Please create an account to participate in the Slashdot moderation system


Forgot your password?

Canon's Image Verification System Cracked 118

TJNoffy writes "The H Security's H-online reports that 'Hacker Dmitry Sklyarov has succeeded in extracting the secret signing key from numerous digital SLR cameras and has used it to sign modified images which Canon's latest OSK-E3 security kit verifies as legitimate. Canon's Original Data Security System is intended to show whether changes have been made to photographs and to verify date and location information. The system is primarily used for ensuring the integrity of evidence, for reporting accidents and for construction records.'"
This discussion has been archived. No new comments can be posted.

Canon's Image Verification System Cracked

Comments Filter:
  • Wow (Score:5, Funny)

    by Monkeedude1212 ( 1560403 ) on Friday December 03, 2010 @05:58PM (#34438002) Journal

    I didn't even know such technology existed!

    I thought they just posted it on /b/ asking "reel or phake?"

    And they just tallied the number of "Photoshoped" responses versus the total responses.

    • by thue ( 121682 )

      I assume it is just a signed checksum of the main image, stored in the image metadata. If my guess is correct, the technology is well known.

      And if so, it is not a surprise that the private keys were extracted. Because you are giving the end-user the key inside the camera.

      • After reading the presentation [], I see that you're pretty much right. Each camera model has a different key, which is stored on the camera itself. This is then used to create a HMAC [].

        It doesn't even look like this was all that hard, since the key was so easily extracted. I agree with the conclusion in that presentation: Cannon needs to hire people who understand security, if they want this feature to mean anything.

        • by mrmeval ( 662166 )

          What idiocy. Couldn't they have used the same public key in every camera then encoded a hash and stuff it in metadata? They would control the secret key and their software would ship the image and metadata to them for validation. Or is that still too simple?

          • then someone just extracts the public key, create a new hash for the edited image and stuff it in metadata.
            this suffers from the same problem as copy protection, you have to give the user everything they need to create an arbitrary image and they will always be able to take the hardware apart.

          • Mixing up a hodgepodge of cryptography-related words is no recipe for describing a good security system for securing anything.
            Do you even understand what you've written in your two sentences?

        • unless you want to pass it through a third party(who can still only verify date and time it was passed through their servers) there's not much you can do on the camera that's foolproof.

          There's quite a large numbers of methods for detecting if an image is tampered or not though.
          Some of them rely on sensor noise in the camera, some on natural image statistics, some on looking for chromatic aberration or slight aberrations in how a particular camera model encodes an image.

          I studied this for my final year proje

    • I didn't even know such technology existed!

      I thought they just posted it on /b/ asking "reel or phake?"

      And they just tallied the number of "Photoshoped" responses versus the total responses.

      Yeah and what's even funnier is the sub-forum with Smiling Leo and Eating Keanu in all the backgrounds!

    • there's automated software that detects artifacts, also the compresion pattern passes software uses when making images, there was a guy calculating the lightsources from reflective spherical surfaces (including eyes), there's many ways.
  • What?

    Is this a Canon-only feature, or on Nikon cameras too?

    • It's an addon that people have been able to get for Canon products for years. I'm not sure of the exact details, but IIRC it was a system that uses a separate memory card to store information for verifying that the image hasn't been altered. I haven't read anything about it recently, but the point of it was to deal with the problems of using digital cameras for the purposes of recording a crime scene and similar sites.

      Nikon may make one, but I'm not aware of it if they do. The addon itself is fairly expe
    • Nikon cameras do. There's an option to turn it on in the menus, but it's off by default. It even verifies the image in-camera, showing a symbol during image review if the image is authentic. And at this point it's looking a lot more useful than the Canon version, but who knows if some less attention-grabbing person/group has broken it?
  • This could be a very big deal, if you can use it to establish reasonable doubt. *Many* police agencies use Canon. The traffic light and speeding cameras in Arizona are Canons. Of course, at your trial they will use the whole "controlled chain of custody" argument to say the images could not have been tampered with and the signing will be irrelevant, but who knows?

