Canon's Image Verification System Cracked

TJNoffy writes "The H Security's H-online reports that 'Hacker Dmitry Sklyarov has succeeded in extracting the secret signing key from numerous digital SLR cameras and has used it to sign modified images which Canon's latest OSK-E3 security kit verifies as legitimate. Canon's Original Data Security System is intended to show whether changes have been made to photographs and to verify date and location information. The system is primarily used for ensuring the integrity of evidence, for reporting accidents and for construction records.'"

Cryptography FAIL

Anyone who uses a hash, instead of something asymmetric like RSA, for "signing" doesn't know what they are on about. I would have hoped that Canon could afford better programmers.

Re:Cryptography FAIL

[Myria]

Anyone who uses a hash, instead of something asymmetric like RSA, for "signing" doesn't know what they are on about. I would have hoped that Canon could afford better programmers.

It doesn't matter; if you can extract the software inside the camera, you can do anything the camera does. It doesn't matter whether they use SHA, RSA, or ROT-13.

The correct solution would be to put the key in a tamper-resistant hardware cryptographic processor, and secure the firmware on the camera against running unverified code. Canon did neither.

Re:Cryptography FAIL

[SuricouRaven]

I'd still get broken eventually. I'd rather not rely on the camera - instead have it hash the picture, then immediately transmit the hash to five different legal firms. This would add a significent expense, of course - but if people feel they'll have a need to prove in court their photo wasn't tampered with, they should be prepared to pay a premium for a camera that comes equipped with a mobile phone network interface.

Re:Cryptography FAIL

[mlts]

What they should have done was have exactly as you stated -- a tamper resistant CPU, akin to smart cards. This would have a private key generated and stored on the chip. Canon would have a certificate that would sign the private keys (so someone couldn't just fake a private key with a hacked camera body.)

This way, if camera "A" got compromised, every other Canon camera out there would still be protected. It appears that the method they used, if one camera got hacked, every one was broken open because they all used the same private key.

Re:Cryptography FAIL

[fuzzyfuzzyfungus]

Really, cryptographic jiggery-pokery is a problem best solved outside the camera. Generating an MD5 or SHA1 onboard is fine(even if you don't care about the crypto, it's a nice check against memory card corruption, and most nicer cameras have the entire frame in memory at some point before writing it to the card so the hashing should be fast); but leaving the crypto to a removable, interchangeable, person/organization unique crypto smartcard would really be the way to go.

That way, you wouldn't need to trust the camera(other than to be not broken, calculating false MD5s would be useless and swiftly detected), plus you could easily swap out the high-value portion of the hardware so that multiple authorized users could share a camera, and their cards could be physically protected when not in use.

Re:Cryptography FAIL

[EvanED]

How do those firms know they're getting the original picture?

The providence has to start at the camera.

Re:Cryptography FAIL

[EvanED]

"providence" should, of course, have been "provenance".

Re:Cryptography FAIL

[jack2000]

Because we all know smart cards have never been cracked. There aren't people that churn out smart cards, and all smart cards are oh so impervious to hardware based attacks.

Re:Cryptography FAIL

[mlts]

It depends on the smart card. I'd love to see someone extract a private key out of a CAC, for example. There are other smart cards which have been completely compromised, but newer ones made within the past couple years are getting to the point of having decent security.

Nothing is 100% secure, but CACs are good enough for the DoD, and that says something.

Re:Cryptography FAIL

Windows is good enough for the DoD. That says something too.

Re:Cryptography FAIL

[kiwix]

You don't seem to have a very good knowledge of cryptography yourself... Good signature algorithms use both a hash and something asymmetric.

Most signature algorithms start with a hash of the original file, because signing a big document would require a lot of computations. This does not reduce the security of the signature, as long as you don't use a broken hash function (and even if your hash function is as broken as MD5, the impact in this kind of scenario would be quite limited). Note that it is actually necessary to do some some kind of preprocessing of the message because RSA has bad multiplicative properties.

BTW, I don't see any mention of the algorithm used by Canon in TFA but they mention a key and hash functions do not have a key, so they're not just hashing the picture (which would indeed by stupid).

Re:Cryptography FAIL

[fluffy99]

They blew it entirely if every camera has the same signing certificate as well. What they should have is a root CA, and intermediate CA which issues certificates to each camera based on their serial number. This would also imply the certificate is not part of the software but perhaps burned into an eeprom on the camera . Then the signed photos "bogus or not" would have the serial number of the camera. To forge the photo and have it appear to come from a particuler camera still may not be that difficult, but a single compromise doesn't compromise the integrity of the entire system.

Re:Cryptography FAIL

[StikyPad]

The DoD is hardly an ideal model of security. I'll leave it at that.

Re:Cryptography FAIL

It depends on the smart card. I'd love to see someone extract a private key out of a CAC, for example. There are other smart cards which have been completely compromised, but newer ones made within the past couple years are getting to the point of having decent security.

Nothing is 100% secure, but CACs are good enough for the DoD, and that says something.

Wikileaks got their leaked data via DoD.

Re:Cryptography FAIL

[phyrexianshaw.ca]

I've got to second the above posters.

though FAR from secure,
for the DoD, CAC's are "good enough".

Re:Cryptography FAIL

[IshmaelDS]

That's not true, if I wait till after it's been copied off the camera that means I only know what was submitted is free of tampering from that time on. I have no clue what was done to it before you submitted it. This is why the encryption needs to be on the camera.

Re:Cryptography FAIL

[easyTree]

Windows without passwords or firewalls is good enough for the DoD. That says something too.

.

Re:Cryptography FAIL

[Bigjeff5]

For verification you need a private key + a public key. The public key is a hash of the photograph itself. The private key is known only to Canon. The private key absolutely must exist on the camera in order for it to generate a signature of the photo (generated from hash + public key).

For verification all the Canon software needs to do is perform the same operation the camera would have: combine a hash of the photo with the private key and generate a signature. If the two signatures match, the photo is verified.

