Schneier on Security
A blog covering security and security technology.
« Xbox Security |
| UK Border Security »
August 11, 2005
The MD5 Defense
This is interesting:
A team of Chinese maths enthusiasts have thrown NSW's speed cameras system into disarray by cracking the technology used to store data about errant motorists.
The NRMA has called for a full audit of the way the state's 110 enforcement cameras are used after a motorist escaped a conviction by claiming that data was vulnerable to hackers.
A Sydney magistrate, Laurence Lawson, threw out the case because the Roads and Traffic Authority failed to find an expert to testify that its speed camera images were secure.
The motorist's defence lawyer, Denis Mirabilis, argued successfully that an algorithm known as MD5, which is used to store the time, date, place, numberplate and speed of cars caught on camera, was a discredited piece of technology.
It's true that MD5 is broken. On the other hand, it's almost certainly true that the speed cameras were correct. If there's any lesson here, it's that theoretical security is important in legal proceedings.
I think that's a good thing.
Posted on August 11, 2005 at 7:52 AM
• 41 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"On the other hand, it's almost certainly true that the speed cameras were correct. If there's any lesson here, it's that theoretical security is important in legal proceedings."
This is very much the case. I'm not aware of what the standard of proof is in US criminal cases but here in the UK proof must be "beyond reasonable doubt". And this means exactly what it says - the very slightest evidence that casts doubt on the proof that the accused person is guilty will almost always lead to a verdict of innocence.
Information security of any kind is of paramount importance in any legal proceedings.
It's the same standard in the US, but slightest doubt is different from reasonable doubt.
We used to have a system like that in the US, too. That whole "it's better for ten guilty men to go free than to deprive one innocent man of his freedom" bit seemed a tad too old-fashioned, though.
I remember that when the original 'SHA-1 is broken' discussion came up on here, there was confusion, and Bruce had to explain 'broken' in the mathematical context. It's likely that nobody in that courtroom will really understand the actual implications of 'MD5 broken'. Let's just hope they get some quality expert witnesses.
Not very many people really understand the details of DNA testing. They understand a person with lots of letters after their name saying 'one chance in ten billion'.
if YOU were that one innocent man, I'll bet you won't think it too old-fashioned THEN.
Above post was to Stephen, NOT Darkfire.
Sorry to be dim here, but has the weakness demonstrated in MD5 given an attacker the ability to construct a file that hashes to the same hash as a target? There are many implementations where the attacker chooses the two files, so the weakness can be exploited to make two apparently different files have the same hash ( a collision ) - but surely the issue here is that the speeding camera produces a picture, which has a hash, and the challenge is to produce a picture that looks almost identical, but shows the car travelling under the speed limit - and has the same hash as the first. Trivial, if you can produce both pictures, but still difficult if you cannot choose the bitstream that makes up the first picture - or have I got it wrong here?
re the meaning of a hash collision inthe photo
They could show that it is possible to produce a picture with a different license plate number than the accused's vehicle, or a different speed, or just add enough pixellation to make it look like the plate number was edited
The real meaning here isn't that theoretical security is important - it's that if you rely on technical security measures, you must expect to defend them. RTA had no expert to testify, so the defense won.
I wonder what would have happened if the cameras had been built without using any checksums at all.
I think the burden on the defence would suddenly shift from having to demonstrate that it would be possible (and likely, or at least likely enough) for someone to successfully tamper with the chain of evidence, rather than just proving that it is possible to fake a single checksum somewhere along the process.
Maybe sometimes you're better off with no security measures at all rather than a half-hearted attempt.
The degree of proof for traffic court in the US, I believe, is preponderance of the evidence. You only need to show something is more likely to be true than not. I imagine that the Australian system is similiar. Beyond a reasonable doubt is usually reserved for criminal cases.
Things like this show that it really is time to design court systems where dockets are assigned by bailiwick, and judges make an effort to educate themselves on the forensic sciences. How long before some judge is hoodwinked into letting a defendant off the hook because evidence was contaminated by tachions?
That's brilliant. Good Point.
