Authentication of Evidence
Authentication is the process by which the reliability of evidence is established.
The party leading the evidence in court must show that it has not been altered
since it was collected and that the location, date, and time of collection can
be proven. That is accomplished using standardized evidence-handling procedures
and chain-of-custody records and relies primarily on physical security measures.
Digital evidence offers new challenges for authentication and,
at the same time, new opportunities to significantly strengthen
the proofs of reliability. It has been argued that digital images
may require that special care be given to document the collection
and analysis procedures and chain of custody to ensure admissibility
(Berg 2000). Those concerns can be extrapolated to digital evidence
of all forms. As binary data on (usually) magnetic media, digital
evidence is potentially more susceptible to postcollection alteration,
or the accusation thereof by a defense attorney, than is analog
evidence. To offset that vulnerability, digital evidence is also
amenable to the many information-assurance methods that have been
developed for Internet applications and electronic commerce. This
paper explores the potential for applying information assurance
to authentication of digital evidence in general and discusses a
prototype application to digital video in particular.
The purpose of this paper is to stimulate dialog on the utility
and requirements for information-assurance enhancements to current
evidence-handling and chain-of-custody documentation procedures.
Information-Assurance Services
The Information Assurance Technical Framework (National
Security Agency 2002) captures information-assurance guidance reflecting
the state-of-practice in the U.S. Department of Defense, federal
government, and industry information-assurance community. It describes
the following five primary security services relevant to information
and information processing systems: access control, confidentiality,
integrity, availability, and nonrepudiation. Those five somewhat
interdependent services are summarized here.
Access control is comprised of measures that prevent unauthorized
user access to networked hardware, software, and data. It is accomplished
by four functions:
- Identification and authentication determines the identity of
a person who seeks access to a resource or data. Information-assurance
terminology uses authentication in the sense of the reliability
of identity credentials, which is similar to but more specialized
than evidentiary usage.
- Authorization determines the access rights of a person (or process)
given a valid identity.
- Decision determines whether a person's access rights are sufficient
for the access requested and grants or denies access accordingly.
- Enforcement imposes the access-control decision.
Access control, as described in the Information Assurance Technical
Framework, does not include physical security.
The confidentiality security service is defined as the protection
of data from unauthorized disclosure. The data may be in storage
or in transmission. This overlaps with access control but is sufficiently
important to the information-assurance community to merit separate
treatment in the Information Assurance Technical Framework.
The integrity security service includes any or all of the following:
protecting data from modifications, detecting modifications, and
recording modifications. Identification and authentication is an
essential aspect of integrity as observed in the Information
Assurance Technical Framework.
Note that integrity protection is of no value unless
it is combined with a mechanism that provides authentication of
the source. Without source authentication, anyone could tamper with
the original data and then just reapply an integrity mechanism.
Availability is concerned with ensuring that network data and services
are provided to users with a specified quality of service, when
the network is subject to normal loads, failures, and outright attacks.
Nonrepudiation services provide proofs that participating parties
were involved in a communication (e.g., an electronic commerce exchange).
The objective is to render it infeasible for a person to deny having
had access to information or information-processing resources or
engaging in specific activities with regard to said information
and resources.
Information Assurance Applied to Digital Evidence
The confidentiality and availability services have no apparent
bearing on authentication of digital evidence. Confidentiality does
not apply because all evidence must be disclosed during discovery,
whereas availability is primarily a network issue. Those services
will not be discussed further.
The physical security implicit in normal evidence-handling procedures
provides a significant measure of access control. The information-assurance
version of access control would serve to enhance that in some situations.
For example, when some medium containing original digital evidence
is connected to a computer for copying or analysis, information-assurance
considerations would include the following:
- Is that computer connected to a local area network?
- Who has access to the local network?
- Is everyone with access to the local network authorized to access
the evidence?
- How is the local network protected from other networks?
- Who has access to the computer during duty and off-duty hours?
- Is the computer free from unauthorized applications?
- Are all access attempts automatically logged?
- How are access restrictions enforced?
Those and potentially other questions are highly relevant to establishing
a complete picture of access control for the evidence and should
be addressed in the evidence-handling procedures.
The information-assurance service most clearly relevant to the
authentication of digital evidence is integrity. The Information
Assurance Technical Framework discussion on data integrity
is of central importance. The relevant section is reproduced as
Appendix A to this paper. By implementing the means to reliably
detect modifications to digital evidence by an integrity service,
it will be possible to prove that no modifications were made.
