Nikon's Image Authentication Insecure

silanea writes "Elcomsoft claims to have broken Nikon's Image Authentication system which — apparently only in theory — ensures that a photograph is authentic and not tampered with through a digital signature. They were able to extract the signing key from a camera and use it to have a modified image pass the software verification, rendering the rather expensive feature mostly marketed to law enforcement all but useless. So far Nikon has not given a statement. Canon's competing system was cracked by the same company last December."

This is great news

[gnick]

Whew - I've always hated having to wear a ski mask when I "work". Now I can just claim image tampering.

Right

[elsJake]

Not like anybody would've expected that ...no way ...

Re:

[RDW]

'Not like anybody would've expected that ...no way ...'

Especially given Nikon's less than stellar record with encrypting stuff previously. Remember the fuss about Nikon's white balance encryption a few years ago?:

http://it.slashdot.org/story/05/04/25/0511241/Adobe-Blasts-Nikons-Closed-File-Format [slashdot.org]

Adobe cut a deal with Nikon over this to avoid potential DMCA violations (Adobe Camera Raw uses some Nikon code to decrypt white balance), but everyone else just reverse-engineered Nikon's 'secret' key, which turned

The danger of these systems is they appear secure

[SuperKendall]

This is great news, because now people will be able to cast doubt on images when there is cause to instead of being told "it's not possible it's a fake, it's signed". You know that if someone cracked it publicly someone else (probably many someone else's) have cracked it in private, and have kept around the ability to forge photographs in case of emergency... that ability is now reduced.

Re:The danger of these systems is they appear secu

[roc97007]

I think the authorities will still say "it's not possible it's a fake, it's signed" and it'll be up to the victim (or the victim's lawyer) to know that the signage has been broken.

The last time I was stopped in a speed trap (on motorcycle), I knew it was coming up (they always put a speed trap in this particular construction zone on weekends because people ignore the temporary "35" signs 'cause there's nobody working on Sunday, but I digress) and had slowed way down before taking the turn, but was waved over anyway. I was pretty sure he'd tracked the (obviously faster) car one lane over instead of me, and said so. He said "the gun can't be wrong, I had a firm lock on you." I can see the stupid radar gun in his hand right there, and it's not like there's a scope on it, or even if he actually had me in crosshairs, that it could tell the difference between a slow moving object in the foreground and a much faster object in the background. I maintained that he could not possibly have locked on me, because he would have read 33 MPH, which is what my speedo was displaying at the time. I said it obviously had "locked" on the car that passed me shortly after the corner. The cop said that this was impossible, radar guns don't make that kind of mistake.

Well hell, there's a huge body of evidence that radar guns make "mistakes" all the time. I laid out exactly how the error could have occurred, he continued to insist that the gun can't make mistakes. I finally said "ok, whatever. We'll see what the judge says." He went away, talked to his cohorts for awhile, came back and issued me a "verbal warning", let me go. Now, I strongly suspect that if I'd acted like I knew nothing about the technical details of radar guns, I'd have gotten a ticket.

Re:

[Anonymous Coward]

Good on you for standing up for yourself! I know that police like to use Gatso 24 AUS-series doppler radar units around the 40kmh school zones in Australia.

The problem with this is that the Gatso operations manuals as well as the police operations guidelines say that these units are not to be used in zones signed less that 60kmh (they're unreliable at low speeds) except that nobody in the public would know this or even consider questioning them over it. Most people wouldn't even bother to ask the officer wh

Re:

[davester666]

I don't understand why you weren't tazered?

Re:

[roc97007]

It was a few years ago...

Re:

[Ginger Unicorn]

Question marks are for questions?

Re:

[Vegemeister]

Yes. Like the one you just asked.

Re:

[AmiMoJo]

It is well known in the UK that radar and lasers are not an accurate way to measure speed. In fact speed cameras only use it to decide if they are going to take a photo or not, the actual speed measurement being based on the distance travelled between two photos taken a fixed time apart. That is what the white lines on the road are for.

