Nikon Image Authentication System: Compromised

April 28th, 2011 by Vladimir Katalov
Category: «Cryptography», «Elcomsoft News», «General», «Security», «Software»

ElcomSoft Co. Ltd. researched Nikon’s Image Authentication System, a secure suite validating if an image has been altered since capture, and discovered a major flaw. The flaw allows anyone producing forged pictures that will successfully pass validation with Nikon’s Image Authentication Software. The weakness lies in the manner the secure image signing key is being handled in Nikon digital cameras.
 
The existence of the weakness allowed ElcomSoft to actually extract the original signing key from a Nikon camera. This, in turn, made it possible to produce manipulated images signed with a fully valid authentication signature.
 
Not a Theory
 
This is not a theory. As a proof of concept, ElcomSoft researchers have successfully extracted the original image signing key from a Nikon digital SLR, produced and published a set of forged images that successfully pass validation with Nikon Image Authentication Software.
 
Credibility of Photographic Evidence
 
Credibility of photographic evidence is essential when images shot with a digital camera are used as court evidence or back insurance claims. Photographic evidence has been used by or political and armed forces to support military operations in the eyes of the public.
 
Some of that evidence has been proven to be a fake.
 
World’s Famous Hoax Photos
 
What exactly constitutes for a hoax? Publishers will routinely modify photos by cropping, correcting colors or enhancing contrast. While all that, per se, does not usually constitute a hoax, even small manipulations like these can significantly alter viewer’s perception of a scene, especially if combined with other tricks. Look at the following picture:
 

 
Taken by a Lebanese photographer Adnan Hajj in Beirut in the summer of 2006 right after Israeli bombing, the shot looked genuine enough to fool Reuters who published this shot in an editorial. The photographer used Photoshop clone brush to increase the amount of smoke appearing in the picture, as well as general contrast enhancement to make the picture appear more dark and gloomy. The original capture is far less smoky:
 
 
Same photographer published another shot of an Israeli F-16 jet. The caption he used said that the jet was launching missiles, while in fact what is seen in the picture was a defensive flare. Moreover, the original photograph showed only one flare, and the photo had been doctored to increase the number of flares falling from the F-16 from one to three, and misidentified to call them missiles.
 
 
While there are many ways to lie with a picture without referring to forging the original capture, we’ll concentrate on fakes that modified image content in order to convey the lie.
 
“Tourist guy” by Péter Guzli is probably the most often cited hoax. The hoax depicts a tourist on top of the World Trade Center on September 11, 2001, with a hijacked plane approaching in the background. In fact, the image was taken some four years ago; the photographer modified the picture to amuse his friends.
 
 
The following picture taken in Iraq in 2003 was produced by Brian Walski, a Los Angeles Times staff reporter. To produce a picture with more impact, he merged two images into one. He was fired as a result.
 
 
Finally, there’s this photograph of George W. Bush holding a book the wrong way up during a school visit. This was a famous and amusing hoax at the time, while in fact the image was forged: the hoaxers photoshopped the real image taken during the 2002 press event to rotate the book.
 
 
Fake or Genuine?
 
Traditionally, there are means to tell a fake photo apart from a genuine one. Inconsistencies in lighting and shadows, cloned or multiplied parts of an image as well as parts of other pictures being pasted into a faked photo are the most common tricks used by unscrupulous photographers, journalists, editors, political and armed forces. Telling a forged image apart from a genuine one has required the work of experienced experts.
 
To make image validation more definite and to simplify the process, major manufacturers of photographic equipment such as Canon and Nikon developed digital image authentication systems. Both Canon and Nikon include signing modules into their top of the line digital cameras, and provide validation software to the customers. Each picture is signed in-camera when captured. The verification process then enables users to determine whether an image has been altered after being shot. Both Canon and Nikon systems were designed to provide proof of image authenticity for the purpose of law enforcement and government agencies, insurance companies, businesses, and news agencies. As demonstrated by ElcomSoft, claims made by the two vendors have not lived up to the promises.
 
Breaking into Nikon Image Authentication System
 
Back in 2010, ElcomSoft performed a security analysis of Canon’s proprietary image authentication system. Similar to Nikon’s, the system was supposed to prove image authenticity in the eyes of the media, law enforcement, government, and business organizations. As demonstrated by ElcomSoft, a major security flaw exists in Canon’s implementation, which has not been addressed in any way even today, after half a year after discovery.
 
