Nikon Image Authentication System: Compromised

April 28th, 2011 by Vladimir Katalov

ElcomSoft Co. Ltd. researched Nikon’s Image Authentication System, a secure suite validating if an image has been altered since capture, and discovered a major flaw. The flaw allows anyone producing forged pictures that will successfully pass validation with Nikon’s Image Authentication Software. The weakness lies in the manner the secure image signing key is being handled in Nikon digital cameras.
 
The existence of the weakness allowed ElcomSoft to actually extract the original signing key from a Nikon camera. This, in turn, made it possible to produce manipulated images signed with a fully valid authentication signature.
 
Not a Theory
 
This is not a theory. As a proof of concept, ElcomSoft researchers have successfully extracted the original image signing key from a Nikon digital SLR, produced and published a set of forged images that successfully pass validation with Nikon Image Authentication Software.
 
Credibility of Photographic Evidence
 
Credibility of photographic evidence is essential when images shot with a digital camera are used as court evidence or back insurance claims. Photographic evidence has been used by or political and armed forces to support military operations in the eyes of the public.
 
Some of that evidence has been proven to be a fake.
 
World’s Famous Hoax Photos
 
What exactly constitutes for a hoax? Publishers will routinely modify photos by cropping, correcting colors or enhancing contrast. While all that, per se, does not usually constitute a hoax, even small manipulations like these can significantly alter viewer’s perception of a scene, especially if combined with other tricks. Look at the following picture:
 

 
Taken by a Lebanese photographer Adnan Hajj in Beirut in the summer of 2006 right after Israeli bombing, the shot looked genuine enough to fool Reuters who published this shot in an editorial. The photographer used Photoshop clone brush to increase the amount of smoke appearing in the picture, as well as general contrast enhancement to make the picture appear more dark and gloomy. The original capture is far less smoky:
 
 
Same photographer published another shot of an Israeli F-16 jet. The caption he used said that the jet was launching missiles, while in fact what is seen in the picture was a defensive flare. Moreover, the original photograph showed only one flare, and the photo had been doctored to increase the number of flares falling from the F-16 from one to three, and misidentified to call them missiles.
 
 
While there are many ways to lie with a picture without referring to forging the original capture, we’ll concentrate on fakes that modified image content in order to convey the lie.
 
“Tourist guy” by Péter Guzli is probably the most often cited hoax. The hoax depicts a tourist on top of the World Trade Center on September 11, 2001, with a hijacked plane approaching in the background. In fact, the image was taken some four years ago; the photographer modified the picture to amuse his friends.
 
 
The following picture taken in Iraq in 2003 was produced by Brian Walski, a Los Angeles Times staff reporter. To produce a picture with more impact, he merged two images into one. He was fired as a result.
 
 
Finally, there’s this photograph of George W. Bush holding a book the wrong way up during a school visit. This was a famous and amusing hoax at the time, while in fact the image was forged: the hoaxers photoshopped the real image taken during the 2002 press event to rotate the book.
 
 
Fake or Genuine?
 
Traditionally, there are means to tell a fake photo apart from a genuine one. Inconsistencies in lighting and shadows, cloned or multiplied parts of an image as well as parts of other pictures being pasted into a faked photo are the most common tricks used by unscrupulous photographers, journalists, editors, political and armed forces. Telling a forged image apart from a genuine one has required the work of experienced experts.
 
To make image validation more definite and to simplify the process, major manufacturers of photographic equipment such as Canon and Nikon developed digital image authentication systems. Both Canon and Nikon include signing modules into their top of the line digital cameras, and provide validation software to the customers. Each picture is signed in-camera when captured. The verification process then enables users to determine whether an image has been altered after being shot. Both Canon and Nikon systems were designed to provide proof of image authenticity for the purpose of law enforcement and government agencies, insurance companies, businesses, and news agencies. As demonstrated by ElcomSoft, claims made by the two vendors have not lived up to the promises.
 
Breaking into Nikon Image Authentication System
 
Back in 2010, ElcomSoft performed a security analysis of Canon’s proprietary image authentication system. Similar to Nikon’s, the system was supposed to prove image authenticity in the eyes of the media, law enforcement, government, and business organizations. As demonstrated by ElcomSoft, a major security flaw exists in Canon’s implementation, which has not been addressed in any way even today, after half a year after discovery.
 
