crypto photos

Canon sells this thing that purports to tell you whether a picture has been altered after it was taken: Data Verification Kit DVK-E2. Anyone know how this works?

The obvious way (to me) would be:

  • Crypto-hash the image and metadata;
  • Sign the hash with a private key that is baked into the camera hardware;
  • Store the hash and signature in a new jpeg block in the file.

Then anyone can verify the image by checking the hash and signature against the manufacturer's public key. The attack is that if you can peel the chip in any camera and get the private key, then you can generate fake photos forevermore.

But, their description on the web page makes it sound like the smarts are not in the camera, but in the CF card? This seems like a really strange way to do it. If the CF card is doing the signing (as files come in to its file system) then wouldn't the act of writing any old edited file to the card from a PC cause it to become signed?

A simpler attack is: take a photo; alter it; print it out; take a photo of that.

Tags: , ,

21 Responses:

  1. drreagan says:

    Not sure if it is the technique used with this particular piece of kit, but I read an article recently that looks at statistical analysis of the bitmap values and the variations within it for spotting digitally altered photographs.

  2. bitwise says:

    They claim to be able to detect single-bit errors, which to me says it's either a cryptographic hash (or they're lying).

    My guess is that they just decided to take advantage of the existence of all the new "secure" DRMed hardware companies are peddling to try to make it so that nobody can even read or write the special "secure" functions of the card except them. Not that that solves a useful problem-- the files will all be moved to a server or CD, right?

    Well, maybe not: maybe the card IS the permanent, verifiable version. Once a photo is taken off the card it's no longer verifiable. If a police department has to store and verify, say, crimescene photos, they need to store lots of proprietary "secure" digital cards. Which means they need to buy lots of cards...

  3. ciphergoth says:

    The signed record includes all the information about the shutter settings and so forth when the photo was taken. So you'd have to get it to focus at the right distance, which means blowing the picture up to the appropriate size. It could be quite expensive and difficult to really fool such a camera well. It could also take time to set up properly, which since the picture is timestamped could make certain frauds more difficult.

    • novalis says:

      No -- you just have to pass the right inputs to the signing chip. This is still much easier than peeling it to get at the baked-in private key.

      Also, you could probably just use a lens setup to make it think it was focusing at a larger distance than it in fact was.

      • ciphergoth says:

        I would imagine the entire camera is designed as a tamper-resistant enclosure, so getting the signing chip out without destroying the private key would take some time and care. For some frauds you might also need to put the camera together again without the tampering being evident, which would make it even more challenging.

        On the main theme of this article, the use of a special CF card and proprietary algorithms does indeed suggest that the security is low. It's pretty clear how you'd do this with PK.

  4. cirollo says:

    Canon has this page discussing the original version of the Data Verification Kit. They have this diagram:With the old version, you had to use their "IC Card," in the form factor of a credit card with a chip embedded in it. It looks like they took more-or-less the same device and packaged it into an SD-compatible card.So, you're right that the card generates a hash for the picture, as does the camera, and the two hashes are compared. Since the card doesn't seem to be tied to a particular camera body, I guess the private key has to be the same for every device, instead of having a unique private key for each camera (as a previous comment suggests).

    • jwz says:

      That's confusing -- if the camera generates a signature, I don't understand why a special card is needed at all...

      With the description in that diagram, it kinda sounds like there's no crypto going on at all. It sounds like the camera has a hash algorithm in it, and the card has the same hash algorithm in it, and the security lies in the fact that the algorithm is secret. Otherwise, there would be no need to use the card to generate the second hash: you could just use software for that. But by baking that software into a credit card, they make it harder to disassemble.

      So, maybe this is just security-through-obscurity snake oil.

      "It takes about 2.5 seconds to attach a code to the image in JPEG/fine mode"

      Damn that's slow!

      • cannibal says:

        Yes, it has to be a hash, and yes, somewhat snake oily. You must use their propietary SM cards, so you're talking tamper-resistant, not tamper-proof, because they're not publishing anything anywhere I can find about what algorithms they're using. Long discussion at

        One doc says you can put both a CF card and a SM card in the camera at once, and store the image on both, which it suggests increases security?? My guess is that the hash is stored on the SM card only no matter what, and there is no signing at all, if you were signing you wouldn't need special media, it is some mechanical/electronic feature to make the SM card tamper resistant. Best way of doing that IMHO would be to use WORM tech on an area of the card. Using proprietary hardware gives them a market advantage that they wouldn't get if they used a proven signing algorithm on the hash, because then you could verify any file, and people wouldn't have to buy only their cameras.

        I'll call this to Bruce Schneier's attention and see what he thinks. I hope they don't get ISO certification without publishing their algorithms, and letting some serious hardware hackers take a shot at the cards. Might be a good paper in breaking it.

      • harryh says:

        In terms of security I would think that a secret hash algorithm would be roughly equivilant to a secret private key that's stored on all the devices that deal with this thing.

        • jwz says:

          A secret algorithm is probably a bad algorithm, and subject to cryptanalysis that doesn't require chip-peeling. So it's likely to be cheaper to crack.

          • elisteran says:

            A secret hash function is equivalent to a private key. One way to model DES in codebook mode, for example, is as a large family of hash functions (the family would have 2^{56} members or so, one hash for each private key). The private key in DES simply selects which hash function to use.

            • jwz says:

              Yes, but if it's a bad hash function, then it's equivalent to a badly chosen private key. Think "weak PRNG."