    • I think alot of the cameras are video now as a photo is poor next to have a video of you not stopping for the red light.

    • by mlts ( 1038732 ) * on Friday December 03, 2010 @06:47PM (#34438706)

      From what I've seen, usually images are vetted by people, either experts or others being asked by the judge, "Do you swear that these images are authentic?" An affirmative answer to this usually has more weight in our justice system than signatures and certificates, even though it is a lot harder to fake a cryptographic signature than lie under oath. A defense attorney would be rebutted by a prosecutor stating:

      "These men swore an oath that this was the authentic image. Versus some random numeric mumbo-jumbo of stuff that can say an image is wrong even when it looks exactly the same to the eye."

      If you are lucky, the jury might be clued enough to consider that reasonable doubt. However, most likely the jurors won't be computer savvy. They likely will not know the difference between a PKI system versus a ROT-13 encrypted message and their eyes will glaze over if presented with technical encryption details.

      Convincing Joe Sixpack of something takes a different way of thinking than persuading an educated /. person who has a clue about cryptography and knows the difference between actual security versus theater.

      • by fishbowl ( 7759 )

        But they *do* use that "numeric mumbo jumbo" as evidence, already. Juries are already instructed as to its acceptability. This is no hypothetical consideration.

        • I think you mean: "Juries are already instructed as to its acceptability in a few courts in the USA. totaling less than 1% of the global courts"

          most of the way around the world: you can't instruct a juror in ANY WAY. it's up to them to decide based on what the two sides have to say.
          • most of the way around the world: you can't instruct a juror in ANY WAY.

            Jury "instructions" are not enforceable in any way.

            it's up to them to decide based on what the two sides have to say.

            Yes, that's how it works in the USA.

      • Exactly. I don't really understand what this "security" measure is supposed to solve. So we know (if the system hadn't been compromised) that the picture in question has been taken with this specific camera. So what? It does not authenticate what I recorded, only the recording so the picture can be staged any way I like before I press the button and the camera signs the picture. Well, I guess that they are trying to protect aganst "they photoshopped the picture" but you can of course photoshop it and then
        • The "deal" is that only the photographer has an opportunity to "photoshop" it (and it isn't easy for him). The homicide detective can't alter them even if he does carry them around in his jacket pocket all weekend.

      • No they want the courts to recognize pictures taken with a camera using XXX digital security without question. Much in the same manner that courts have set a precedence of blindly believing radar guns to be infallible (when we know scientifically that they are not).

    • So when the traffic ticket arrives at my house showing Osama Bin Laden and Bill Clinton blowing a red light while eating Big Macs, I'll assume it was a fake next time instead of paying the ticket.

  • by igreaterthanu ( 1942456 ) * on Friday December 03, 2010 @06:09PM (#34438130)
    With TPM chips being cracked previously, after apparently being tamper-proof, even if they implemented it using an algorithm that was suitable for the job (i.e. not use SHA but ECC or RSA) it would still be possible to get the signing key. It's flawed in the same way DRM is flawed, you can't give someone else the key and not give them the key at the same time.
    • It's flawed in the same way DRM is flawed, you can't give someone else the key and not give them the key at the same time.

      You also can't give everyone the same key without the cracking of one person's device cracking everybody's device. B-b

    • by mlts ( 1038732 ) *

      Cracking one chip doesn't mean that they all are cracked. The concept is sound, and all it takes is another rev of the chip to have better anti-tamper protection. For example, one cryptographic token maker, someone had a website about being able to use hot water to pop the case in two for access to the chip. They (IIRC) learned their lesson and started using poured epoxy with no seams before putting the case on. None of their newer tokens have been cracked, as far as I know.

      Right now, TPM chips have no

      • by chrb ( 1083577 )

        Cracking one chip doesn't mean that they all are cracked.

        Whilst it is true that future updates might be harder to crack, this doesn't diminish the impact of this particular hack - the image authentication on every Canon EOS camera that has already been sold is now untrustable, and can be challenged in court.

