Nikon, Sony and Canon Fight AI Fakes With New Camera Tech (nikkei.com) 109
Nikon, Sony Group and Canon are developing camera technology that embeds digital signatures in images so that they can be distinguished from increasingly sophisticated fakes. From a report: Nikon will offer mirrorless cameras with authentication technology for photojournalists and other professionals. The tamper-resistant digital signatures will include such information as date, time, location and photographer. Such efforts come as ever-more-realistic fakes appear, testing the judgment of content producers and users alike.
An alliance of global news organizations, technology companies and camera makers has launched a web-based tool called Verify for checking images free of charge. If an image has a digital signature, the site displays date, location and other credentials. The digital signatures now share a global standard used by Nikon, Sony and Canon. Japanese companies control around 90% of the global camera market. If an image has been created with artificial intelligence or tampered with, the Verify tool flags it as having "No Content Credentials."
Just Take A Picture Of Your AI With Said Camera. (Score:2)
Problem solved.
Re: Just Take A Picture Of Your AI With Said Camer (Score:2)
If you aren't at the location and time of the photo that would be evident in the metadata, presumably
Re: Just Take A Picture Of Your AI With Said Camer (Score:2)
The timestamp and location data -- assuming they're doing authentication on the fly -- wouldn't match whatever event your AI image is supposed to be of.
Re: (Score:2)
Re: Just Take A Picture Of Your AI With Said Came (Score:2)
Timestamp doesn't match if the signing is done by remote server, which at least some of these services have been doing. Not clear from article how the timestamp is being served... is it just an onboard clock? Or does the image get sent somewhere for signing?
If worked that way, war photogs die at first snap (Score:2)
Timestamp doesn't match if the signing is done by remote server, which at least some of these services have been doing.
A camera that has to be connected to the internet and a remote timeserver/signature generator to record and sign a picture? JUST what I DON'T want to press "take picture" on in a war zone.
Can't you just imagine an automatic "hear the camera talk to the net, identify its location, and hand that to the weapons aiming system" device, and how deploying that would affect war reporting?
Re: (Score:2)
Oops. Not even an attack on the crypto, just utterly low tech "use it as designed". I like it! Unless the camera has GPS, that is.
Re: (Score:2)
Re: (Score:2)
GPS is cryptographically signed, but not the calculated position, just the signals from the satellites. So, yes, valid attack vector although more effort. The other one is using a camera without GPS or that lets you set things manually if GPS is down. Use aluminum foil, for example, to still do this no-tech attack.
Re: (Score:2)
Re: (Score:2)
Ah, no? Maybe read my posting again?
Re: (Score:2)
Ah, no? Maybe read my posting again?
I did. Did you?
The other one is using a camera without GPS
Re: (Score:3)
Obligatory XKCD https://xkcd.com/1814/ [xkcd.com]
Comment removed (Score:3, Informative)
Re:AI (Score:5, Informative)
Until someone will use AI to figure out how the signature is embedded, replicate it.
Are you suggesting AI can now magically guess cryptographic signatures? That would be a real feat for a system that can't count to 5 ;-)
Honestly if that works then we have far bigger concerns than just images.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
The whole point of good cryptography is that the algorithm can be widely known without the system being compromised. I'd have to look at their implementation, but this is probably a fairly standard digital signature system. Basically, the camera takes a hash of the image and encrypts it with a private key. Anyone can decrypt the hash with the published public key and compare it to a hash of the file they received. If the two are identical, it's evidence the image hasn't been tampered with.
Public key c
Re: (Score:2)
Well the signing key must be embedded in the camera, so someone will reverse engineer this and create a tool to sign arbitrary images.
Re: (Score:2)
Like what happened to Nikon Image Authentication, a system that Nikon introduced in 2005 to do precisely this, and which was broken in 2011 by extracting the keys from the camera.
Re: AI (Score:2)
"Create a tool", wait, so this tool uses a hard coded private key you extracted? Ok, so they blacklist that key, because they see it has created over 99% of pictures in existence.
Re: (Score:1)
At least until laws are passed that says all AI images must contain some sort of DRM that if the camera sees it will refuse to take a picture
Nobody has ever written software that breaks a law. Why would someone do such a thing?
What about edited photos (Score:1)
Re:What about edited photos (Score:5, Informative)
Re: (Score:2)
Presumably editing it would break the cryptographic signature just like any other signed file. Also anyone wanting to verify it would probably ask for the verification to be done against the RAW file.
The security you get from a cryptographic signature is based upon the receiver looking at the message and seeing it as comprehensible. This is a simple thing with text as any additions or deletions to match the hashed value would show up as nonsense. With an image, you can subtly change a few pixels to cause a hash collision with the original image and have it be reported as cryptographically the same but the eye will not notice the 'noise'.
TL;DR,Using cryptography to sign images is a LOT more tricky than i
Re: (Score:2)
What's to prevent someone from editing a photo, not just snapping a photo and saying it is real.
That's. ... well. ... umm... the whole point. Digital signatures verify something hasn't changed. Photoshopping obviously invalidates the signature.
Re: (Score:2)
>> Photoshopping obviously invalidates the signature.
As does cropping, rotating, scaling, adjusting contrast, color balance and all the other things that photographers would do to a legit photo before publishing it. So tell me again how this is useful?
Re: (Score:3)
You have to think of it as proof they shot it, not "the finished pic I sell". It's a chain-of-evidence type thing: "I have the original photo and can prove it was a real photo I shot and then made this other thing from."
Re: (Score:2)
>> Photoshopping obviously invalidates the signature.
As does cropping, rotating, scaling, adjusting contrast, color balance and all the other things that photographers would do to a legit photo before publishing it. So tell me again how this is useful?
Indeed if you edit it in any way its entire provenance is gone. That is actually the whole point. You can cryptographically sign edited images too. Other people not so much.
Re: (Score:2)
Re: (Score:2)
As does cropping, rotating, scaling, adjusting contrast, color balance and all the other things that photographers would do to a legit photo before publishing it.
Actually no it doesn't. Yeah advanced edits break the signature, but the ones you list as fundamental in the process of creating and displaying an image and are stored as metadata with RAW files, and can be included as part of the signature. This is how Nikon's previous software worked. You could use either the camera or Nikon's software to make the very edits you're talking about without breaking the cryptographic signature, and the software told you that the image properties changed but the content remain
Re: (Score:2)
Re: (Score:2)
>> Photoshopping obviously invalidates the signature.
As does cropping, rotating, scaling, adjusting contrast, color balance and all the other things that photographers would do to a legit photo before publishing it. So tell me again how this is useful?
Is genuinely useful: if the authenticity of your edited photo is questioned, you can provide the original raw and prove it. I maintain the website for a photography contest, the rules say the jury has the right to request the raws in case they want to clear authenticity.
There is a famous case [extremetech.com] where image forensics had to inspect the raw source and the photographer was finally cleared.
Re: (Score:2)
Re: (Score:2)
Any edit will invalidate the signature.
How does it work? (Score:2)
How long until someone reverse engineers this? (Score:3)
Root problem is that the camera is signing it. Hence, all the crypto is stored in the camera. So, reverse engineering is rather easy.
Re: (Score:3)
Sony got burnt with the theft of PlayStation5 encryption keys https://arstechnica.com/gaming... [arstechnica.com] so they could have made progress in protecting the crypto chips.
Re: (Score:1)
Re: How long until someone reverse engineers this? (Score:2)
A bit different than DeCSS. They could put a different private key in each device. And tie it to your financial transaction when you purchased it. That way, if they see your private key floating around in the wild, they know who to prosecute. (Assuming they have a contract or terms saying don't reverse engineer.)
Re: (Score:2)
Re: (Score:2)
When those owners have control of the physical hardware that is doing the signing, that's a tall order.
This doesn't make sense. PKI is made to be used by people who have access to the hardware. All you need is a unique cert for each camera which is signed by whatever cert. Somebody hacking a single camera would only get the cert specific to that camera which can easily be revoked.
Re: How long until someone reverse engineers this? (Score:2)
Re: (Score:2)
In this case, you also would have to find a way to protect the key from the owners of the camera as well.
No you don't, with properly done PKI you don't need to protect that, the key would be unique for each camera and if the camera gets its own specific cert revoked, so does the cert private key and it becomes useless and won't pass validation as properly signed. Again all they need to implement is a specific unique cert for each camera which is signed by whatever cert and the camera obviously doesn't have the private key of the cert used to sign the camera cert. Nobody needs to have the private key of the sign
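Added example, not part of the thread and not any camera vendor's code: a sketch of the scheme argued over above (hash the image and sign it in the camera, one key and one manufacturer-signed certificate per camera, revocation by serial), run on constructed data. The `DeviceCert` layout, the serial `CAM-0001` and the status strings are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// DeviceCert binds a camera serial to that camera's public key; the
// manufacturer CA signs the binding. Hypothetical layout, not a real format.
type DeviceCert struct {
	Serial    string
	DeviceKey ed25519.PublicKey
	CASig     []byte
}

// SignedImage carries the pixels, the camera's signature and its certificate.
type SignedImage struct {
	Pixels []byte
	Sig    []byte
	Cert   DeviceCert
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func certBody(serial string, key ed25519.PublicKey) []byte {
	return append([]byte("camera-cert|"+serial+"|"), key...)
}

// IssueCert is the factory step; the CA private key never enters a camera.
func IssueCert(caPriv ed25519.PrivateKey, serial string, dev ed25519.PublicKey) DeviceCert {
	return DeviceCert{Serial: serial, DeviceKey: dev, CASig: ed25519.Sign(caPriv, certBody(serial, dev))}
}

// Capture is the camera step: hash the pixels, sign the hash with the device key.
func Capture(devPriv ed25519.PrivateKey, cert DeviceCert, pixels []byte) SignedImage {
	h := sha256.Sum256(pixels)
	return SignedImage{Pixels: pixels, Sig: ed25519.Sign(devPriv, h[:]), Cert: cert}
}

// Verify checks the certificate chain, then revocation, then the image signature.
func Verify(caPub ed25519.PublicKey, revoked map[string]bool, img SignedImage) string {
	c := img.Cert
	if len(c.DeviceKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(caPub, certBody(c.Serial, c.DeviceKey), c.CASig) {
		return "untrusted device certificate"
	}
	if revoked[c.Serial] {
		return "device certificate revoked"
	}
	h := sha256.Sum256(img.Pixels)
	if !ed25519.Verify(c.DeviceKey, h[:], img.Sig) {
		return "image modified after signing"
	}
	return "valid"
}

func Demo() []string {
	caPub, caPriv := newKey()
	devPub, devPriv := newKey()
	cert := IssueCert(caPriv, "CAM-0001", devPub) // constructed serial
	revoked := map[string]bool{}
	photo := Capture(devPriv, cert, []byte("constructed raw sensor data"))
	edited := photo
	edited.Pixels = []byte("constructed raw sensor data, retouched")
	// A key made outside the factory cannot obtain a valid CA signature.
	roguePub, roguePriv := newKey()
	rogue := Capture(roguePriv, IssueCert(roguePriv, "CAM-0001", roguePub), []byte("fake"))
	// A device key extracted from the camera signs anything until revoked.
	forged := Capture(devPriv, cert, []byte("fake signed with extracted key"))
	out := []string{Verify(caPub, revoked, photo), Verify(caPub, revoked, edited),
		Verify(caPub, revoked, rogue), Verify(caPub, revoked, forged)}
	revoked["CAM-0001"] = true
	return append(out, Verify(caPub, revoked, forged), Verify(caPub, revoked, photo))
}

func main() {
	fmt.Println(Demo())
}
```

The last result shows a cost of revoking by serial in this sketch: with no trusted capture time, the camera's genuine earlier photo is rejected along with the forgery.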
Re: (Score:2)
Re: (Score:1)
I don't think this is a huge problem as long as you make the keys specific to each camera. The camera owner can then fake pictures by extracting the key from their camera and using it to sign fakes, but the images are still traceable to their camera. They could also create a signed fake by printing it at sufficiently high resolution and photographing it, which you can never stop. It's not a perfect system, but it substantially raises the bar for creating fakes. The important point is to make fakes trace
Re: (Score:2)
I don't think this is a huge problem as long as you make the keys specific to each camera. The camera owner can then fake pictures by extracting the key from their camera and using it to sign fakes, but the images are still traceable to their camera.
I agree it raises the bar, but that is a double-edged sword since the signed photos would carry more weight as authentic. If the evil owner was careful in how they made the fakes and what they put out (so no bigfoot but realistic, very infrequent, plausible images that are hard to refute without other photos/video of the same event that conflict with them), being signed would lend a lot of credibility to the fake images.
My big concern here is we end up going in a circle. Today we (general public "we") tend
Re: (Score:2)
Re: (Score:2)
Well, they can put in a TPM to make it harder, but unless they have the TPM do the signatures, that does not help either. And even TPMs have been broken by now. But TPMs cost money, so my guess would be the signature key is just right there in the firmware, probably obfuscated in some way.
Re: (Score:2)
No. The root problem is that Sony and Nikon don't make all the cameras. Are you going to claim that every photo taken with, say, your cell phone, is fake?
Re: (Score:2)
No. The root problem is that Sony and Nikon don't make all the cameras. Are you going to claim that every photo taken with, say, your cell phone, is fake?
Are you going to claim they're not?
The proof will fall on you.
Other people will doubt your cell photo, you can't just expect them to "trust me bro".
Previous attempt at this lasted 6 years (Score:5, Informative)
This is not new. Nikon introduced image authentication with the Nikon D2X back in 2005 that used a digital signature tied to the camera's sensor to verify the image. The market for this at the time was digital cameras for forensic analysis with the thought at the time that courts needed some proof that an image hadn't been tampered with. Nikon charged an extortionate 200EUR for the software to verify the signature.
Anyway it was cracked in 2011 at which point a few images were published clearly photoshopped which nonetheless showed as "authentic" when the digital signature was verified.
This sounds like very much the same thing except that it appears to be cross platform. Given the original was cracked due to a bug in a camera firmware, the addition of several more companies makes it all the more likely that this won't last long either.
Re: (Score:3)
Probably only took 6 years because nobody competent was interested. "Secure hardware" is basically a myth these days and a non-secured signature done with a key in firmware should take a competent hardware hacker less than a weekend to get.
Re: (Score:2)
"Secure hardware" is basically a myth these days and a non-secured signature done with a key in firmware should take a competent hardware hacker less than a weekend to get.
Except that is quite easily disproven given how there's virtually no attacks demonstrated on TPM or Secure Enclave, and how the vast majority of exploits involving hardware based security involve finding some bugs in implementation of official software to work around. Hardware security is in fact incredibly resilient, even in popular devices with a large number of "competent hackers" looking at it.
Not only hardware, but software too. You can see that in popular AAA titles with Denuvo taking a really long ti
Re: (Score:1)
Re: Previous attempt at this lasted 6 years (Score:2)
You're assuming the TPM/secure enclave isn't part of the same silicon as which takes the picture.
Re: (Score:2)
You're making a lot of assumptions for something which you haven't seen nor could possibly know how it works. The point is that hardware authentication is a very real thing that is actually quite hard to crack and most exploits historically do not attack it directly.
Re: (Score:2)
Except that is quite easily disproven given how there's virtually no attacks demonstrated on TPM
That took me 5 seconds to find with a search on Yahoo! [arstechnica.com] That one took 3 seconds. [wired.com]
INB4 "Those are side-channel attacks!1!": TPM and the Secure Enclave are designed for remote attestation. Compromising even one of them risks the entire world that depends on them regardless of how that compromise came about. To say nothing about local data that depends on the TPM in the system it's stored on.
how the vast majority of exploits involving hardware based security involve finding some bugs in implementation of official software to work around.
Congrats. You just described every hack ever made. Or do you think that every exploit in active use was intentionally
Re: (Score:2)
That took me 5 seconds to find with a search on Yahoo!
What part of my post are you having problems with? The word virtually? Or the fact that TPM had held up for 12 years by this point?
My point remains unchanged. Hardware attacks are insanely difficult to achieve even in the face of competent people who give a shit about this stuff.
Re: (Score:2)
Except that is quite easily disproven given how there's virtually no attacks demonstrated on TPM or Secure Enclave,
Well, if that were true, sure. It is not true, but due to you, as usual, being badly informed and mouthing off.
Re: (Score:2)
Oh thank god, you should go tell the NSA and CIA who have been desperate to break into iPhones for decades now. You solved it!
Tamper resistant? More like "tamper easy"... (Score:2)
All it takes is to reverse engineer one camera that makes these signatures and really it only requires to extract the signature key. Say, 1 day max for an experienced hardware hacker.
Re: (Score:2)
Re: Tamper resistant? More like "tamper easy"... (Score:2)
What do you achieve if you hack one camera and post the results online? They'd just blacklist your key...
Digimarc? (Score:2)
Most photos are edited (Score:2)
Re: Most photos are edited (Score:2)
legacy camera firmware (Score:2)
Re: (Score:2)
Would be nice if Nikon and Canon released firmware for previous generations of camera to add this functionality.
The camera needs a secure chip or the ability to sign is easy to reverse engineer. That's not something that can be added with just a firmware update.
Re: (Score:3)
Actually, it can be added and such functionality has been added in the past in other contexts. It is, of course, entirely insecure doing that in software. Firmware is far too often crap anyways and the manufacturers do not care. So that is not a hurdle. What is a hurdle is that they will expect you to pay extra.
Didn't Canon try this in the past? (Score:2)
I recall that Canon did add a proprietary system for signing pictures, around 10-15 years ago. However, it needed special parts to verify everything.
These days, whatever the camera makers do, they need to make a common system. It will take some engineering, and it will take more than just GPG signing the picture info. What would be nice is if there were a way to put picture deltas into the image and sign those, so a picture could start with its initial signature on the RAW data (or PNG/JPEG if image qual
Re: (Score:2)
Re: (Score:2)
Exactly. This is why having signing as part of the EXIF standard, so anything, regardless of camera can validate the signature. Downside is who validates that the key on Bob's camera is an actual genuine key from Canon, and not just something used to tack a signature from an AI generated photo or a deepfake? This requires root certificates, a CA system, and a ton of security all the way down (as in root certs in a HSM, etc.) Maybe even a facility for CRLs, so if Charlie's camera is hacked and signatures
Re: (Score:3)
I recall that Canon did add a proprietary system for signing pictures, around 10-15 years ago.
You're thinking of Nikon and it didn't need special parts, those were part of every camera of the time introduced with the D2X. You did need special software and Nikon did try and fuck you over with the $200+ price tag for it.
What would be nice is if there were a way to put picture deltas into the image and sign those
This is how Nikon's system worked. Any option for adjusting the RAW post processing which was capable via the camera was signed independently. The verification software was able to say if the image content changed or just the image properties like contrast, white balance, saturation, e
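Added example, not part of the thread and not Nikon's or Canon's actual format: one way to get the behaviour described above, where sensor data and rendering adjustments are signed separately so a verifier can tell "properties changed" from "content changed". The `Record` layout, the property strings and the status messages are assumptions; the sample data is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Record is a hypothetical signed RAW file: sensor data plus the rendering
// adjustments (crop, white balance, ...) kept as metadata beside it.
type Record struct {
	Content    []byte
	Props      string
	ContentSig []byte // signature over the tagged content digest
	PropsSig   []byte // signature over the tagged properties digest
}

func contentMsg(content []byte) []byte {
	h := sha256.Sum256(content)
	return append([]byte("content|"), h[:]...)
}

// propsMsg binds the adjustments to one image by hashing them together with
// that image's content digest, so they cannot be moved to another image.
func propsMsg(content []byte, props string) []byte {
	h := sha256.Sum256(append(contentMsg(content), props...))
	return append([]byte("props|"), h[:]...)
}

// Sign is the camera step: two signatures, one per part.
func Sign(priv ed25519.PrivateKey, content []byte, props string) Record {
	return Record{
		Content:    content,
		Props:      props,
		ContentSig: ed25519.Sign(priv, contentMsg(content)),
		PropsSig:   ed25519.Sign(priv, propsMsg(content, props)),
	}
}

// Check reports which part, if any, differs from what the camera signed.
func Check(pub ed25519.PublicKey, r Record) string {
	if !ed25519.Verify(pub, contentMsg(r.Content), r.ContentSig) {
		return "content changed"
	}
	if !ed25519.Verify(pub, propsMsg(r.Content, r.Props), r.PropsSig) {
		return "content intact, properties changed"
	}
	return "content and properties as captured"
}

func Demo() []string {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	a := Sign(priv, []byte("constructed sensor data A"), "wb=daylight;crop=none")
	b := Sign(priv, []byte("constructed sensor data B"), "wb=tungsten;crop=16:9")

	adjusted := a // re-rendered with new adjustments, sensor data untouched
	adjusted.Props = "wb=cloudy;crop=none"

	retouched := a // sensor data itself altered
	retouched.Content = []byte("constructed sensor data A, object removed")

	moved := a // adjustments and their valid signature lifted from image B
	moved.Props, moved.PropsSig = b.Props, b.PropsSig

	return []string{Check(pub, a), Check(pub, adjusted), Check(pub, retouched), Check(pub, moved)}
}

func main() {
	fmt.Println(Demo())
}
```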
Re: (Score:2)
You're thinking of Nikon and it didn't need special parts, those were part of every camera of the time introduced with the D2X. You did need special software and Nikon did try and fuck you over with the $200+ price tag for it.
Canon did the same too, all the way back. It was a bit of metadata and could be verified using Canon Data Verification Kit. (Three versions, DVK-E1, DVK-E2, OSK-E3). I think it was also phased out because it was based on a key shared across all cameras. I couldn't really find info on
i seen lots of top notch AI images (Score:2)
Excellent concept until it's not (Score:1)
Analog hole (Score:2)
Just make fake image, display it on your laptop and photo laptop screen with this "fake-resistant" camera.
You can also use GPS jamming technology to fake location, but in most cases it is enough to place your laptop couple of blocks from the place of event you fake.
Re: (Score:2)
Just make fake image, display it on your laptop and photo laptop screen with this "fake-resistant" camera.
Obligatory XKCD for you https://xkcd.com/1814/ [xkcd.com]
It's clear you've never taken a photo of a screen before.
Re: (Score:2)
Fundamentally no way to win this one (Score:3)
What will happen if I display an AI-generated image on a large TV screen, then take a carefully-framed photo of that screen?
What about GPS? GPS simulators (with time/date/trajectory replay) are a bit pricey (it's a somewhat niche market) but they definitely exist.
As for the date/time... unless the camera sets the date/time via GPS, *and* that signal is somehow authenticated (which it isn't, in the civilian world), *and* the camera implements some kind of anti-rollback protection for the RTC, this is going to be a tough one at best (and it's arguably the least interesting piece of metadata to protect).
And even then, what are the digital signatures really proving? That the given scene was captured by the camera? So what? I could project a mural onto a white wall, or hire actors, etc.
Re: (Score:2)
The article clearly states this will counter edited or fake images. Much of the Facebook 'news' about the wars in Israel and Ukraine came from FPS computer games.
Your plan won't work because the date and location signature will be wrong.
Re: Fundamentally no way to win this one (Score:3)
Will the photo auth technology raise the barrier for passing off faked RAWs as genuine? Yes. Will it actually provide assurance that a photo is of what is being claimed? Absolutely not.
Then again, that'
Re:Fundamentally no way to win this one (Score:4, Interesting)
Just look at the problem this is trying to solve: We can't even get people to validate TLS certs for website connections / software / email / etc. And you think that having a big green lock icon next to an image is somehow going to fix "deepfakes"? Hell, we had to get rid of the lock icon in web browsers. And there are plenty of ways around this proposed solution as to make it just as (un)reliable.
The problem isn't the software, firmware, or hardware. It's the wetware that refuses to look at reality with any level of objectivity or facts-based reasoning, and then getting violent towards others because of what they thought up on their own.
I'm guessing (Score:2)
I'm guessing this is steganography. So, flip each bit in the image and see if the signature changes. (Aside: One would use changing block-sizes, similar to quicksort, to avoid long byte arrays that don't contain signature data.) After mapping which bits belong to the signature, it's possible to replace all other bits in the image. Cameras having limited processing power means the map is the same (or there will be a not-encoded map number in the signature) for all cameras (with that CPU). Then, generati
CA fiascos (Score:2)
after all these years, the best we can come up with is still just trusting some server somewhere?
https://sslmate.com/resources/... [sslmate.com]
Re:This won't work. (Score:5, Informative)
Because AI can't just magically crack cryptographic signatures. If it could we'd have a very big fucking problem on our hands.
Re: (Score:2)
Indeed. Most people have no clue what "AI" can and cannot do and believe it is "magic" somehow. It is not.
Re: (Score:1)
From TFA:
In 2022, Intel developed technology to determine whether an image is authentic by analyzing skin color changes that indicate blood flow under subjects' skin.
Great, now all we have to do is use this tool to train the AI. "Randomly modify the image until the authentication tool accepts the result as an authentic photo. Find three similar photos and modify them the same way to verify the modification works on similar photos. Save the modification method for future use."
If you give everyone a tool to check for fakes, someone will find a combination of steps that bypass it.
Re: (Score:2)
>> If you give everyone a tool to check for fakes, someone will find a combination of steps that bypass it.
That's not how signatures work.
Re: This won't work. (Score:2)
True. Signatures can't be cracked if all you have is the public key to verify them. Unfortunately, the cameras themselves have the private key used to create the signatures in the first place. So it is possible to create fake signatures.
Re: This won't work. (Score:2)
You can staple it shut and at least make this a difficult task. Generate the signatures on the actual sensor's silicon. And use secure chip methods for the private key. (Such that it can't easily ever be written out.)
Re: (Score:1)
That's not how signatures work.
There have always been people who say that about something or other, especially in Computer technology. How this stuff works is irrelevant; it will eventually be cracked/circumvented/back-doored. But it buys time until the next method, perhaps a lot of time. (I'll add that Leica has this as well in the M11-P, if you're inclined to spend that amount of money on a very nice camera. Available at some value of "now".) I'll stick to my MP because I'm into it for different reasons. Mostly to prove daily that it
Re: (Score:2)
That's not how signatures work.
Very true. However, the tool Intel created was designed to analyze the skin tones in photograph itself for inconsistencies, as opposed to the watermark signature that the camera makers are proposing.
Re: (Score:2)
Because AI can't just magically crack cryptographic signatures. If it could we'd have a very big fucking problem on our hands.
I mean, it’s possible that AI could discover a novel mathematical means for expediting the process of cracking a key. Researchers already find such methods every now and again, but you’re quite right that it can’t suddenly change how math works to intuit the answers instantly.
Re: (Score:2)
The novel mathematical means here would involve proving some of the most fundamental math problems we have in computer science. I don't have any hopes in AI here. So far AI has been used to optimise for some mathematical problems but the results have been iterative at best. I don't think we need to worry about a new algorithm breaking hashes in 7.4x10^50 years instead of 7.4x10^51 years :-)
But what about... (Score:1)
...QUANTUM AI? Bet you never thought of THAT!!!
Re:This won't work. (Score:4, Insightful)
The inability to crack cryptography.
But on the OTHER HAND, one could use such a camera to photograph an AI-generated image, and so long as they can get a clean enough shot (without reflections or other distortion), the image would be cryptographically signed to insist that yes, indeed, you did indeed photograph Elmo beheading a US soldier as a member of ISIS. ;)
Re: (Score:2)
Re: (Score:2)
If it's the scheme known as CAI, there's not much to keep anyone from adding fake credentials:
https://hackaday.com/2023/11/3... [hackaday.com]