by EPWN3D 3 days ago
"Crack the hash"? Does this mean you were employing some novel hashing algorithm and relying on its secrecy? If so your employer were never serious about security in the first place. Hardware attestation is more or less a solved problem, and that solution does not involve secret algorithms.

Eh. It was some kind of hash of the image. I was not involved in that project, so can't tell you exactly how it worked, but the images were "signed," and someone figured out how to "re-sign" an altered image.

I think it was a fairly well-known technique.

Which still sounds like your employer was simply incompetent because why was any type of perceptual hashing scheme even involved?

Signing digital data with hardware secure tokens is a commodity capability in the iPhone many of HN's users are reading this site with.

> your employer was simply incompetent

You’re probably right. This is easy, basic stuff that any recent college grad can do with their eyes closed.

I think this has been around for not so long

https://en.wikipedia.org/wiki/Content_Authenticity_Initiativ...

Sure but conceptually no one should've been able to crack any hashing scheme anyone half-way decent at their job could come up with. SHA256 is the default and it's unbroken. Even SHA1 has scant few known collisions. So like...what the heck were they hashing and how was anyone able to crack it?

Maybe it's more like the hash was a well known secure hash but someone managed to extract the salt/private key/signing certificate from the camera?

Most likely is either extracting the private key from the camera or getting the camera to sign arbitrary data. If the signing isn't part of the sensor die itself there's a bus where the image data gets transferred from sensor to signer, so an attacker can inject arbitrary data onto that bus to get it signed, even though they never actually extract the signing key.

This was quite a while before that.
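
An added example, not part of the thread and not any camera vendor's code: it contrasts the unkeyed "hash of the image" with a keyed tag, and shows why a keyed tag proves only that the signer processed those bytes, not that the sensor captured them. The `Signer` class, the sample byte strings and the use of HMAC-SHA256 as a stand-in for a hardware-backed asymmetric signature are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data, not from any real camera.
ORIGINAL = b"constructed-raw-image-bytes-0001"
ALTERED = b"constructed-raw-image-bytes-EDIT"


def digest_tag(image: bytes) -> bytes:
    """Unkeyed 'signature': a plain SHA-256 of the image."""
    return hashlib.sha256(image).digest()


def verify_digest(image: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(digest_tag(image), tag)


class Signer:
    """Hypothetical in-camera signer. HMAC-SHA256 stands in for a
    hardware-backed signature; the key never leaves this object."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def sign(self, bus_data: bytes) -> bytes:
        # Signs whatever arrives on the bus; it cannot tell where it came from.
        return hmac.new(self._key, bus_data, hashlib.sha256).digest()

    def verify(self, image: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.sign(image), tag)


def run_cases() -> dict:
    signer = Signer()
    keyed_tag = signer.sign(ORIGINAL)
    return {
        # Anyone can recompute an unkeyed hash, so an altered image "re-signs".
        "digest_resigned_altered": verify_digest(ALTERED, digest_tag(ALTERED)),
        # The original tags do not cover the altered bytes in either scheme.
        "digest_old_tag_on_altered": verify_digest(ALTERED, digest_tag(ORIGINAL)),
        "keyed_old_tag_on_altered": signer.verify(ALTERED, keyed_tag),
        # Without the key, a recomputed plain hash is not a valid keyed tag.
        "keyed_tag_without_key": signer.verify(ALTERED, digest_tag(ALTERED)),
        # Bytes fed to the signer get a valid tag: key intact, provenance not.
        "keyed_bus_input_verifies": signer.verify(ALTERED, signer.sign(ALTERED)),
    }
```

The last case is why verification alone cannot establish provenance when the signer sits behind an unauthenticated bus: the tag is valid and the key was never extracted.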