This is pretty much how any verification system of this type will work. There aren't any practical alternatives.

The article didn't come out and say how they did it, but it said they obtained the key from the camera itself. If you can get the key off the camera, the whole system is broken. It doesn't matter what kind of hash function you used, if you have the private key you can generate a valid signature from any image you want - edited or not.

My guess is that the firmware wasn't secured or sufficiently tamper resistant. The key must exist on the camera, so Canon must take steps to ensure the key is inaccessible. They did not do a good enough job of this, and now their verification system is worthless. They'll have to start all over now.

hash functions do not have a key

Somebody doesn't know how hash functions work. For a hash of a file, the key is the file itself. The key is whatever you used to generate the hash - they don't happen by magic. Often for authentication the key itself is a hash - the signature is a hash of a hash. In the case of Canon's image verification, at least half of the key is a hash, the other half is also probably a hash (since they are so nicely random and can be generated from crazy things), but it may not be. Technically just concatenating the public key and the private key is a hash function (albeit an ultra simple one) which generates a new hash, from which a hash function generates the final signature. A hash of a hash of two hashes. That's all these are.

The point here is that hashes do not exist without a key. If it has no key, it's just a random number with no meaning behind it.

Re:Cryptography FAIL

[BlackBloq]

Actually the only way is a chemically reacting substrate known as film. Try faking a a real photo and getting that past forensics. Snarf!

Re:Cryptography FAIL

[MichaelJE2]

What if you just put a smart card reader on the camera, and use insert-smart-card-issued-correctly-here with it?

Re:Cryptography FAIL

[fluffy99]

For verification you need a private key + a public key. The public key is a hash of the photograph itself. The private key is known only to Canon. The private key absolutely must exist on the camera in order for it to generate a signature of the photo (generated from hash + public key).

For verification all the Canon software needs to do is perform the same operation the camera would have: combine a hash of the photo with the private key and generate a signature. If the two signatures match, the photo is verified.

You're rambling, and it's a bit obvious you don't understand how PKI works. Verification does NOT require the private key. You need the public key, and the public key of any root or intermediate certs used to create the certificate in the camera.

Re:Cryptography FAIL

[SuricouRaven]

Timing. That's why it has to be immediate. Photoshopping takes time - if the photo hash arrives minutes after the events it's supposed to be recording, then it may be tampered with.

Re:Cryptography FAIL

[EvanED]

And how do they know when the picture was taken? Think detectives are finished going over a crime scene a few minutes after getting there? Of course not. Even if they're done on-scene relatively quickly (large crimes can take days or longer), they'll box all the evidence up and take it back to the lab. Maybe they'll get to it by the end of the week. Maybe not.

Basically, courtworthy photos are being produced long after there's been time to do some photoshopping.

Re:Cryptography FAIL

[SuricouRaven]

Also, there's always the old classic trick: Print out, place in front of camera, illuminate evenly. Would have to do some optical trickery to alter the focal distance, or just use a really big card.

Re:Cryptography FAIL

To forge the photo and have it appear to come from a particuler camera still may not be that difficult, but a single compromise doesn't compromise the integrity of the entire system.

I don't think so. Having a per-camera private key doesn't make this setup more secure, because if a key can be extracted from one camera, it can also be extracted from another camera of the same model by the same procedure. So a compromise should be viewed as a per-model one, not per-device, and thus a per-model private key is as good for the purposes of proving the authencity of the photo as a per-device key.

Re:Cryptography FAIL

[Pinky's+Brain]

The resolution of chemical film is high, but far from infinite and it's still just a 2D plane ... with a printed 2D image of sufficient resolution, a good lighting setup and a good lens you can get anything you want on film ... modelling the original camera and the development process is just that, a modelling problem. A solvable problem.

Re:Cryptography FAIL

[fuzzyfuzzyfungus]

That would be the idea. The smartcard would be directly connected to the camera, and a required part of the image-saving processs(if crypto were desired, if you just wanted to happy snap, it would be irrelevant); but would be removable, and would be where all the cryptographic secrets live, and so could be easily subjected to whatever physical security measures suit the organization using it(unlike a mass-market camera, which is going to be physically avaiable to anybody with a few hundred or few thousand dollars and/or fast fingers...)

The camera would take the image, do a SHA1 or MD5(since, having the image in RAM would make it fast for the camera, even with a largish image) and then, if a smartcard is present, pass the image hash to the smartcard to be signed and returned and written to flash along with the image. The private key is never exposed to the camera, and the only "secret" you could learn from buying a camera of the same model is what ASIC they are using to do an off-the-shelf hashing algorithm on a low power budget. And, the moment Agent Smith removes his smartcard from the camera, there is absolutely nothing sensitive remaining in that camera body.

Re:Cryptography FAIL

That would only work with time-sensitive data. Pictures taken of a crime scene? Photochop them, do the hash-and-send, then claim that you took the picture at the time when you actually just sent it.

Re:Cryptography FAIL

[AmiMoJo]

Take a photo with normal camera. Photoshop it. Get it printed professionally. Point security enabled camera at photo and shoot a "secure" copy.

Wow

[Monkeedude1212]

I didn't even know such technology existed!

I thought they just posted it on /b/ asking "reel or phake?"

And they just tallied the number of "Photoshoped" responses versus the total responses.

Re:Wow

[thue]

I assume it is just a signed checksum of the main image, stored in the image metadata. If my guess is correct, the technology is well known.

And if so, it is not a surprise that the private keys were extracted. Because you are giving the end-user the key inside the camera.

Re:Wow

[DIplomatic]

I didn't even know such technology existed!

I thought they just posted it on /b/ asking "reel or phake?"

And they just tallied the number of "Photoshoped" responses versus the total responses.

Yeah and what's even funnier is the sub-forum with Smiling Leo and Eating Keanu in all the backgrounds!

Re:Wow

[jack2000]

there's automated software that detects artifacts, also the compresion pattern passes software uses when making images, there was a guy calculating the lightsources from reflective spherical surfaces (including eyes), there's many ways.

