Use of Video as Proof When Submitted to a Court of Law

White Paper
Copyright © 2004 VisioWave SA
All Rights Reserved
Key facts
Digital video security
Digital technologies have key advantages for the operators of video security networks in
public areas (airports, public transportation, urban environments, ...):
• Great flexibility in deployment, thanks to the abundance of transmission
technologies supporting IP or ATM protocols: cable networks, optical fibers,
wireless, ADSL, power-line carrier, ...
• Infinite possibilities of extension and interconnection of networks
• No degradation over time of the quality of the recorded digital image or of
the recording medium, in spite of rewriting
• Large storage capacities allowing the permanent recording of all the
cameras with a history of several days and perfect quality.
Digital technology has thus established itself, replacing traditional analog
transport and recording solutions.
Use of video when submitted to a court of law
Evolution of needs
In parallel, images from video security cameras are used more and more
systematically as evidence in court cases concerning assaults or offences committed in
public places. The law has recognized the validity of images resulting from recordings of
security cameras on standard VHS magnetic tapes, in so far as they are the original
tapes and subject, in certain cases, to authentication of the tape to detect possible
attempts at modification of the contents.
The reluctance facing the digital image
The use of digital images as a substitute for traditional recordings on magnetic tape
poses a certain number of problems in this context:
• It is not possible to distinguish the copy from the original in a digital
recording, both being strictly identical. In fact, any digital recording is at the
same time a copy (since the data was copied many times during its
processing before arriving on the hard disk) and an original (since it is the
most faithful representation available of the signal originally captured by the
camera).
• Digital image modification tools are widely distributed and accessible to
the general public as PC software. Their increasing
effectiveness and their generalized use – today almost all photographs
are digitally modified to improve the quality or to remove any type of defect
before printing – cause mistrust as to the authenticity of the images
presented as proof.
• There is no standardized procedure to prove the authenticity of the images.
This results in a reluctance of the courts to accept images resulting from digital
processes as proof.
A paradoxical situation
This reluctance, which stems from calling into question a practice built up over decades,
is however paradoxical. Digital recordings allow better conservation, and thus better
reliability of image-based proof, and are often of distinctly better quality than images
extracted from magnetic tapes, which are continuously overwritten. In addition, it should
be noted that a VHS cassette is the complete opposite of a protected medium, since it can
be accessed by a great number of individuals using common, domestic equipment.
Clearly, this mistrust of the courts is a major obstacle to extracting the maximum
benefit from a digital video security system. Deploying an image authentication
process on such a network makes it possible to overcome this difficulty.
Choice of authentication process
To be effective, such a process must have the following principal qualities:
Integration of all the information of identification
To authenticate the origin of an image, it is necessary to have, aside from its
timestamp, all of the data necessary to identify the camera and its
physical angle of image capture. For example, in a mobile environment, the process
must make it possible to associate GPS coordinates with each image.
Authentication from beginning to end
It must be possible to check the authenticity from beginning to end of the digital data
processing sequence, independently of the number of transfers over data-processing
networks, recordings or file copies that have been carried out. A process valid only
on a point-to-point link, like SSL for example, will not make it possible to ensure the
authenticity of an image which has subsequently been burned to a CD-ROM type
medium. In particular, the value of the proof should not be weakened by the length of
time the images are kept on file.
An acceptable, additional administrative workload
The process must rely as little as possible on one-off manual operations, such as the
entry of passwords, or on recurring operations, such as periodic changes of access keys.
A process based on human intervention will indeed require managing the training and
accreditation of the personnel entitled to carry out these interventions. The
authentication is likely to be questioned if proof that the administrative
procedures for interventions were respected cannot be produced.
Recognition and robustness
Finally, since this is a method intended for the identification of people accused before
a court of law, the process must rest on methods whose validity has been established
through adversarial examination by the scientific community. The process selected
must thus be based on public, widely used algorithms whose robustness has been
proven, preferably through adoption within official standards.
Methods of authentication
The different families of processes
Definition
A method of authentication makes it possible to associate with an image a set of
identification data (time of image capture, place, ...) so as to prove its origin, and also
to associate an integrity check, so as to prove the authenticity of the image as well as
that of the associated identification data. These two facets of
authentication are inseparable. Indeed, it is not enough to prove the non-modification
of the contents of an image if one cannot be certain of its date. Conversely, the
association of identification data is not enough in itself to prove the authenticity of
the contents. All authentication processes satisfy this definition, but are more or
less suited to the context of proof in digital video security. The two main families of
authentication methods are now reviewed, in particular in the light of the
selection criteria defined in the preceding section.
Watermarking/Watermarks
Watermark-type methods, or "watermarking", are based on a modification of
the contents of the image, so as to insert:
• Identification data
• An integrity check code for the identification data
• A pseudo-random spread-spectrum noise, undetectable to the eye,
in order to reveal a potential modification of the contents.
Inspired by copyright-protection watermarks, they differ fundamentally from them
in the fragility of the watermark, which must not survive an attempt to alter the
image, whereas in copyright protection one seeks on the contrary
to withstand alterations such as JPEG compression, minor retouching
or printing on paper.
In practice, these methods only function correctly on non-compressed images, in which
it is possible to insert low levels of noise without disturbing the
contents of the image. The watermark applied to a non-compressed image will
unfortunately disappear if the image is compressed so as to be recorded on a digital medium.
Since this is the case in video security, such a watermark is of no use there.
If the method uses a robust watermark, it will make it possible to associate the
identification data inside the image with a good probability of success, but it will have to
strongly distort the contents of the image so as to avoid being erased by
compression. As a matter of fact, the calculation of the watermark uses a standard
model of the human visual system to insert invisible information in the image, whereas
the compression algorithm will use this same model to destroy all the invisible details,
which are therefore not worth compressing.
Even if the risk of interference with the contents of the image is accepted, the integrity of
the contents cannot be proven in a convincing way, since the image was already
modified by a compression algorithm without destroying the watermark. Small
alterations of details might therefore go undetected. We can thus conclude that
processes based upon watermarks do not meet the selection criteria.
Certificates of digital signature
The second major family of authentication methods is derived from
authentication codes, known as MAC [1] algorithms, frequently used for the protection of
messages and electronic documents.
Starting from the image compressed in digital form and from the identification data,
they produce a certificate of authenticity, attached to the image, which contains the
proof, in the form of a cryptographic fingerprint, of the bit-for-bit integrity of the image and
identification data as well as of the association of the two. Any modification of the input
data therefore produces a different fingerprint.
They generally rely on the authentication codes standardized for securing e-mail
and commercial transactions in electronic form. The most common codes are MD5 [2] and
SHA-1 [3].
The great strength of these methods is their capacity to detect the smallest modification
of contents in a direct and non-probabilistic manner. They are also much less complex
than the watermarking method, and have been tested by more than 20 years of use for
securing banking transactions.
[1] Message Authentication Codes
[2] Message Digest #5, 128-bit MAC standardized for Internet use by the IETF in RFC 1321
[3] Secure Hash Algorithm #1, 160-bit MAC standardized in 1995 by the American Federal
Government (publication FIPS-180-1) for use in the Digital Signature Standard (DSS).
Protection keys
Necessity for the protection through a secret key
As effective as they might be, all authentication processes must be protected by a
key whose secrecy makes it possible to show that the process was correctly applied
at the original location and by the original device.
If a forger is in possession of this key, he could indeed modify the image or falsify
the identification data, then re-apply the authentication process after modification,
without it being possible to distinguish the forgery from the original.
This point is sometimes neglected in low-cost digital equipment because of the
complexity of managing these keys, which renders the proof unusable when
submitted to a court of law.
Here also, two families of protection keys are widely used; they are reviewed below in
the light of the selection criteria.
Processes with a symmetrical key
In a process with a symmetrical key, only one key protects the certificate of authenticity
(or the watermark). This key must be installed on the video capture equipment, and then
kept by a trusted person until it is given to the expert who carries out the
verification of authenticity on an image.
This key must never be revealed, yet its disclosure is essential for the analysis of
the certificate. A new key will thus have to be installed on the equipment before any
verification request, so as not to weaken the proof of the images taken after the
disclosure of this key for this equipment.
Moreover, it is necessary to install a different key for each video source, so as to limit
as far as possible the impact of a compromised key on the integrity of the system. The
management of these keys must be carried out by strictly identified people, following a
procedure that makes it possible to trace all operations, in order to guard against an
attack on the authenticity of the key presented to the expert. This is all the more
necessary as the operator of the video network is the one who installs and keeps these keys.
Symmetrical key processes do not require large computing resources and are very
widespread (DES [4], AES [5]). But the great number of keys to be managed and the rigor of
the installation and conservation procedures have until now been the principal obstacles
to the generalized deployment of authentication methods on digital security networks.
An alternative, used for a long time to secure the most sensitive electronic transactions,
is fortunately available.
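The key handling described in this section, as an added example in Go (not VisioWave code): HMAC-SHA-256 stands in for the symmetrical certificate, and the KeyRegister type, its methods and the camera names are assumptions made for illustration. It shows why a new key is installed before the old one is handed to the expert: the holder of a released key can compute valid certificates for that key's epoch, but not for images recorded afterwards or by another camera.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Tag computes a symmetric certificate (HMAC-SHA-256) for an image.
func Tag(key, image []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(image)
	return m.Sum(nil)
}

// Check is the expert's verification; it needs the very key that produced the tag.
func Check(key, image, tag []byte) bool { return hmac.Equal(Tag(key, image), tag) }

// KeyRegister holds, per video source, every key installed so far. The slice
// index is the key epoch, which is stored alongside each recorded tag.
type KeyRegister map[string][][]byte

// Install puts a fresh random key on a camera and returns its epoch.
func (r KeyRegister) Install(camera string) int {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	r[camera] = append(r[camera], k)
	return len(r[camera]) - 1
}

// Record tags an image with the camera's current key (a key must be installed).
func (r KeyRegister) Record(camera string, image []byte) (epoch int, tag []byte) {
	epoch = len(r[camera]) - 1
	return epoch, Tag(r[camera][epoch], image)
}

// Disclose installs a new key first, then releases the previous one to the expert.
func (r KeyRegister) Disclose(camera string) (epoch int, key []byte) {
	epoch = r.Install(camera) - 1
	return epoch, r[camera][epoch]
}

func main() {
	reg := KeyRegister{}
	reg.Install("CAMERA 1")
	reg.Install("CAMERA 2")
	frameA, frameB := []byte("constructed frame A"), []byte("constructed frame B")
	_, tagA := reg.Record("CAMERA 2", frameA)
	_, released := reg.Disclose("CAMERA 2")
	_, tagB := reg.Record("CAMERA 2", frameB)
	fmt.Println("frame A verifies with released key:", Check(released, frameA, tagA))
	fmt.Println("frame B verifies with released key:", Check(released, frameB, tagB))
}
```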
Processes with asymmetrical keys
In an asymmetrical process, two keys protect the certificate of authenticity. A first key,
known as the "private" key, is installed on the capture equipment and allows the
creation of the encrypted certificate. A second key, known as the "public" key, is
kept so as to be used in the event of an assessment and makes it possible to
decipher the certificate.
The public key does not make it possible to create a fake certificate of authenticity, nor
to guess the private key. It can thus be kept and handled without particular
protection measures and without weakening the strength of the authentication
process. Keeping the private key is not necessary, and it is generally
not even desirable to keep it outside of the capture equipment.
Calling upon the arithmetic of large numbers (several hundred digits), these
processes are very expensive in computing resources. Recent advances in the
study of elliptic curves have made it possible to derive from the traditional algorithms
(RSA [6], DSA [7]) less complex versions which are now integrated in the protection
standards for digital documents (EC-DSA [8]) and which are suited to use within the
framework of video.
[4] Data Encryption Standard, cryptographic system (per block) developed in the 1970s by IBM
and the American government.
[5] Advanced Encryption Standard, substitutes the DES, standardized by the American
government in 2002 (publication FIPS-197)
[6] Rivest, Shamir and Adleman, after the names of the developers of the first civil system
of cryptography with a public key.
[7] Digital Signature Algorithm, algorithm based on the discrete logarithm problem, chosen
for the American digital signature standard.
[8] Elliptic Curve DSA, version of the DSA algorithm using the properties of elliptic curves.
VisioWave Solution
We now present the method of authentication implemented in version 2.3 of the
VisioWave Video Operating System.
Chain of image processing
As a logical conclusion, the solution adopted by VisioWave for its digital video
equipment is based on MD5 certificates of authenticity, protected by an
asymmetrical encoding of EC-DSA type. This combination makes it possible to meet
all the criteria set out in the first part at an optimal cost.
This digital signature is the starting point of a chain of operations which makes it
possible, starting from an extracted file copied from a removable medium, to prove the
authenticity of each image. The typical chain of image processing in a digital video
system is illustrated in Diagram 1.
[Diagram 1: Chain of image processing. Labelled elements: Video Security Network,
Extraction, Storage, Removable Media, Video Assessment Station.]
Individual digital signature of the images
Each image is digitally signed through the creation of a certificate of authenticity as
soon as it is compressed on the capture equipment. This certificate is attached to the
image and follows it when it is transferred on the network, recorded and copied. The
certificates are thus present in the extracted files which one wishes to use as proof.
The process of creation of the certificate is illustrated in Diagram 2.
[Diagram 2: Creation of the certificate of authenticity. Labelled elements: Compression,
bitstream, Administrator, configuration, identifier "CAMERA 2", serial number #42146876851,
GPS, system clock, timestamping 15:41:23 GMT, MAC MD5, private key, control word.]
Verification
The verification, always carried out on an image extracted from a recording, consists of
the automatic verification of the control word and the display of the identification data
for visual verification. The process is illustrated in Diagram 3.
[Diagram 3: Verification of the authenticity. Labelled elements: Extraction, bitstream,
identifier "CAMERA 2", serial number #42146876851, time stamp 15:41:23 GMT, MAC MD5,
recalculated control word, public key, certified control word, comparison (=?) with
outcomes YES: Authentic and NO: False.]
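One way to implement the creation and verification steps above, as an added example in Go that is not VisioWave's code: SHA-256 is substituted for MD5 (whose collision resistance has since been broken) and ECDSA over P-256 produces the certificate. The Identification field layout, the function names and the encoding of the control word are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Identification is the data bound to every image (field layout is an assumption).
type Identification struct {
	CameraID  string  // e.g. "CAMERA 2"
	Timestamp string  // e.g. "15:41:23 GMT"
	Serial    uint64  // equipment serial number
	Lat, Lon  float64 // GPS position, for mobile cameras
}

// ControlWord digests identification data and compressed bitstream together.
// Variable-length fields are length-prefixed, so moving bytes from one field to
// the next ("CAMERA 2"+"15:41" vs "CAMERA 21"+"5:41") changes the digest.
func ControlWord(id Identification, bitstream []byte) []byte {
	h := sha256.New()
	field := func(b []byte) {
		binary.Write(h, binary.BigEndian, uint64(len(b)))
		h.Write(b)
	}
	field([]byte(id.CameraID))
	field([]byte(id.Timestamp))
	binary.Write(h, binary.BigEndian, id.Serial)
	binary.Write(h, binary.BigEndian, id.Lat)
	binary.Write(h, binary.BigEndian, id.Lon)
	field(bitstream)
	return h.Sum(nil)
}

// NewCameraKey generates the key pair; the private half stays on the camera.
func NewCameraKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Certify runs on the capture equipment and returns the certificate (signature).
func Certify(priv *ecdsa.PrivateKey, id Identification, bitstream []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, ControlWord(id, bitstream))
}

// Verify runs on the assessment station and needs only the public key.
func Verify(pub *ecdsa.PublicKey, id Identification, bitstream, cert []byte) bool {
	return ecdsa.VerifyASN1(pub, ControlWord(id, bitstream), cert)
}

func main() {
	cam, err := NewCameraKey()
	if err != nil {
		panic(err)
	}
	id := Identification{CameraID: "CAMERA 2", Timestamp: "15:41:23 GMT", Serial: 42146876851}
	frame := []byte("constructed stand-in for one compressed frame")
	cert, err := Certify(cam, id, frame)
	if err != nil {
		panic(err)
	}
	fmt.Println("as recorded:     ", Verify(&cam.PublicKey, id, frame, cert))
	id.Timestamp = "15:41:24 GMT" // one second later than what the camera signed
	fmt.Println("timestamp edited:", Verify(&cam.PublicKey, id, frame, cert))
}
```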
Transparent creation of the keys and certificates
To facilitate the management of the public keys, the extracted files contain a copy of the
public key used for securing the certificates. The user is thus not obliged to maintain an
up-to-date database of the public keys. To ensure the authenticity of the key
provided in the file, the key itself is accompanied by a certificate of authenticity secured
by the key of VisioWave, which is created at the time of the installation of the key at the
production site.
The public key of VisioWave, essential for the verification of the certificate, is widely
available via the international certification authorities with which it is registered. Upon
request, these authorities provide a certificate signed with their private key to attest to
the public key’s authenticity.
Thus, operation without the administrative workload of archiving the public keys is
possible, without weakening the level of proof, through the use of this chain of
certification, following the traditional scheme used in all digital signature
infrastructures.
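The chain of certification described above, as an added example in Go (not VisioWave's code or file format): the ExtractedFile layout, the function names and the use of ECDSA P-256 with SHA-256 are assumptions, and the image is signed without identification data to keep the focus on the key chain. The verifier starts from the vendor public key alone and accepts the key embedded in the file only if the vendor has certified it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// ExtractedFile is a constructed stand-in for an exported recording.
type ExtractedFile struct {
	Image     []byte
	ImageCert []byte // camera signature over the image
	CameraKey []byte // DER (PKIX) encoding of the camera public key
	KeyCert   []byte // vendor signature over CameraKey, made at key installation
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func NewKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

func sign(priv *ecdsa.PrivateKey, msg []byte) []byte {
	d := sha256.Sum256(msg)
	return must(ecdsa.SignASN1(rand.Reader, priv, d[:]))
}
func signedBy(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

// Export assembles a file: the camera signs the image, the vendor signs the camera key.
func Export(vendor, camera *ecdsa.PrivateKey, image []byte) ExtractedFile {
	der := must(x509.MarshalPKIXPublicKey(&camera.PublicKey))
	return ExtractedFile{image, sign(camera, image), der, sign(vendor, der)}
}

// VerifyFile trusts nothing inside the file until it chains back to the vendor key.
func VerifyFile(vendorPub *ecdsa.PublicKey, f ExtractedFile) error {
	if !signedBy(vendorPub, f.CameraKey, f.KeyCert) {
		return errors.New("embedded camera key is not certified by the vendor key")
	}
	k, err := x509.ParsePKIXPublicKey(f.CameraKey)
	camPub, ok := k.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return errors.New("embedded key is not a valid ECDSA public key")
	}
	if !signedBy(camPub, f.Image, f.ImageCert) {
		return errors.New("image does not match its certificate")
	}
	return nil
}

func main() {
	vendor, camera, other := NewKey(), NewKey(), NewKey()
	frame := []byte("constructed frame")
	fmt.Println("genuine file:   ", VerifyFile(&vendor.PublicKey, Export(vendor, camera, frame)))
	fmt.Println("uncertified key:", VerifyFile(&vendor.PublicKey, Export(other, other, frame)))
}
```

The second file is internally consistent (its image certificate verifies under its own embedded key) and is rejected only because that key does not chain to the vendor key.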
Flexibility in the choice of the authenticity chain
As can be seen, this default policy allows "plug & play" authentication from
beginning to end, thanks to the flexibility of public-key cryptography
algorithms.
The operator of the video network of course remains free to define another chain of
authentication if he wishes to integrate with an existing public key
infrastructure. In this case, he will have to generate and install the authentication
keys and associated certificates on each piece of equipment, according to the local
policy.
Confidentiality of data
The system of authentication presented here relates exclusively to the verification of the
authenticity of the images presented in an extracted file. It does not, in itself,
protect the confidentiality of these images (encryption), nor trace which operators
made copies.
It is however often desirable, in the context of the presentation of images before the
courts, to control access to the images during the investigation. The VisioWave
Video Operating System provides these services thanks to integration with the
encryption software PGP. At the time of the images’ extraction via the primary storage
server, it is possible to protect the extracted file with a password. Depending on the way
in which this password is allotted, the operator will thus be able to:
• Prove who carried out the copy and when, if he generates a single password
for each copy and notes it in a log.
• Limit access to the images to individuals who received a password from him.
The encryption of the extracted files thus provides an effective tool for the procedures of
image capture, by providing a "virtual seal" according to the standard format for the
protection of data files.
The choice of the encryption algorithm and the type of key (symmetrical or
asymmetrical) for this operation is left to the user, since PGP supports a broad selection
of standard algorithms.
Conclusion
Version 2.3 of the VisioWave Video Operating System provides a complete solution to
meet the needs arising from the use of digital images in legal proceedings. This solution
is given in the form of tools, based on international standards, whose flexibility makes it
possible to be integrated in a locally defined policy.
The deployment of the authentication process is done with a minimum effort, thanks to
the use of a system with a public key.
Complementary tools are provided for the additional needs for protection of the data
confidentiality and for the control of the creation of copies.