Almost half a year later, ElcomSoft has discovered that a similar vulnerability exists in digital SLR cameras manufactured by Nikon. The existence of this vulnerability proves that image authentication data can be forged, and thus Nikon Image Authentication System cannot and shall not be relied upon. As a consequence, successful image verification as reported by Nikon Image Authentication Software cannot be used as a proof of authenticity.
 
Details
 
If you’re not interested in technical details on how Nikon image authentication works, you may skip this chapter without losing too much.
 
Higher-end digital SLR cameras manufactured by Nikon up to this day implement an integrated Image Authentication feature. This mechanism was introduced as means to securely validate the authenticity of image data and prove that the image has not been altered since captured.
 
When Image Authentication is enabled, the camera embeds authentication information in shots being are taken by signing image data and metadata with a digital signature. The authentication information allows alterations to be detected when using Nikon’s Image Authentication Software.
 
According to Nikon, images signed with Nikon Image Authentication can be used for verifying image authenticity by law enforcement and other government agencies, the media, and insurance companies, as well as for other business applications.
 
Internals of Image Authentication System are not published, and algorithms used to calculate verification data are not publicly known.
 
ElcomSoft research shows that image metadata and image data are processed independently with a SHA-1 hash function. There are two 160-bit hash values produced, which are later encrypted with a secret (private) key by using an asymmetric RSA-1024 algorithm to create a digital signature. Two 1024-bit (128-byte) signatures are stored in EXIF MakerNote tag 0x0097 (Color Balance).
 
During validation, Nikon Image Authentication Software calculates two SHA-1 hashes from the same data, and uses the public key to verify the signature by decrypting stored values and comparing the result with newly calculated hash values.
 
The ultimate vulnerability is that the private (should-be-secret) cryptographic key is handled inappropriately, and can be extracted from camera. After obtaining the private key, it is possible to generate a digital signature value for any image, thus forging the Image Authentication System.
 
What ElcomSoft Did About It
 
ElcomSoft has notified Nikon and CERT as a trusted third party about the issue, and prepared a set of digitally manipulated images passing as originals when verified with Nikon’s secure authentication software. Nikon provided no response nor expressed any interest in the existence of the issue.
 
Will Nikon Do Anything About It?
 
The big question is whether or not Nikon is going to do something about the issue. So far it seems highly unlikely. Acting as responsible citizens, ElcomSoft contacted Nikon, informing Nikon USA, Nikon Europe, and Nikon Japan about the issue. No meaningful response was received, unless the standard canned response counts: “For support for your product please contact the dealer you purchased it from or consult the Nikon distributor in your area.”
 
The bigger question, however, is if they can do anything about the issue. The worms are out of the can. The private signing key has been compromised, which automatically invalidates digital signatures placed by all current models manufactured by Nikon. If ElcomSoft, a small company, has done it, there’s no guarantee whatsoever it has not been done before or will not be done after.
 
In order to “fix” the problem, Nikon would have to re-design the way the signing key is being stored in the camera. They would have to hire someone who knows security well, which is what they should’ve done from the very beginning. They would have to publicly admit the existence of the problem in their old cameras. They would have to revoke the old signing key via an update to Nikon Image Authentication Software. They would have to generate a new signing key.
 
Does that sound like too much trouble for too little return? It certainly seems so. Here at ElcomSoft, we don’t believe Nikon would do anything, anything at all, to admit, investigate, or mitigate the situation. ElcomSoft notified Canon about a similar problem with their cameras more than half a year ago; nothing changed whatsoever.
 
Affected Nikon Digital SLRs
 
All current models that include Image Authentication are affected, including Nikon D3X, D3, D700, D300S, D300, D2Xs, D2X, D2Hs, and D200 digital SLRs.
 
Fake Photographs
 

ElcomSoft has performed the extraction of the signing key, and prepared a set of forged images that pass as fully genuine. Manipulated images successfully passing validation by Nikon Image Authentication Software are available at http://nikon.elcomsoft.com. To validate these images, you’ll need Nikon Image Authentication Software which can be obtained from Nikon or one of their dealers.


Tags: , ,

Sign up for free ElcomSoft Password Recovery Software newsletter

7 Responses to “Nikon Image Authentication System: Compromised”

  1. Gareth Coleman says:

    Great work guys, keep it up.

    BTW I saw on Canon site a small advisory for owners to contact them, see here: http://www.canon-europe.com/Support/Consumer_Products/products/cameras/Accessories_Battery_Grips_etc/OSK-E3.aspx?type=important&faqtcmuri=tcm:13-812833

    So I think you should update your pages on the canon and nikon issues to state that Canon has made a low-profile appeal to owners to contact them for more information about the vulnerability.