When they do use radar or laser measurements you can almost always get off in court. Many people find that simply pointing the speed gun at the judge and showing him the read

Re:

[roc97007]

I wasn't "trying to get out of a ticket". I wasn't guilty of the infraction of which I was accused. Have we really gotten to the point where professing innocence is a sign of guilt?

Re:

[pnutjam]

only the last part of your argument was correct, "let see what the judge says".

The racially ambiguous (not quite white, if you prefer) do not argue with cops...

Re:

[rolfwind]

This is great news, because now people will be able to cast doubt on images when there is cause to instead of being told "it's not possible it's a fake, it's signed". You know that if someone cracked it publicly someone else (probably many someone else's) have cracked it in private, and have kept around the ability to forge photographs in case of emergency... that ability is now reduced.

And yet corporations the world over are clamoring or have made this type of hacking, even on your own bought stuff, illega

Glitch in the Matrix?

[easyTree]

I'm getting a serious case of déjà vu...

Easy to fake

[jdbannon]

Just take a picture of the photo-shopped image with your Nikon camera. Bam! That was sure hard to crack.

Re:

[Gordo_1]

Ah yes, the ever present analog loophole. How soon before the camera manufacturers come up with a technology that prevents the digital signature from being applied to a picture when a large 2-dimensional plane parallel to the sensor is detected? And how long before some Julian Beever [wikipedia.org] wannabe finds a way around that?

Re:

[ThatsMyNick]

when a large 2-dimensional plane parallel to the sensor is detected?

You mean like a wall?

Re:

[petermgreen]

What I suspect he means is a device placed directly on the sensor to allow pixel perfect "fakes" to be applied to the sensor directly.

Re:

[ArundelCastle]

when a large 2-dimensional plane parallel to the sensor is detected?

You mean like a wall?

Yes, to photograph a wall authentically you'd need to purchase a special 2D camera with no depth of field.

Re:

[ProfessionalCookie]

Or you need a not-flat wall.

Re:

[jimicus]

I've already got one of those, it's called a macro lens.

Re:

[Alex Belits]

Yes! DRM'ed murals!

Re:

[Darinbob]

Then they'll jail you for breaking copyright!

Re:

[thegarbz]

I've heard this before, but how exactly do you propose to do this? Every image taken of a displayed medium be it paper under theoretical perfect lighting, or monitors with theoretical perfect backlight suffers quality issues that make it plainly bloody obvious that the picture was taken of a picture. There's no way around this for a few reasons.

Firstly the resolution of cameras will clearly show the defects in the material
Secondly the gamuts of printed paper and displays are smaller than those of the camera

Re:

[jdbannon]

I think you could do a pretty good job with a semi-pro ten color inkjet. The gamut will be near sRGB. You can upscale the image and blur a bit to kill moire. Reducing the camera capture resolution and compression quality a touch would further hide any defects. Most importantly, if you tell a courtroom "Look, the picture looks good and Nikon cameras make magic pictures that can't lie." They are going to say "OK!" not "Why don't we analyze the image gamut and maybe look for double vignetting or warping that

Re:

[thegarbz]

No I believe that any evidence that one party strongly believed is fake would go under intense scrutiny. There's always a chance people can take the image at face value. The clear indication in the above example is that the camera's dynamic range is waaay larger than that of even the best inkjet paper and under perfect conditions the image would look flat. (remember you can't touch up the picture in post to fix that one).

An expert would be able to tell. Heck post it on a photography forum and an amateur wou

Re:

[QuasiSteve]

The signing happens on a separate chip. This means that all you actually need to get a fictional piece of graphics to be signed is to fake being the device's sensor. This is well beyond the capabilities of the average Joe - but certainly not beyond technical capabilities.

The signing method itself being cracked, of course, puts the ability to get any image signed into the hands of said average Joe.

Re:

[thegarbz]

Oh indeed. No question about that :)

Re:

[Anonymous Coward]

And your signed exif data will show that the photo was taken with a macro lens focused 2 feet away.

