: F1 contains the total number of pixels in the image. F2 contains the total number of pixels marked ok—ok, Damaged—ok, DamagedPFN—ok and ok—null, expressed as a number, and as a relative percent of the total number of pixels (F2/F1)*100 known as the “Undamaged Percentage.”
Ok—ok pixels passed both row 194 and column 203 CRC tests. Ok—null pixels passed the row 194 CRC test, but the column CRC was damaged 198 and provided no additional information. Damaged—ok pixels were not actually damaged. The pixels were marked damaged because the new row CRC did not match 193 the original row CRC, and the whole row was marked 190 damaged even though the pixels passed 203 the column CRC test. DamagedPFN—ok also contains pixels that were not actually damaged. The pixels were marked damaged because the row CRC failure 189 caused the entire row to be marked DamagedPFN even though the pixels passed 203 the column CRC test.
F3 contains the total number of pixels marked Damaged—null expressed as a number, and as a relative percent of the total number of pixels in the image (F3/F1)*100 known as the “True Negative Percentage.” The pixels were marked Damaged—null because the new row CRC did not match the original row CRC test 193. There is no second status because of column CRC failure 202.
F4 contains the total number of pixels marked DamagedPFN—null expressed as a number, and as a relative percent of the total number of pixels in the image (F4/F1)*100 known as the “Potential False Negative Percentage.” The pixels were marked DamagedPFN—null because the row CRC failed 189, 208 the self test and the pixel could not be authenticated as ok due to column CRC failure 202. The sum of the relative percents of F2, F3, and F4 should equal 100%, and the sum of F2, F3, and F4 should equal F1.
The user may continue to select 206 alternate display options until they elect to end display options 207. At that point RCA operations are concluded.
Referring to FIG. 9B1, ELA/DER Operations occur when a file in Signa2 format 173 has a signature failure 177, and both element level authentication (ELA) and damaged element recovery (DER) authentication are elected 186. The signature used in comparison 145 is a single signature for the entire file. ELA/DER structures and values 160 provide for a method of determining authentication, not at the whole file level, but at a level for each element.
The ELA/DER structure includes a complete duplicate of the image, compressed and encoded. It is this duplicate image that allows for elemental level authentication and damaged element recovery. In the description below the original version of the image, the one the user can see, is referred to as the “Primary Image”, abbreviated PI. The compressed and encoded version of the image is referred to as the “Backup Image”, abbreviated BI. Both the Primary Image and the Backup Image have row and column CRCs, or other error detection protocols.
Referring to FIG. 9B1, initially each row 209 of the primary image (PI) is stepped through and a self test 210 is performed on each primary image row CRC. If the CRC fails 211 the self test, all of the pixels in the primary image row are marked 212 DamagedPFN as potential false negative damaged pixels. If the primary image row CRC passes 213 the self test, a new primary row CRC is computed 214 from the pixels in the primary image row. If the new primary image row CRC matches 215 the original primary row CRC, all the pixels in the row are marked 216 as ok (undamaged). If the new primary image row CRC does not 217 match the original primary row CRC, all the pixels in the row are marked 218 as damaged.
Referring to FIG. 9B2, once the row-wise process is complete, each column 219 of the primary image is stepped through with a self test 220 performed on the primary image column CRC. If the CRC fails the self test 221, no further operations are conducted on this column. If the primary image column CRC passes 222 the self test, a new primary column CRC is computed 223 from the pixels in the primary image column. If the new primary image column CRC matches 225 the original primary image column CRC, all of the pixels in that column are marked 226 ok. If the new primary image column CRC does not 224 match the original primary image column CRC, no further operations are conducted on this column.
Each pixel may be marked in one of six ways: Ok—ok from row CRC 216 and column CRC 226; Damaged—ok from row CRC 218 and column CRC 226; DamagedPFN—ok from row CRC failure 212 and column CRC 226; Ok—null from row CRC 216; Damaged—null from row CRC 218; and DamagedPFN—null from row CRC failure 212. There is no second status because of column CRC failure 221.
Referring to FIG. 9B3, authentication then starts on each damaged or damagedPFN pixel with attempts to recover the original value of that element. Additional processing efforts are not made to distinguish between true negatives and false negatives due to the fact that the same damaged element recovery (DER) procedures are used on each.
To recover the value of a damaged primary image pixel the corresponding backup image pixel must first be located and validated. Validation of the corresponding backup image pixel can occur under either of the two scenarios. In the first scenario, the backup image ROW CRC for the corresponding backup image pixel is undamaged and the computed backup image ROW CRC matches the original backup image ROW CRC. In the second scenario, the backup image COLUMN CRC for the corresponding backup image pixel is undamaged and the computed backup image COLUMN CRC matches the original backup image COLUMN CRC.
Stepping 227 through each damaged or damagedPFN pixel in the primary image is done to locate 228 the corresponding pixel in the backup image. The backup image will require decompression first. If the corresponding backup image pixel cannot 229 be located, it cannot be authenticated and it is not possible to recover the value of the primary image pixel 230. Once the corresponding backup image pixel is 231 located, a self test 232 is performed on the backup image ROW CRC.
If the backup image ROW CRC self test fails 233, the backup image ROW CRC is damaged and is unusable for authentication. The backup image COLUMN CRC for the corresponding backup image pixel is then used for authentication and a self test 235 of the backup image COLUMN CRC is performed.
If the backup image COLUMN CRC for the corresponding backup image pixel fails 236 the self test, the corresponding backup image pixel cannot be authenticated and it is not possible to recover the value of the primary image pixel 230. If the backup image COLUMN CRC for the corresponding backup image pixel passes 239 the self test then a new backup image COLUMN CRC is computed 240.
If the new backup image COLUMN CRC matches 241 the original backup image COLUMN CRC 238, the corresponding backup image pixel is authentic and can be used to recover the value of the damaged or damagedPFN primary image pixel. If the new backup image COLUMN CRC does not match 243 the original backup image COLUMN CRC, the corresponding backup image pixel cannot be authenticated and it is not possible to recover the value of the primary image pixel 230.
If the backup image ROW CRC self test succeeds 234, a new backup image ROW CRC is computed 251. If the new backup image ROW CRC matches 237 the original backup image ROW CRC then 238 the corresponding backup image pixel is authentic and can be used to recover the value of the damaged or damagedPFN primary image pixel. If the new backup image ROW CRC does not 242 match the original backup image ROW CRC, one or more of the backup image pixels in that row is damaged and the backup image column must be tested for authentication.
A self test 235 of the backup image COLUMN CRC is performed. If the backup image COLUMN CRC for the corresponding backup image pixel fails 236 the self test, the corresponding backup image pixel cannot be authenticated and it is not possible to recover the value of the primary image pixel 230. If the backup image COLUMN CRC for the corresponding backup image pixel passes 239 the self test then a new backup image COLUMN CRC is computed 240.
If the new backup image COLUMN CRC matches 241 the original backup image COLUMN CRC 238, the corresponding backup image pixel is authentic and can be used to recover the value of the damaged or damagedPFN primary image pixel. If the new backup image COLUMN CRC does not match 243 the original backup image COLUMN CRC then the corresponding backup image pixel cannot be authenticated and it is not possible to recover the value of the primary image pixel 230.
Each pixel may then be marked in one of eight ways: Ok—ok, from row CRC 216 and column CRC 226; Damaged—ok, from row CRC 218 and column CRC 226; DamagedPFN—ok, from row CRC failure 212 and column CRC 226; Ok—null, from row CRC 216; Damaged—null—recovered, from row CRC 218 (the original value of the pixel was recovered 238); Damaged—null—not recovered, from row CRC 218 (the original value of the pixel was not 230 recovered); DamagedPFN—null—recovered, from row CRC failure 212 (the original value of the pixel was recovered 238); and DamagedPFN—null—not recovered, from row CRC failure 212 (the original value of the pixel was not 230 recovered). Damaged—null and DamagedPFN—null are replaced with the results of the recovery efforts.
Referring to FIG. 9B4, once the authentication and recovery operations are completed the user is presented 244 with a list of eleven presented display options 245. Option A displays only the original image without any modification. Option B displays the original image with damaged and damagedPFN pixels forced to white. Option C displays the original image with damaged and damagedPFN pixels forced to black. Option D displays the original image with damaged and damagedPFN pixels replaced with recovered pixels. Unrecovered damaged and damagedPFN pixels are forced to white. Option E displays the original image with damaged and damagedPFN pixels replaced with recovered pixels. Unrecovered damaged and damagedPFN pixels are forced to black.
Rapidly displaying two alternating images is known as “rocking.” Option F rocks between A and B. Option G rocks between A and C. Option H rocks between A and D. Option I rocks between A and E.
Option J displays the Statistical Report containing the various elements. This option displays the total number of pixels in the image J1. It also displays the total number of pixels marked ok—ok, Damaged—ok, DamagedPFN—ok and ok—null, expressed as a number, and as a relative percent of the total number of pixels (J2/J1)*100 known as the “Undamaged Percentage” J2. Ok—ok pixels are those that passed both row 216 and column 226 CRC tests. Ok—null pixels are those that passed the row 216 CRC test, but the column CRC was damaged 221 and provided no additional information. Damaged—ok pixels are those that were not actually damaged. The pixels were marked damaged because the new row CRC did not match 217 the original row CRC and the whole row was marked 218 damaged. These pixels passed 225 the column CRC test. DamagedPFN—ok pixels were those that were not actually damaged. The pixels were marked damagedPFN because the row CRC failure 211 caused the entire row to be marked 212 DamagedPFN. The pixels passed 225 the column CRC test.
Option J also displays the total number of damaged—null—recovered pixels as a number, and as a relative percent of the total number of pixels (J3/J1)*100 known as the “Damaged and Recovered Percentage” J3. The total number of damaged—null—not recovered pixels are also displayed as a number and as a relative percent of the total number of pixels (J4/J1)*100 known as the “Damaged and Not Recovered Percentage” J4.
Option J displays the total number of damagedPFN—null—recovered pixels as a number and as a relative percent of the total number of pixels (J5/J1)*100 known as the “DamagedPFN and Recovered Percentage” J5. It also displays the total number of damagedPFN—null—not recovered pixels as a number and as a relative percent of the total number of pixels (J6/J1)*100 known as the “DamagedPFN and Not Recovered Percentage” J6. The sum of J2, J3, J4, J5 and J6 should equal J1, and the sum of the relative percents of J2, J3, J4, J5 and J6 should equal 100%.
The final option that may be selected is Option K to end display options. The user may continue to select 246 alternate display options until they elect to end display options 247. At that point ELA/DER operations are concluded.
The following is information on True Negatives, False Negatives and False Positives using row/column authentication (RCA) given that an authenticator program has been acquired from a trusted source and is free from alteration.
If a pixel is damaged (altered from its original state) and this damage is detected by the RCA operations then the pixel is a true-negative, part of an image properly determined not to be authentic. Using RCA it is possible to generate a false negative, that is where a pixel is in fact authentic, but is being marked as damaged.
There are eight possible cases of pixel authenticity/damage, row CRC authenticity/damage, and column CRC authenticity/damage.
| Case | A | B | C | D | E | F | G | H |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Pixel Damaged | N | Y | N | N | Y | Y | N | Y |
| Row CRC Damaged | N | N | Y | N | Y | N | Y | Y |
| Col CRC Damaged | N | N | N | Y | N | Y | Y | Y |

Y = damaged; N = not damaged or ok
The number of possibilities can be expressed as
There are three elements in all cases. Case A is the case in which none of the three items are damaged. There is the single case with zero Y and three N. (3!/3!=1) Cases B through D are the cases in which a single item of the three are damaged. There are three cases with one Y and two N. (3!/2!=3.) Cases E through G are the cases in which two of the three items are damaged. There are three cases with two Y and one N. (3!/2!=3.) Case H is the case in which three of the three items are damaged. There is one case with three Y and zero N. (3!/3!=1.)
Only in case G where both the row CRC and column CRC are damaged, and the pixel is not damaged, would a false negative be generated. Failure 189 of the row CRC self test would cause all the pixels in the row to be marked damagedPFN 190. The column CRC would also fail 198 the column CRC self test and the pixel would remain marked as damagedPFN. In case H, both the row CRC and column CRC are damaged and would appear to mimic case G, except that this is not a false negative because the pixel is also damaged.
Using the same table it can be shown that a false positive (a damaged pixel being improperly authenticated as undamaged) is not a possible condition. Cases B, E, F, and H have damaged pixels. In case B, the row CRC is undamaged and the newly computed 192 row CRC would not 193 match the original row CRC. Thus all pixels in the row would be marked 190 as damaged. In case B the column CRC is also undamaged. The computed new column CRC 201 would not 202 match the original CRC and the pixels in the column marked as damaged would remain marked as damaged. Only if the new column CRC matches the original column CRC 203 would all the pixels in the column, including the damaged one, be marked 204 as ok.
In case E, the row CRC is damaged and it would fail 189 the row CRC self test 188 causing all pixels in the row to be marked 208 as damagedPFN. The column CRC is undamaged and would pass 200 the column CRC self test. The new column CRC would not 202 match the original CRC and the pixels in the column marked as damagedPFN would remain marked as damaged due to the fact that when a row CRC is damaged, the row of pixels is marked as “damaged potential false negative” or damagedPFN. Only if the new column CRC matches the original column CRC 203 would all the pixels in the column, including the damaged one, be marked 204 as ok.
In case F, the row CRC is undamaged and would pass 191 the row CRC self test 188. The newly computed row CRC 192 would not match 193 the original row CRC causing all of the pixels in the row to be marked 190 damaged. In case F, the column CRC is damaged and it would not 198 pass the CRC self test and the pixels in the column marked as damaged would remain marked as damaged.
In case H, the row CRC is damaged and would fail 189 the row CRC self test 188 causing all pixels in the row to be marked 208 as damagedPFN. In case H, the column CRC is damaged and would not 198 pass the CRC self test. The pixels in the column marked as damagedPFN would remain marked as damagedPFN due to the fact that when a row CRC is damaged, the row of pixels is marked as “damaged potential false negative” or damagedPFN.
Under RCA, false positives, a damaged pixel being improperly authenticated as undamaged, cannot occur if the authenticator program has been acquired from a trusted source and is free from alteration.
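The RCA row and column marking and the eight-case table above can be checked mechanically. The following is an added example, not code from the patent: it assumes zlib's CRC-32 as the error detection code and a CRC-32 of each stored CRC as the self-test value (the text specifies neither), and all function names are hypothetical.

```python
import zlib

# Assumptions (not from the patent): CRC-32 stands in for the unspecified CRC,
# a CRC-32 of the stored CRC stands in for the "additional values" that let a
# stored CRC be self-tested, and pixels are 8-bit values.

def crc(values):
    return zlib.crc32(bytes(values))

def protect(value):
    """Stored record: (CRC, check value used for the CRC self test)."""
    return (value, zlib.crc32(value.to_bytes(4, "big")))

def self_test(record):
    value, check = record
    return zlib.crc32(value.to_bytes(4, "big")) == check

def build_rca(image):
    """Row and column CRC records computed when the image is recorded."""
    rows = [protect(crc(r)) for r in image]
    cols = [protect(crc(c)) for c in zip(*image)]
    return rows, cols

def rca_mark(image, rows, cols):
    """Return a matrix of 'first-second' status strings, one per pixel."""
    marks = []
    for y, row in enumerate(image):              # row pass
        if not self_test(rows[y]):
            first = "DamagedPFN"                 # row CRC itself is damaged
        elif crc(row) != rows[y][0]:
            first = "Damaged"                    # recomputed CRC mismatch
        else:
            first = "Ok"
        marks.append([[first, "null"] for _ in row])
    for x, col in enumerate(zip(*image)):        # column pass
        # Only a column whose CRC passes self test AND matches adds a status.
        if self_test(cols[x]) and crc(col) == cols[x][0]:
            for y in range(len(image)):
                marks[y][x][1] = "ok"
    return [["-".join(m) for m in row] for row in marks]

UNDAMAGED = ("Ok-ok", "Ok-null", "Damaged-ok", "DamagedPFN-ok")
REPORTED_DAMAGED = ("Damaged-null", "DamagedPFN-null")

def report(marks):
    """Counts F1..F4 of the statistical report."""
    flat = [m for row in marks for m in row]
    return {"F1": len(flat),
            "F2": sum(flat.count(s) for s in UNDAMAGED),
            "F3": flat.count("Damaged-null"),
            "F4": flat.count("DamagedPFN-null")}

def sample_image():
    """Constructed 4x4 test image."""
    return [[(17 * y + 31 * x) % 256 for x in range(4)] for y in range(4)]

def corrupt(record):
    """Damage a stored CRC (flip one bit) so that its self test fails."""
    return (record[0] ^ 1, record[1])

# (pixel damaged, row CRC damaged, column CRC damaged), in the table's order.
CASES = {"A": (0, 0, 0), "B": (1, 0, 0), "C": (0, 1, 0), "D": (0, 0, 1),
         "E": (1, 1, 0), "F": (1, 0, 1), "G": (0, 1, 1), "H": (1, 1, 1)}

def run_case(pixel_bad, row_bad, col_bad, y=1, x=2):
    image = sample_image()
    rows, cols = build_rca(image)
    if pixel_bad:
        image[y][x] ^= 0xFF
    if row_bad:
        rows[y] = corrupt(rows[y])
    if col_bad:
        cols[x] = corrupt(cols[x])
    return rca_mark(image, rows, cols)[y][x]

def classify_cases():
    """Return (mark per case, false-negative cases, false-positive cases)."""
    marks, false_neg, false_pos = {}, [], []
    for name, (pixel_bad, row_bad, col_bad) in CASES.items():
        mark = marks[name] = run_case(pixel_bad, row_bad, col_bad)
        reported = mark in REPORTED_DAMAGED
        if reported and not pixel_bad:
            false_neg.append(name)
        if pixel_bad and not reported:
            false_pos.append(name)
    return marks, false_neg, false_pos

def single_pixel_demo():
    """One damaged pixel: whole row flagged, then cleared by column pass."""
    image = sample_image()
    rows, cols = build_rca(image)
    image[1][2] ^= 0xFF
    return rca_mark(image, rows, cols)

if __name__ == "__main__":
    marks, false_neg, false_pos = classify_cases()
    for name, mark in marks.items():
        print(name, mark)
    print("false negatives:", false_neg, "false positives:", false_pos)
    print(report(single_pixel_demo()))
```

The result holds under the text's model, in which damage always changes the CRC; a CRC is an error detection code rather than a keyed MAC, and the single-byte change used here is a kind of error CRC-32 always detects.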
The following is information on True Negatives, False Negatives and False Positives using element level authentication (ELA) with damaged element recovery (DER). If a pixel is damaged (altered from its original state) and the damage is detected by the ELA operations then the pixel is a true-negative, part of an image properly determined not to be authentic. Using ELA it is possible to generate a false-negative, that is where a pixel is in fact authentic, but is being marked as damaged.
There are sixty-four (64) possible cases of primary image pixel authenticity/damage, backup image pixel authenticity/damage, primary row CRC authenticity/damage, backup row CRC authenticity/damage, primary column authenticity/damage, and backup column CRC authenticity/damage.
In table form these cases are as follows (Y = damaged, N = not damaged or ok).

Group 1: Primary Image pixel is authentic and Backup Image pixel is authentic

| | A1 | B1 | C1 | D1 | E1 | F1 | G1 | H1 | I1 | J1 | K1 | L1 | M1 | N1 | O1 | P1 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Primary Image Pixel | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N |
| Backup Image Pixel | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N |
| Primary-Row CRC | N | Y | N | N | N | Y | Y | Y | N | N | N | Y | Y | Y | N | Y |
| Backup-Row CRC | N | N | Y | N | N | Y | N | N | Y | Y | N | Y | Y | N | Y | Y |
| Primary-Column CRC | N | N | N | Y | N | N | Y | N | Y | N | Y | Y | N | Y | Y | Y |
| Backup-Column CRC | N | N | N | N | Y | N | N | Y | N | Y | Y | N | Y | Y | Y | Y |

Group 2: Primary Image pixel is damaged and Backup Image pixel is authentic

| | A2 | B2 | C2 | D2 | E2 | F2 | G2 | H2 | I2 | J2 | K2 | L2 | M2 | N2 | O2 | P2 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Primary Image Pixel | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Backup Image Pixel | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N |
| Primary-Row CRC | N | Y | N | N | N | Y | Y | Y | N | N | N | Y | Y | Y | N | Y |
| Backup-Row CRC | N | N | Y | N | N | Y | N | N | Y | Y | N | Y | Y | N | Y | Y |
| Primary-Column CRC | N | N | N | Y | N | N | Y | N | Y | N | Y | Y | N | Y | Y | Y |
| Backup-Column CRC | N | N | N | N | Y | N | N | Y | N | Y | Y | N | Y | Y | Y | Y |

Group 3: Primary Image pixel is authentic and Backup Image pixel is damaged

| | A3 | B3 | C3 | D3 | E3 | F3 | G3 | H3 | I3 | J3 | K3 | L3 | M3 | N3 | O3 | P3 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Primary Image Pixel | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N |
| Backup Image Pixel | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Primary-Row CRC | N | Y | N | N | N | Y | Y | Y | N | N | N | Y | Y | Y | N | Y |
| Backup-Row CRC | N | N | Y | N | N | Y | N | N | Y | Y | N | Y | Y | N | Y | Y |
| Primary-Column CRC | N | N | N | Y | N | N | Y | N | Y | N | Y | Y | N | Y | Y | Y |
| Backup-Column CRC | N | N | N | N | Y | N | N | Y | N | Y | Y | N | Y | Y | Y | Y |

Group 4: Primary Image pixel is damaged and Backup Image pixel is damaged

| | A4 | B4 | C4 | D4 | E4 | F4 | G4 | H4 | I4 | J4 | K4 | L4 | M4 | N4 | O4 | P4 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Primary Image Pixel | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Backup Image Pixel | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Primary-Row CRC | N | Y | N | N | N | Y | Y | Y | N | N | N | Y | Y | Y | N | Y |
| Backup-Row CRC | N | N | Y | N | N | Y | N | N | Y | Y | N | Y | Y | N | Y | Y |
| Primary-Column CRC | N | N | N | Y | N | N | Y | N | Y | N | Y | Y | N | Y | Y | Y |
| Backup-Column CRC | N | N | N | N | Y | N | N | Y | N | Y | Y | N | Y | Y | Y | Y |

In order to be a false negative: (1) the primary image pixel must be, in fact, undamaged (N); (2) initial operations must improperly indicate that the primary image pixel is damaged; and (3) all subsequent operations must fail to correct that improper indication.
The factor that in a false negative the primary image pixel must be, in fact, undamaged (N) limits the results to Group 1 and Group 3. The primary row CRC must be damaged (Y) to initially mark a row of PI pixels as damagedPFN. If the ROW CRC is undamaged and the row of pixels is undamaged, then the pixel will be marked ok. This is not a negative, false or otherwise and limits the results to cases B, F, G, H, L, M, N and P in Group 1 and Group 3.
The primary column CRC must be damaged (Y) to preclude the correction of a pixel marked damaged by a damaged row CRC. In cases B, F, H, and M, the primary column CRC is undamaged (N) which would correct the improper identification of the pixel as damagedPFN, limiting the results to cases G, L, N and P in Group 1 and Group 3.
The backup row CRC must be damaged (Y) to preclude correction. In cases G and N, the backup row CRC is undamaged (N) and would correct the improper identification of the pixel as damaged, limiting the results to cases L and P in Group 1 and Group 3.
The backup column CRC must be damaged (Y) to preclude correction. In case L, the backup column CRC is not damaged (N) and would correct the improper identification of the pixel as damagedPFN. In case P1, the backup image pixel is also authentic, but because of the damage to all of the error detection structures (primary row CRC, primary column CRC, backup row CRC and backup column CRC) it cannot be validated as authentic. Only in cases P1 and P3 could an authentic pixel be marked damaged without the possibility of correction.
Using the same tables it can be shown that a false positive (a damaged pixel being improperly authenticated as undamaged) is not a possible condition. Group 2 and Group 4 both contain damaged primary image pixels. If the primary row CRC is damaged, all pixels in the row are marked damaged. If the primary row CRC is undamaged, the new row CRC will not match the provided row CRC and all pixels in the row will be marked damaged. For the purposes of isolating a case of false positive, it does not matter if the primary row CRC is damaged (Y) or not (N). The pixel will be marked as damaged or damagedPFN. Again, the primary image ROW CRC alone guarantees that a damaged pixel will be marked damaged or damagedPFN.
To be a false positive all detective and corrective mechanisms must fail in a mode to change the primary row CRC determination that the pixel is damaged or damagedPFN. If the primary column CRC is damaged 221 it will not change the determination that a pixel is damaged. If the primary column CRC is undamaged 222 the new PI COLUMN CRC will not match the original PI COLUMN CRC. Thus, it will not change the determination that a damaged pixel is damaged. For the purposes of isolating a case of false positive it does not matter if the primary column CRC is damaged (Y) or not (N). The damaged pixel will remain marked as damaged.
Backup row and column CRCs are used for damaged element recovery, not element level authentication. Thus, for the purposes of isolating a case of false positive it does not matter if the backup row CRC is damaged (Y) or not (N), and it does not matter if the backup column CRC is damaged (Y) or not (N). The damaged pixel will remain marked as damaged.
This eliminates all cases in Group 2 and Group 4 as possible sources of a false positive condition. As no other cases remain for consideration, false positives are not possible if the authentication program is free from unauthorized alteration.
Using the same tables we can determine if a damaged pixel can or cannot be recovered from the damaged element recovery structures. To be considered for recovery a primary image pixel must be either, in fact, damaged or a false-negative (a pixel marked damaged that is, in fact, undamaged). This limits consideration to damaged pixels in Groups 2 and 4, and cases P1 and P3 for the two possible false-negative situations.
The backup image pixel must be, in fact, undamaged. All Group 4 cases where the BI pixel is damaged are not recoverable due to the fact that all false positives are not possible. The backup image control structures must authenticate the BI pixel as undamaged. The backup row CRC can be damaged which would lead to the backup image pixel being improperly considered damaged. If the backup column CRC were undamaged, it would correct the improper designation of the backup image pixel as damaged.
An undamaged backup row CRC would indicate that the backup image pixel is undamaged. A damaged backup column CRC would not change the determination of the backup row CRC that the backup image pixel is undamaged. Thus, as long as either the backup image row CRC or backup image column CRC are undamaged, an undamaged backup image pixel can be authenticated and used to recover the damaged primary image pixel. Only in cases J2, M2, O2 and P2 are both the backup image CRC structures damaged and unable to authenticate the undamaged backup image as undamaged.
In the false positive cases of P1 and P3, both of the backup CRC structures are damaged and unable to authenticate the undamaged backup image as undamaged. Therefore, in all 16 cases of Group 4, and in cases J2, M2, O2 and P2, a damaged primary image pixel cannot be recovered. If P1 or P3 generates a false negative, the improperly identified damaged primary image pixel cannot be recovered.
The following is information on the role of the random string in increasing the strength of the digital signature. A series of examples and explanations shows how the use of one-time and random elements increases the resistance of a digital signature to successful fraudulent impersonation.
Starting with a blank image and a constant signature algorithm, any true image could be altered to blank and the signature from a truly blank image could be added. The resulting altered image would be improperly validated as authentic with little effort. Clearly this is a weaker situation and an undesirable outcome as the same image generates the same signature.
In the adaptive signature, a signature is generated from the contents of the image. In the case of a blank image, the same signature would be generated. An image could be manipulated to blank and the signature duplicated from a properly signed blank image. This would allow the improper validation as authentic in a manner similar to the preceding with the same undesirable outcome.
An example of an adaptive signature is one that contains a one-time element. The addition of a one-time element allows for differing signatures even if the image itself is blank. One-time elements are never repeated such as date-time or image sequence number. Some convolution or manipulation of these one-time elements is desirable to preclude their easy forgery. This is a stronger solution as the same image generates differing signatures.
An adaptive signature may also be a signature that contains one-time elements and random elements. A “random string” is a sequence of characters generated from many variables including selected values from a previous image. The algorithm to create the random string is a trade secret and may differ from device to device even among the same production run of otherwise identical devices. The algorithm used may also vary from use to use of the same device. Two blank images captured a second apart with the same device can generate two widely different signatures. Two blank images captured at the exact same moment by two different devices can generate two widely different signatures. This creates a stronger solution than the adaptive signature containing only a one-time element.
Another variation is an adaptive signature with a one-time element and a one-time random element. The user has control over how often a new random string is created. If the random string were created anew after each image was captured, then pattern recognition of the resulting signature from the image is not possible as random elements are, by definition, not patterned. Unless the signature generation protocol and the random string generation algorithm were known or reverse engineered, the ability to sign a properly constituted Signa2 image resides solely inside the Signa2 devices. By varying the random string generation protocol between devices, varying protocols from use to use of the same device, and regenerating the random string frequently, analysis of the results to determine the process (a form of reverse engineering) is an almost fruitless exercise.
While the invention has been illustrated and described in detail in the drawings and foregoing description, the same is considered as illustrative and not restrictive in character, it being understood that all changes and modifications that come within the spirit of the invention are desired to be protected.