Professional Documents
Culture Documents
Content
Case of PKI business Review of Cryptography Review of Steganography Comparing Cryptography and Steganography Cases of Watermarking Visible watermarking Fragile watermarking Robust watermarking (DCT) Content Copyright protection (next batch of note) CSS Case Review of Broadcast encryption HDCP Case Software Copyright Protection
1 2
Discussion Question
Given the known hacking techniques in Lecture 1 and 2 (buffer overflow, CSRF, etc) What kind of company data you can allow your employee to access the company Intranet through ____ ?
1. 2. 3. 4. at office at home using a fixed PC at home using a laptop at an oversea cyber-caf using a laptop
Can you suggest some protection strategy that can make you feel safe?
Is SSL / VPN (Virtual Private Network) enough?
3
When a customer of XYZ, say John, wants to connect to the https server of XYZ
XYZ will send its PKC to Johns browser Using CAs root cert, and Johns PKC, Johns browser will find XYZ public key value, say v1. Johns browser will encrypt one SSL protocol message with v1, and send to XYZ If XYZ is the authentic company, it can decrypt this message and successfully complete the SSL protocol. Successful completion will also establish a session key, say sk1, to be known by both Johns browser and XYZs server.
6
Review of Cryptography
Three popular classes of modern cryptosystems Symmetric Key System (e.g. block cipher) Hash values (or Hash functions) Public Key Cryptography Advanced usage: Combining the above 3 classes Digital signatures Secure protocols (e.g. SSL/TLS, SET) Other schemes (e.g. broadcast encryption for DVD copyright protection) More complicated Math Blind signature, group signature, Secret sharing Zero-knowledge proof
8
Symmetric Encryption
Thomas:
This is a letter
Hash Value
X%*e1kI 4
Encrypt
Decrypt K
Authenticity: Peter knows the cipher is come from Thomas (Thomas has K) Confidentiality: Peter knows the cipher cannot be seen by others (Only Peter and Thomas have K) No non-repudiation property
9
A.k.a. Integrity check value, message digest (MD) An integrity check-value (of a message) is a fixed size data item where its content is depending on ALL bits of that message An specific algorithm is used to produce this check-value from a message. This algorithm can be keyless (D=H(M)) Same message gives the same check-value When some bits in message is modified/added/deleted, the check-value would be different. Thus able to check integrity Mathematically: Given D, it is extremely difficult to find M1 such that H(M1)=D. Given M and D, it is extremely difficult to find M1, such that M1 and M differs by a few bits and H(M1) = D It is extremely difficult to find M1 and M2 such that H(M1) = H(M2)
10
Hash functions
Fixed size (e.g. 160 bits)
Message 1
Hash Fcn
Hash Value 1
Message 2
Hash Fcn
Hash Value 2
Integrity check process A wants to send M to B A computes D=H(M), and sends M,D to B B receives M, D, and computes D=H(M) If D = D, then M and D are not tampered M can also be transmitted in encrypted mode H( ) is known as hash function, or one-way function Popular hash functions are : MD5 (128 bits) SHA-1 (160 bits)
11
12
Hash Value 1
Receiver:
Message 1
Receiver:
Message 1b
Hash Fcn
Hash Value 2
13
Hash Fcn
Hash Value 2
14
Hash Value 2
15
Relationship with CA
17
18
20
When a customer of XYZ, say John, gets a signed applet (call it J1) from web server of XYZ
XYZ will send its PKC to Johns browser Using CAs root cert, and Johns PKC, Johns browser will find XYZ public key value, say v1. Johns browser will use v1 to verify the correctness of the digital signature of J1 If J1 is properly signed by XYZ private key, Johns browser will execute J1.
21
Signed Applet
PKC of S1 B1
Browser
22
Discussion Questions
Can a company, which stores a lot of electronic documents, files, web pages, etc, be able to get rid of all PKI technology? Any advantages of doing so? Any disadvantages of doing so? How can a company prove to a third-party that an electronic document is really created 30 years ago?
When a customer of XYZ, say John, gets a signed eDoc (call it D1) from XYZ
XYZ will send its PKC to Johns computer Using CAs root cert, and Johns PKC, Johns browser will find XYZ public key value, say v1. Johns computer will use v1 to verify the correctness of the digital signature of D1 If D1 is properly signed by XYZ private key, Johns computer will accept D1 is a properly signed e-Doc from XYZ.
