JP4632445B2 - Image file generation apparatus, image file generation method, program, and storage medium - Google Patents

Description

  The present invention relates to an image file generation device, an image file generation method, an output device, a program, and a storage medium that can cope with falsification of image data.

  2. Description of the Related Art In recent years, so-called digital cameras have been widely used that convert an optical image into an electrical signal through a sensor such as a CCD or CMOS through an imaging lens and store the obtained image data in a semiconductor memory in a digital image data format.

  Image data taken with a digital camera not only saves time and effort to request development and printing at a DPE shop like conventional silver halide photographs, but also does not deteriorate over time, and can be stored and retrieved easily. I can do it. Furthermore, since there are many merits such as being able to transmit photographed image data to a remote place using a communication line, it has begun to be used in many business fields. As an example of this, the damage situation of an accident car in a traffic accident is photographed, and the property insurance industry used for accident assessment based on the photographed image data, a building to confirm the progress and specifications of construction at the construction site The construction industry. The Ministry of Land, Infrastructure, Transport and Tourism has already approved the use of image data taken with digital cameras for civil engineering site recording.

  However, the disadvantage of being image data is also pointed out. That is, the image data can be easily processed and corrected by using application software such as a commercially available photo retouch tool. For this reason, in accident photographs and reports in which image data is treated as evidence, there is a drawback that the reliability of image data captured and generated by a digital camera or the like is lower than that of silver salt photograph image data.

  In fact, there were cases where subsidies were illegally received by exploiting the ease of processing digital data and altering the completed photographs of buildings. Although it is not impossible to tamper with an image in a silver halide photograph, the cost for tampering with the image is much greater than the profits obtained by tampering with the image. Furthermore, since the image alteration result is unnatural, it is possible to easily detect the alteration. Therefore, tampering is difficult in practice, and as a result, silver salt photography is often used as evidence. Therefore, there is a concern that this tampering problem will become a major problem in the non-life insurance industry and the construction industry that allow the use of image data taken with a digital camera. Therefore, a mechanism for overcoming such a drawback is required in the digital camera.

  Currently, image data falsification detection systems using digital signature data using cryptographic techniques have been proposed.

  For example, the system disclosed in the US patent of Patent Document 1 includes an image file generation device that generates image data and an image data verification device that verifies the integrity of the image data. In the image file generation device, information for identifying the image data by executing a predetermined calculation based on the secret information unique to the image file generation device and the image data photographed and digitized by the image file generation device Digital signature data that is (detects tampering) is generated. The digital signature data and the image data photographed and digitized by the image file generation device are used as the output of the image file generation device. In the image data verification apparatus, verification is performed by comparing data obtained as a result of performing a predetermined operation on image data and data obtained by performing an inverse operation on the digital signature data. In the US patent, a hash function (compression function) and public key cryptography are used for generating digital signature data.

  Also, a MAC (Message Authentication Code) may be used instead of the digital signature data. This MAC is generated using a common key encryption or a hash function, and is characterized in that the processing speed is higher than that of public key encryption. However, it is necessary to strictly manage information used at the time of generation and verification also in the image data verification apparatus.

Further, a digital camera as an image file generation device and a printer as an output device are directly connected via a high-speed interface such as a USB (Universal Serial Bus). In this case, it is possible to print image data of an image file stored in a storage medium that is built in or detachably attached to the digital camera without interposing another device.
US Pat. No. 5,499,294

  Conventionally, a mechanism for detecting falsification of image data has been executed on the printing apparatus side which is a normal output apparatus. However, when the image file generation device side performs image data processing for printing, it is sent to the printing device side after being tampered with, and there is a possibility that the meaning of the falsification prevention data itself is lost. Also, consider an image file that is stored on the image file generation device side with verification data added to check the integrity (not tampered) of the image file, such as digital signature data and MAC. In this case, image data is sent from the image file generation device side to the printing device side in accordance with a command from the printing device connected to the image file generation device. When the image file is printed on the printing apparatus side, the print image data may be tampered with after being sent to the printing apparatus side. Therefore, in this case, the meaning of the verification data is lost.

  Accordingly, an object of the present invention is to first issue an image file on the image file generation device side in response to a print request from the output device side when a print instruction is issued for the image file stored in the image file generation device. It becomes possible to verify tampering.

In order to solve the above-mentioned problem, in an embodiment of the present invention, an image file generation device, which captures an image of a photographing target, generates image data, and generates verification data related to the image data. A verification data generation unit; a storage unit that stores the image data and the verification data as an image file in a storage medium; and an external file connected to the image file generation device from the image file stored in the storage medium. Selection means for selecting an image file to be transmitted to the output device , transmission means for transmitting the image file selected by the selection means to the output device, and verification of the selected image file based on the verification data and verification means, if tampering is confirmed by the verification means, to said transmitting means, prior to the selected image file And control means for controlling to stop the transmission to the output device, with a, to provide an image file generation device, characterized in that.