      • quercus says:

        Slow? Sounds like a hash

    • bitwise says:

      Oh, OK: The card never goes in the camera; it's purely a PC peripheral. It's used strictly as a tamper-resistant hash verifier, so a user with a debugger can't get access to the algorithm. Strange.

    • cannibal says:

      No, that IC Card is a smart card. What they were actually storing on the smart card is an open question... was it just memory? Did it have the actual code for storing a private key? If so, why? Hmm... if I were a typically clueless vendor, I would use the smart card for storing a shared secret key, and "sign" all of the hashes with the same shared secret, using some awful algorithm like DES, or better yet, my own proprietary "encryption" that I came up with myself, because every programmer who isn't in the security business knows that "nobody else can break my encryption if I don't tell them what it is" (and I've never heard of obfuscation). Hmm, so the new SM card probably has the same shared secret on it, so all you have to do is figure out what that is. Maybe it is different for each SM card, more likely it is shared amoung all Canon products. I would think it would have to be for backward compatibility, because you couldn't put the old smart card in a camera. You could put the code on both the smart card and the SM card to do a hash verification operation, so the shared secret never leaves the card.

  5. gytterberg says:

    I want a camera with hash baked into it too.

  6. jesus_x says:

    Ok, from reading all the data available, and having some knowledge of law enforcement/forensic equipment, this is how it looks to me:

    Camera can use standard SD cards, which also work in any other SD compatible device, but ALSO can use their proprietary SM cards, which while in the same form factor, are not compatible with other SD devices, hence the need for the dedicated reader. Now, this proprietary memory allows the camera to store the image with the hash on the card, which is probably encrypted by the camera. The reader then decrypts the image when you load images off the card into the proprietary software (the reader is most likely not accessible without the special software). This keeps the file both encrypted, and the encryption/decryption algorithms outside the grasp of potential crackers using utilities like SoftICE or other debuggers.

    I agree the bit for bit verification is based on some hefty hashing functions, probably handled in the hardware of the reader as well. As for the cards, I can guarantee they're able to be erased and reused, but I agree the law enforcement folks will be encouraged to buy lots of them.

    The ability to verify the images probably is retained even once transferred off the cards until they're edited, obviously, but you'd have a hard time documenting the chain of custody, so you'd keep copies on the card until the case is over, and the images would be archived, and the card reused. You'd transfer copies of the images off of the card for use by detectives and labs and such, while leaving the image on the card for the chain of custody, and for double checking image integrity later (Is my copy still identical to the original?).

    As for faking, you could compare EXIF data to check camera stats (does it match with what they would have to be to take the image in question?), also, taking a picture of a picture is never as good as the original, so there very well could be telltale artifacts...

  7. unify says:

    It seems they're doing this for legal reasons, but why the assumption that only digital images can be altered? What's to stop someone taking pictures with a regular film camera, scanning the negative, modifying the image, and getting it printed out at a photo shop?

    • dvae says:

      The problems/solutions for detecting analog fakes have been around for (I'm guessing) 50 years. Digital camera's are new, and give the flexibility of the digital world, they are essentially less trustable.

      I'm no expert in foresics, but if I wanted to verify an analog picure here's what I'd do:
      1) get the negative, as without a negative there can be no claim to authenticity.
      2) Get the camera. Look for imperfections in the transport mechanism, see if the corresponding scratch exist on the negative. (Only useful on older camera).
      3) Analyse the grain structure of the print verses the expected grain structure of the file stock and the estimated lighting conditions. (Typically for copying images you use a slow film (ISO 50), but most originals are taken on faster film).
      4) Analyse the colour profile of the picture relative to the negative stock. (Each manufactures process and technologies has a different charactoristic colour space. Copying from one to another would have some effects.
      5) Looks for signs of digitisation. Film can have much higher resolution than film. Also digital artifacts, such as aliasing, can easily show up in a digital picture where there is high frequency detail.
      6) Look for JPEG artifacts (maybe the forger is stupid)

      • sjn says:

        Usually they have better luck by analyzing light and shadow and other such elements within the photo that are typically hard to reproduce accurately. With a modern film recorder, I can create a file that is indistinguishable from the real thing. The key is to create a file that is resolution equal to that the size film can carry. As well as making sure all of your edits carry the same grain as the original shot.

        IE: for a 4x5 transparency/neg you would create a file that is between 80-100 pixels per mm, for a 35-mm, you would work at 100-120 pixels per mm. These being the resolution capability of the materials

        People who have worked in retouching for a long time learn how to defeat 1,3,4 and 5 mentioned above in order to do their job correctly. Oh, and never make the mistake of 6.

        Where you can usually get caught out is when you are introducing elements from another shot, no matter how well the photographer set up lighting to match, there is almost always some tell tale element that gives it away as another source.

        More dangerous from an altering standpoint is when things are removed or shifted. What if I were to go in on a negative strip and alter all of the date stamps that many film cameras imprint on those strips. An extremely easy thing to do from an altering standpoint.

        When you get into digital photography altering becomes 10x easier than with film. From a technical standpoint. From the "good retouching" standpoint, in some ways they are more difficult. Digital has a tendency to capture more information than can even be displayed at one time on most monitors. And two separate camera manufacturers are going to capture a different gamut of color. We have had problems with multiple shots looking very similar on screen, and then printing out with glaringly different color casts. Even when you correct them to visually match, in many cases the actual color builds (RGB values) will be different numerically.

        Many things have been tried in the last few years. Embedding copyright info into the file, "invisible" watermarking. Others I am forgetting, I am sure. If someone could come up wtih a decent solution to uniquely identifying digital pictures, it would be a good thing. As I think we are no too far off from images being in-admisable as evidence, legally speaking.