    • by NoSig ( 1919688 )
      In a certain sense you are right that you can't give people the key and not give them the key at the same time. In the same sense public key cryptography does not work because you are giving people the (private) key, just in a form (the public key) that isn't easily accessible. Yet, public key cryptography does work because accessing the private key from the public key is so difficult that it isn't worth the bother. In the same way, you can make cameras where extracting the key is so difficult that it isn't
      • Bullshit.

        The private key is never shared, and when you generate a hash from the private key, information in the key is lost making it impossible to reproduce.

        If that were not true nobody would bother with encryption, because it would be immediately reversible.

        You can always brute force decrypt a key, but it is very difficult. The process works by guessing what the private key is and generating a signature, then seeing if it matches the true signature. Do this enough times and you'll eventually find the pr

        • by NoSig ( 1919688 )
          You seem to believe that you disagree with me though your post makes it clear that you don't. It's a little strange.
    • by Anonymous Coward

      The TPM is a joke when it comes to security processors. effective tamper detection and response are not possible at the price point TPMs in COTS PC's sell for.

    • you can't give someone else the key and not give them the key at the same time.

      You obviously don't know how one-way hashes work (encryption is a two-way or reversible hash, and what you said is true for encryption).

      Can you take an MD5 checksum of a file and generate the file? Of course you can't. The checksum does not contain anywhere near the same amount of information as the file contains. But that checksum is a repeatable signature of that file, and you'll notice immediately if it has been tampered with even slightly, because the checksums won't match.

      By the same token, if you t

      • you can't give someone else the key and not give them the key at the same time.

        You obviously don't know how one-way hashes work (encryption is a two-way or reversible hash, and what you said is true for encryption).

        I think you misunderstand me. My point is that for the camera to be able to perform said signing, the camera itself must contain the private key.

        Any method of attempting to conceal that key is flawed once someone else (i.e. someone who purchased the camera) is in possession of it. It may be difficult to do, but it is by no means impossible.

    • With TPM chips being cracked previously, after apparently being tamper-proof

      TPM chips were never claimed to be tamper-proof. One of the fundamental design assumptions was that they would not be secure against someone with access to the hardware. It's right in the documentation. This isn't because it's not possible to make it very hard to tamper with a chip, it's because it's expensive to make a strongly tamper-resistant device.

      Of course, it probably is impossible to make a completely tamper-proof device, no matter how much money you put into it, but you can make it hard enough

  • by blair1q ( 305137 ) on Friday December 03, 2010 @06:16PM (#34438254) Journal not a secret key.

    • It's not extracted from the signature, dumbass, it's extracted from the private key holder - the camera.

      The security in the camera was weak. If you can get your hands on the actual private key it doesn't matter how good your hash algorithm is, it can be repeated till the cows come home.

  • by paulproteus ( 112149 ) <slashdot@asheesh. o r g> on Friday December 03, 2010 @06:16PM (#34438256) Homepage

    At the time of his arrest, Dmitry Sklyarov was a 27-year-old Russian citizen, Ph.D. student, cryptographer and father of two small children (a 2-1/2 year old son, and a 3-month-old daughter).

    Dmitry helped create the Advanced eBook Processor (AEBPR) software for his Russian employer Elcomsoft. According to the company's website, the software permits eBook owners to translate from Adobe's secure eBook format into the more common Portable Document Format (PDF). The software only works on legitimately purchased eBooks. It has been used by blind people to read otherwise-inaccessible PDF user's manuals, and by people who want to move an eBook from one computer to another (just like anyone can move a music CD from the home player to a portable or car).

    Dmitry was arrested July 17, 2001 in Las Vegas, NV, at the behest of Adobe Systems, according to the DOJ complaint, and charged with distributing a product designed to circumvent copyright protection measures (the AEBPR). He was eventually released on $50,000 bail and restricted to California. In December 2001, was permitted to return home to Russia with his family. Charges have not been dropped, and he remains subject to prosecution in the US.

    Although Dmitry is home now, the case against Elcomsoft is continuing (to the detriment of the company), Dmitry's actions in Russia are controlled by a US court, and DMCA is still the law (to the detriment of everyone). This site will carry updates as they come...