The integrity implementation selected will depend on technical
and operational factors. On the technical side, the storage media,
data format, and data-extraction methods will be drivers. Computer
hard drives, digital video tapes, and optical disks will present
different challenges and requirements. The concept of operations
will have a significant influence over implementation methods. Stake-outs,
unattended covert surveillance, and seized evidence all present
different operational needs. Generally, it is desirable to ensure
the integrity of the data as close to the source format and as near
to the time and place of collection as feasible. Identification
of the user who collects the evidence and generates the integrity
data should be integral to the solution. In no case should the integrity
process modify the original data in any way because that would defeat
the objective of the integrity service.
The nonrepudiation service could be applied to bolster chain-of-custody
record keeping. Although investigators and forensic analysts obviously
have no use for such a service, insofar as they are not likely to
deny that they collected a piece of evidence or generated an analysis,
it is equally obvious that someone attempting to alter evidence
would seek to conceal their identity. Therefore from the perspective
of evidence authentication, it is important to be able to prove
who handled a piece of evidence and when they did so. Nonrepudiation
works together with access control to prevent unauthorized access
to evidence and maintain an audit trail of successful and unsuccessful
access attempts.
To put these generalities in context, the next section describes
a system that addresses access control, integrity, and nonrepudiation
for a particular application.
Digital Video Evidence System
A prototype system is currently under development for the U.S.
Postal Inspection Service that applies information-assurance methods
to authenticate digital video (Beser et al. 2003). The following
describes how the information-assurance services discussed above
are manifested in a digital video evidence system.
The U.S. Postal Inspection Service desires to preempt any challenge
to the admissibility of digital video evidence collected during
surveillance operations, where such a challenge might be made on
the grounds that digital video can be easily edited. The developmental
system addresses access control, integrity, and nonrepudiation through
the application of digital signatures in a government off-the-shelf
public key infrastructure.
The components of the overall system are shown in Figure 1. Consider
a collection-to-court sequence of events for a specimen of digital
video evidence. Beginning on the lower left of the figure, a postal
inspector reports to the public key infrastructure local registration
authority and is given a security token (e.g., a smart card). The
token is initialized with a cryptographic key pair and an identity
certificate. The identity certificate is an electronic document
containing the inspector's name, date and time, and the public key
of the key pair. The local registration authority serves as witness
to the identity of the inspector and key-generation process. The
identity certificate is digitally signed by the public key infrastructure
certificate authority. The identity certificate constitutes the
inspector's electronic credentials that others can trust because
of the certificate authority signature. This certificate-generation
process is expected to take a few minutes for an inspector who has
been preregistered. Registration with the public key infrastructure
serves as access control because only authorized users will be able
to register. Public key infrastructures have been described in more
detail elsewhere (Lyons-Burke 2000) and will not be discussed further
here.
The key pair enables the inspector to generate digital signatures
on the security token using the private key of the pair, whereas
the public key will enable anyone to verify those signatures. Refer
to Appendix B for a description of digital signatures and the roles
of public and private keys.
Figure 1. Digital Video Evidence System
Next, the inspector takes the security token, a digital camcorder, and the
special-purpose digital video authenticator to the field to collect evidence.
This step is illustrated on the lower right. The digital video authenticator is
depicted as a laptop, which was used for the proof-of-principle prototype. A picture
of the prototype is shown in Figure 2. The field prototype, currently under development,
will be a smaller form factor. The digital video authenticator is connected to
the camcorder by the IEEE-1394 Firewire interface. The inspector turns on the
unit, which will wait for the user to connect a security token and enter a personal
identification number to access the token. It will not operate without an inserted
token. This feature provides for nonrepudiation for subsequent steps.
Figure 2. Proof-of-Principle Digital Video Authenticator
with Camcorder
After the token handshake, the digital video authenticator generates
another cryptographic key pair. The private key of this pair is
used in the unit to generate digital signatures for the digital
video. The public key is concatenated with optional, user-supplied
session information and is digitally signed by the security token
to produce an integrity certificate. Both the identity certificate
and integrity certificate are written to removable media in the
digital video authenticator. The integrity certificate provides
for nonrepudiation regarding the identity of the inspector who generated
the associated keys.
