Slashdot Mirror

← Back to Stories (view on slashdot.org)

Canon's Image Verification System Cracked

Posted by Soulskill on from the picture-is-worth-a-thousand-lies dept.

TJNoffy writes "The H Security's H-online reports that 'Hacker Dmitry Sklyarov has succeeded in extracting the secret signing key from numerous digital SLR cameras and has used it to sign modified images which Canon's latest OSK-E3 security kit verifies as legitimate. Canon's Original Data Security System is intended to show whether changes have been made to photographs and to verify date and location information. The system is primarily used for ensuring the integrity of evidence, for reporting accidents and for construction records.'"

8 of 118 comments (clear)

  1. Wow by Monkeedude1212 · · Score: 5, Funny

    I didn't even know such technology existed!

    I thought they just posted it on /b/ asking "reel or phake?"

    And they just tallied the number of "Photoshoped" responses versus the total responses.

  2. What kind of proof was this supposed to be anyway? by igreaterthanu · · Score: 5, Insightful

    With TPM chips being cracked previously, after apparently being tamper-proof, even if they implemented it using an algorithm that was suitable for the job (i.e. not use SHA but ECC or RSA) it would still be possible to get the signing key. It's flawed in the same way DRM is flawed, you can't give someone else the key and not give them the key at the same time.

    --
    I dream of a nation where a man is not judged by his skin color but by an number assigned by a credit rating agency.
  3. Re:Cryptography FAIL by Myria · · Score: 4, Insightful

    Anyone who uses a hash, instead of something asymmetric like RSA, for "signing" doesn't know what they are on about. I would have hoped that Canon could afford better programmers.

    It doesn't matter; if you can extract the software inside the camera, you can do anything the camera does. It doesn't matter whether they use SHA, RSA, or ROT-13.

    The correct solution would be to put the key in a tamper-resistant hardware cryptographic processor, and secure the firmware on the camera against running unverified code. Canon did neither.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  4. The key that can be extracted by blair1q · · Score: 5, Insightful

    ...is not a secret key.

  5. Free Dmitry Sklyarov! by paulproteus · · Score: 4, Informative

    At the time of his arrest, Dmitry Sklyarov was a 27-year-old Russian citizen, Ph.D. student, cryptographer and father of two small children (a 2-1/2 year old son, and a 3-month-old daughter).

    Dmitry helped create the Advanced eBook Processor (AEBPR) software for his Russian employer Elcomsoft. According to the company's website, the software permits eBook owners to translate from Adobe's secure eBook format into the more common Portable Document Format (PDF). The software only works on legitimately purchased eBooks. It has been used by blind people to read otherwise-inaccessible PDF user's manuals, and by people who want to move an eBook from one computer to another (just like anyone can move a music CD from the home player to a portable or car).

    Dmitry was arrested July 17, 2001 in Las Vegas, NV, at the behest of Adobe Systems, according to the DOJ complaint, and charged with distributing a product designed to circumvent copyright protection measures (the AEBPR). He was eventually released on $50,000 bail and restricted to California. In December 2001, was permitted to return home to Russia with his family. Charges have not been dropped, and he remains subject to prosecution in the US.

    Although Dmitry is home now, the case against Elcomsoft is continuing (to the detriment of the company), Dmitry's actions in Russia are controlled by a US court, and DMCA is still the law (to the detriment of everyone). This site will carry updates as they come...

    Source: http://www.freesklyarov.org/ (for those who don't remember 2001's Defcon incident)

    --
    |/usr/games/fortune
    1. Re:Free Dmitry Sklyarov! by iammani · · Score: 5, Informative

      Thats really old news, and no one seems to have cared enough to update the website. Here are some updates...
      "The charges against Sklyarov were later dropped in exchange for his testimony. He was allowed to return to Russia on December 13, 2001. On December 18, 2002 following a two-week trial in San Jose, California, a jury found that Elcomsoft had not wilfully violated the U.S. law." -- wikipedia

  6. Re:_much_ police evidence by Canon by mlts · · Score: 3, Insightful

    From what I've seen, usually images are vetted by people, either experts or others being asked by the judge, "Do you swear that these images are authentic?" An affirmative answer to this usually has more weight in our justice system than signatures and certificates, even though it is a lot harder to fake a cryptographic signature than lie under oath. A defense attorney would be rebutted by a prosecutor stating:

    "These men swore an oath that this was the authentic image. Versus some random numeric mumbo-jumbo of stuff that can say an image is wrong even when it looks exactly the same to the eye."

    If you are lucky, the jury might be clued enough to consider that reasonable doubt. However, most likely the jurors won't be computer savvy. They likely will not know the difference between a PKI system versus a ROT-13 encrypted message and their eyes will glaze over if presented with technical encryption details.

    Convincing Joe Sixpack of something takes a different way of thinking than persuading an educated /. person who has a clue about cryptography and knows the difference between actual security versus theater.

  7. Re:Anonymous Coward Fail by pclminion · · Score: 4, Insightful

    No matter how you design the camera the system is not secure. The entire concept is, in fact, impossible to implement. All I need to do is take a picture, retouch it however I want, then project it back into the camera using a high-quality lens system.