Aren't traffic offenses criminal? You can be brought to jail for speeding, running red lights and stop signs. Even parking, I believe if you don't pay the tickets can land you a warrant for arrest. Is the criminal charge just failure to pay the fines in that case, or the original parking violation?
This in an Australian incident, therefor nothing to do with US law.
There will be no more witnesses, as the 3rd paragraph quoted says, the case has already been thrown out.
Traffic offenses are generally infractions, which are closer to rule breaking than law-breaking is commonly perceived. There is no right to trial by jury in the case of infractions, because you cannot be sent to jail for them (at least in California). You can be arrested for not paying the fine, but that's contempt of court, which *is* a criminal matter. There are driving matters such as reckless driving and driving while intoxicated which are criminal matters, but these depend on additional circumstances and the degree of danger to other drivers.
As I read it, this case isn't about the security of a hash function, or how gullable the court was -- this is a case where one party failed to present any evidence, and so lost by default!
It is often true that not having a security measure is better than having it half-hearted because the half-hearted approach gives the deceiving feeling that you're more secure.
I concurr with your conclusion. I remember a particular case where, during the normal procedings at the start of trial, a traffic-court defendant was asked if he was an "expert" witness. The defendant said no. During the trial, the defendant tried to explain in VERY simple terms how the properties of radar are significantly impacted by weather and environmental interference. The prosecution responded by accusing the defendant of being an "expert" and unfairly citing information they were not prepared to answer. I am not a legal expert, and I'm not sure if I am representing this fairly, but I will never forget the judge immediately dismissing all the technical, yet relevant, evidence of the defendant and ruling against him. One man's "reasonable" level of knowledge was said to be another man's "exceptional" talent.
Often the practice of law can seem so embroiled in details of the process itself (and fallability of the judges), that the subject of the dispute is never actually addressed. So the real lesson from many legal decisions is to make certain you know the rules of engagement if you expect to actually debate the facts, and to ensure you know the history/leanings of the judge if you want to understand what they consider "reasonable".
Or, as the first cited article put it:
"a lawyer acting on [RTA's] behalf indicated he'd only been briefed the day before and he wasn't in a position to proceed".
This really does not mean a thing in court to the validity of MD5 or other hashing, nor does it say what the judge would have thought of testimony about MD5, although we might already have formed our own opinions. It does not look good for the RTA to be so unprepared, but that does not mean that it is impossible to demonstrate the accuracy of surveillance data.
Of course the opposing side will say all sorts of fire-brand in-your-face victory stuff like "it appears that the RTA is unable to prove any contested speed camera matter because of a lack of admissible evidence".
That's true in this case and it is the nature of lawyers trying to build credibility for their side by doing anything they can to paint a very specific version of "certainty". But I can't help but wonder about this statement:
"RTA lawyers yesterday told Hornsby Local Court they could not find an expert and the case was thrown out"
Is there a shortage down-under? This is good news for security professionals as they might now actually get to be involved in some of the relevant technology in their area of expertise. Shame on the RTA for not having an expert involved from the beginning, since any number of mitigating controls could have also demonstrated validity of the evidence.
Bruce, what would you have said if they called you to testify? Can you back up the statement that "it's almost certainly true that the speed cameras were correct"?
"the half-hearted approach gives the deceiving feeling that you're more secure"
And this false hope, also known as "snake oil", can be very costly, often to the point of prohibiting later changes that would be more useful or perhaps even required for survival.
@ Darkfire, Bill, Stephen
Re: Reasonable Doubt
The term itself has lost meaning here in the U.S. "Reasonable Doubt" is taken by many people to mean "beyond the shadow of a doubt", which is not what the standard is at all.
One such debate, currently being played out in courts, legislatures, and legal journals, concerns the definition of "proof beyond a reasonable doubt" for American juries. The definition matters because jury instructions must correctly convey legal concepts to lay jurors in language they readily understand so that they can properly and consistently apply the correct rule of law. And whether or not juries appropriately apply the law is nothing less than the question of whether justice is served, for inappropriate readings of the reasonable doubt standard may result in the conviction of innocent defendants or the acquittal of guilty persons. Further, the social value that underwrites this burden of proof, often summed up in the claim that "it is better to let ten guilty men go free than to convict an innocent man," will be corrupted if jurors systematically apply a standard lower than proof beyond a reasonable doubt.