During video taping, the digital video authenticator receives the compressed
video data stream (Society of Motion Picture and Television Engineers 1999) from
the camcorder over the Firewire simultaneously as the camcorder records. The authenticator
delineates the stream into frames and then further parses the frames into segments
for video, audio, and control data. Each segment is digitally signed in a pipeline
process that matches the 30-frames-per-second throughput of the camcorder. Those
signatures are the core data used in subsequent analysis to verify the integrity
of the video.
After the recording session, the inspector terminates digital video
authenticator operation. The unit automatically destroys the private
key used for signing the video. Destruction of that critical private
key is a strong form of access control. The key existed only during
a single recording session while it was in custody of a known user.
No further signatures can be generated that are compatible with
the public key in the integrity certificate.
The collected video, identity and integrity certificates, and digital
signatures are submitted to the evidence storage facility in accordance
with standard operating procedures. Working copies can be made as
needed. An option to be exercised by the U.S. Postal Inspection
Service is to return to the local registration authority, surrender
the security token, and destroy the key pair resident on that device.
The intent is to alleviate the need for the inspector to carry a
security token at all times. One advantage of keeping the token
is that the inspector would not need to complete the token initialization
step every time digital signatures were to be generated.
The fourth step in the digital video evidence system in Figure
1 is to verify the integrity of any video clip of evidentiary interest.
This might be done routinely or only when a clip is challenged.
In any event, the digital video certificates and signatures and
public key from the public key infrastructure certificate authority
will be provided to the analyst. That analyst will use software
tools to be provided in a digital video verification workstation
to assess the integrity of the video clip.
Integrity verification is a multipart process. The analyst must
first establish the validity of the various public keys involved.
That is accomplished by the chaining of certificates. The public
key from the public key infrastructure certificate authority, which
is trusted and independently verifiable, is used to verify the inspector's
identity certificate. The public key from the inspector's identity
certificate is used to verify the integrity certificate. The public
key from the integrity certificate is used with the digital signatures
to verify the audio, video, and control portions of each frame.
Therefore, trust in the integrity of each frame segment can be unequivocally
traced back to trust in the public key infrastructure, which must
meet federal standards for access control, confidentiality, and
integrity of its keys.
Once the keys are validated, the analysts will perform an automated,
frame-level integrity verification. Not all video frames will pass
the integrity verification. Tape defects, recording or playback
noise from dirty heads, and variability in error detection and correction
capability among playback equipment will cause frames to fail verification.
The analyst may be able to deduce the cause of failure in some cases
(e.g., unreadable audio data are replaced by a square-wave output
in some systems). Furthermore, the digital video authenticator is
a soft real-time system, meaning, it will fail to generate signatures
on a fraction of the frames (roughly 1 in 9,700 for the prototype).
Those and other factors will be taken into account in a final assessment
of authenticity.
The investigative analysis of the evidence will have the advantage
of the authenticity report, as indicated in the upper, central portion
of Figure 1. The analysts will be confident that they can rely on
the admissibility of the video clip or even a specific frame of
interest. To be conservative, failed frames can be excluded from
consideration for presentation in court.
Generalized Information-Assurance Solution
The information-assurance methods employed for the digital video
example may be applied to provide information-assurance services
for other digital evidence formats. Generalizations for access control,
integrity, and nonrepudiation are discussed below.
Access control can be achieved by a public key infrastructure.
It provides for identifying and authenticating authorized users
through the user registration process. Identity certificates and
associated cryptographic keys are protected using security tokens.
The decision and enforcement aspects of access control are performed
by analysts who need merely observe whether an identity certificate
is valid based on the public key infrastructure certificate authority's
public key. Defense expert witnesses will also have access to the
identity certificates and public keys, enabling independent validation
of authorized users at any time.
Integrity can be ensured through the generation of digital signatures of the
original digital evidence in the original format at the time of collection. For
the digital video example, that format is compressed DV-25 as recorded on the
digital tape, and the time-of-collection requirement is interpreted to mean concurrently
with recording and at the video-frame rate. Digital signatures can be handily
applied to any formatted data. Unformatted data, or data with an unknown format,
can be arbitrarily segmented or protected with a single signature for an entire
data file or directory. However, the single-signature option should be avoided because the introduction of a single bit error will render the evidence
unverifiable.
Nonrepudiation is accomplished by logging and digitally signing
events using the private key corresponding to the identity certificate.