Re:

[jdbannon]

This is a better objection. But as a rough plan, I'd put on a manual focus lens, and connect the circuitry to an auto-focus lens laid next to it. Tell the camera to focus into the distance, but focus your inline manual lens as you need to.

And... at this point it's easier probably to use the software crack. The point, though, is that next week there will be a new and "truly unbreakable" version of the software that closes whatever hole was found, but it sure seems like access to the hardware lets you defeat

Re:

[SharpFang]

I guess the digital signature contains date&time. Of course this would assume camera's internal clock can't be tampered with.

Worth 1K Words

[Nom du Keyboard]

So a picture is still worth a thousand words, but 999 of those words may be a lie.

Re:

[Archangel Michael]

The picture is okay. It is the cake that is a lie!

Nikon didn't learn from DRM

[NeutronCowboy]

Where every local implementation of DRM has been broken. Sure, they could require a working internet connection for every picture taken, but I'm pretty sure even the laziest corporate-boot-loving shopaholic would draw the line at buying a camera with such a "feature".

Re:

[owlstead]

The internet connection would not work either: it would replace the security problems with the signing key with the security problems of the authentication key :)

Re:

[0123456]

Basically it's impossible to do, because 'tamper-proof' hardware isn't. The only question is how hard you can make it.

And note that you don't actually have to get the key, if you could somehow hack into the feed from the CCD into the camera you could feed the fake picture in that way and have the camera sign it for you.

Re:

[fuzzyfuzzyfungus]

As long as the signing key is unique per-camera(which I would bloody well hope it is, for forensic purposes), "tamper-evident" is arguably good enough, and probably easier to approach(as with any hardware security measure, the approach to the ideal is more or less asymptotic, with price spiking to near infinity as you reach the goal).

If the camera is tamper-evident, anybody who suspects manipulation of photos ostensibly from that camera can attack the credibility of the camera on technical grounds, just

Re:

[0123456]

If it's unique per camera, you'd need to be able to prove that key is in that camera.

Re:

[Darinbob]

Just have it sign another picture to verify.

Re:

[Zerth]

And also prove you don't have a second camera that has been tampered with to have the same key as the untampered camera?

Re:

[Darinbob]

Presumably you have keys that can't be replaced, even if you can read them. This should be true if the company has a good handle on security. It also depends upon the level of security you require: protection against casual tampers, or protection against determined and well funded attacks, or most likely enough protection to pass the reasonable doubt test in court.

And this will be just one piece of evidence in a trial. If the camera is vetted by experts (ie, not this particular camera model) then it won'

Re:

[sjames]

Tamper evident would be awfully hard to manage, there are just too many ways the key could leak, including at the factory when it is generated (just think how much such a leaked key+camera might be worth to some people). You would also have to build in anti-tempest style shielding.

Re:

[dgatwood]

As others have mentioned there is no way to prove that a photo has not been doctored so long as it is possible to doctor it, compensate for lens distortion, print the photo out, and take a picture of the picture. Therefore, using this for tamper detection would inherently be prima facie worthless even if DRM weren't a fundamentally unsolvable problem.

That said, you're all missing the primary purpose of this image authentication. It's not to prove that a photo has not been doctored. It is to prove with a

Re:

[dgatwood]

Let me correct that slightly. When it bubbles down into the lower end models, that's how it will be used. For now, it's a proof of concept.

Re:

[fuzzyfuzzyfungus]

For that purpose, cryptographic signing would seem to be pretty useless: by design, the slightest modification to the file breaks the signature, and the signature is readily strippable. Signing is for people who want to prove that they did. Some variation of the various "fingerprinting" techniques that the Copy Cops have been trying on films and such would be what you would need to go after somebody who very much wants to hide their involvement in the chain.

In many cases, I suspect, the unique pattern of

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[owlstead]

It is unique per camera, it says so in the press release which I linked in a separate post. Unfortunately, I could not Google up any other details.

As in most problems regarding crypto, the usage scenario is rather important. For instance, I can imagine that editors of newspapers trust the photographer enough to keep the camera secure. In that case you can use the signature to verify that it was taken by the camera and photographer. That may not hold in court though, where the evidence is always suspect of d

Re:

[RDW]

'It is unique per camera, it says so in the press release which I linked in a separate post.'

