DPChallenge Forums >> General Discussion >> DPC Validation will never be the same again!
11/30/2010 01:20:39 PM · #1
Canon's "image verification" tool cracked

"Dmitry Sklyarov and his colleagues at Elcomsoft have cracked the "image verification" system in high-end Canon cameras; this system digitally signs the photos you take so any alterations, "touch ups" or other modifications can be detected."

Does this mean all Canon users are banned from DPC? :-O

11/30/2010 02:28:43 PM · #2
If a problem at all I think it'll be very temporary. Proper image verification is too important for it to be overlooked.

Message edited by author 2010-11-30 14:32:11.
11/30/2010 02:52:17 PM · #3
I doubt the DPS Site Council ever used this technique to validate Canon images. SC uses its own method of verifying images.
11/30/2010 03:00:49 PM · #4
Originally posted by FireBird:

I doubt the DPS Site Council ever used this technique to validate Canon images. SC uses its own method of verifying images.


The issue is not that the SC used this technique, but that a user could edit a photo in a manner that leaves the EXIF data untouched, and therefore, nobody would be able to tell it had been manipulated.
11/30/2010 03:32:12 PM · #5
Originally posted by jeger:

...but that a user could edit a photo in a manner that leaves the EXIF data untouched, and therefore, nobody would be able to tell it had been manipulated.


The Canon data verification scheme does not rely on EXIF. Frankly, I'm not surprised that someone cracked it. It represented too attractive a target *not* to try to crack. The fact that it was cracked will only lead Canon to plug the hole, creating an even more secure system.
11/30/2010 03:54:18 PM · #6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Problem is, to digitally sign something, you need a private key. With the private key, you can sign anything. Canon tried to hide the key, but someone (Dmitry Sklyarov) easily found it.

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkz1Y0UACgkQk4kRMlh9OuCoRgCfZ/ApXt5iw8HgTmgNgxkF8OaP
9JsAnj8eQ1b5I2Vj+9ewf69dK+kUHZVs
=HbK+
-----END PGP SIGNATURE-----

BTW, all that extra stuff around the above comment, that's a digital signature. If you had my public key, you could verify it was written by me.

Basically, if you had my private key, you could play man in the middle and change my comment, then re-sign it to look like it came from me.
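
Added example, not part of the original thread or anyone's post: a toy sign-and-verify round trip showing why a signing key extracted from a device makes re-signed edits verify. It uses unpadded textbook RSA built from two small known primes as a stand-in; the key, the message bytes and the function names are all constructed for illustration and are not Canon's scheme.

```python
import hashlib

# Toy RSA key from two known Mersenne primes (constructed for illustration;
# far too small and unpadded for any real use).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public key: anyone may hold this
D = pow(E, -1, (P - 1) * (Q - 1))      # private key: the secret the device must hide


def digest(data: bytes) -> int:
    """Hash the data and reduce it into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, private_exp: int) -> int:
    """Signing needs the private exponent."""
    return pow(digest(data), private_exp, N)


def verify(data: bytes, signature: int) -> bool:
    """Verification needs only the public key (N, E)."""
    return pow(signature, E, N) == digest(data)


def demo() -> dict:
    original = b"IMG_0001 pixel data (constructed sample)"
    altered = b"IMG_0001 pixel data (constructed sample, retouched)"
    sig = sign(original, D)
    return {
        # Untouched file with its own signature: accepted.
        "original": verify(original, sig),
        # Edited file carrying the old signature: rejected.
        "altered_with_old_signature": verify(altered, sig),
        # Edited file re-signed by whoever holds the private key: accepted,
        # so the verifier can no longer tell an edit from an original.
        "altered_resigned_with_private_key": verify(altered, sign(altered, D)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'valid' if accepted else 'INVALID'}")
```

The verifier's guarantee rests entirely on the private exponent staying secret; once it can be read out of a device, every signature from that key stops being evidence.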
11/30/2010 04:08:08 PM · #7
The way SC verify files/dates was sussed a long time ago.
11/30/2010 04:32:33 PM · #8
Originally posted by jeger:

Originally posted by FireBird:

I doubt the DPS Site Council ever used this technique to validate Canon images. SC uses its own method of verifying images.


The issue is not that the SC used this technique, but that a user could edit a photo in a manner that leaves the EXIF data untouched, and therefore, nobody would be able to tell it had been manipulated.


Art Roflmao will be the first to use this, insert a Godzilla into a photo, and cause mass panic all over the world when his photos are authenticated as being real. Meanwhile, all of us at DPC will just sit back and think "Oh Art... up to his usual hijinx again"
01/24/2011 06:48:47 AM · #9
Heh, I found it interesting to come across this thread. It just reminds me of a time when threads that talked about editing EXIF and image verification were locked and either hidden or deleted. They always seemed like they wanted to hide this one fact: while most EXIF editors don't do a complete or proper job, that doesn't mean it couldn't be done easily.

The actual issue with the image signing being broken is the setback it has on things like legal matters. Courts have always been icky about digital images from sources other than law enforcement as evidence, and being able to verify an image was such a nice thing when it came around. I dunno how it is now, but I remember with accidents they always wanted film. Anyone remember what happens to film at high temperatures for long periods of time? Even in the glovebox, many climates get hot enough to make leaving a disposable in the glove useless if for too long a time.

What a wonderful digital world we live in. Surprised I didn't read this elsewhere in the news.
01/24/2011 01:07:14 PM · #10
Originally posted by Nullix:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am a lumber jack and I'm okay. I sleep all night and I work all day.

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkz1Y0UACgkQk4kRMlh9OuCoRgCfZ/ApXt5iw8HgTmgNgxkF8OaP
9JsAnj8eQ1b5I2Vj+9ewf69dK+kUHZVs
=HbK+
-----END PGP SIGNATURE-----

BTW, all that extra stuff around the above comment, that's a digital signature. If you had my public key, you could verify it was written by me.

Basically, if you had my private key, you could play man in the middle and change my comment, then re-sign it to look like it came from me.
01/24/2011 02:05:19 PM · #11
Originally posted by Nullix:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am a lumber jack and I'm okay. I sleep all night and I work all day.

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkz1Y0UACgkQk4kRMlh9OuCoRgCfZ/ApXt5iw8HgTmgNgxkF8OaP
9JsAnj8eQ1b5I2Vj+9ewf69dK+kUHZVs
=HbK+
-----END PGP SIGNATURE-----

BTW, all that extra stuff around the above comment, that's a digital signature. If you had my public key, you could verify it was written by me.

Basically, if you had my private key, you could play man in the middle and change my comment, then re-sign it to look like it came from me.


You need to know the passphrase for the private key to use it.
01/24/2011 02:06:13 PM · #12
Originally posted by kirbic:



The fact that it was cracked will only lead Canon to plug the hole, creating an even more secure system.


How can we have 'mo lasses when we ain't had no lasses yet? - Anybody remember Watergate?
01/24/2011 03:24:18 PM · #13
Me: It's valid, I promise!
SC: Cross your heart and hope to die?
01/24/2011 03:25:35 PM · #14
Originally posted by posthumous:

Originally posted by Nullix:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am a lumber jack and I'm okay. I sleep all night and I work all day.

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkz1Y0UACgkQk4kRMlh9OuCoRgCfZ/ApXt5iw8HgTmgNgxkF8OaP
9JsAnj8eQ1b5I2Vj+9ewf69dK+kUHZVs
=HbK+
-----END PGP SIGNATURE-----

BTW, all that extra stuff around the above comment, that's a digital signature. If you had my public key, you could verify it was written by me.

Basically, if you had my private key, you could play man in the middle and change my comment, then re-sign it to look like it came from me.


Bloody poofter!
01/24/2011 06:41:37 PM · #15
LOL at the dead guy.