Re:Wow

[c++0xFF]

After reading the presentation, I see that you're pretty much right. Each camera model has a different key, which is stored on the camera itself. This is then used to create a HMAC.

It doesn't even look like this was all that hard, since the key was so easily extracted. I agree with the conclusion in that presentation: Cannon needs to hire people who understand security, if they want this feature to mean anything.

Re:Wow

[mrmeval]

What idiocy. Couldn't they have used the same public key in every camera then encoded a hash and stuff it in metadata? They would control the secret key and their software would ship the image and metadata to them for validation. Or is that still too simple?

Re:Wow

[HungryHobo]

unless you want to pass it through a third party(who can still only verify date and time it was passed through their servers) there's not much you can do on the camera that's foolproof.

There's quite a large numbers of methods for detecting if an image is tampered or not though.
Some of them rely on sensor noise in the camera, some on natural image statistics, some on looking for chromatic aberration or slight aberrations in how a particular camera model encodes an image.

I studied this for my final year project and came to the conclusion that if given a high quality raw image along with the camera it was claimed to have been taken with and given enough time to take a lot of test images with the camera in question it's extremely possible to decide to a high degree of certainty whether the image has been tampered with.

You can make it far far harder by not stretching or scaling anything, taking anything you're inserting from an image taken with the same camera in the same part of the image (not swapping left to right), never compressing anything in a lossy way until you've got the final image, not getting any source images or elements from anything which has ever been compressed in a lossy fashion like jpeg, making sure that specular highlights and shadows match exactly and that the scale of everything is exactly right though there can still be some clues left by the editing tool and by the presence or lack of imperfections caused by errors in the camera like slight lens aberrations.

It takes quite a bit of work but it can be done and there are suits of tools made available to law enforcement.
That's without any signing which is a fairly weak method unless you can snap the image and push it through the signing authority fast enough that you couldn't reasonably claim anyone had time to edit it since the event.

Re:Wow

[HungryHobo]

then someone just extracts the public key, create a new hash for the edited image and stuff it in metadata.
this suffers from the same problem as copy protection, you have to give the user everything they need to create an arbitrary image and they will always be able to take the hardware apart.

Re:Wow

[Domini+Canes]

Mixing up a hodgepodge of cryptography-related words is no recipe for describing a good security system for securing anything.
Do you even understand what you've written in your two sentences?

Re:Wow

[mrmeval]

Yes you are correct. I was not thinking clearly.

Re:Wow

Please dont quote your faggot ass 4chan bullshit here.

Hmm??

[Jugalator]

What?

Is this a Canon-only feature, or on Nikon cameras too?

Re:Hmm??

[hedwards]

It's an addon that people have been able to get for Canon products for years. I'm not sure of the exact details, but IIRC it was a system that uses a separate memory card to store information for verifying that the image hasn't been altered. I haven't read anything about it recently, but the point of it was to deal with the problems of using digital cameras for the purposes of recording a crime scene and similar sites.

Nikon may make one, but I'm not aware of it if they do. The addon itself is fairly expensive and really only of interest to a small number of people. From my limited experience photos are often times admitted as evidence with just the assurance that it hasn't been manipulated. I don't endorse that view, I just know that judges do allow it in, not sure how long that's going to last.

Re:Hmm??

[lastomega7]

Nikon cameras do. There's an option to turn it on in the menus, but it's off by default. It even verifies the image in-camera, showing a symbol during image review if the image is authentic. And at this point it's looking a lot more useful than the Canon version, but who knows if some less attention-grabbing person/group has broken it?

_much_ police evidence by Canon

[fishbowl]

This could be a very big deal, if you can use it to establish reasonable doubt. *Many* police agencies use Canon. The traffic light and speeding cameras in Arizona are Canons. Of course, at your trial they will use the whole "controlled chain of custody" argument to say the images could not have been tampered with and the signing will be irrelevant, but who knows?

Re:_much_ police evidence by Canon

[mlts]

From what I've seen, usually images are vetted by people, either experts or others being asked by the judge, "Do you swear that these images are authentic?" An affirmative answer to this usually has more weight in our justice system than signatures and certificates, even though it is a lot harder to fake a cryptographic signature than lie under oath. A defense attorney would be rebutted by a prosecutor stating:

"These men swore an oath that this was the authentic image. Versus some random numeric mumbo-jumbo of stuff that can say an image is wrong even when it looks exactly the same to the eye."

If you are lucky, the jury might be clued enough to consider that reasonable doubt. However, most likely the jurors won't be computer savvy. They likely will not know the difference between a PKI system versus a ROT-13 encrypted message and their eyes will glaze over if presented with technical encryption details.

Convincing Joe Sixpack of something takes a different way of thinking than persuading an educated /. person who has a clue about cryptography and knows the difference between actual security versus theater.

Re:_much_ police evidence by Canon

[fishbowl]

But they *do* use that "numeric mumbo jumbo" as evidence, already. Juries are already instructed as to its acceptability. This is no hypothetical consideration.

Re:_much_ police evidence by Canon

[MrEricSir]

So when the traffic ticket arrives at my house showing Osama Bin Laden and Bill Clinton blowing a red light while eating Big Macs, I'll assume it was a fake next time instead of paying the ticket.

Re:_much_ police evidence by Canon

[F.Ultra]

Exactly. I don't really understand what this "security" measure is supposed to solve. So we know (if the system hadn't been compromised) that the picture in question has been taken with this specific camera. So what? It does not authenticate what I recorded, only the recording so the picture can be staged any way I like before I press the button and the camera signs the picture. Well, I guess that they are trying to protect aganst "they photoshopped the picture" but you can of course photoshop it and then recapture it, so whats the deal?

Re:_much_ police evidence by Canon

usually images are vetted by people, either experts or others being asked by the judge, "Do you swear that these images are authentic?"

"Well, I'll swear it looked pretty good when I put it together in Photoshop and ran signpicture.exe on it... err, I mean, yes your honor, those are the authentic images, you can see that from the signature right there."