23
24
Review of Steganography
Hiding info (small message) in a bigger message (e.g. microdot technology, invisible ink, pin punctures) The smaller the ratio of size of hidden info / size of the big message, the more difficult for the hidden message to be detected by outsiders without knowledge of the steganographic process. Not exactly encryption, but modern steganographic tools can also include encryption as a component One application: watermarking for copyright protection
Steganography (2)
One Drawback : needs a lot of bits to encode a small message But now, the storage are there!! E.g. Kodak Photo CD
max. resolution 2048x3072 pixel (only 6M pixels) each pixel 24 bits RGB color info use least significant bit of each color to encode info hide 2.25 megabyte in one digital snapshot
25
26
Dear George, Greetings to all at Oxford. Many thanks for your letter and for the summer examination package. Simple All Entry Forms and Fees Forms should be Steganography ready e.g. for final despatch to the syndicate by Friday 20th or at the very latest, Im told, by the 21st. Admin has improved here, though theres room for improvement still; just give us all two or three (Source : The Silent more years and well really show you! Please World of Nicholas dont let these wretched 16+ proposals destroy Quinn, by Colin Dexter) your basic O and A pattern. Certainly this sort of change, if implemented immediately, would bring chaos, Sincerely yours,
27
A Chinese Example
What is the secret message?
28
A
(1) A hides please bring machine gun in a photo
29
B
(4) B hides the reply to the 2nd photo
30
Internet
The secret key is 14234
Plenty of opportunities
Due to the extensive use of computer (diversity in software used) Unavoidably : more favorable to subjects performing secret communication
31 32
Steganography Vs Cryptography
Steganography The science of Covered Writing Cryptography The science of Secret Writing
Steg:
Steganography Vs Cryptography
Writing process
secret Big Message Hiding method Big Message with secret
33
34
Strength of cryptography
The encryption method can be known by others The key should not be known by others The key length should be long enough to stand against exhaustive search
35
36
Writing process
Big Message
Reading process
Hiding method
cipher
cipher
Decryption method
38
Spread out the information: One bit of information is diffused into several bits first, before the hiding process. In elaborated term: the split information can be transmitted into several different messages (say, any 5 of the 7 transmitted messages can reconstruct the secret) [Secret sharing]
40
Goals of steganography
Escaping inspection of human users
Store in photos, or the previous simple examples
Hiding the source of a message (to achieve anonymity, so as to avoid the suspicion of having hidden messages)
http://paul.luminos.nl/documents/show_document.php?d=3 16
42
Usage of steganography
Secret communication Commercial reason Political reason Personal privacy reason Criminal offense Downward compatibility of data structures. E.g.: A data structure for photos is used in many applications Some new applications require an extra feature to be transmitted If this new feature is transmitted via steganography, all old software/system need not be changed 43
Visible watermark
The information embedded as a watermark can be almost anything. It can be a bit string representing copyright message, serial number, plain text, etc. Sometimes it can be more useful to embed a visual watermark (e.g. corporate logo) instead of a bit string as a watermark.
46
47
48
Fragile watermarking
A fragile technique often has to possess two features:
it should be vulnerable to even very slight modifications of the watermarked asset; and it should be capable of locating, or even identifying the endured attacks.
RGB
A picture with 20 pixels (in RGB form)
Modern watermarking system framework Let T be the steganographic tool that uses pictures as storage media Assume
Lsb used to store secret message
The hidden message is H The picture used to store H is PIC T uses a pseudo random number generator (a program that can generate a sequence of numbers that looked like random, when supplied with a number called a seed)
53
54
Properties
There is small change of picture quality Design principle: only modify the color of a pixel slightly A larger picture has more choices of pixel positions to store the secret (and the secret can be longer) Modification of the picture might destroy the secret (watermark) To store a longer secret message, you may need to modify bits other than lsb. Picture may be distorted Many picture formats are not storing the RGB values directly. So variations of the mentioned technique are needed.