I may be missing something, but I can't see this in the press release, so there may well just be a single key. However, every camera model with the image authentication feature also writes its (unencrypted) serial number to an EXIF tag. If image authentication had remained secure, you could have 'proved' which camera took the photo simply by reading the serial number from the metadata of an authenticated image (tamp

Re:

[obarel]

Well, they could require an internet connection for getting the pictures out of the camera.
Still, you'd have to place a very high value on authenticity (vs. convenience) to use it.

Possible algorithm:
1. Create a random symmetric key
2. Encrypt the picture using this key, and encrypt the key using the owner's public key
3. Create another random symmetric key
4. Encrypt the picture using (again) using this key, and encrypt the key using the company's public key

To extract:
1. You must send each picture to the compa

Re:

[obarel]

Replying to myself, but of course that wouldn't work...

The main problem is keeping the company's public key secure (otherwise I could just take any modified picture and follow the above). But that's impossible, as TFA proves...

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[RDW]

The cameras are actually standard models - all the recent pro and semi-pro models (D200 and up) support this feature, though it's off by default. Once you activate it in the camera's menu, any image you take can be 'authenticated' by the software, which goes for about $500 USD.

Re:

[RightSaidFred99]

Yeah, just look at that thriving Xbox 360 pirate game environment.

With enough effort any DRM can be broken somehow. The only thing the content owner has to do is ensure that it's difficult and/or expensive enough to not be worth it.

And in case you didn't read the..summary, the camera is supposed to help provide a chain of evidence. Not sure why anyone would put "feature" in double quotes and act like nobody would buy a camera that supports this.

Re:

[GameboyRMH]

That was my first thought, this is a stupid DRM-like idea. It's just a more complicated version of relying on a Word file's internal datestamps or a JPEG's EXIF metadata.

The only way an image auth system could work is if the camera had an always-on Internet connection that could send the time, the picture's hash, and the file size to a "hash server" (where you can't edit entries) and even the applications of that would be very limited - it could only prove that a picture existed at a certain time. If you fa

Does it really matter?

[e9th]

Has there ever been a case whose outcome depended on the authenticity of a digital image?

Re:

[mythosaz]

I'm going to go with "lots." ...you know, like every one that involved a "photo" or "video" taken in the last decade.

Re:

[e9th]

I'm aware of all the 'shopped images out there. What I am looking for is a trial where one side or other claimed that an image in evidence was altered to affect the outcome.

Yes

[Anonymous Coward]

Yes [dartmouth.edu]

Re:

[e9th]

Thanks. There was only one useful item there, involving Tom Sizemore's conviction for beating up Heidi Fleiss. His attorneys claimed a photo of her injuries was faked. The judge gave prosecutors 60 days to either prove it was real or produce the photographer. Unfortunately, his conviction is still being appealed, and searching for further news takes me to more celebrity news sites than I can take.

What this makes me think is that if the police produce an image of you doing evil, all they need to do is have

Re:

[AndersOSU]

and really, we're better off that way.

Photographic and video evidence are already incredibly compelling. We don't need some forensic expert telling the jury it can't be faked. We need the photographer telling the jury he didn't fake it.

Re:

[LordLucless]

There was also this:

August 2005: A magistrate in Sydney, Australia threw out a speeding case after the police said it had no evidence that an image from an automatic speed camera had not been doctored. This case revolved around the integrity of MD5, a digital signature algorithm, intended to prove that pictures have not been doctored after their recording. It is believed that this ruling may allow any driver caught by a speed camera to mount the same defense.

Re:

[0123456]

Has there ever been a case whose outcome depended on the authenticity of a digital image?

If I remember correclty, three or four years ago a driver in the UK got out of a fine because he was able to prove that the photo used as evidence was faked. I don't remember the details, I think he parked in a car park and they tried to claim he overstayed using a doctored photograph as evidence?