Re:_much_ police evidence by Canon

[phyrexianshaw.ca]

I think you mean: "Juries are already instructed as to its acceptability in a few courts in the USA. totaling less than 1% of the global courts"

most of the way around the world: you can't instruct a juror in ANY WAY. it's up to them to decide based on what the two sides have to say.

Re:_much_ police evidence by Canon

Wouldn't that be implying that you were with them in the car, or at the very least, that they stole your car?

Re:_much_ police evidence by Canon

[John+Hasler]

most of the way around the world: you can't instruct a juror in ANY WAY.

Jury "instructions" are not enforceable in any way.

it's up to them to decide based on what the two sides have to say.

Yes, that's how it works in the USA.

Re:_much_ police evidence by Canon

[John+Hasler]

The "deal" is that only the photographer has an opportunity to "photoshop" it (and it isn't easy for him). The homicide detective can't alter them even if he does carry them around in his jacket pocket all weekend.

Re:_much_ police evidence by Canon

[fluffy99]

No they want the courts to recognize pictures taken with a camera using XXX digital security without question. Much in the same manner that courts have set a precedence of blindly believing radar guns to be infallible (when we know scientifically that they are not).

This "feature" should came as no surprise...

[Lead+Butthead]

considering that scanners and photo copier have had firmware coded to look for currency for some time.

Re:This "feature" should came as no surprise...

Which is...completely unrelated to the article. You might consider reading the summary, or even the headline.

What kind of proof was this supposed to be anyway?

[igreaterthanu]

With TPM chips being cracked previously, after apparently being tamper-proof, even if they implemented it using an algorithm that was suitable for the job (i.e. not use SHA but ECC or RSA) it would still be possible to get the signing key. It's flawed in the same way DRM is flawed, you can't give someone else the key and not give them the key at the same time.

Re:What kind of proof was this supposed to be anyw

[Ungrounded+Lightning]

It's flawed in the same way DRM is flawed, you can't give someone else the key and not give them the key at the same time.

You also can't give everyone the same key without the cracking of one person's device cracking everybody's device. B-b

The key that can be extracted

[blair1q]

...is not a secret key.

Re:The key that can be extracted

A key that was once thought to be unextractable, was referred to as a secret key. Now that it can be extracted, it can no longer be called secret key. At the worst it can be referred to as, the key that was once upon a time a secret.

Re:The key that can be extracted

[meloneg]

Like this?

Re:The key that can be extracted

[Bigjeff5]

It's not extracted from the signature, dumbass, it's extracted from the private key holder - the camera.

The security in the camera was weak. If you can get your hands on the actual private key it doesn't matter how good your hash algorithm is, it can be repeated till the cows come home.

Re:The key that can be extracted

[GroovinWithMrBloe]

*whoosh* That was his point.

Free Dmitry Sklyarov!

[paulproteus]

At the time of his arrest, Dmitry Sklyarov was a 27-year-old Russian citizen, Ph.D. student, cryptographer and father of two small children (a 2-1/2 year old son, and a 3-month-old daughter).

Dmitry helped create the Advanced eBook Processor (AEBPR) software for his Russian employer Elcomsoft. According to the company's website, the software permits eBook owners to translate from Adobe's secure eBook format into the more common Portable Document Format (PDF). The software only works on legitimately purchased eBooks. It has been used by blind people to read otherwise-inaccessible PDF user's manuals, and by people who want to move an eBook from one computer to another (just like anyone can move a music CD from the home player to a portable or car).

Dmitry was arrested July 17, 2001 in Las Vegas, NV, at the behest of Adobe Systems, according to the DOJ complaint, and charged with distributing a product designed to circumvent copyright protection measures (the AEBPR). He was eventually released on $50,000 bail and restricted to California. In December 2001, was permitted to return home to Russia with his family. Charges have not been dropped, and he remains subject to prosecution in the US.

Although Dmitry is home now, the case against Elcomsoft is continuing (to the detriment of the company), Dmitry's actions in Russia are controlled by a US court, and DMCA is still the law (to the detriment of everyone). This site will carry updates as they come...

Source: http://www.freesklyarov.org/ (for those who don't remember 2001's Defcon incident)

Re:Free Dmitry Sklyarov!

[iammani]

Thats really old news, and no one seems to have cared enough to update the website. Here are some updates...
"The charges against Sklyarov were later dropped in exchange for his testimony. He was allowed to return to Russia on December 13, 2001. On December 18, 2002 following a two-week trial in San Jose, California, a jury found that Elcomsoft had not wilfully violated the U.S. law." -- wikipedia

Re:Free Dmitry Sklyarov!

And FYI:

If you see "Free Sklyarov" and think "Free Mitnick", don't. Sklyarov deserves way more respect than Mitnick. Completely different "crimes", completely different circumstances. Mitnick is a grey scenario; Sklyarov definitly deserves your support.

Re:Free Dmitry Sklyarov!

[Bigjeff5]

That was for Adobe.

This is Canon.

Dumbass.

I think alot of the cameras are video now as a pht

[Joe+The+Dragon]

I think alot of the cameras are video now as a photo is poor next to have a video of you not stopping for the red light.

Anonymous Coward Fail

[Chuck+Chunder]

That doesn't seem particularly relevant, the main problem here is that everything required to do the signing can be extracted from of the camera.

It's a simple necessity that, regardless of precisely how the signature is generated, all the information required to generate signatures is inside the camera and someone with the desire and resources can pull it out.

I think the only protection would be each camera having a unique key and being constructed in such a fashion so that getting at the crypto information and functionality requires taking the camera apart in a tamper evident and non-reversible fashion.

Then proof would consist of the the signed photos and verification that the corresponding camera is still intact and functional.

Re:Anonymous Coward Fail

[meloneg]

So, I can invalidate your evidence by taking a swing at your camera? Days, or weeks, after you took the incriminating pictures and copied them to another medium?

Methinks you need to think that through a bit more.