Almost half a year later, ElcomSoft has discovered that a similar vulnerability exists in digital SLR cameras manufactured by Nikon. The existence of this vulnerability proves that image authentication data can be forged, and thus Nikon Image Authentication System cannot and shall not be relied upon. As a consequence, successful image verification as reported by Nikon Image Authentication Software cannot be used as a proof of authenticity.
 
Details
 
If you’re not interested in technical details on how Nikon image authentication works, you may skip this chapter without losing too much.
 
Higher-end digital SLR cameras manufactured by Nikon up to this day implement an integrated Image Authentication feature. This mechanism was introduced as means to securely validate the authenticity of image data and prove that the image has not been altered since captured.
 
When Image Authentication is enabled, the camera embeds authentication information in shots being are taken by signing image data and metadata with a digital signature. The authentication information allows alterations to be detected when using Nikon’s Image Authentication Software.
 
According to Nikon, images signed with Nikon Image Authentication can be used for verifying image authenticity by law enforcement and other government agencies, the media, and insurance companies, as well as for other business applications.
 
Internals of Image Authentication System are not published, and algorithms used to calculate verification data are not publicly known.
 
ElcomSoft research shows that image metadata and image data are processed independently with a SHA-1 hash function. There are two 160-bit hash values produced, which are later encrypted with a secret (private) key by using an asymmetric RSA-1024 algorithm to create a digital signature. Two 1024-bit (128-byte) signatures are stored in EXIF MakerNote tag 0x0097 (Color Balance).
 
During validation, Nikon Image Authentication Software calculates two SHA-1 hashes from the same data, and uses the public key to verify the signature by decrypting stored values and comparing the result with newly calculated hash values.
 
The ultimate vulnerability is that the private (should-be-secret) cryptographic key is handled inappropriately, and can be extracted from camera. After obtaining the private key, it is possible to generate a digital signature value for any image, thus forging the Image Authentication System.
 
What ElcomSoft Did About It
 
ElcomSoft has notified Nikon and CERT as a trusted third party about the issue, and prepared a set of digitally manipulated images passing as originals when verified with Nikon’s secure authentication software. Nikon provided no response nor expressed any interest in the existence of the issue.
 
Will Nikon Do Anything About It?
 
The big question is whether or not Nikon is going to do something about the issue. So far it seems highly unlikely. Acting as responsible citizens, ElcomSoft contacted Nikon, informing Nikon USA, Nikon Europe, and Nikon Japan about the issue. No meaningful response was received, unless the standard canned response counts: “For support for your product please contact the dealer you purchased it from or consult the Nikon distributor in your area.”
 
The bigger question, however, is if they can do anything about the issue. The worms are out of the can. The private signing key has been compromised, which automatically invalidates digital signatures placed by all current models manufactured by Nikon. If ElcomSoft, a small company, has done it, there’s no guarantee whatsoever it has not been done before or will not be done after.
 
In order to “fix” the problem, Nikon would have to re-design the way the signing key is being stored in the camera. They would have to hire someone who knows security well, which is what they should’ve done from the very beginning. They would have to publicly admit the existence of the problem in their old cameras. They would have to revoke the old signing key via an update to Nikon Image Authentication Software. They would have to generate a new signing key.
 
Does that sound like too much trouble for too little return? It certainly seems so. Here at ElcomSoft, we don’t believe Nikon would do anything, anything at all, to admit, investigate, or mitigate the situation. ElcomSoft notified Canon about a similar problem with their cameras more than half a year ago; nothing changed whatsoever.
 
Affected Nikon Digital SLRs
 
All current models that include Image Authentication are affected, including Nikon D3X, D3, D700, D300S, D300, D2Xs, D2X, D2Hs, and D200 digital SLRs.
 
Fake Photographs
 

ElcomSoft has performed the extraction of the signing key, and prepared a set of forged images that pass as fully genuine. Manipulated images successfully passing validation by Nikon Image Authentication Software are available at http://nikon.elcomsoft.com. To validate these images, you’ll need Nikon Image Authentication Software which can be obtained from Nikon or one of their dealers.