All significant events should be signed. In the digital video example,
the principal event is the generation of a cryptographic key pair
in the digital video authenticator. The generation of a digitally
signed integrity certificate serves as the means of nonrepudiation
for the creation of that key pair and the subsequent digital signatures
for the video. The critical events for each type of digital evidence
can be similarly identified. Then the appropriate means to log and
sign the events can be incorporated into the authentication system.
Daubert Compliance
The Daubert ruling (Daubert 1993) requires the
trial judge to make an assessment of whether a methodology or technique
invoked by expert testimony is scientifically valid and whether
the methodology can be applied to the facts in issue. The ruling
provides the following five example considerations to aid the judge
in making that assessment:
- Whether the technique can be and has been tested
- Whether the technique has been subjected to peer review and
publication
- Known or potential rate of error
- Existence and maintenance of standards controlling the technique
- General acceptance in the relevant scientific community
Digital signatures have not been used to date to authenticate digital
evidence in criminal court so are subject to a Daubert
challenge.
That fact leads to one primary design principle for authentication
systems—strict adherence to existing government and industry
standards and accepted practices. The National Institute for Standards
and Technology is the national standards-setting body for government
and commercial cryptographic algorithms and equipment. Adherence
to National Institute of Standards and Technology standards (e.g.,
Federal Information Processing Standards Publication 140-2) helps
ensure that those facets of the system are acceptable to the information-assurance
community. Similarly, using unaltered, industry-accepted data formats
(e.g., SMPTE Std 314M-1999 for digital video) will facilitate acceptance
by the technical community relevant to the evidence. In addition,
the resulting system must be extensively tested to establish expected
performance and error rates. Preliminary performance results for
the digital video example have been reported (Beser et al. 2003).
Conclusions
This paper briefly explored the application of information-assurance
practices to the problem of the authentication of digital evidence.
Technical feasibility has been demonstrated for the challenging
case of digital video. In that example, objective proof of integrity
is provided in a realm where evidence is in a lossy, compressed
data format stored on magnetic tape. Access control and nonrepudiation
reinforce the chain of custody by augmenting the physical security
embodied in standard evidence-handling procedures with an additional
layer of information security. Those information-assurance methods
are equally applicable to other forms of digital evidence. The means
are at hand to make the reliability of digital evidence a matter
of scientific fact.
References
Berg, E. C. Legal ramifications of digital imaging in law enforcement,
Forensic Science Communications [Online]. (October 2000).
Available: www.fbi.gov/hq/lab/fsc/backissu/oct2000/berg.htm.
Beser, N. D., Duerr, T. E., and Staisiunas, G. P. Authentication
of digital video evidence, In: SPIE Applications of Digital
Image Processing XXVI, San Diego, California, August 3-8, 2003.
Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 US,
579 (1993).
Lyons-Burke, K. Federal Agency Use of Public Key Technology
for Digital Signatures and Authentication, National Institute
of Standards Special Publication 800-25, October 2000.
Available: http://csrc.nist.gov/publications/nistpubs/800-25/sp800-25.pdf.
National Institute of Standards and Technology. Security Requirements for
Cryptographic Modules, Federal Information Processing Standards Publication
140-2, May 25, 2001.
National Security Agency Information Assurance Solutions Technical Directors.
Information Assurance Technical Framework, Release 3.1, September 2002.
Available: http://www.iatf.net/framework_docs/version-3_1/index.cfm.
Society of Motion Picture and Television Engineers. Data Structure
for DV-Based Audio, Data and Compressed Video 25 and 50 Mb/s,
SMPTE Std 314M-1999, July 1, 1999.
Appendix A: Excerpted from Information Assurance Technical
Framework Release 3.1 (2002)
4.3.3 Integrity
The integrity security service includes the following methods:
prevention of unauthorized modification of data (both stored and
communicated), detection and notification of unauthorized modification
of data, and recording of all changes to data. Modification of both
stored and communicated data may include changes, insertions, deletions,
or duplications. Additional potential modifications that may result
when data is exposed to communications channels include sequence
changes and replay.
The requirements for provision of integrity security services are
similar to those for confidentiality and include the location, type,
and amount or parts of the data that needs protection.
When integrity is discussed with respect to network security, it
is important to consider where in the protocol stack the integrity
service is provided. Different implementation (layering) options
will provide integrity to data in different protocol layers as well
as to data being communicated. Sophisticated integrity schemes are
likely to require service from the application using the data.