    Source: [] (for those who don't remember 2001's Defcon incident)

    • by iammani ( 1392285 ) on Friday December 03, 2010 @06:27PM (#34438438)

      Thats really old news, and no one seems to have cared enough to update the website. Here are some updates...
      "The charges against Sklyarov were later dropped in exchange for his testimony. He was allowed to return to Russia on December 13, 2001. On December 18, 2002 following a two-week trial in San Jose, California, a jury found that Elcomsoft had not wilfully violated the U.S. law." -- wikipedia

  • They relied on chains of custody and affidavits by the photographer, that's how.

    • by 0123456 ( 636235 )

      They relied on chains of custody and affidavits by the photographer, that's how.

      And it was a fsckload harder to fake photographs in those days.

      There was a news story in the UK a couple of years ago about someone who was taken to court and the photograph produced as evidence was proven to have been faked. I think it was a only a parking fine so probably faked by a private company or some council employee, but I forget the details.

  • What Canon can do?

    -With current available models nothing
    -With future models blah... blah... blah...
    -Hire people who really understands security

    Having been on that side of the industry, there's no way Canon's putting a smart card chip in camera. Why? Cost mostly. And then there's the significant problem of communicating from the camera OS to the smart card chip. And then there's the significant increase in the cost of manufacturing.

    They aren't going to hire anyone either. This decision was made long ag

    • Claim some bullshit law and then gitmo the hacker, it's what's popular these days.
      • Skylarov has experience with such things, Adobe tried to use the DMCA on him. Who knows if they would have been ultimately successful, instead of going to trial they settled for his expert testimony in another copyright case.

        It obviously didn't put him off cracking these things, so he's probably not too worried.

        The fact that in the past he has been used as an expert witness in the field of encryption circumvention by an industry giant makes it tough to discredit him with respect to his expertise on the sub

    • by fishbowl ( 7759 )

      Cost? We're talking about D-model Canons. They are breathtakingly expensive and that's just the barrier to entry so that you can use the even more breathtakingly expensive L-series lenses (which is the point of buying into the Canon system.)

      • by Rich0 ( 548339 )

        Uh, I think my 450D supports the image authenticity checks, although I don't know if Canon uses a different system in their higher-end cameras. Sure, any DSLR is going to be moderately expensive, but $500 isn't exactly massive in cost.

        Also - any camera that supports EF-mount lenses will support the latest-and-greatest L-series lenses. You don't need a $2k camera to use a $2k lens. Their bottom-of-the-line $500 DSLR body will work just fine with them (and the cheaper ones also support the EF-S lenses - on

      • The equivalent glass from Nikon or Sony (formerlyMinolta) is also not cheap. Sigma/Tamron are a bit better, but often a step down in quality.

        You want to talk breathtakingly expensive, look at Leica, or Hasselblad.

      • Oh please, they are $3500 cameras. That's mid-range professional equipment, not "breathtakingly expensive" gear.

        Yeah, it's a hella-expensive camera to be taking your vacation photos with, but for "breathtakingly expensive" check out some of the $20k medium-format dslr's, or the $40k large-format Hasselblads.

        Those are breathtakingly expensive cameras. Hell the first 39mp large-format digital back for Hasselblad's V series was $40,000, and that didn't include the camera body!

        A $3500 Canon is expensive, but

  • Aren't they using cards that can only be written once? How about going back to using mini CDs?

    • That doesn't matter. If you can read the area where the private key is stored you can duplicate the signature process and produce another (falsely) verifiable image without the use of the camera.

      That's the problem. The authentication process is (practically speaking) unbreakable once it leaves the camera. However, if the camera itself can be broken into and the private key copied, then the most secure authentication process in the world won't prevent a false authentication.

      That's the problem with Canon's

  • Is it that all he did was extract the signing key from the camera itself and insert it into exif data? If so, all you would need is any valid key and you could replace any metadata you wanted for anything you wanted with any number of utilities.

God made the integers; all else is the work of Man. -- Kronecker