Re:Anonymous Coward Fail

[pclminion]

No matter how you design the camera the system is not secure. The entire concept is, in fact, impossible to implement. All I need to do is take a picture, retouch it however I want, then project it back into the camera using a high-quality lens system.

Re:Anonymous Coward Fail

[marcello_dl]

cool but a camera equipped with autofocus and exposure and white balance surely can detect you're feeding it a fake, if it checks for it of course. Unless of course you completely reverse engineer the camera and simulate the effects of adjustments in the projected scam, which if the camera employed fuzzy logic is not doable.

Maybe a partial retouch over a genuine scene is feasible, but its usefulness is kinda limited.

Re:Anonymous Coward Fail

No matter how you design the camera the system is not secure. The entire concept is, in fact, impossible to implement. All I need to do is take a picture, retouch it however I want, then project it back into the camera using a high-quality lens system.

I'm sure that it would be exceptionally hard to do that well enough that a *very* skilled expert- were this important enough to get them involved- couldn't spot at least some tell-tale signs.

After all, you're taking a photograph of a photograph, and it's going to be very difficult to make it look *absolutely* like a direct photograph of the original scene.

Re:Anonymous Coward Fail

[thegarbz]

Yes and no. I'm willing to bet that this being the equivalent of the analogue hole will actually show up quite horribly in the resulting picture. Remember the originals are the verified files so you'd need to project the image at a resolution such that the high resolution sensors won't see it as a screen.

Furthermore there's issues with all pictures laid out in a grid, such as from a digital project or a computer screen. Even if you had a very high resolution system to project the image back into the camera the result will be a nasty moiré pattern. I don't think you'd be able to pull this off convincingly as all faults in the picture taking process (crap lens, camera shake, missed focus) present very specific and easily identifiable image patterns. I doubt such a perfect lens projection system is possible.

Re:Anonymous Coward Fail

[pclminion]

A sub-micron stage could probably be used to position the camera to line up the projected pixels exactly on top of the CCD elements. I bet you could do well enough to make it impossible to tell by anyone but the most seasoned expert in photoanalysis. And if you need to call in an expert, that same expert will quite easily be able to determine that the image has been retouched. Which, again, makes the entire system quite a waste of time.

Re:Anonymous Coward Fail

[xded]

using a high-quality lens system.

Quality alone will give you nothing. You will have to look into the actual type of the lens setup. And what you need here is a process lens (sorry, no Wikipedia entry on that). But even supposing you get the optical setup in shape, then you need a >10Mpixel screen and you need to align it. Supposing you get it and you align it, then you're left with a nice moiré pattern due to other non-linear distortions like shear and barrel. And you need to find an optical way to compensate for them.

Or, you reverse engineer the software. Or, the hardware.

And, guess what, the two latter options are the most likely to succeed.

Watch yourself from going iPhone DSLR all the way. Optics is though stuff, even if it doesn't look like so.

Re:Anonymous Coward Fail

[Chuck+Chunder]

All I need to do

All you need to do? That doesn't exactly sound easy, especially if EXIF type data is included in the signed data as you'd not only have to project the image correctly but have the camera using settings that are reasonable for the real image.

Any evidence is fakeable, you could assemble custom DNA strands if you wanted to and had sufficient resources.

I think there's a big difference between faking something in an entirely digital fashion and having to undergo difficult physical actions.

Re:Anonymous Coward Fail

[dgatwood]

Just turn the gain all the way down, then rip the CCD off the board and emulate it with an FPGA.

Re:Anonymous Coward Fail

[pclminion]

You sound like you're much more familiar with optics than me, though I have a bunch of experience on the digital (DSP) side which might assist me. At any rate, whether there is moire or not (I'd call it aliasing and/or nonlinear distortion, not "moire" but I get your point), the produced image will be properly signed by the camera. If the digital signature is to be used as some sort of proof-positive of authenticity, then whoever consumes that image should assume it is authentic.

Of course, the image is manipulated, and that might be discovered by examination. Which means the digital signature itself is of no use in authenticating the image -- and if that's the case, why bother having it? That's really my point. This system seems mostly useless to me.

Re:Anonymous Coward Fail

[thegarbz]

I still think you'll get moire effect unless you'll be able to project it at incredible resolutions surpassing that of the sensor, or the exact resolution of the sensor and perfect alignment. This is the downside of lining up two grids, one in the projector the other in the sensor. I'm not sure if the Beyer pattern layout of the pixels will be against you here too, but in any case I think it is currently completely technically infeasible.

I think you may actually be better of making a large chemical print of the retouched photo and then photographing that with some incredibly uniform lighting. That gets around the technical problems of needing ultra high res sensor and perfect alignment. The only remaining issue is the colour of the print. Given you can't retouch the photo the second time the print would need to be perfectly printed and lit.

Re:Anonymous Coward Fail

[locketine]

If the camera has a clock that is only set at the factory then the timestamp would be wrong as would the gps position if the camera is equipped with a GPS. Saying something is impossible often means one simply hasn't thought of a way to do it yet.

Re:Anonymous Coward Fail

[pclminion]

Touche. One of my personal mottos is "You can't achieve what you have already decided is impossible." Thanks for reminding me of it -- however, there is sufficient doubt in the potential of the current system to, in my mind, render it completely invalid from the standpoint of authentication.

Re:Anonymous Coward Fail

[dissy]

I was just thinking along those lines, for if they actually made the key unextractable.

One could emulate the CCD with an FPGA to feed it any image.

For the location data, you just spoof the low grade GPS signals from a few transmitters.
As far as I am aware, only the higher precision military code is encrypted/signed to prevent spoofing.

I would imagine they also get the time data from the same GPS signal. If so it will be adjusted along with the location.
If they use some high precision clock source that's internal (yet can't be synced with anything or manually changed), one could still time stamp a picture in the future just not in the past, simply by waiting.

The best way to go about doing this is prevent the camera from being opened without damage.
Private key in RAM, with the battery mounted in such a way that it loses contact if the casing is disturbed.