Note that integrity protection is of no value unless it is combined
with a mechanism that provides authentication of the source. Without
source authentication, anyone could tamper with the original data
and then just reapply an integrity mechanism.
Data integrity can be divided into two types, based on the type
of data to be protected. Integrity can be applied to a single data
unit (protocol data unit, database element, file, etc.) or to a
stream of data units (e.g., all protocol data units exchanged in
a connection).
4.3.3.1 Single Unit of Data
Ensuring the integrity of a single data unit requires that the
originating (sending) entity calculate an additional data item
that is a function of (and bound to) the original data unit. This
additional item is then carried along with the data unit. The
entity that desires to verify the integrity of this data unit
must recalculate the corresponding quantity and compare it with
the transferred value. A failure of the two to match indicates
that the data unit has been modified in transit.
Methods for calculating this data item, which is a function of
the original data unit (the check value), vary in the processing
required and the services provided. Checksums, cyclic redundancy
check (CRC) values, and hashes (also known as a message digest)
all meet the requirement that they depend on the entire content
of the original data unit. A weakness of this method is that,
if an adversary modifies the original data, these functions are
easily reproducible and allow the adversary to generate a proper
value for the modified data thereby defeating the integrity service.
An additional mechanism can be applied to prevent access to the
check value (e.g., encryption or digital signatures) to overcome
this problem.
Another method of preventing successful modification of the check
value is to include a secret value along with the original data
unit. This property is exhibited by message authentication codes
(also known as message integrity check and keyed hashes).
The icheck [sic] value alone will not protect against an attack
that replays a single data unit. A time stamp may be included
along with the original data unit to provide limited protection
against replay.
4.3.3.2 Sequence of Data Units
To protect the integrity of a sequence of data units (i.e., protect
against reordering, losing, replaying and inserting, or modifying
data), some type of ordering information must be provided in the
communications protocol. Examples of ordering information are
sequence numbers and time stamps. Integrity of sequences can also
be provided by encrypting the sequence of data units using a cryptographic
algorithm in which encryption of each sequence depends on the
encryption of all previous sequences (also referred to as chaining).
Appendix B: Digital Signatures
Digital signatures as used in this paper are based on asymmetric
cryptography. For asymmetric cryptography, the cryptographic keys
are generated in pairs, where the individual keys are referred to
as the public key and private key. In any given information exchange,
one of the keys is used to encrypt a message to generate a cipher,
and the other is used to decrypt the cipher to recover the message.
Although either key may be used for either role, neither key can
both encrypt the message and decrypt the resulting cipher. Typically,
the private key is held as a secret key by a user, and the public
key is disseminated without restriction.
The digital signature generation process is outlined in Figure
B-1. First a binary message, such as a segment of a digital-video
frame, is input to a one-way secure hash function. That hash generates
a fixed-length bit string, or digest, that has two important properties-the
original message cannot be derived from the digest, and the probability
of two different messages producing the same digest (or probability
of collision) is remote. For example, a 128-bit digest provides
a probability of collision of 2-64, or about 10-19.
Applied to the authentication problem, this means that the probability
that digitally signed evidence can be modified and yield the same
digest as the original evidence is approximately 10-19.
Conversely, the probability of detecting a modification where digital
signatures are used as an integrity check is 1–10-19,
or 0.99... out to 19 decimal places.
Figure B-1. Digital-Signature Process
Next, the digest is encrypted using a private cryptographic key.
The encrypted digest constitutes the digital signature of the input
message. The encryption step ensures that in the event of tampering,
a modified digest cannot be computed and substituted along with
the modified evidence. Clearly, maintaining the secrecy of that
key is critical to a successful digital-signature implementation.
That involves stringent access-control mechanisms in the device
used to generate the signatures.
The integrity-verification process is outlined in Figure B-2. The
message is again subjected to the hash to obtain a digest. The recorded
digital signature is decrypted using the public key of the key pair,
and the decrypted digest is compared to the newly computed digest.
If there is any modification to the message, the newly computed
digest will differ from the decrypted one. If the signature has
been modified, the digest will not successfully decrypt using the
public key, and the digests will not match. The output of the process
is a pass or fail decision regarding the integrity of the inputs.
Figure B-2. Integrity-Verification Process
Acknowledgements
The work supporting the writing of this paper is funded by the Investigative Support and Forensics Subgroup of the Technical Support Working Group.
|