24.10.23
Today I thought about the problem, when someone is taking a photo with a camera, it is incredibly hard to prove that this is the original picture and was not modified by some image editor.
So I took a look at the Digital Native file format by Adobe, an open standart for all camera producers to save the raw image in a format which is compatible with non related software and hardware.
In the DNG 1.7.0.0 Specifications from June 2023 there is a field for proprietary data. Which is nice for our idea because we can just embed some additional data instead of inventing our own file format.
The reason why we take DNG for this Idea is that we want to save the original image data, but I think it is also possible with other image format which support to embed your own data.
Now we only need some procedure to be able to trust a picture when we get it from someone.
The idea is to hash the image data, which is represented as a array of pixels. The hash algorithm which is used can be ether specified in the field or standardized, but I think it will be a good idea if we are able to change it afterwards if a hashing algorithm gets obsolete.
So now when we have this hash it is currently very useless if we just pasted that into the field, because we can just edit that too.
The next step is to sign the hash with a private key (The type of asymmetric encryption does not matter as long it is strong). Now we paste the signed hash and our public key into the field, which we use for our verification.
If someone now wants to check by whom this image was edited the last time they can just search for the public key on some key server. And if they want to check if this image was really modified by this person the last time they can check the hash if it matches the image data.
This procedure cannot assure if the picture was modified by its creator it only can prove its origin. Which is worth a lot if it is used in front of a court for example or by a journalist which want to prove some sources to be from a specific person.
If you also do not want to trust any person but only their pictures, there would be the option to produce cameras which already contain a key-pair which you cannot extract. Then the camera producer can provide a list of all public keys which are used. The best would be if they also list the serial number so it could be checked if the person who claims to be the creator of the photograph really is the creator of this picture.