Blog entry is down: database error, press release

[owlstead]

Their press release can be found here:

http://www.elcomsoft.com/nikon.html [elcomsoft.com]

The press release does mention that you have to extract the key from the camera. If this is relatively easy then the system is totally broken. If it is not, you could create some kind of revocation list - but it would be the equivalent of a sloppy patch. Security is hard to accomplish, it does not surprise me that a camera manufacturer fails hardware protected signature creation.

One Key?

[John.P.Jones]

Disclaimer, I didn't RTFA.

Wouldn't each camera have its own signing key so all they could do is forge pictures from a single camera? They couldn't forge pictures from another camera without its key. Is there evidence of the key extraction left on the camera?

Re:

[Darinbob]

I haven't read the article, but much of this depends on who you're going to trust and who you suspect of tampering. Ie, if this is a surveillance camer in a bank, then you just have it securely mounted with tamper seals along with internal tamper protection; you trust the manufacturer to generate unique keys per camera when they sign a document claiming this is what they do; etc. This way when a defendant claims they weren't there and that the prosecutor doctored the photos, you have reasonable evidence t

Don't take my Kodachrome away

[NicknamesAreStupid]

Photographic film does not have this problem, though their prints can. Film contains a holographic image, albeit not like the dramatic ones you generally see. It has always been impossible to fake it.

Re:

[PopeRatzo]

Film contains a holographic image

I didn't know that. Can you point me to any information about this? I'm googling here and not coming up with anything about emulsion negatives containing holograms, but probably because I'm not formulating the search very well.

If you have any links I'd really appreciate it.

Re:

[adolf]

If you think of the emulsion layer as being a three-dimensional object that has some depth to it, instead of a two-dimensional plane with zero thickness, I believe that you'll find that it is obvious: It will not be exposed equally throughout that depth, and there will be definite and observable paths that the light has followed within the emulsion layer.

I don't know if I'd call it "holographic," just due to the confusion that the term itself presents in common use (as GP pointed out), but it seems like an

Re:

[PopeRatzo]

If you think of the emulsion layer as being a three-dimensional object that has some depth to it, instead of a two-dimensional plane with zero thickness

Thank you for giving me the opportunity to learn a little bit about what "holographic" means.

It's one of the countless areas in which I have been mostly ignorant. This is why I like reading Slashdot.

Re:

[adolf]

Naah. Thanks, to you, for raising the question.

I hadn't ever had a reason to think about it in this context until you questioned the issue. And since you did, I got to learn something myself. It happened to be immediately obvious to me, in my little pea-sized brain, and it seems my brief description has made it obvious to you as well.

But again, I'd never have thought of it if you weren't curious yourself. We both learned a bit.

Re:

[The13thSin]

Interesting, though I'm somewhat skeptical at the idea that any film at any iso has the resolution to actually retain any usable information from that. Also consider that when something is shot with a small aperture, all the light comes from pretty much one point (think about how lenses work) and even with a large aperture, the difference in direction is not spectacular. This makes me further doubt that film (especially in 35mm) could have any further information (that is detectable with any normal forensic

Re:

[$RANDOMLUSER]

"Kodachrome" is exactly right. I worked in a large (3M) film processing lab (factory, really) back in the early 70's. Probably once a week, the local sheriff or PD would have an officer come by with some SLIDE (chrome) FILM (typically autopsy or crime-scene photos) to process - they'd stand by and watch while their film was processed - maintaining the CHAIN OF CUSTODY [wikipedia.org] at all times, and requiring signatures from workers when the film was out of sight (like in a darkroom). They never had their slides mounted

Re:

[LaminatorX]

1) "Holographic" does not mean what you think it means.

2) There is a device called a film recorder which uses lasers to draw an image onto film from a digital file.
An expert might, be able to detect it examining the film under a microscope.

Re:

[MichaelSmith]

1) "Holographic" does not mean what you think it means.