ROM chips can be sanded down and with a microscope mapped out in 3d, then have its data reconstructed. So a second key (or a part of a key that needs combined with the part in the ram chip above) could be encoded in the CPU chip itself. Makes it a lot harder to extract this way.

There really isn't a way to make extracting the key impossible. All one can hope for is slowing someone down.
If they make the cameras expire before the time it would take to get the key, it would work, but wow would that be expensive!

There are a few dangerously destructive ways I can think of to protect a chip, but I would fear the damage it would cause if someone triggered it, or it went off accidentally or by mistake. Plus I doubt it would be legal to put thermite in one ;}

Re:Anonymous Coward Fail

[finglenark]

No matter how you design the camera the system is not secure. The entire concept is, in fact, impossible to implement. All I need to do is take a picture, retouch it however I want, then project it back into the camera using a high-quality lens system.

Yes in principle, you control the camera's environment so you control all the incident light, but other replies suggest it would be hard in practice. The real question is this: would it be more or less effort than obtaining the master key via a bribery/blackmail/infiltration/intimidation/ninja attack against cannon ?

Re:Anonymous Coward Fail

[slick7]

No matter how you design the camera the system is not secure. The entire concept is, in fact, impossible to implement. All I need to do is take a picture, retouch it however I want, then project it back into the camera using a high-quality lens system.

I hope Assange realizes this. The only way photos are truly verifiable are those taken on film, which for the most part is extinct.

Re:Anonymous Coward Fail

[dgatwood]

You don't even need to spoof the GPS signals. Just spoof the response from the GPS receiver. Most high-end cameras don't have built-in GPS receivers anyway (much to my dismay), so you end up using an external USB-based GPS receiver. It looks suspiciously like a serial port.... And even if you have a camera that does have integrated GPS, if you're going to the trouble to desolder a CCD, you can remove a GPS chip just as easily.

Re:Anonymous Coward Fail

[Firehed]

I can get fake evidence on film just as easily as I can get it on a CCD. Just print out the retouched version and take a photo of said print. This has been pointed out several times already though I think others are overcomplicating matters, claiming that you need perfect alignment and lighting. But as long as people don't know what the original looked like (and if they do, the fake won't work), none of that matters as long as a viewer can't tell it's a photo of a photo instead of an actual scene.

Re:Anonymous Coward Fail

[locketine]

I totally agree that their current system is compromised. I just think that someone really needs to step up and design a well thought out digital signature system for images before they become completely irrelevant as legal documents. It looks like cannon tried but fell short of that goal.

Re:Anonymous Coward Fail

[suutar]

If you can get physical access to the camera, yeah. There's no way to make it both so that the guy taking the picture can't fake it and nobody else can cast doubt on the authenticity. (Which I guess means there's no way to guarantee that nobody can cast doubt on the authenticity :) This at least would help guarantee that if the camera _is_ in good shape, the photos it generated are legit.

Re:Anonymous Coward Fail

[AmiMoJo]

There are CPUs designed to do what you suggest readily available. Most are ARM based and have a special tamper-proof on-board memory for storing private keys. They do all sorts of things to prevent anyone getting the key, including self-destructing memory that wipes if you try to remove the chip's casing around it or scan it with an electron microscope. Naturally program code is also encrypted to prevent you writing a program that reads out the key and replacing the devices firmware.

Even these systems are not 100% effective. You could, for example, replace the CCD sensor with an FPGA that feeds the CPU your modified image when it thinks it is taking a photo. As you say it is basically impossible to be 100% secure but there are some really good systems out there that make it extremely difficult and expensive to do.

One thing I don't understand, so maybe someone can help: How were analogue or ordinary digital photos ever admissable as evidence when they are clearly very easy to fake? For 100 years or more photos have been used in trials without any real way proving their authenticity. It wouldn't be hard to plant evidence and then photgraph it at the crime scene. For that matter what about fingerprints? The police have millions on file and planting fakes is not difficult.

Re:What kind of proof was this supposed to be anyw

[mlts]

Cracking one chip doesn't mean that they all are cracked. The concept is sound, and all it takes is another rev of the chip to have better anti-tamper protection. For example, one cryptographic token maker, someone had a website about being able to use hot water to pop the case in two for access to the chip. They (IIRC) learned their lesson and started using poured epoxy with no seams before putting the case on. None of their newer tokens have been cracked, as far as I know.

Right now, TPM chips have no physical protection, it is even stated prominently on sites that this is the case. However, eventually they will end up going the route of HDCP chips, and being epoxy-blobbed to the motherboard and/or put in a more tamper resistant package.

How did courts do it in the old days?

[davidwr]

They relied on chains of custody and affidavits by the photographer, that's how.

Re:How did courts do it in the old days?

[0123456]

They relied on chains of custody and affidavits by the photographer, that's how.

And it was a fsckload harder to fake photographs in those days.

There was a news story in the UK a couple of years ago about someone who was taken to court and the photograph produced as evidence was proven to have been faked. I think it was a only a parking fine so probably faked by a private company or some council employee, but I forget the details.

Re:How did courts do it in the old days?

And it was a fsckload harder to fake photographs in those days.

Or, you know, not. Ever been in a darkroom? The manipulations available in Photoshop are a poor approximation, and there are no algorithmic (or cryptographic) breadcrumbs to follow when attempting to prove .

Or did you mean "those days" as in "digital, but not signed digital?"

Humorous Summary

[mpapet]

What Canon can do?

-With current available models nothing
-With future models blah... blah... blah...
-Hire people who really understands security

Having been on that side of the industry, there's no way Canon's putting a smart card chip in camera. Why? Cost mostly. And then there's the significant problem of communicating from the camera OS to the smart card chip. And then there's the significant increase in the cost of manufacturing.

They aren't going to hire anyone either. This decision was made long ago and the constraints are still cost and calendar. Both extraordinarily tight.

Canon will generally defame Skylarov to any agency that feigns interest and be generally dishonest about the whole thing.

Re:Humorous Summary

[jack2000]

Claim some bullshit law and then gitmo the hacker, it's what's popular these days.

