Video Authentication Manual
Digital Verifier, Signature & Certificate
WebCCTV
Let’s make things safer!
1 Introduction

The latest generation of networked systems promises a much easier and faster way of moving video around (e.g. police, court room…), by simply sending it over the Internet. A public network like the Internet is not exactly the safest means of transport. However, digital video can be digitally secured, and the possibility to trace the video back to its origin is now a reality. This technology is called digitally signing the video.
2 Certificate Management

The Certificate Management section allows you to handle your certificates for exported movie signing. This section can be found in the Video Manager application under the menu Settings -> Certificate Management.
2.1 Self-signed certificates

During the WebCCTV installation a self-signed certificate is created which contains non-personalized information. It is recommended that you create a new certificate which will include your information as a signer. To do that, follow the steps below:
1. Specify your e-mail in the E-mail field.
2. Specify your location in the Location screen.
3. Click the Generate button.
Your new self-signed certificate has been generated.
2.2 CA signed certificates

In spite of the advantages of self-signed certificates, this approach is not the most secure. To improve your security, Quadrox recommends getting a certificate from a trusted certification authority (CA). Some certification authorities are explicitly trusted worldwide, so Microsoft pre-installs their certificates in the Windows operating system.
3 Video Authentication Process

The following diagram shows how a digital signature is used in the video authentication process:

[Figure: Video Authentication Process]

There are six steps in the process:
Step 1 – Recording
Step 2 – Export
Step 3 – Signature & Movie Transportation
Step 4 + 5 – Certificate Transportation & Trust
Step 6 – Checking Signature

3.1 Recording

Video from the camera is recorded in a standard ASF movie file.
signature message. This message is encrypted by the certificate, unique to each recorder, to form a digital signature. WebCCTV supports two formats of digital signature:
.eml – S/MIME standard message, like the one used in digitally signed emails.
.p7m – true PKCS #7 standard signature message. It can be opened by specialized viewers like Cryptigo’s P7MViewer (http://www.cryptigo.com).
3.4 Certificate Transportation & Trust

The certificate should be trusted by the court. By trusting the validity of a certificate (by manually checking that it is indeed what it claims to be), the court acknowledges explicitly that the certificate belongs to the machine on which the export was created. The court expresses this trust by explicitly adding it to the list of trusted root certificates. When doing this, the system will ask to manually verify the certificate, e.g.
[Figure: Not trusted certificate warning screen]

Click the Certificate button.

[Figure: Certificate Information Screen]

Click the Install Certificate button and follow the further instructions, leaving all settings at their defaults. A Security Warning window will appear. To make sure that you are installing the exact certificate you need, find the Thumbprint line in the Security Warning window and compare it with the thumbprint of the original certificate on the recorder.
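An added example, not part of the original manual or of Quadrox's software: the thumbprint comparison done in a script, assuming the recorder's certificate is available as a file (DER or Base64). The thumbprint Windows shows is the SHA-1 hash of the certificate's DER encoding; the certificate bytes in demo() are constructed stand-ins and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(cert_bytes):
    """Accept a DER file or a Base64 (PEM) file and return the DER bytes."""
    if not cert_bytes.lstrip().startswith(b"-----BEGIN"):
        return cert_bytes
    m = PEM_RE.search(cert_bytes.decode("ascii"))
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def thumbprint(cert_bytes):
    """SHA-1 over the DER encoding, as 40 upper-case hex digits."""
    return hashlib.sha1(to_der(cert_bytes)).hexdigest().upper()

def normalize(displayed):
    """Strip spaces, colons and invisible direction marks from a copied thumbprint."""
    cleaned = re.sub(r"[\s:\u200e\u200f]", "", displayed).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("a SHA-1 thumbprint is exactly 40 hex digits")
    return cleaned

def same_certificate(cert_bytes, displayed):
    """True only if the file's thumbprint equals the one read off the dialog."""
    return hmac.compare_digest(thumbprint(cert_bytes), normalize(displayed))

def demo():
    # Constructed stand-in bytes, not a real certificate: SHA-1 is taken over raw bytes.
    der = b"constructed stand-in bytes, not a real certificate"
    pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
           + b"-----END CERTIFICATE-----\n")
    # Thumbprint as a dialog would show it: lower-case hex pairs separated by spaces.
    shown = " ".join(re.findall("..", hashlib.sha1(der).hexdigest()))
    return (same_certificate(der, shown),             # DER file, spaced thumbprint
            same_certificate(pem, "\u200e" + shown),  # Base64 file, pasted with a hidden mark
            same_certificate(der + b"x", shown))      # a different certificate
```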
[Figure: Certificate Information Screen]

Once your certificate is installed, repeat the first two points of this chapter. To verify the signature, see Chapter 3.5 Checking Signature.

3.4.2 Install Certificate by exporting from Video Server

Follow the steps below:
Open the WebCCTV web-client.
Go to the System -> Certificate Management section.
Click the Export button and define the location to store the certificate.
3.5 Checking Signature

Once the certificate is trusted, the signature message can be decoded. Because the certificate is trusted, we know that a) the information in the signature is correct (wasn’t changed) and b) the signature was produced on the recorder from which the movie is claimed to have originated. If the signature was forged, the certificate will not decode it. Inside the signature, a hash value links the certificate uniquely to the movie file.
If the signature cannot be trusted because either the signature or the movie was tampered with, the following screen will be shown.

[Figure: Not trusted signature information screen]

The Digital Signature Verifier was created by Quadrox to make your life easier. However, it is not crucial to verifying the digital signature. You are free to check the signature manually or with a tool of your own choosing. The tool is released as an open source tool under the BSD license.
Appendix A

Trust certificate explicitly by means of the Outlook Express email client

Follow the steps below:
1. Save the .eml signature on the target machine.
2. Double-click on it to open it. You will see the following screen, which means your certificate is not trusted on this machine.
[Figure: MS Outlook Express Untrusted Signature Screen]
3. Click the Edit Trust button.
4. In the screen that appears, select Explicitly Trust this Certificate and follow the further prompts.
Trust certificate explicitly by means of the Microsoft Management Console

Follow the steps below:
1. Go to Start->Run and enter the mmc command.
2. In the window that appears, click File in the window menu and select Add/Remove Snap-in.
3. In the window that appears, click the Add button.
4. In the next window that appears, choose Certificates and click the Add button.
[Figure: Microsoft Management Console Screen]
5. Then select the My User account item and click Finish.
6. Close all previously opened windows by pressing the Close and OK buttons.
7. Finally you will get the list of all installed certificates.
[Figure: Microsoft Management Console Screen]
8.
Appendix B

You can manually verify the digital signature by using either the .eml or the .p7m format.

Signatures in .eml format can be viewed with MS Outlook Express. To do that, double-click on the .eml file you just saved; Outlook Express opens the signature and you will see the following screen.

[Figure: Digital Signature Screen]

Signatures in .p7m format can be viewed with p7mViewer or another suitable viewer (http://www.cryptigo.com).
A hash value or a checksum for a file is a short value, something like a fingerprint of the file. This feature can be useful both for comparing files and for checking their integrity. A hash is a mathematically calculated number that uniquely defines the original information. There are always several information strings that have the same hash as a result, but it is infeasible to find a “second original” based only on the hash.
[Figure: FastSum Screen]

[Figure: Digital Signature Screen]

If the checksums don’t correspond with each other, this means the movie file is not valid and has been changed.

Version 4.
Check hash value of an exported movie file by means of the FastSum application

Follow the steps below:
1. Download and install the FastSum application (http://www.fastsum.com).
2. Create an empty text file with the .md5 extension.
3. Edit the file in the following way:

   fb21f1ad9a8797c1e875321865193ee2 *QTEST2_Camera 1_2006-10-26_11-47-51_200610-26_11-52-50_radC5899.asf

The string above is an example.
9. If the movie file wasn’t changed and the checksum corresponds to the movie file, you will see the following screen:
[Figure: Checksum Verification Wizard Screen]
10. If the checksum doesn’t correspond to the movie file, this means that the movie file is not valid and has been changed. You will see a screen denoting such an error:
[Figure: Checksum Verification Wizard Screen]
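An added example, not part of the original manual or of FastSum: the same checksum check as a script, which parses the "<md5> *<file name>" line format shown in step 3 and recomputes the MD5 of each listed file (MD5 because that is what the .md5 file holds). The function names are hypothetical, and the file name and contents in demo() are constructed.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# One entry: 32 hex digits, a space, '*' (binary mode) or ' ', then the file name.
LINE_RE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")

def parse_md5_file(text):
    """Return {file_name: lowercase_md5_hex} from the text of a .md5 file."""
    entries = {}
    for n, line in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line.rstrip())
        # Reject malformed lines and names that point outside the checked folder.
        if not m or Path(m.group(2)).name != m.group(2):
            raise ValueError(f"line {n}: expected '<md5> *<file name>'")
        entries[m.group(2)] = m.group(1).lower()
    return entries

def md5_of(path, chunk=1 << 20):
    h = hashlib.md5()  # read in chunks so a large export need not fit in memory
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(md5_text, directory):
    """Return {file_name: 'OK' | 'CHANGED' | 'MISSING'} for every listed file."""
    results = {}
    for name, expected in parse_md5_file(md5_text).items():
        path = Path(directory, name)
        if not path.is_file():
            results[name] = "MISSING"
        else:
            same = hmac.compare_digest(md5_of(path), expected)
            results[name] = "OK" if same else "CHANGED"
    return results

def demo():
    name = "QTEST2_Camera 1_constructed.asf"  # constructed sample name (note the space)
    with tempfile.TemporaryDirectory() as d:
        movie = Path(d, name)
        movie.write_bytes(b"constructed stand-in for exported movie data")
        listing = f"{md5_of(movie)} *{name}\n"
        before = verify(listing, d)[name]
        movie.write_bytes(movie.read_bytes() + b"\x00")  # one appended byte
        after = verify(listing, d)[name]
    return before, after
```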