In order to solve the above-mentioned problem, in another embodiment of the present invention, there is provided an image file generation method in an image file generation apparatus, which is an image data generation step of capturing an image of a shooting target and generating image data; A verification data generation step for generating verification data relating to the data; a storage step for storing the image data and the verification data as an image file in a storage medium; and the image file generation from the image file stored in the storage medium A selection step of selecting an image file to be transmitted to an external output device connected to the device ; a transmission step of transmitting the image file selected in the selection step to the output device; and the selection based on the verification data. a verification step of verifying the image file, when tampering with the verification process is confirmed, to said transmitting step, before And a control step of controlling so as to stop the transmission to the output device of the selected image file, to provide an image file generating method, characterized in that.

In order to solve the above problems, in another embodiment of the present invention, a program for causing a computer to execute each step of the image file generation method of the above embodiment is provided.

In order to solve the above problems, in yet another embodiment of the present invention provides a computer-readable Symbol憶媒body that stores a program of the embodiment.

  According to the present invention, when a print instruction is issued to an image file stored in the image file generation device, the image file generation device first receives an image file request in response to a print request from the output device. It becomes possible to verify tampering.

  DESCRIPTION OF EXEMPLARY EMBODIMENTS Hereinafter, preferred embodiments applied to the invention will be described with reference to the drawings.

  FIG. 1 is a diagram for explaining a configuration example of an image data verification system according to an embodiment of the present invention. The image data verification system according to the embodiment of the present invention includes an image file generation device 10, an output device 20, and a communication path 30 that couples them.

  The image file generation device 10 has an image data generation function for generating image data of a subject and a verification data generation function for generating verification data that is data for verifying whether the image data has been altered. Further, the image file generation device 10 has a shooting parameter generation function for generating shooting parameters (for example, shooting time, focal length, aperture value, ISO sensitivity, photometry mode, image file size, etc.). In addition, a function for generating an image file with verification data for generating an image file with verification data (consisting of data such as image data and verification data) and a function for verifying whether the image file has been altered using the verification data And a verification function for displaying the verification result. Also, it has a communication function for communicating with the output device 20 via the communication path 30. The image file generation device 10 may be an imaging device such as a digital camera, a digital video camera, or a scanner, or may be another electronic device that has a built-in camera unit and can generate an image file including image data. .

  The output device 20 has a communication function that can be connected to the image file generation device 10 and a print function that prints image data of the image file received from the image file generation device 10 using the communication function. On the communication path 30, various types of data are exchanged between the image file generation device 10 and the output device 20 in accordance with a communication protocol such as IEEE1394 or USB.

  FIG. 2 is a functional block diagram illustrating the main functional configuration of the image file generation device 10 according to the embodiment of the present invention. In FIG. 2, reference numeral 201 denotes an imaging unit having an optical sensor such as a CCD (Charge Coupled Device), which generates subject image data and imaging parameters in accordance with instructions input from the operation unit 210. Normally, image data is compressed to reduce the amount of data. As a compression algorithm, JPEG (Joint Photograph Experts Group) has been standardized and can be used in this embodiment. A compression method according to the JPEG standard will be described below. First, image data (for example, 800 pixels × 600 pixels) obtained from the imaging unit 201 is divided into blocks of 8 × 8 size. Therefore, in the case of 800 pixels × 600 pixels, it is divided into 7500 blocks. Hereinafter, the compression process is executed in units of blocks.

  Next, DCT (Discrete Cosine Transform) is performed for each block unit. In this DCT process, 64 coefficients from a low frequency term to a high frequency term are calculated for each block. Next, the coefficient is quantized according to a specific quantization table, and is quantized so that a relatively high frequency coefficient becomes “0”. Finally, after the quantized coefficients are rearranged according to a specific rule, Huffman coding is performed. By performing such compression processing, the image data obtained from the imaging unit 201 is compressed. As imaging parameters, imaging time, focal length, aperture value, ISO sensitivity, photometry mode, image file size, and the like can be considered.

  Reference numeral 202 denotes a hash function calculation unit that generates digest data (hash value) from data such as image data using the hash function H. As the hash function H, MD5, SHA1, RIPEMD, etc. are generally known.

