Although the image manipulation was widely used in the analog age, the digital technology made it much more convenient. To enhance the credibility of photographic evidence, many Canon DSLR cameras have the originality verification function:

Original image verification data becomes embedded in every image shot with a compatible camera. Original Data Security Utility quickly verifies the originality of an image by isolating the image from the verification data and comparing the two with utmost accuracy.

Today (2010-11-30) Dmitry Sklyarov explained how the Canon’s Original Decision Data feature works and how it can be broken. That is how he have created edited photos that successfully pass the authenticity verification.

As usual in such cases, it turned out that cryptography was used incorrectly: the original decision data (ODD, there are several different versions) is calculated by an obscure sequence of hash and HMAC operations with a secret key, which depends on the camera model and public data (e.g., BodyID stored in EXIF). Since the camera firmware can be dumped and an attacker can even run his own code on the camera processor, it is easy for the attacker to forge the ODD.

Software obfuscation and security thru obscurity can hinder an attacker for a while, but without a cryptoprocessor that can protect the secret key, there is nothing Cannon can do. Of course, it would be even better to use the public-key cryptography, so that breaking a single camera would not allow an attacker to forge images of all the cameras of the same model.

By the way, if the name of the authors seems familiar it is most likely because he is the Russian cryptanalyst who was arrested on 2001-07-16, after giving a presentation called “eBook’s Security — Theory and Practice” at the DEF CON convention in Las Vegas.