Encryption for professional cameras.



I saw this in my news feed this morning:
https://freedom.press/news/over-150-filmmakers-and-photojournalists-call-major-camera-manufacturers-build-encryption-their-cameras/

and it was tangentially related to a side project that I've been working on in my spare time: a proposed new version of, or addition to, the DNG file format which would detect if the data within a DNG file is corrupted or has been altered.

Anyway, for professional cameras like the S and the SL, and maybe the M, you can satisfy this request very easily.
1) Embed gpg in the camera. https://www.gnupg.org You would only need the part that encrypts files.
2) Add a new file format called DNE which is just encrypted DNGs.
3) If there is a valid GPG public key in the root of the SD card, use that public key to encrypt the files and allow the user to select DNE as a file format.
4) If that file format is selected, you just feed the data through one more step before storing it, and that would be to encrypt with the GPG public key before writing it.
5) Play wouldn't work with encrypted files and so encrypted files are ignored.

The encrypted files couldn't be imported directly. The photographer would have to copy the files. Decrypt them. Then he could import them.

One advantage of a system like this is that a photo agency, newspaper, or someone in a safe area could generate the public and private key pair and then either put the public key on the card or have the photographer put it on the card, and then the photographer themselves couldn't be forced to turn over the decryption key. They would not have the private key needed to decrypt the photos.

They could also transmit the encrypted DNE files back over insecure channels without concern because only the person with the private key could decrypt them.

 

If I were working on the camera firmware I could do this in a few days. I sent that off to Leica Technical info but I don't really expect much of a response from them. Any other thoughts about the idea or what to do with it?


If I understand you correctly then the idea would be to ensure that images cannot be viewed except by those authorised to hold the key, and they will be the only people able to view the images. Without the key the images are unfindable/unviewable? A problem that I can see you having is that the people who might find it 'beneficial' to be unable to provide the key (news photographer whose camera/cards have been seized as in the linked article) probably still shoot and use JPEG as their default file as, as far as I am aware, their primary need is often for speed of access to files. So they may not actually find an encrypted RAW file to be as useful as it seems, unfortunately. But why not contact them directly to see if they are interested? I suppose it would depend on just how secure the encoding actually is too.


After thinking about it a bit more I realize that I could make it even simpler: forget the menu item.

 

1) Embed gpg in the camera.
2) If there is a valid GPG public key in the root of the SD card, use that public key to encrypt the files when writing them to the card and change the extension from DNG to DNE or something.


If I understand you correctly then the idea would be to ensure that images cannot be viewed except by those authorised to hold the key, and they will be the only people able to view the images. Without the key the images are unfindable/unviewable? A problem that I can see you having is that the people who might find it 'beneficial' to be unable to provide the key (news photographer whose camera/cards have been seized as in the linked article) probably still shoot and use JPEG as their default file as, as far as I am aware, their primary need is often for speed of access to files. So they may not actually find an encrypted RAW file to be as useful as it seems, unfortunately. But why not contact them directly to see if they are interested? I suppose it would depend on just how secure the encoding actually is too.

It doesn't matter what file format. You just pass the data through one more filter on the way to the flash.

 

The point is, you don't want the person who is in harm's way to have access to the files. Otherwise, they can potentially torture the key to the encryption out of you. When the images could be used to sentence you to death as someone collaborating with the enemy, then you don't want access to them. When you are out of harm's way, you can get your editor to send you the private key and the passphrase and then you can decode the images. Or you can upload the images and the editor uses the public key and the passphrase to access all the raw images and footage.

 

One thing that you need to understand is the basics of Public Key Cryptography. Rather than trying to explain it myself I offer: https://en.wikipedia.org/wiki/Public-key_cryptography


Would not adding a digital signature be the more appropriate tool than encrypting the file?

 

No, a digital signature solves a different problem. That proves that the image has not been tampered with or corrupted. It also can provide a level of authentication that you or a particular camera were used to create the image. When that news article came up, I had been thinking about the problem that your suggestion would actually solve.

 

1) The camera manufacturer provides a camera-specific certificate, then the camera signs the data when it writes the data to the card.

2) The photographer can also upload a certificate to the camera, and then the camera also applies that certificate to the image, in effect saying that this image was created by this person with this camera and the data hasn't been altered.

 

This would provide two layers of digital signatures to the file. This could also be important to photojournalists who need to prove that they have not altered the images that they provide to the photo agencies. Right now photo agencies want the RAW files to "prove" that the photographer didn't alter them. http://www.csus.edu/indiv/g/goffs/135%20photojournalism/associated%20press%20ethics%20code.pdf However, honestly, editing the data in a DNG file would be trivial, and without a digital signature created by the camera at the time when image data is written there is no way to tell that it has been done. However, adding this feature would require a change to the DNG file format. http://wwwimages.adobe.com/content/dam/Adobe/en/products/photoshop/pdfs/dng_spec_1.4.0.0.pdf

 

To complicate matters, later on developing programs like Lightroom may want to update some metadata, so there needs to be a way inside the file for the developer program to modify some kinds of data without impacting the checksums involved in the signing of the photograph. So you would apply these signatures to particular blocks of data within the DNG file and not to the DNG file as a whole. Possibly some of that could be handled with Adobe's sidecar files.

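As an added illustration of the block-level signing and the two signature layers described in the post above (this is example code, not code from the thread, from Leica, or from Adobe's DNG specification): a hypothetical signed-DNG layout where the signature covers the image data and camera metadata blocks but leaves a developer-editable block uncovered, so a program like Lightroom can update it without breaking verification. An HMAC with placeholder keys stands in for the certificate-based signatures a real camera and photographer would use, since Python's standard library has no asymmetric signing; the block names and layout are assumptions.

```python
import hashlib
import hmac

# Hypothetical signed-DNG layout (not part of DNG 1.4): the file is modelled as
# named blocks. Only SIGNED_BLOCKS are covered; EDITABLE_BLOCK is left open.
SIGNED_BLOCKS = ("image_data", "camera_metadata")
EDITABLE_BLOCK = "editable_metadata"


def _digest(blocks: dict, extra: bytes = b"") -> bytes:
    """SHA-256 over the covered blocks in fixed order, each length-prefixed."""
    h = hashlib.sha256()
    for name in SIGNED_BLOCKS:
        h.update(len(blocks[name]).to_bytes(8, "big"))  # prefix stops block-boundary shifts
        h.update(blocks[name])
    h.update(extra)
    return h.digest()


def camera_sign(blocks: dict, camera_key: bytes) -> bytes:
    # Layer 1: HMAC stands in for the camera's certificate-based signature.
    return hmac.new(camera_key, _digest(blocks), "sha256").digest()


def photographer_sign(blocks: dict, camera_sig: bytes, photog_key: bytes) -> bytes:
    # Layer 2: covers the same blocks plus the camera signature, binding
    # "this person, this camera, this data" together.
    return hmac.new(photog_key, _digest(blocks, camera_sig), "sha256").digest()


def verify(blocks, camera_sig, photog_sig, camera_key, photog_key) -> bool:
    cam_ok = hmac.compare_digest(camera_sign(blocks, camera_key), camera_sig)
    ph_ok = hmac.compare_digest(
        photographer_sign(blocks, camera_sig, photog_key), photog_sig)
    return cam_ok and ph_ok


# Constructed sample keys: placeholders, not real credentials.
CAMERA_KEY = b"camera-key-placeholder"
PHOTOG_KEY = b"photographer-key-placeholder"


def demo() -> tuple:
    blocks = {"image_data": bytes(range(256)) * 8,        # constructed pixels
              "camera_metadata": b"Model=placeholder;ISO=400",
              EDITABLE_BLOCK: b"Rating=0"}
    cam_sig = camera_sign(blocks, CAMERA_KEY)
    ph_sig = photographer_sign(blocks, cam_sig, PHOTOG_KEY)
    fresh = verify(blocks, cam_sig, ph_sig, CAMERA_KEY, PHOTOG_KEY)
    blocks[EDITABLE_BLOCK] = b"Rating=5;WB=Daylight"      # developer edit: still verifies
    edited = verify(blocks, cam_sig, ph_sig, CAMERA_KEY, PHOTOG_KEY)
    blocks["image_data"] = b"\xff" + blocks["image_data"][1:]  # retouched pixel: fails
    tampered = verify(blocks, cam_sig, ph_sig, CAMERA_KEY, PHOTOG_KEY)
    return fresh, edited, tampered
```

Because the photographer's layer covers the camera signature, neither layer can be recomputed without the matching key, which is the impersonation case the thread raises later.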

No, a digital signature solves a different problem. That proves that the image has not been tampered with or corrupted. It also can provide a level of authentication that you or a particular camera were used to create the image.

I seem to remember reading that police photographers use or used some system which does this to ensure that images for use as evidence in court have not been adjusted. I'm sure it can be tracked down if you haven't done so already.


Can this subject be summarized as the camera employing PGP in firmware creating the encoded image with the public key embedded in the image? Or elsewhere? (Where would the public key exist?)

 

Can the public key be burned into the camera's firmware?

 

And if it is burned into the firmware, does that compromise the ownership of the SD card or camera? Example: a camera or SD card is confiscated - does the embedded information point to the owner, possibly the user? Before answering we must know what hidden information a digital Leica might have, and what information is available in the hidden/protected part of an SD card.


Edited by pico

I would like to see some kind of biometric lock on the camera - e.g. Fingerprint reader in the shutter button - to deter theft.

Problem with embedding the certificate in the camera is that they can expire or be revoked. They need to be readily replaceable.


I would like to see some kind of biometric lock on the camera - e.g. Fingerprint reader in the shutter button - to deter theft.

 

Would that likely increase the complexity and price well beyond market expectations?

 

So the fingerprint does not match, and the camera asks, "Am I on loan from your wife/girlfriend/new friend?" Even if it does, then how often? Where is the log stored? Who can access it? It's crazy.

Edited by pico

Can this subject be summarized as the camera employing PGP in firmware creating the encoded image with the public key embedded in the image? Or elsewhere? (Where would the public key exist?)

 

Can the public key be burned into the camera's firmware?

 

And if it is burned into the firmware, does that compromise the ownership of the SD card or camera? Example: a camera or SD card is confiscated - does the embedded information point to the owner, possibly the user? Before answering we must know what hidden information a digital Leica might have, and what information is available in the hidden/protected part of an SD card.


 

The public key would exist in the root directory of your SD card. This is the same place your profiles.m file is stored and the same place where you drop the new firmware file when you update your camera's firmware.

 

The public key would not be encoded in the image. Oversimplifying the topic, it is the parameters for some mathematical functions which are used to transform the bytes from what would be written in the DNG file into a form that cannot be interpreted unless the reverse transformation is applied using a related set of mathematical functions and the parameters provided by the private key. The magic of public key cryptography is that you can widely distribute the public key and everybody can have it. However, you must have the private key and its associated passphrase to decrypt it.

 

There is no way to take encrypted data and use it to identify which public key was used to encrypt it. It is simply scrambled data, it would seem like gibberish. Once again that is more a property of a digital signature. Correctly implementing a digital signature is an entirely different topic. It is built on some of the same premises as public key cryptography but it is a much more complicated topic. Digital signatures would require a new version of DNG and it would require a lot of careful design to make sure that there are no weaknesses in the design that:

1) would allow tampered data to be substituted for authentic data

2) would allow someone to impersonate a particular camera or a particular photographer

3) would allow a photographer to fraudulently claim that the image was not signed by their credential.

In the crypto world they call those three properties integrity, authenticity, and non-repudiation.

 

The simple PGP encryption of DNG and video files using public key cryptography is a fairly simple, straightforward, easy-to-solve problem. The kind of digital signature system that you are kind of reaching for is much more complicated and much more difficult to design and implement.


Having read many of the firmware upgrade cries for help in the forum I would not trust us to look after encryption keys.

 

Heh, I was talking to my coworker about this idea and I said something like, "It would take me about a day to implement something like that and about 3 weeks to write the documentation about how to use it properly." Which is to say I don't disagree.

 

However, I think that this is a professional feature. Something that fairly few people would really need to use, and those people who would need to use it would have a strong incentive to use it properly; their lives could literally depend on it. Therefore, I expect that the people who put themselves in that kind of jeopardy for the sake of a story would probably take the time to understand the technology well enough to use it properly.


I'm not sure I understand how this would be used.

 

Say I'm a photojournalist and am stopped by authorities who want to see what I have been photographing.  My image files are encrypted so they can't be viewed and I do not have the key.  So the authorities just say "Oh well" and let me proceed?  Or do they hold me until my agency provides the key and they review my images?

Edited by Luke_Miller

I'm not sure I understand how this would be used.

 

Say I'm a photojournalist and am stopped by authorities who want to see what I have been photographing.  My image files are encrypted so they can't be viewed and I do not have the key.  So the authorities just say "Oh well" and let me proceed?  Or do they hold me until my agency provides the key and they review my images?

 

Maybe they wouldn't be viewable at all. So you show them that the card is empty and they let you proceed? With increased surveillance by governments (and even non-government agencies) the idea of encryption is becoming more mainstream, e.g. Facebook messages are now end-to-end encrypted.


Maybe they wouldn't be viewable at all. So you show them that the card is empty and they let you proceed?

 

This is for Ben - is not the file structure retained? IOW, the card would not appear to be empty, but just a lot of gibberish files?


This is for Ben - is not the file structure retained? IOW, the card would not appear to be empty, but just a lot of gibberish files?

 

The photos would not be viewable at all.

 

The rest is an implementation detail. What I envisioned was that you would have a card which has a few touristy kinds of photos on it or ones that wouldn't get you in trouble. Then when asked to show the photos on your camera you could hit "play" and because the encrypted DNE files are unviewable, the camera skips over those and shows the "safe" DNG photos. Hopefully, the questioning would end there.

 

However, a more thorough inspection of the card's contents would show that the card also contains encrypted DNE files. At that point, the protection that you have is that the interrogator cannot get actual evidence that you have been somewhere or taken a picture of something which they find incriminating in some way. You are correct that they may assume, given the circumstantial evidence of the existence of encrypted DNE files, that you have something incriminating, but they would not actually have anything incriminating that they could use.

 

Furthermore, transmission of encrypted image files could be done over unsecured, potentially monitored channels without introducing additional technology to do the encryption. For example: while the Great Firewall of China can block encrypted protocols like HTTPS or SSH, and VPNs, you could send the encrypted DNE files over an unencrypted HTTP link from any random cyber cafe's computer and the firewall would only see a completely opaque block of data. That would be exceedingly hard to identify and block, especially by an automated system that has to function in real time.


 

Yes, but I do not believe that it adds anything not completely obvious to the discussion. Absolutely, adding encryption adds complexity to the workflow and that would slow you down. I would never suggest that it is for everybody. It is a professional's feature and, because of the extra complexity, it wouldn't be something that even professionals should use all the time. It is like wearing a helmet or a bulletproof vest. It is uncomfortable and restrictive, but since it is potentially life saving, you wear it when you have to.