It is better to let ten guilty people go free than to convict an innocent man. However, it's probably not a good idea to let 999,999 guilty people go free rather than convict an innocent man.
(fwiw, this is why the death penalty should be a no-no, because you can't reverse it should you find out that the one guy out of 999,999 was innocent.)
People hear one (perhaps admittedly compelling) argument against a single piece of evidence in a complex case, and regard that as "reasonable doubt". This is not what the standard is supposed to be in any wise.
When you serve on a jury, the judge tells you what the definition of "reasonable doubt" is -> it's supposed to be the same level of doubt that you would have about any ordinary interaction that you might have any day, not a fantastical "well, aliens *could* have been controlling his mind!" level of doubt :)
My father tells a story about a co-worker who got out of a speeding ticket by claiming that the radar gun couldn't have possibly worked. It was back in the seventies when radar guns were still new, and the co-worker in question was a physicist. He basically argued that the conditions on the road were so variable that they would have had to recalibrate every day for changes in lighting, landscaping, and so on; the judge bought it and acquitted him.
This sort of strikes me as a modern version of that...
Well, any case that diminishes the automatic presumption of guilt because of automated enforcement is a good thing.
In the US, I've always wondered what constitutes a "single act" of speeding and if they could put unmarked speeding ticket cameras every block and get you multiple times for the same trip.
Chaps, I'm still confused - can anyone please answer the below?
I hand you a picture (say .jpg, or .png. or tiff or whatever) that hashes (MD5) to a particular value.
Can you, *in reasonable time* - say a couple of days - produce for me a picture that is substantially similar - that *also* has the *same* hash?
That, to me, is the crux - not whether I can produce two pictures hashing to a value I choose - which is what can be done now.
I.e. can I, in reasonable time, produce a collision with *any* given hash value (and, more to the point, do it with a file that isn't random garbage?)?
@ Brent Dax
Exactly. Although some judges believe radar (and especially laser) to be infallible, others seriously question the technology...which is why you not only need to know the facts, but you need to know who you are dealing with in order to convince them that your interepretation of the facts is correct.
Radar was debatable in its early days, but after enough cases regarding the limits and advances in technology (ad nauseum) everyone was able to argue on more common ground. Encryption is far away from that day in the sun, it seems.
On the other hand, if you're extremely motivated (e.g. an extremist) you might just try to stack the deck in your favor by virulently attacking and or replacing current judges/sherrifs/legislators:
Are there judges who have a record of ruling against the use of weak hasing algorithms yet? Recent regulations/laws such as Visa CISP and SB1386 will most certainly put encryption defense to the test in the courts...
Look at it this way, say your brother just got shot by someone and a security camera recorded the whole thing. The suspect argues in similar manner in court that the system uses MD5 and gets off the hook. You think the justice happened? The US law system is famous for letting proven (beyond reasonable doubt) criminals get off the hook because of some irrelevant nitpicking.
I don't think anybody has accomplished that for e.g. jpg images. The most "satisfying" proof of concept I've seen discussed was a postscript file, but which took advantage of specific features of that format.
On the other hand, document formats like TIFF have a lot of wiggle room. I know there are comment fields that the user may not notice, and I'm pretty sure it's possible to simply insert arbitrary data that won't affect the appearance of the image at all (but which can be used to change the hash value).
One post I saw on slashdot mentioned that the problem could be that you could just create a new picture and add a new MD5 hash. There wasn't any digital signature that traced the pictures back to the camera.
Violations of traffic laws are not considered crimes. And as such, you do not get the same level of protection as in criminal cases. You are presumed guilty until proven innocent. If you get a speeding ticket then you have to pay unless you can convince a judge that you weren't speeding.
"... will almost always lead to a verdict of innocence."