Re:Humorous Summary

[fishbowl]

Cost? We're talking about D-model Canons. They are breathtakingly expensive and that's just the barrier to entry so that you can use the even more breathtakingly expensive L-series lenses (which is the point of buying into the Canon system.)

Re:Humorous Summary

After the last time he did something like this, I don't think he'll be dumb enough to come back to the US.

Re:Humorous Summary

[Rich0]

Uh, I think my 450D supports the image authenticity checks, although I don't know if Canon uses a different system in their higher-end cameras. Sure, any DSLR is going to be moderately expensive, but $500 isn't exactly massive in cost.

Also - any camera that supports EF-mount lenses will support the latest-and-greatest L-series lenses. You don't need a $2k camera to use a $2k lens. Their bottom-of-the-line $500 DSLR body will work just fine with them (and the cheaper ones also support the EF-S lenses - one or two of which are L-level quality for a lot less cost, but for marketing reasons they won't put an EF-S lens in that series since the people with the $2k cameras that don't support them would feel left out).

Finally, there are lots of half-decent lenses out there that don't have the red band on them. Sure, the L-lenses are certainly nice, but you can do quite fine with a lot less.

Re:Humorous Summary

[Bigjeff5]

Skylarov has experience with such things, Adobe tried to use the DMCA on him. Who knows if they would have been ultimately successful, instead of going to trial they settled for his expert testimony in another copyright case.

It obviously didn't put him off cracking these things, so he's probably not too worried.

The fact that in the past he has been used as an expert witness in the field of encryption circumvention by an industry giant makes it tough to discredit him with respect to his expertise on the subject.

The PhD helps too.

Re:Humorous Summary

[Bigjeff5]

Oh please, they are $3500 cameras. That's mid-range professional equipment, not "breathtakingly expensive" gear.

Yeah, it's a hella-expensive camera to be taking your vacation photos with, but for "breathtakingly expensive" check out some of the $20k medium-format dslr's, or the $40k large-format Hasselblads.

Those are breathtakingly expensive cameras. Hell the first 39mp large-format digital back for Hasselblad's V series was $40,000, and that didn't include the camera body!

A $3500 Canon is expensive, but not breathtakingly so.

For forensic evidence

[countertrolling]

Aren't they using cards that can only be written once? How about going back to using mini CDs?

Re:For forensic evidence

[Bigjeff5]

That doesn't matter. If you can read the area where the private key is stored you can duplicate the signature process and produce another (falsely) verifiable image without the use of the camera.

That's the problem. The authentication process is (practically speaking) unbreakable once it leaves the camera. However, if the camera itself can be broken into and the private key copied, then the most secure authentication process in the world won't prevent a false authentication.

That's the problem with Canon's system. It's not the signature that is the problem, it's the camera that is the problem.

Fine, publish the picture, encrypted

[davidwr]

Where legal certainty is required

Publish the original picture encrypted with the photographer's PUBLIC key in a public place or file it with 5 different legal firms. Only the photographer can decrypt it, at least for the time being (*cough*quantumcomputer*cough*).

Then using an independent set of hardware/software have the photographer retrieve the encrypted copy, decrypt it, print it out with the meta-data in human-readable form and a signed digest in a human-readable form, attach a human-readable affidavit saying "I took this photo at this date and location and the metadata is true and accurate" and have him store that with his files. Have witnesses if it's that important.

If there are any questions then the affidavit and printouts should authenticate the original.

For things that won't go to court

For things that won't go to court such as your newspaper that is trying to enforce professional integrity, you don't need this level of trust. For those cases just have the photographer take today's images and append meta-data to each one consisting of a digitally signed signed digest of the photograph and a digitally signed statement describing the circumstances of the photograph, e.g. "Joe Smith, December 2 Acme Hardware Store Grand Opening, for The Village News." Sure, it won't stop fraudulent use of "unprotected" pictures but it will deter re-use of pictures that are "protected."

Couple this with every news and stock photo agency putting similar "signed histories" on all of their existing works and publishing the digests of the digests, it will make it very very difficult for someone to re-use a several-year-old photo in an illustration and take credit for it without a big risk of being caught.

Re:Fine, publish the picture, encrypted

[EvanED]

Publish the original picture encrypted with the photographer's PUBLIC key in a public place or file it with 5 different legal firms. Then using an independent set of hardware/software have the photographer retrieve the encrypted copy, decrypt it, print it out with the meta-data in human-readable form and a signed digest in a human-readable form, attach a human-readable affidavit saying "I took this photo at this date and location and the metadata is true and accurate" and have him store that with his files. Have witnesses if it's that important.

You're missing the point. Filing with 5 different legal firms, encrypting it, etc.; all that doesn't help very much. If the point is to establish that a picture is unaltered and the way to get around that is "alter it before sending it to everyone" you haven't done much -- about the only thing you've protected against is people deciding later that they want to alter it, or knowing that they want to alter it but don't yet know how. Those are worthwhile things to protect against, but that still seems like it is locking half of a set of double doors. You still want to lock the other one. (In real life it might be more, say, 95% of the double doors.)

Reducing the trust in a system -- in this case, eliminating the trust of the police photographer -- is probably worthwhile.

Re:Fine, publish the picture, encrypted

[Anthony+Mouse]

Then using an independent set of hardware/software have the photographer retrieve the encrypted copy, decrypt it, print it out with the meta-data in human-readable form and a signed digest in a human-readable form, attach a human-readable affidavit saying "I took this photo at this date and location and the metadata is true and accurate" and have him store that with his files. Have witnesses if it's that important.

But only the photographer's private key can read it. Which means that nobody else can verify. What stops the photographer from replacing the first step with "retrieve encrypted copy, discard, use encrypted copy of modified version"?