  Reference numeral 203 denotes a memory for storing the secret key Ks. The secret key Ks corresponds to signature generation key data in a digital signature. If this key data leaks outside, there is a possibility that fake digital signature data is generated. Since occurrence of such a situation means the collapse of the verification system, it is necessary to strictly manage this key data. In the system of this embodiment, digital signature data is used as data for verifying the integrity of an image file. As a digital signature data generation algorithm, a generally known generation algorithm such as RSA or DSA (Digital Signature Algorithm) can be used.

  Reference numeral 204 denotes an arithmetic processing unit that performs arithmetic processing using the secret key Ks on the digest data generated by the hash function arithmetic unit 202 in order to generate digital signature data. Further, the arithmetic processing unit 204 has a memory for temporarily storing the image file, and also has a function of analyzing the image file.

  Reference numeral 205 denotes a display unit that displays an image file stored in the removable storage medium 207. In addition to displaying an image file, a display unit 205 also displays a message to the user and setting information related to shooting of the image file generation device 10. it can.

  An image file generation unit 206 generates an image file including image data, imaging parameters, and digital signature data. The file format of the image file can be a JPEG (JPEG File Interchange Format), TIFF (Tagged Image File Format), or GIF (Graphics Interchange Format) file format. However, an extended file format of each of these file formats or other image file formats may be used.

  Reference numeral 207 denotes a removable storage medium such as a memory card. The data generated by the image file generation unit 206 is stored here via the media control unit 208.

  A media control unit 208 has a function of storing an image file with digital signature data in a removable storage medium 207 and a function of reading an image file with digital signature data from the removable storage medium 207. Reference numeral 209 denotes an interface unit for performing communication with the output device 20 via the communication path 30. Reference numeral 210 denotes an operation unit having a trigger switch and the like for performing an instruction to shoot a subject, setting imaging parameters, and the like. It also has a switch for selecting whether to generate an image file with digital signature data.

  Reference numeral 211 denotes a memory and a microcomputer that executes a control program stored in the memory. The operation of each unit of the image file generation device 10 is based on an instruction input from the operation unit and a command from the output device 20. It is a control part to control. In addition, it has an image data processing function for processing image data instructed from the output device 20 for a stored image file, and a shooting parameter setting function for setting shooting parameters. Further, it has a file name acquisition function for acquiring the file name of the image file stored in the removable storage medium 207. In addition, the image file or a part of the image file is analyzed, a determination function for determining whether the digital signature data is added to the image file, and generation of response data for a command received via the interface unit 209. Do.

  Reference numeral 212 denotes a memory for storing information necessary for verification. In this memory, a public key Kp corresponding to the secret key Ks stored in the memory 203 in the image file generating apparatus 10 is stored. The public key Kp is a public key in a digital signature, and is key information that does not need to be managed as strictly confidential. Therefore, it is not necessary to perform strict management like the secret key Ks. An image data verification unit 213 determines whether the image file has been altered. The image data verification unit 213 also has functions of temporarily storing an image file stored in the removable storage medium 207, performing data analysis, checking the format of the image data, and the like.

  FIG. 3 is a diagram illustrating the communication path 30 in the embodiment of FIG. 1 of the present invention. One end of the communication path 30 is connected to the interface unit 209 of the image file generation device 10, and the other end is connected to an interface unit 401 of the output device 20 described later. The configurations of the interface unit 209 and the interface unit 401 are determined by a communication protocol when communicating between the image file generation device 10 and the output device 20. These configurations are well-known techniques and will not be described in detail.

  FIG. 4 is a functional block diagram illustrating the main functional configuration of the output device 20 in the embodiment of FIG. 1 of the present invention. Reference numeral 401 denotes an interface unit for communicating with the image file generation apparatus 10 as described above. Various commands and image file data are transmitted to or received from the image file generating apparatus 10 via the interface unit 401. As a communication protocol, USB, IEEE1394, etc. can be used, but other communication protocols can be used. A storage unit 402 stores data received from the image file generation apparatus 10 via the interface unit 401.

  Reference numeral 403 denotes an arithmetic processing unit that performs various calculations necessary for printing. Reference numeral 404 denotes a printing unit for printing an image file transmitted from the image file generation apparatus 10 and stored in the storage unit 402. Reference numeral 405 denotes an operation unit that performs input such as selection of a function that the user wants the image file generation apparatus 10 to execute. A control unit 406 includes a memory and a microcomputer that executes a control program stored in the memory, and controls operations of the respective units of the output device 20. Reference numeral 407 denotes a display unit for displaying various information transmitted and received from the image file generation apparatus 10 and information necessary for the user to select a function to be executed by the image file generation apparatus 10. It is.