Just a slight correction. The verdict would be 'not guilty'. Not quite the same thing as 'innocent'. I'm sure an innocence verdict would be more satisfying unfortunately it's not attainable.
Yes I ment "not guilty" I was just using job speak.
Continuing the subject of "beyond reasonable doubt", I've seen murderers be aquitted because the only witness was a vagrant heroin addict. I've seen rapists be aquitted because the victim was an ex-call girl....
Credibility is all important. And hence we have the role of expert witnesses. This can and does lead to difficulties. For example, (without being too condescending) how may people on an average jury would understant the nuances of argument & counter-argument regarding the quality of a given encryption algorythm? Not many I would wager.
Defence lawyers... I often wonder how they sleep at night...
This is NOT an MD5 issue! If you can change the image why not just replace it and generate an entirely new hash? Who cares if MD5 is broken or not? It's to do with chain of custody and the box being tamper proof. If we trust the police did not change the photo and we trust the box has not been tampered with then its all good. The purpose of the hash is to make sure nothing is modified "accidently" or by computer error.
Thanks for the reply. I think I have seen the same Postscipt demo - but again, the attacker was able to create *both* documents. As far as I can tell, and nobody has contradicted me, it is still difficult to generate a document that hashes to a given hash value.
To talk hypothetically: if the speeding camera keeps an independent log of the MD5 hashes of the pictures it has taken, then comparing the hash of the picture shown in court to the hash logged by the camera 'demonstrates' it is the same picture. Unless you can produce a differing picture with the same hash value as logged by the camera, you are out of luck. So the problem is to generate a picture that shows your 'innocence', as it has the same hash value as shown on the independent log - you don't get to choose what the hash value is.
Note, I am speaking hypothetically here, and have no knowledge of how the Australian speeding cameras record pictures; whether they keep an independent log; or whether thet have some other 'chain of evidence preservation' mechanism.
I hope i've made the problem clear.
Hmm... You make an interesting & to my mind valid point. I'm not sure of what the situation is in Australia. In this country speed cameras issue automated penalty tickets that are sent in the post to the offenders. The offender then has 3 options:
1) Do nothing. Not very smart as the charge increases after 28 days.
2) Pay the fine & get the driving license endorsed with the penalty points.
3) Challenge the fine. In this case the offender will then be issued with a court date and has access to all the relevant legal benefits.
The vast majority of people will just pay the fine and be done with it. If however they elect to have their day in the Magistrates Court, *then* the issue of evidential integrity becomes important.
Darkfire is incorrect... In the UK there are three possible verdicts. Guilty, Not Guilty and Not Proven. Of course you can only be "Not Proven" in Scotland so that's probably why he is confused.
Not Proven simply means that neither side managed to prove their case sufficiently well. It is usually considered to be "Guilty but they didn't have enough evidence" but it really does mean that their are doubts either way.
"On the other hand, it's almost certainly true that the speed cameras were correct."
Actually, it isn't certain at all. A little background for those reading this out of context. Speed cameras in New South Wales (and in Victoria) are currently a matter of significant public controversy, due to poor maintenance leading to poor reliability. Every few weeks there is a news story about someone receiving a fine for an impossible infraction, and the RTA (which operates them) refusing to yield to common sense. One camera recently was found to be photographing ~every~ vehicle that passed it, ~none~ of which were speeding. In another case, a certain fleet owner simultaneously received fines for every vehicle in his fleet, all of which were supposedly over the speed limit by ~exactly~ the same amount, and at least one of which was physically impossible. Another camera clocked a truck at nearly 100 km/hr, but the photograph showed the truck stopped in grid-locked traffic with its brake lights on; that fine was eventually dropped, but only after expensive appeals. Only a couple of percent of appeals are successful.
Additionally, the RTA recently admitted that in several "fixed camera" locations (as it happens, some of the few that are genuine accident "black spots") the cameras have been permanently turned off because their error rates have become unmanageable and there is no budget for repairing them.