My reading of that post is that the track made through the depth of the film should tell you something about the distance to the object being photographed and the optics being used. Makes sense to me. Film is never 2D

Re:

[pz]

Hmm. Interesting that you would say so. Positives were routinely retouched and then shot onto internegatives that were then re-shot onto a print. For a properly shot interneg, you cannot tell that it was not a shot of the original image (as opposed to a dupe).

so stupid

[holophrastic]

and what stops me from taking a real photograph of a fake photograph? snap, photoshop, print, snap.

no one cares if the "photograph" is real or fake. We care if the content of that photograph is real or fake. So unless they digitally sign the universe to match the photograph, they've done nothing.

not to mention, have people forgotten that there are other ways to fake a photograph than with photoshop? Ever heard of actors, sets, studios, and lighting? Glass paintings, forced perspective, and dry ice?

again,

Re:

[owlstead]

"and what stops me from taking a real photograph of a fake photograph? snap, photoshop, print, snap."

I'm pretty sure that you can't rule this out, but I also think that there are many ways of messing that up. Pixel artefacts, discolouring, stripes, loss of resolution, seems between separate parts of the picture etc. etc. may make life more difficult. And many printer/copiers even deliberately add water-signs or other identifying features (HP yellow dots for instance).

Re:

[holophrastic]

ok, skip the print. photograph of a monitor. certainly it's not as easy as not having to do it; but we're not talking about someone's vacation photos. we're talking about something worth money, and hence time to forge.

Re:

[holophrastic]

you can delete the meta data entirely, or save the image in a format that doesn't store meta data at all.

As for the 2d ccd sensor taknig a 2d photograph of a 2d image, in theory it's got to be perfectable.

Re:

[owlstead]

You will have to take multiple pictures and combine them, or you'll loose so much detail it is not funny anymore. Current monitors have really bad resolutions. You cannot use a IPS screen because you can easily see the raster around the pixels. You cannot use a TN screen because they suck.

I had to go out of my way to buy a somewhat decent 3200 x 1200 resolution (using two screens).

Re:

[starbuzz]

Also, EXIF data [wikipedia.org].

The image metadata should match all exposure settings suitable for the scene. This is difficult to achieve in reproduction.

Re:

[blueg3]

Elcomsoft? The Russian company Elcomsoft practically lives to violate the DMCA.

Re:

[Sloppy]

If you have the camera in question, then you can take photos for which you are the copyright holder. Then as the copyright holder, you can authorize yourself to bypass the technological measure that limits access (wait, this measure doesn't limit access) to your photo, which makes the activity not be "circumvention" (as DMCA defines that word).

So basically: no and no.

Re:

[webmistressrachel]

I find that the 20+ year-old 70-210mm f/3.5 that I got with my 2nd-hand Nikon D70s purchase provides everything from a wide enough angle for landscapes to close zooms for shooting police activity. This and the 5 or so frames per second forces me to feel exactly the same way - I don't care about any of the DRM/JPG crap not working or being "forgable" as long as they don't ever, ever take away my RAW - which isn't editable anyway as it's a one-way format like a hash - raw data from the sensor, tagged with the

Elcomsoft makes excessive demands

[Anonymous Coward]

I think Elcomsoft is too strict and too harsh versus the digicam vendors. It is not possible to design a secure device at all, if the private key is stored in the device. An adversary advanced enough will have superb lab gear, including a scanning tunneling electron microscope and can sort through the integrated circuits atom by atom, if necessary. The key will be retrieved eventually.

Even if that does not work, the attacker could monitor power consumption or other side channel signals to deduce the keys. I

Use smart cards!

[Anonymous Coward]

This is what you get for implementing your own crypto. My suggestion to both Nikon and Canon is to include an ISO-7816 ID-000 port in their cameras (more commonly known as the SIM slot in mobile phones) and support one of the well-defined standards for public key operations on smartcards (PKCS#11 for example).

This means they have far less pressure to build a robust cryptographic system as it is built-in to the many, many compliant and certified smartcards out there in the market. Instead they can concentrat

How many convictions

[sjames]

I wonder how many convictions (especially for redlight and speed cameras) have been made on the strength of the "unbreakable" signatures?

If none, then why do police waste their money on this? If not none, how many do you suppose will get even a cursory judicial review?