<Embodiment 1>
Next, a processing procedure of the image data verification system in the embodiment of the present invention will be described. First, generation processing of an image file with digital signature data will be described with reference to FIG. In step S501, the imaging unit 201 generates subject image data and shooting parameters from data from the optical sensor. The generated image data and shooting parameters are supplied to the hash function calculation unit 202 and the image file generation unit 206. In this way, not only the image data but also the shooting parameters are input data of the hash function, so that not only the image data but also the shooting parameters can be detected.

  In step S <b> 502, the hash function calculation unit 202 uses the hash function H to generate digest data from the image data and the shooting parameters, and supplies the generated digest data to the calculation processing unit 204. In step S503, the arithmetic processing unit 204 performs arithmetic processing on the digest data with the secret key Ks in order to generate digital signature data. Then, the arithmetic processing unit 204 supplies the generated digital signature data to the image file generation unit 206.

  In step S <b> 504, the image file generation unit 206 generates an image file with digital signature data from the digital signature data, shooting parameters, and image data, and supplies the generated image file to the media control unit 208. An example of the format of the image file generated in the present embodiment is shown in FIG. 6 (Exif compliant, Exif: Exchangeable Image File Format).

  As shown in FIG. 7, the image file is composed of shooting parameters 601, image data 602, and digital signature data 603. Further, the shooting parameter 601 includes a number of parameters relating to image data such as a digital signature data flag 604 indicating whether or not digital signature data is added to the image file, thumbnail data of the image data, and the like. Note that the digital signature data 603 is not necessarily present at a position after the image data 602, and may be included in the shooting parameter 601, for example. Furthermore, it may be embedded in the image data 602 as a digital watermark.

  Returning to FIG. 5, finally, in step S <b> 505, the media control unit 208 stores the image file with digital signature data generated by the image file generation unit 206 in a removable storage medium 207.

  Next, the printing process will be described with reference to FIG. When the user prints an image file stored in the image file generation device, the output device 20 and the image file generation device 10 are connected.

  First, in step S601, the output device 20 and the image file generation device 10 perform device authentication to determine whether or not each other is a valid device. If the device authentication cannot be obtained, the process ends there. However, if device authentication is obtained, the process advances to step S602, and the image file generation device 10 displays the file name of the image file stored in the removable storage medium 207 on the display unit 205.

  In step S <b> 603, the user designates an image file to be output from the file name displayed on the display unit 205 via the operation unit 210.

  In step S604, the image data verification unit 213 checks the format of the designated image file, and checks whether the designated image file is a correct image file. Further, the shooting parameter and the thumbnail data in the shooting parameter are respectively checked. Here, the shooting parameters are composed of parameters related to the image file such as shooting time, focal length, aperture value, ISO sensitivity, photometry mode, image file size, and device parameters such as the name of the imaged device and the device serial number. Is done.

  Next, the digital signature data flag 604 is checked in step S604 for the presence of digital signature data. If there is a digital signature data flag 604, the process proceeds to step S605, and verification processing for the next designated image file is started. First, the hash function calculation unit 202 uses the hash function H to generate digest data from the image data of the image file to be processed and the shooting parameters. If there is no digital signature data flag 604, the process proceeds to the subsequent step S608.

  In step S606, the arithmetic processing unit 204 generates comparison digest data. For this reason, the digital key data attached to the image file is subjected to public key cryptography using the public key Kp stored in the memory 212 to restore the digest data.

  In step S607, the image data verification unit 213 compares the digest data generated from the image data and the shooting parameters (generated in step S605) with the digest data generated in the arithmetic processing unit 204 (generated in step S606). To do. Then, it is verified whether the image data has been tampered with. If the image data with verification data has not been tampered with, the two digest data match, and the integrity of the image data can be verified. In this case, the image data verification unit 213 determines “no falsification”, displays “printable” on the display unit 205, and outputs data necessary for printing to the output device 20 in step S 609. Send through.

  On the other hand, when the image file with verification data is falsified, the two digest data do not match, and the integrity of the image data cannot be verified. In this case, the image data verification unit 213 determines that “tampered”, displays “tampered: not printable” on the display unit 205, and displays “tampered: not printed” on the output device 20 in step S 611. Is transmitted through the interface unit 209. In this case, the image file with verification data may or may not be transmitted to the output device 20.

  If it is determined that printing is possible, the process proceeds to step S612, where the output device 20 processes the data received by the interface unit 401 and stored in the storage unit 402 by the arithmetic processing unit, and then prints by the printing unit 404. On the other hand, if it is determined that printing has been made and printing is impossible, the process advances to step S613, and the output device 20 displays a message indicating that printing cannot be performed on the display unit 407 to the user.