No less a "radical activist" than the Rt. Hon. John Anderson, Deputy Prime Minister and Federal Minister for Transport, has criticised state government speed camera policies as being purely revenue raisers which have had no effect on public safety, while breeding distrust and cynicism. (Source: "The Sunday Age", 30th May 2004)
In this environment, a number of anti-camera activists have arisen, and the lawyer presenting the MD5 case is one of the better known among these.
As an unrelated additional point, I am rather skeptical about MD5 being involved at all; the main newspaper article covering the story included a copy of the infringement photograph (in the off-line version only, sorry), with the alleged MD5 hash highlighted. It was 48 hex characters, with the top 8 set to zeroes. That leaves 160 active bits in a 192 bit field. Maybe DSA, but more likely SHA-1 (perhaps as an HMAC, who knows) with room for expansion to SHA-192. But at any rate, too many bits for MD5.
I wonder if the lawyers and judge(s) involved in this case had as much sense as the reporters who wrote the linked article.
So far my understanding is that the entire MD5 "algorithm" is published on each picture (but they don't say if it was a C/C++ implementation or just pseudo-code!). The RTA had to prove that "the MD5 algorithm was accurate and could not be tampered with".
No doubt if lawyers start spewing crap like this in the courtroom it'll be down to a smooth-talker competition to see which side pursuaded the even less clued-in judge.
Now, back to reality. MD5 has a very specific vulnerability which, in my understanding, has no relevance here. Clearly this recently discovered vulnerability immediately invalidates every single speeding photograph taken over a decade before the vulnerability was discovered.
Hang on a second... was MD5 even invented, letalone adopted by the RTA, fifteen years ago? It would be a most amusing demonstration of incompetence if it wasn't even MD5 that was used, as Roger pointed out.
More importantly than all of this, if we stop nitpicking and assume the article meant an MD5 *hash* is published on each photo (as opposed to the algorithm itself) that raises the interesting question of *WTF*?
1. You can't hash an image an include the hash in the image without changing the hash.
2. Including the hash alongside the image, outside of the hashed area (maybe in a header or footer area?) is virtually useless because if someone can tamper with the photo then they can even more easily replace the hash with a correct hash of the edited photo.
I wish the media and legal system would get a clue. This reminds me of the Microsoft Anti-Trust lawsuit and that clueless Jackson.
This is similar to someone defending if a bank can be robbed.
Yes, I can rent a crane with a wrecking ball and smash my way in... and take money out.
The truth is that millions and millions of people could get tickets and maybe one would be in error.
should we waste our time on such a trivial thing?
Two points I would raise here:
1) There have been plenty of doubts raised over the accuracy of fixed digital speed cameras in NSW. Most of these appear are realted to the piezo technology employed. In Melbourne, Victoria, they turned off all the speed cameras when it was discovered that the devices were claimin impossible speeds for passing motorists!
2) The burden of proof in NSW for fixed speed camera offences is on the motorist, i.e. guilty until proven innocent.
I am recently involved in some discussions the MD5 issue in terms of reviewing the design of a camera used for capturing licence plate number and scene image of a vehicle. The image is captured to produce evidence for the infringement processing people to fine a motorist who has failed to pay a toll. With incresaing number of electronic toll roads in NSW this is going to be a interesting story in the years to come. Can someone throw light how the MD% encryption on the cmaera image i sone and whether it can be tampered?
Re Speed Cameras. As an exchange of money takes place, these devices fall under the National Measurement Act.
IE Theyre used for Trade Measurement.
The trade measurement act in effect says: All devices must be tested to the Trade Measurement act standards. Federal laws override state laws BING0.
Now there is also the position that "notoriously accurate devices" under common law can have their evidence admitted to courts. This is overcome by alternative evidence, which allows testing of the devices accuracy.EG Electrical interference from cellular phones police transmitters, Cellular towers, microwave ovens, but an "expert witness" in these fields is expensive. State test do not even come close to scientific
testing, and since these devices are old technology, even a mobile phone can set these off and create wrong readings. Try pointing a camera at a microwave oven...
Its time to re invent a proper camera which can have legal evidence tendered these one have been challenged by Jerry Simotas in the Goulburn court an he won. They withdrew their charge..
Happy motoring but drive safely.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.