cryptographic signature

2 Articles

A PCR machine with its side cover taken off exposing its guts, and the tray extended out

Making A PCR Machine Crypto Sign Its Results

March 1, 2025 by 20 Comments

Money, status, or even survival – there’s no shortage of incentives for faking results in the scientific community. What can we do to prevent it, or at least make it noticeable? One possible solution is cryptographic signing of measurement results.

Here’s a proof-of-concept from [Clement Heyd] and [Arbion Halili]. They took a ThermoFisher Scientific 7500 Fast PCR (Polymerase Chain Reaction) machine, isolated its daughter-software, and confined it into a pipeline that automatically signs each result with help of a HSM (Hardware Security Module).

A many machines do, this one has to be paired to a PC, running bespoke software. This one’s running Windows XP, at least! The software got shoved into a heavily isolated virtual machine running XP, protected by TEE (Trusted Execution Environment). The software’s output is now piped into a data diode virtual serial port out of the VM, immediately signed with the HSM, and signed data is accessible through a read-only interface. Want to verify the results’ authenticity? Check them against the system’s public key, and you’re golden – in theory.

This design is just a part of the puzzle, given a typical chain of custody for samples in medical research, but it’s a solid start – and it happens to help make the Windows XP setup more resilient, too.

Wondering what PCR testing is good for? Tons of things all over the medical field, for instance, we’ve talked about PCR in a fair bit of detail in this article about COVID-19 testing. We’ve also covered a number of hacker-built PCR and PCR-enabling machines, from deceivingly simple to reasonably complex!

A Camera That Signs Off Your Pictures

November 20, 2023 by 38 Comments

We’ll admit we’ve kicked around the idea of a camera that digitally signs a picture so you could prove it hasn’t been altered and things like the time and place the photo was taken for years. Apparently, products are starting to hit the market, and Spectrum reports on a Leica that, though it will set you back nearly $10,000, can produce pictures with cryptographic signatures.

This isn’t something Leica made up. In 2019, a consortium known as the Content Authenticity Initiative set out to establish a standard for this sort of thing. The founders are no surprise: The New York Times, Adobe, and Twitter. There are 200 companies involved now, although Twitter — now X — has left.

The problem, the post notes, is that software support is limited. There are only a few programs that recognize and process digital signatures. That’ll change, of course, and — we imagine — if you needed to prove the provenance of a photo in court, you’d just buy the right software you needed.

We haven’t dug into the technology, but presumably keeping the private key secure will be very important. The consortium is clear that the technology is not about managing rights, and it is possible to label a picture anonymously. The signature can identify if an image was taken with a camera or generated by AI and details about how it was taken. It also can detect any attempt to tamper with the image. Compliant programs can make modifications, but they will be traceable through the cryptographic record.

Will it work? Probably. Can it be broken? We don’t know, but we wouldn’t bet that it couldn’t without a lot more reading. PDF signatures can be hacked. Our experience is that not much is truly unhackable.