  By doing so, the image file generation device 10 automatically performs verification of the image file based on the digital signature data, and displays the verification result on the image file generation device 10 side or the output device 20 side. Furthermore, control for stopping output on the output device 20 side is performed. In this way, when an altered image file is about to be printed, a warning can be given to the user.

  In the above-described embodiment, digital signature data is used as verification data. However, the present invention is not limited to this, and other verification data such as MAC (Message Authentication Data) can also be used. FIG. 8 is a state transition diagram of the generation process and the printing process described with reference to FIGS. The same step numbers used in FIG. 5 and FIG. 6 are entered as appropriate, and detailed description thereof is omitted here.

<Embodiment 2>
In the first embodiment, when tampering is confirmed in step 607, the image file is not transmitted and printing is not performed by the output device 20, but printing is performed, but the fact of tampering is included in the printing result. It is also possible to print it out clearly. That is, in FIG. 6, if there is a print request for falsified image data in step S614, the process proceeds to step S615, and printing in which the fact of falsification is specified in the print result is performed. In addition, even if the fact of tampering is not clearly stated in the print result, printing is simply performed on the display unit 407, such as printing of tampered image data, changing the recording medium (paper quality, color), or changing the color of ink used. It is possible as an embodiment of the present invention.

  The object of the present invention can also be achieved by supplying a storage medium storing software program codes for realizing the functions of the above-described embodiments to a system or apparatus. That is, it goes without saying that this can also be achieved by the computer (or CPU or MPU) of the system or apparatus reading and executing the program code stored in the storage medium. In this case, the program code itself read from the storage medium realizes the functions of the above-described embodiments, and the storage medium storing the program code constitutes the present invention.

  As a storage medium for supplying the program code, for example, a flexible disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, magnetic tape, nonvolatile semiconductor memory card, ROM, or the like can be used. . Further, the functions of the above-described embodiments may be realized by executing the program code read by the computer.

  However, when the OS (operating system) operating on the computer performs part or all of the actual processing based on the instruction of the program code, and the functions of the above-described embodiments are realized by the processing. Needless to say, is also included.

  Furthermore, the program code read from the storage medium may be written in a memory provided in a function expansion board inserted into the computer or a function expansion unit connected to the computer. After that, the CPU of the function expansion board or function expansion unit performs part or all of the actual processing based on the instruction of the program code, and the function of the above-described embodiment is realized by the processing. Needless to say.

The figure explaining the example of 1 structure of the image data verification system in embodiment of this invention is shown. 1 is a functional block diagram illustrating a main functional configuration of an image file generation device according to the present embodiment. The block diagram explaining the structure of the communication path in this embodiment is shown. The block diagram explaining the main function structures of the output device 20 in this embodiment is shown. The figure explaining the production | generation process procedure of the data of the image data verification system in this embodiment is shown. The figure explaining the printing process procedure of the data of the image data verification system in this embodiment is shown. The figure which shows an example of the image file format in this embodiment is shown. FIG. 5 shows a state transition diagram of data generation processing procedures and print processing procedures of the image data verification system in the present embodiment.

Claims (7)

An image file generation device,
Image data generating means for capturing an image of a shooting target and generating image data;
Verification data generating means for generating verification data related to the image data;
Storage means for storing the image data and the verification data as an image file in a storage medium;
From the image file stored in the storage medium, selection means for selecting an image file to be transmitted to an external output device connected to the image file generation device,
Transmitting means for transmitting the image file selected by the selecting means to the output device;
Verification means for verifying the selected image file based on the verification data;
Control means for controlling the transmission means to stop transmission of the selected image file to the output device when falsification is confirmed by the verification means. Image file generator. The image file generation apparatus according to claim 1, wherein the verification data is generated using at least one of a hash function and a cryptographic function. The image file generation device, a digital camera, or the image file generation device according to claim 1 or 2, characterized in that the scanners. The image file generation device according to claim 3 , wherein the output device is a printing device. An image file generation method in an image file generation device,
An image data generation step of capturing an image of a shooting target and generating image data;
A verification data generation step of generating verification data related to the image data;
Storing the image data and the verification data in a storage medium as an image file;
From the image file stored in the storage medium, a selection step of selecting an image file to be transmitted to an external output device connected to the image file generation device,
A transmission step of transmitting the image file selected in the selection step to the output device;
A verification step of verifying the selected image file based on the verification data;
A control step for controlling the transmission step so as to stop transmission of the selected image file to the output device when falsification is confirmed in the verification step. Image file generation method. The program for making a computer perform each process of the image file production | generation method of Claim 5 . A computer-readable storage medium storing the program according to claim 6 .

Images