Re:What kind of proof was this supposed to be anyw

[NoSig]

In a certain sense you are right that you can't give people the key and not give them the key at the same time. In the same sense public key cryptography does not work because you are giving people the (private) key, just in a form (the public key) that isn't easily accessible. Yet, public key cryptography does work because accessing the private key from the public key is so difficult that it isn't worth the bother. In the same way, you can make cameras where extracting the key is so difficult that it isn't worth the bother. Especially if each individual camera has its own key.

Re:What kind of proof was this supposed to be anyw

The TPM is a joke when it comes to security processors. effective tamper detection and response are not possible at the price point TPMs in COTS PC's sell for.

Re:What kind of proof was this supposed to be anyw

[chrb]

Cracking one chip doesn't mean that they all are cracked.

Whilst it is true that future updates might be harder to crack, this doesn't diminish the impact of this particular hack - the image authentication on every Canon EOS camera that has already been sold is now untrustable, and can be challenged in court.

not just canon

[Chirs]

The equivalent glass from Nikon or Sony (formerlyMinolta) is also not cheap. Sigma/Tamron are a bit better, but often a step down in quality.

You want to talk breathtakingly expensive, look at Leica, or Hasselblad.

Re:What kind of proof was this supposed to be anyw

[Bigjeff5]

you can't give someone else the key and not give them the key at the same time.

You obviously don't know how one-way hashes work (encryption is a two-way or reversible hash, and what you said is true for encryption).

Can you take an MD5 checksum of a file and generate the file? Of course you can't. The checksum does not contain anywhere near the same amount of information as the file contains. But that checksum is a repeatable signature of that file, and you'll notice immediately if it has been tampered with even slightly, because the checksums won't match.

By the same token, if you take a 256bit hash of a photo, multiply it by a 256bit secret key, and take a 256bit hash of the resulting number, then the key does not exist in the resulting hash (we'd call it a signature now, because it is repeatable if you have the key and a copy of the raw image). Parts of the key may exist in the hash (it's quite possible none of the key made it into the final hash), but you took a 256bit hash of a 64kbit number, so 99% of the information wasn't used in the final signature, yet you still got a unique 256bit signature out of the process. In other words, you can't take a ten megabyte file, turn it into a one megabyte file, and expect to reproduce the ten megabyte file using only the one megabyte file and the algorithm used to get it that small. You can take the ten megabyte file and reproduce the one megabyte file all day long, but you can't go backwards. You've permanently lost information, and in the case of signatures, that is by design.

It's easy to take two keys and produce a third key that is unique (can only be generated by the two keys) yet does not actually contain the two keys used to generate it.

What these guys have done is actually get a hold of the private key (the public key is a hash of the image) from the camera. If you have the private key you can break any authentication system, no matter how good your algorithms are.

Re:What kind of proof was this supposed to be anyw

[Bigjeff5]

Bullshit.

The private key is never shared, and when you generate a hash from the private key, information in the key is lost making it impossible to reproduce.

If that were not true nobody would bother with encryption, because it would be immediately reversible.

You can always brute force decrypt a key, but it is very difficult. The process works by guessing what the private key is and generating a signature, then seeing if it matches the true signature. Do this enough times and you'll eventually find the private key. Since you are looking 3.4^38 possible combinations, though, anything beyond 128bits is impossible to brute force in a practical sense (you could do it, but it would take decades). In a few years that won't be true, which is why we already have 256bit and 512bit encryption algorithms, and work is always being done to create bigger and badder encryption algorithms, but it is true right now.

Again these work by guessing the key, the key itself is not contained in the signature. In fact the public key isn't even in the signature generally, but it is public so of course you have ready access to it (in this case the public key is a hash of the raw image).

The problem in this case is with the security of the camera. They key must be contained on the camera or the camera won't be able to create the initial signature. So these Russian blokes simply broke into the camera and stole the key. They warned Canon before they did this that there were serious flaws with the security of their cameras, but apparently Canon wasn't responsive enough, so they went ahead and broke into the camera, got the key, and generated a half dozen obviously faked photos that Canon's software verifies as legitimate.

Re:What kind of proof was this supposed to be anyw

[igreaterthanu]

you can't give someone else the key and not give them the key at the same time.

You obviously don't know how one-way hashes work (encryption is a two-way or reversible hash, and what you said is true for encryption).

I think you misunderstand me. My point is that for the camera to be able to perform said signing, the camera itself must contain the private key.

Any method of attempting to conceal that key is flawed once someone else (i.e. someone who purchased the camera) is in possession of it. It may be difficult to do, but it is by no means impossible.

Re:What kind of proof was this supposed to be anyw

[swillden]

With TPM chips being cracked previously, after apparently being tamper-proof

TPM chips were never claimed to be tamper-proof. One of the fundamental design assumptions was that they would not be secure against someone with access to the hardware. It's right in the documentation. This isn't because it's not possible to make it very hard to tamper with a chip, it's because it's expensive to make a strongly tamper-resistant device.

Of course, it probably is impossible to make a completely tamper-proof device, no matter how much money you put into it, but you can make it hard enough that it's extremely difficult/expensive to successfully tamper. If in addition to that you make the key inside each device unique, so that spending the money to successfully compromise one device ONLY compromises that device, you can achieve a very high level of security. But that's expensive and difficult, which is why the Trusted Computing specifications never even attempted to go there.

Re:What kind of proof was this supposed to be anyw

[NoSig]

You seem to believe that you disagree with me though your post makes it clear that you don't. It's a little strange.

Tamper proof typewriter?

Image and video are a bit more difficult to modify than written text, but especially now in digital times they can be forged and changed almost as easily. People really should give up the idea that they reflect reality anymore than some text that some guy wrote.

Whether you trust something to be authentic representation of certain situation should rely on other things than digital signatures. These problems are messy and we have been battling them with written text for ages. It's a question of trust and there are no easy solutions.

The authorities should not stand for this!

They should throw him in jail the next time he comes to America.

(A secret jail would be better)

am I missing something?

[vuffi_raa]

Is it that all he did was extract the signing key from the camera itself and insert it into exif data? If so, all you would need is any valid key and you could replace any metadata you wanted for anything you wanted with any number of utilities.