    They continue to sell the thing with promises of security though, despite you proving it doesn’t.

    Kind regards

    Gareth

  2. Tamas Feher says:

    Hello, I think Elcomsoft is too strict and too harsh versus the digicam vendors.

    It is not possible to design a secure device at all, if the private key is stored in the device. An adversary advanced enough will have superb lab gear, including a scanning tunneling electron microscope and can sort through the integrated circuits atom by atom, if necessary. The key will be retrieved eventually.

    Even if that does not work, the attacker could monitor power consumption or other side channel signals to deduce the keys. It is not reasonable to except a commercial digital camera to have TEMPEST features en par with a KH-11 spy satellite!

    I think photo authenticity should be provided by special digicams, which also shoot a 135mm common film frame, in addition to the higher quality CCD/CMOS digital image. Chemical based roll film megative contains an almost infinite amount of information, so experts could you use it determine or exclude fakery.

    Kind regards, Tamas.

  3. kosullivan says:

    This is what you get for implementing your own crypto. My suggestion to both Nikon and Canon is to include an ISO-7816 ID-000 port in their cameras (more commonly known as a SIM slot in mobile phones) and support one of the well-defined standards for public key operations on smartcards (PKCS#11 for example).

    This means that Nikon/Canon have far less pressure to build a robust cryptographic system as it is built-in to the many, many compliant and certified smartcards out there in the market. Instead they can concentrate on the much simpler problem of implementing the crypto according to the standard.

    The major added benefit is that customers with strict security requirements (i.e. law enforcement) don’t have to trust the crypto engines/key storage mechanisms developed by Nikon/Canon. They can put their own (trusted) smart-cards in the camera as simply as swapping a SIM in a mobile phone.

    For customers that don’t want this, they can simply trust the default smartcards supplied by Canon/Nikon.

    Customers, put pressure on them!
    Cheers,
    Ko

  4. kosullivan says:

    Nice work!

    This is what you get for implementing your own crypto. My suggestion to both Nikon and Canon is to include an ISO-7816 ID-000 port in their cameras (more commonly known as the SIM slot in mobile phones) and support one of the well-defined standards for public key operations on smartcards (PKCS#11 for example).

    This means they have far less pressure to build a robust cryptographic system as it is built-in to the many, many compliant and certified smartcards out there in the market. Instead they can concentrate on the much simpler problem of using the crypto functions properly.

    The major added benefit is that customers with strict security requirements (i.e. law enforcement) don’t have to trust the crypto engines/key storage mechanisms developed by their camera supplier. They can put their own (trusted) smart-cards in the camera as simply as swapping a SIM in a mobile phone. For customers that don’t want this, they can simply trust the default smartcards supplied with the camera.

    Cheers,
    Ko

  5. daniel says:

    Truth is out there at elcomsoft. :)

    By the way please make new benchmarks with new gpus from nvidia and amd(590&6990)
    for password recovery tools.

    Warmly regards

  6. MaHuJa says:

    >I think Elcomsoft is too strict and too harsh versus the digicam vendors.

    If I risk going to jail based on falsified evidence, backed by their claims, then no.

    If we then go by your statement of difficulty, the correct response is not to do it at all.

    However,
    If each produced camera has its own key (whose certificate is signed by a master cert of theirs) and the key can’t be extracted without leaving detectable traces on the camera, then we’re starting to get somewhere. The camera itself would have to be submitted as part of the evidence. Also, the verifiers would have to say which camera s/n it was taken with, and add a disclaimer “unless that camera has been tampered with”. Which makes it near worthless if you can’t have access to the original camera. Or one can tamper with it undetectably.

  7. cybernion says:

    I would like to know how the key was extracted. Perhaps it was using side-channel analysis. In that case, there are (patented) countermeasures that are known to provide a very strong resistance. If it was a protocol error the fix may be even easier.

    It sounds as if Nikon was using the same private key in all their cameras… a fundamental mistake. The approach mentioned by MaHuJa (May22) using unique certified keys would be much better. Tamper evidence is also a good suggestion, though not a perfect solution, because what do you do when a camera is legitimately lost or destroyed?

    While perfect security is impossible, practical security is doable. It seems like these camera companies need to hire some good outside consultants to help them do it right.

Leave a Reply