Nikon Image Authentication System cracked

Nikon Image Authentication Software Screen (credit: Nikon)

ElcomSoft was able to crack Nikon’s Image Authentication System (priced at $489). They were able to extract the original image signing key and use it in several forged photographs that successfully pass Nikon Image Authentication Software validation:

"Nikon's implementation of image authentication has a major design weakness. ElcomSoft researchers discovered a flaw in the way the secure image signing key is being handled in camera. The vulnerability allowed the researchers to actually extract the original signing key from a Nikon camera. This, in turn, made it possible to produce manipulated images with a fully valid authentication signature. By using the signing key, ElcomSoft has prepared a set of hoax images that successfully pass validation with Nikon Image Authentication Software."

All Nikon DSLR models that support Image Authentication are affected, including Nikon D3X, D3, D700, D300S, D300, D2Xs, D2X, D2Hs and D200. ElcomSoft provided several examples of manipulated images that would be authenticated as original:

Via Net-security

  • Julian fernandes

    Not sure I understand what this is about…

    • Tunparadise

      In my understanding, it is a feature on professional Nikon cameras that allows, when used, to certify the authenticity of the image and that the image has not been manipulated. For example, it is a feature that could be used in court when someone has to present photos as proof and the authenticity of the photo is crucial.

      • foo bar

        let’s not forget, that the image verification of Canon has been cracked in November last year, by Elcomsoft as well 😀

      • PHB

        When I first saw the mechanism and the restrictions, I could tell straight off that it was bogus but I didn’t have time to investigate it myself. I did suggest that several other people who enjoy such work look into it. This is my field, yes, I am that PHB.

        The Nikon system requires special software and a hardware key to check the authenticity of the image. This is a major tell since this has been unnecessary with modern public key cryptography. The keys used to authenticate Web sites (create the padlock icon or the green bar) are part of a public key pair. Only the Web site has access to the private key that is used to authenticate the site. The public key allows the site to be verified but not to create a digital signature used for verification.

        The Nikon system appears to have used a much older form of cryptography known as a Message Authentication Code (MAC). The same key is used to authenticate the message and to verify the message. Thus everyone who has the ability to authenticate the messages has the ability to create fakes.

        I strongly suspect that every Nikon camera in the world that has image authentication has the same authentication key.

        The reason Nikon are doing it this way is almost certainly that they are worried about the time taken to do public key cryptography and the risk that it would slow down the frame rate. This should not be a concern, there are ways to use public key cryptography that can get round the problem and still provide an end-to-end verification of the image.

        This is a very important feature for police users of Nikons. It is also potentially a very important feature in photojournalism. We have seen quite a few fakes of late (the Iranian missile launchers, many others).
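
PHB's MAC-versus-signature distinction above, as an added example that is not part of the original thread or of Nikon's software: with a shared MAC key, anyone able to verify an image can also re-tag an edited one, whereas with a digital signature the verifier holds only the public key and cannot. The image layout, keys and pixel bytes are constructed for the example; HMAC-SHA256 and ECDSA P-256 from Go's standard library are chosen here and are not known to match what Nikon uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Image is a constructed stand-in for a photo: pixel bytes plus the tag
// (MAC or signature) that the verification software checks.
type Image struct {
	Pixels []byte
	Tag    []byte
}

// --- MAC design: one shared key both creates and checks the tag. ---
func macTag(key, pixels []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(pixels)
	return m.Sum(nil)
}

func macVerify(key []byte, img Image) bool {
	return hmac.Equal(img.Tag, macTag(key, img.Pixels))
}

// --- Signature design: the private key signs, the public key verifies. ---
func sigTag(priv *ecdsa.PrivateKey, pixels []byte) ([]byte, error) {
	h := sha256.Sum256(pixels)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

func sigVerify(pub *ecdsa.PublicKey, img Image) bool {
	h := sha256.Sum256(img.Pixels)
	return ecdsa.VerifyASN1(pub, h[:], img.Tag)
}

// manipulate is the constructed edit: it changes the pixel data of a genuine image.
func manipulate(img Image) []byte {
	edited := append([]byte(nil), img.Pixels...)
	return append(edited, []byte(" [edited]")...)
}

// VerifierCanForge answers the commenter's question for each design: given
// exactly what the verification software holds (the shared MAC key, or only
// the public key), does a manipulated image end up with a tag that verifies?
// For the MAC design the verifier re-tags with its own key; for the signature
// design the most it can do is keep the genuine tag, since it cannot sign.
func VerifierCanForge() (macForgeable, sigForgeable bool, err error) {
	pixels := []byte("constructed genuine pixels")

	// MAC: the verifier's key is the signing key.
	macKey := []byte("constructed shared secret")
	genuine := Image{Pixels: pixels, Tag: macTag(macKey, pixels)}
	edited := manipulate(genuine)
	macForgeable = macVerify(macKey, Image{Pixels: edited, Tag: macTag(macKey, edited)})

	// Signature: the verifier holds only the public key.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	tag, err := sigTag(priv, pixels)
	if err != nil {
		return
	}
	genuine = Image{Pixels: pixels, Tag: tag}
	if !sigVerify(&priv.PublicKey, genuine) {
		err = fmt.Errorf("genuine signature failed to verify")
		return
	}
	sigForgeable = sigVerify(&priv.PublicKey, Image{Pixels: manipulate(genuine), Tag: genuine.Tag})
	return
}

func main() {
	m, s, err := VerifierCanForge()
	fmt.Println("MAC design, verifier can forge:", m, "| signature design, verifier can forge:", s, "| err:", err)
}
```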

        • PHB

          OK, scrub the above, I found a more detailed description of what is going on.

          They are using public key cryptography. But with a weak key (1024 is no longer considered adequate) and Elcomsoft has merely been able to extract the private key from one camera.

          This is serious but nowhere near as serious as I thought it would be.

          At base the problem is that Nikon has never documented the feature so its value is negligible. If I was an expert witness in a case where the authenticity of the image was in doubt, I would demand the details of the Image authentication mechanism and if Nikon would not release them the evidence from the Image Authentication Mechanism would be thrown out anyway.

          Modern cryptographic protocols do not depend on secrecy for security. Every detail of the SSL/TLS and S/MIME protocols used for Internet security is public and the actual cryptography has proved very robust (management of the infrastructure is another matter).

          Nikon should install a certificate in every device and tie the public key to the signature. They should also publish the full details of this mechanism.

          Stopping people from extracting keys from an actual device is very hard. But it is quite practical to prevent key extraction without the device being destroyed in the process. Paul Kocher’s people at Cryptography Research specialize in that type of work.

          Tying an image back to one particular device makes a forgery much harder as we can examine the device to see if it has been tampered with.

          • Soap

            1 – The key length is not the point of failure. They did not brute force the key, so bringing up its length distracts from the actual point of failure.

            2 – The other public key implementations you mention which are fully documented have one thing in common, and that is that the private key never needs to be in the hands of the consumer. This is very much unlike the Nikon / Canon situation wherein the camera must at once hold the private key (for signing) and hide the private key from an attacker.

            3 – What is this difference you speak of between a certificate and the existing solution of a private key? Both have exactly the same weakness – and that is the fact the signing “tool” must be available to the consumer while being hidden from the consumer.

            4 – Publishing implementation details of the system would be nice, and as you mentioned would help in a court situation (though Nikon does provide expert witness evidence when needed (their call 😉 )) but crying “security through obscurity = bad” in a crowded theater is just as bad as crying “fire!”.

            • PHB

              Nikon’s expert witness service is worthless. They have a financial stake in denying any problem. Courts should not accept claims based on trade secrets. There is no valid reason to rely on security through obscurity.

              The 1024 bit key is shorter than the current minimum NIST guidelines. They will cease to be valid for SSL certificates in the next 12 months. Using a 1024 bit key for securing evidence is really not acceptable. The reason I brought it up was that it’s the type of detail that should be published.

              And you don’t brute force public keys, you factor them which has a much smaller work factor (2^80 not 2^512).

              If the private key is the same in every camera, that would be bad. I would not expect that type of mistake, only the zigbee people have done just that.

              I really hope Nikon takes this opportunity to produce an open standard for image authentication that can be made open to unrestricted expert review.

            • Soap

              1 – It is not the same private key on all cameras or even camera types. This has been stated at least on IRC if not in the article.

              2 – Where does Elcomsoft ever mention that Nikon’s implementation is RSA? The NIST guidelines you quote regarding 1024 bit keys relate only to RSA. While it is likely RSA is what Nikon uses I see no mention that it is. Yet another hole in this story.

              The story is thin, so I think the safest assumption is this is yet another in the long line of key handling flaws, not brute force, not factorization. Follow a published spec or no, if you can’t juggle your keys you’re fucked.

          • Soap

            Stopping people from extracting keys from an actual device is very hard.

            But it is quite practical to prevent key extraction without the device being destroyed in the process. Paul Kocher’s people at Cryptography Research specialize in that type of work.

            In the real world the key (or “key to the key”) leaks across open channels all the time.
            Designing and implementing a robustly hidden signing key has proven very difficult (I need not go into the list of embedded systems which have had their keys extracted, do I?) and expensive. Until the time when SoC truly means the whole system on a chip, non-destructive pathways will exist in most reasonable implementations. It is only a matter of how high a hurdle you are willing to pay for, and how strong an incentive the attacker has.

            • Soap

              Egads, I overquoted the second part. Quote should end at “in the process”.

              My apologies.

          • PHB Said:

            “If I was an expert witness in a case where the authenticity of the image was in doubt, I would demand the details of the Image authentication mechanism and if Nikon would not release them the evidence from the Image Authentication Mechanism would be thrown out anyway.”

            Not so fast. This approach has been tried with radar guns and breath alcohol analyzers and it does not work. Courts are willing to accept these things as black boxes. Requests for firmware source code have been routinely turned down.

            The real state of affairs now is the authenticity of an image depends on the credibility of the person presenting the image. The jury can choose to believe the image was or was not manipulated based on the testimony of the witness presenting it, or the testimony of an expert challenging it.

            Images that have not been manipulated can be misleading, or used in misleading ways as well.

            • dave

              It also depends on if the image is gathered as evidence or if the image is one introduced from outside the chain of custody. There are protocols that exist to ensure that forensic photographs are preserved in their original state on unalterable media and a written record of anyone who comes in contact with the camera and/or memory card from the time the image was taken until the time that image is recorded to a CD or DVD and placed in an evidence locker, as well as a written record of anyone who has access to the non-alterable media once placed in the evidence locker. Such evidence is routinely accepted in court, with or without an authentication key.

              However, despite the acceptance by the courts of protocols for digital forensic imagery, the courts still accept negatives and there are law enforcement agencies that are still more comfortable with film evidence rather than digital.

            • PHB

              Dave is right there.

              Challenging electronic evidence in court is hard when it is gathered by police and the other evidential rules have been correctly followed. But as Dave points out, the digital authentication is not actually adding anything in this case. The evidence is admissible in either case.

              A court is highly unlikely to throw out image evidence as inadmissible. But the real question here is what would happen in the case the authenticity of the image was being disputed. Does the IAS add anything or not?

              Let’s say that the plaintiff introduces a photograph as evidence and the defense is disputing the validity with a photoshopping expert. Is evidence from the IAS system admissible for the plaintiff?

              I don’t think it would be. Nikon can provide an expert to assert that their system works but that expert should not be allowed to testify unless the defense has an opportunity to challenge the evidence and that can’t happen unless Nikon releases the details of their system.

              Even if IAS is completely properly designed and documented there are going to have to be other controls and rules of evidence.

              For example, I would want to see the evidence signed by a digital notary service as soon as possible after capture. And I would like to see the signature key tied to the actual camera used to take the photograph and that should be available for inspection.

              There is always going to be residual risk. But security is risk management, not risk elimination.

              Key extraction can be made very hard, it cannot be made impossible. The NSA use explosives as part of their anti-tampering measures, I don’t think we want those in our cameras.

              But in most cases the parties do not have the means or the motive to perform that level of attack. Take Bradley Manning, alleged wikileaker. CRM systems can be cracked, but Bradley Manning wouldn’t have been capable of cracking them.

              The person who should be in the Quantico brig is the idiot who thought a low level clerk should have unrestricted access to that amount of information without any form of CRM security.

          • Joel

            You can use public keys encrypt images and files, but you certainly cannot use a public key to sign an image or a file as being authentic. Think about that one for a second.. A public key by nature is public so it’s fine to use that for encrypting, knowing that only the holder of the private key can decrypt it, but you need a private key to sign an image/file and then the public key can be used to determine if that signing is authentic.

            • PHB

              The term ‘public key cryptography’ is used to refer to any use of a public key algorithm including signing and decryption which use only the private key. So a digital signature is referred to as public key cryptography even though it’s the private key that is used.

              As for the algorithm being RSA, the blog post I referenced above has more details at the end, including stating that the algorithm is RSA 1024.

              RSA 1024 is actually a problem here because a signature on a document has to be valid for as long as someone might need to rely on it. So RSA 1024 has been considered unacceptable for most signature operations and encryption of stored data for about ten years now.

              RSA1024 was considered acceptable for use in SSL/TLS because it is only used for initial key exchange and the certificates have validity for no more than 2 years.

              I did have a chance to ask Adi Shamir about this at the RSA show in the public session. His opinion is that we most likely have at least a decade before factoring 1024 happens. That is quite important for the industry as phasing out use of older browsers that can’t handle 2048 takes time.

        • Ken Elliott

          PHB is correct in his description of the problem.

          The silver lining for us normal guys is Nikon might offer one more firmware update to resolve this (or at least change the key for now) and we might pickup a feature, or bug fix.

          • Soap

            How do you propose Nikon distribute a new signing key in a firmware update? Encrypt new key 1 with old key 2? 😉

            Regardless, the key is unique per camera, and Nikon has not previously exhibited an ability to do per-camera firmware updates.

            Also, there is the fact that this hack was a theft of the signing key. Replacing the stolen signing key with another fails to prevent future theft, and depending on the hack’s method of attack (as yet unspecified) preventing future attacks w/o hardware modification might not be possible. For all we know they simply pulled the key off via the discovery of unpublished JTAG pads!

            • PHB

              The way I was planning to do it was to flash the firmware on the camera with a new set of firmware that read out the private key.

              But that was when I had assumed that they were using a symmetric key MAC system with the same key in every camera. If the system had been designed that way it would be possible to forge a picture to make it appear that it came from any Nikon camera I chose. So I could fake a picture as coming from a Reuters or an FBI camera with only knowledge of the serial number.

              Fortunately it appears that the system is not that broken. Though systems that are designed that way are currently being deployed in critical infrastructure systems like chemical and electric plants.

              If the system is properly designed it should only be possible to fake a photograph as coming from the camera it is taken with. That is not really a major concern since even if there is a secure hardware module on the camera an attacker could take it apart and fake the data coming off the sensor. The signature module would then sign whatever data was presented to it.
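
PHB's per-device design (above, and earlier: "install a certificate in every device and tie the public key to the signature"), as an added example that is not part of the original thread or of Nikon's system: the manufacturer CA certifies each body's own key under its serial number, so a key extracted from one camera lets an attacker sign only as that camera, not relabel images as coming from another body. A minimal CA-signed (serial, key) record stands in for a real X.509 certificate; the serials, pixels and keys are constructed, and ECDSA P-256 is assumed rather than Nikon's actual algorithm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Cert is a minimal stand-in for an X.509 certificate: the manufacturer CA
// binds one body's public key to that body's serial number.
type Cert struct {
	Serial string
	Pub    *ecdsa.PublicKey
	CASig  []byte // CA signature over ("cert", Serial, Pub)
}

// pubBytes is the canonical PKIX (DER) encoding of a key, used when hashing it.
func pubBytes(pub *ecdsa.PublicKey) []byte {
	b, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a valid P-256 key
	return b
}

// bind hashes a purpose label and the serial in with the payload, so certificate and
// image signatures, and different bodies' serials, can never be confused with each other.
func bind(label, serial string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(label + "\x00" + serial + "\x00"))
	h.Write(payload)
	return h.Sum(nil)
}

// Enroll is the factory step: generate the body's own key and have the CA certify it.
func Enroll(serial string, ca *ecdsa.PrivateKey) (*ecdsa.PrivateKey, Cert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Cert{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, ca, bind("cert", serial, pubBytes(&key.PublicKey)))
	return key, Cert{Serial: serial, Pub: &key.PublicKey, CASig: sig}, err
}

// Sign is what the body does at capture time: sign (serial, pixels) with its own key.
func Sign(key *ecdsa.PrivateKey, cert Cert, pixels []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, bind("image", cert.Serial, pixels))
}

// Verify needs only the manufacturer's public key: check the certificate first,
// then the image signature under the certified per-camera key and serial.
func Verify(caPub *ecdsa.PublicKey, cert Cert, pixels, sig []byte) bool {
	if !ecdsa.VerifyASN1(caPub, bind("cert", cert.Serial, pubBytes(cert.Pub)), cert.CASig) {
		return false // not a key the manufacturer certified for this serial
	}
	return ecdsa.VerifyASN1(cert.Pub, bind("image", cert.Serial, pixels), sig)
}

// ExtractionScope models a private key pulled out of one body, as on the page,
// and reports which forgeries the verifier then accepts.
func ExtractionScope() (asOwnCamera, asOtherSerial bool, err error) {
	ca, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // hypothetical manufacturer CA
	if err != nil {
		return
	}
	keyA, certA, err := Enroll("D3-0001", ca) // constructed serial; attacker now holds keyA
	if err != nil {
		return
	}
	pixels := []byte("constructed manipulated pixels")
	sig, err := Sign(keyA, certA, pixels)
	if err != nil {
		return
	}
	asOwnCamera = Verify(&ca.PublicKey, certA, pixels, sig) // cannot be stopped once keyA is out
	certA.Serial = "D3-0002" // relabel as another body: the CA signature no longer covers this serial
	asOtherSerial = Verify(&ca.PublicKey, certA, pixels, sig)
	return
}

func main() {
	own, other, err := ExtractionScope()
	fmt.Println("accepted as extracted camera:", own, "| accepted as another body:", other, "| err:", err)
}
```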

        • Darkness

          All speculation…

        • Arthur Nava

          Crack the D7K Firmware.

        • Joel

          Shared key crypto fail!!

  • Steve Perry

    Hmm. I guess it’s no real surprise to anyone who has ever used Capture NX that Nikon is a little weak in the software dept…

    • foo bar

      Canon image verification has been compromised last year as well:

      • PHB

        The guy who cracked it is Dimitry Skylarov

        There is a full presentation on the Canon crack:

        The Canon system is very close to the Zigbee system which has been broken endlessly and never stood a chance of working. In comparison, the Nikon system is a lot stronger and could at least be of some use. But we can’t really say because the system is secret and so we don’t even know what type of attacks it is meant to provide a defense against.

        The fact that the Canon and Nikon systems are broken does not mean that every system has to be breakable. There are quite a few security protocols that have never been broken.

  • Eric

    forget -> forged ?

  • D40-owner

    Yay…. another win for hackers..
    This is actually bad news, image authentication is big in sports and news photography.

    • Darkness

      No it isn’t

  • Bas

    Bad for Nikon, but an example again of “that what is secured, can and will be cracked”.

  • Magnus

    Really bad news for legal purposes, as far as I understand. These kinds of images were previously possible to use as proof, but with the crack, they can no longer be used, and there is nothing to replace it with. I’m not sure if Canon or the other camera makers have anything equivalent.

    On the other hand, I guess a software update might fix it. Perhaps.

    • No, a software update won’t solve this. And I’m not surprised that this was cracked, either. Nikon, a photography business, trying to keep all the skilled researchers and hackers at bay? Not likely.

      This system is now utterly cracked, and I hope it won’t come back as a new system only would fool more people into believing this is secure enough for the purposes stated. Someone above said that this was used as image authentication in news and sports. He’s wrong.

  • I’d rather prefer that they crack the NEF format to open it fully and thus make it fully usable on Lightroom 🙂

    • Darkness

      whatever happened to open RAW by the way? joke..

    • Trevor

      I’m curious, what can Lightroom not do with NEF files? I’ve used Lightroom for years with ORF, NEF, and DNG and haven’t noticed a difference.

      • yakker

        A lot of people (myself included) feel that the Lightroom interpretation of the NEF is far from accurate compared to what comes out of Nikon’s software, like View NX 2 or Capture NX 2. I’ve tried LR twice, and both times the rendering of reddish colors was so bad I gave up. Everything else about LR is much nicer than Nikon’s software, I’d really like to be able to use it.

  • Authenticity

    So now fake/cooked RAW and fake files too?

  • Darkness

    Am I missing something? Some Rusky outfit that happens to sell encryption tools spends months cracking Sony Playstation, Nikon or Canon, that no-one else had a problem with? Would you like your Police and government to buy data security tools from the Russians? LOL!!! Wake up and smell the vodka gentlemen!

    • Phil

      It doesn’t matter where the source of the crack is. Russia, China, India, it means nothing. The fact that it’s cracked is all that matters.

    • Arthur Nava

      Russia has many many software cracking groups, along with the middle east. I would venture a guess to say most of the software cracks that are out there come from these two regions.

      • Soap

        Amazing what happens when you have a culture which values engineers and an economy which can’t pay them!

  • Vitaliy Filippov

    Any system which involves hiding some information from the user is bad.
    Remember that Stuxnet virus had several valid digital signatures.

  • Canon has the same type of image verification but was also cracked a while back. Every image verification software has at one point or another been compromised

  • See the problems you all create by choosing not to use film?

  • Ian

    Not too serious to an average end-user, only to law enforcement agencies, which no doubt are numerous, but everything that is encrypted will eventually be hacked; it’s just the time frame in which it happens, until we find a totally secure hardwired system and no software.

  • Darkness

    Do not access the blog, my PC scan Trend Micro says “the latest tests indicate this site contains malicious software or could defraud visitors”!!! It categorizes the site as Hacking and states “it is a site that provides software for bypassing computer security systems”. Joke.

  • Banned

    Haha, if Nikon is anything like Sony they would rather sue the world for discovering their weakness rather than fix the problem!!! (See PS3)

  • Sony just allowed hackers access to highly personal information on their 77million+ users of PSN and Qriocity, including passwords that were apparently stored in plain text on their servers. Sony is evil, corrupt, inept, and destructive to the market, end users, and not least of all themselves. I am hoping these gargantuan mistakes continue to happen at accelerated rates, allowing Sony to die a fast and permanent death. Sony has no place in the market after exhibiting this kind of utter disregard for what is appropriate and right.

    No, Nikon is nothing like Sony.

    • But, Nikon does use Sony’s sensors…..

      • Sony’s business paradigms are wildly backward to this century’s movement of open, transparent, and customer-centric business practices. Does this mean that everything they make is crap? Of course not. But good, even great products are not enough when you are blatantly stepping on your customer’s good will and reasonable rights on your march toward profit and market domination.

        Sony has shown itself to be grossly out of touch with proper transactional decorum lately. They cannot keep doing this without serious bottom-line repercussions. In fact, even flat out failure is likely if they don’t learn to serve their customer base instead of swindling them.

        And make no mistake: Sony’s chip performance in Nikon cameras is due to Nikon engineering, and not Sony’s. Last I looked at the comparisons between the Sony implementations vs. those of Nikon, it’s clear that not all Sony fabbed chips are created equal.

    • Ken

      So you don’t like Sony?

      • Who, in their right mind, would? Can you really champion a company with the abysmal track record they’ve had over the last number of years? When it comes to customer experience, Sony has been awarded a big fat fail so many times it has become difficult to keep track.

        • Ken

          I was being facetious. Your posts are generally very direct and to the point; one of the few posters that I actually pay attention to.

  • RaVax

    Question for cryptography experts: Could the “built in” key be based on each camera S/N, which I’d suppose is unique? Something like using PC motherboard’s UUID or NIC’s MAC Address?


    • Soap

      Could be, but that would be stupid.

      If an attacker knows that the seed for the key is the serial number finding one key (all that was done here) could allow them to predict the key for ALL cameras.

      Details aren’t published (that I’ve seen) but it is VERY likely this attack relies on physical possession, if not disassembly, of the camera.

      If one (Nikon) were so foolish as to use the serial number (or any other externally discoverable piece of information) as (or to seed) the private key they would be allowing a local exploit to become a remote exploit!

  • jerl

    This isn’t really a big deal though. The authentication system was never really that secure in the first place. For instance, anyone who wanted to spoof a false picture could easily just make a print and then take a picture of it; obviously some care will be needed to make it indistinguishable from a real image, but this method and any like it will always be able to bypass any sort of authentication Nikon can invent.

    • Soap

      The analog hole you describe is not nearly as large as you may think.

      Only a very limited range of photos copied in such a manner will plausibly have the same focal length and distance as a copy stand setup!

  • Almond

    Does this apply to film cameras?
    Have they been able to find a method to retrieve the software keys dynamically embedded on silver emulsion?

  • VJ

    As many have said, everything secured can be hacked in time… But I would think that part of the authentication is a checksum (sort of a digital summary, like md5sum or so); to modify an image and still get the same checksum is possible but would limit modifications you can do.

    It is a problem for only a very limited number of applications, but a problem nonetheless.

    • Soap

      What you described is known as a “hash collision” which is not what this attack is, or even is about. This is about public key encryption.

      This attack is the collection of the “private key” from the Nikon camera body. With said private key one can sign a dataset cryptographically “proving” (based on the assumption the key is held securely) the authenticity.

      • VJ

        I know… I just wonder if the combination of the private key with some hashing techniques might not provide for a way of making manipulating photos easier.

        The whole problem with encryption keys is that once the key is known, the whole system fails. This is the case for most systems (e.g. when hackers manage to extract the root key, or managed to get hold of it). Just like when some certificate keys for MS update were compromised some years ago, allowing hackers to make “updates” that pass validation.

        While hashing does not prevent tampering with the image, getting the hash to match will greatly limit how you can edit. But then of course the hash should be compared to the original, and where to get the original…

  • BigEater

    With all this talk about hacking, when will one of you computer experts hack the Nikon operating system so that we can turn on missing features like higher video frame rates, focus peaking, and other modern conveniences?

  • shithead

    why even have this feature when you can just take a photo with a clock as the subject for authentication.