55
Gifshuffle (www.darkside.com.au/gifshuffle/) Also play with the palette structure of GIF images (Key point 1) Gifshuffle recognized a special order of the colors. Given a picture, it sort the palette according to that order Assume there are n different colors in the palette The n! different permutation of the colors can be used to represent a number from 1 to n!. (Key point 2) Thus, a secret with at most log2(n!) bits can be stored as a special permutation of the palette colors. This scheme will not change the quality of the image!!! (same set of colors are used, the only difference is the order in the palette)
57 58
n = size of an array of balls Put balls b0, b1, b2, bn-1 into the array A[0], A[1], A[n-1] such that the permutation encodes the number m Idea ( 1 ) : Put in the order of bn-1, bn-2, b2, b1, b0 bn-1 is placed in A[0] bn-2 is placed in A[0] or A[1] bn-3 is placed in A[0], or A[1], or A[2] bn-4 is placed in A[ j ], where j is an integer from 0, 1, 2, 3 ... bn-i is placed in A[ j ], where j is an integer from 0, 1, i-1 ... b2 is placed in A[ j ], where j is an integer from 0, 1, n-3 b1 is placed in A[ j ], where j is an integer from 0, 1, n-2 b0 is placed in A[ j ], where j is an integer from 0, 1, n-1 59
div n-2 mn-2 div n-1 mn-1 div n mn = 0 ( must be 0, why? ) div 2 m2
m1
div 3 m3
mod n rn
( encode rn-1 by putting b1 ) r1, r2 r3, rn-2, rn-1, rn are three we want to encode
( encode rn by putting b0 )
The algorithm int m ( m = m0 at the beginning ) for i = 1, 2, 3, n { Calculate ri = m mod i ; Calculate m = m div i ; Encode ri by putting bn-i } Procedure to Encode ri ( a number from 0 to i-1 ) by putting bn-i ( Note : ( 1 ) (2) (3) bn-1 is supposed to be placed in the entry A[ri] the array entry A[0], A[1], A[i-2] are occupied A[i-1] is empty )
To get back the value of m from the permutation array Find rn from the position of b0 Find where is b0 b0 must be in A[rn] so we can know rn Now, remove b0, and reverse the operation of inserting b0 ( i.e. move A[rn+1] to A[rn] A[r ] to A[rn+1] . n+2 . . A[n-1] to A[n-2] ) Find rn-1 from b1 similarly Find rn-2 from b2 similarly . . .
If ri = i-1, { put bn-1 in A[ri] } else { move the ball in A[i-2] to A[i-1] ; move the ball in A[i-3] to A[i-2] ; . . . move the ball in A[ri] to A[ri+1] ; put bn-i in A[ri] } 61
After finding rn, rn-1, rn-2, r2, r1, r0, compute m accordingly 62
( Case 2 ) to A[1]
bn-2
JPHS (http://linux01.gwdg.de/~alatham/stego.html)
JPHIDE & JPSEEK A relatively new tool Use the BlowFish symmetric cipher as the pseudo random number generator Able to hide message in jpeg files (with paraphrase control) Claimed that with a low insertion rate (say <5%) it is impossible to prove the existence of a hidden message Run on Windows and Linux, encourage testing & reporting of results
63 64
bn-1
bn-1
bn-1
. . .
. . .
. . .
bn-2
bn-2
bn-3
bn-1
bn-3
bn-2
bn-3 . . .
bn-1 . . .
bn-1 . . .
processing
Figure :
embedding
extracting
embedded data
stego key
65
66
67
68
70
Structure of elements
At some situations, two elements can contain another. Using this characteristic, we can embed secret data in XML documents. Take an example, if we have two elements which are <fruit> and <favorite> that can contain each other, we use <fruit> containing <favorite> to represent a bit 0 while use <favorite> containing <fruit> to represent a bit 1. We can embed 10 in a XML document by changing its format to : <favorite> <fruit>Orange</fruit> </favorite> <fruit> <favorite>Apple</favorite> </fruit>
Robust watermarking
A robust technique should at least be able to resist the attacks that cause distortions smaller than a certain threshold beyond which the watermarked digital content is greatly degraded. Resists both intentional and inadvertent transformations Capacity degrades as a smooth function of the degradation of the marked content
71 72
An Over-Simplified Idea
Red Vs Blue to encode a bit (1/0)
A red picture is a 1 A blue picture is a 0 All other pictures are having no secret message
Improved version
Cut the picture into 25 grids If the top-left grid is redder than others: a 1 If the top-left grid is bluer than others: a 0 All other situations means no secret message
73
74
A picture with a distorted H is still readable So, the H region is a good place to hide
numbers
75 76
Examples of DCT
data: 0: 153 153 153 153 153 153 153 153 1: 153 153 153 153 153 153 153 153 2: 153 153 153 153 153 153 153 153 3: 153 153 153 153 153 153 153 153 4: 153 153 153 153 153 153 153 153 5: 153 153 153 153 153 153 153 153 6: 153 153 153 153 153 153 153 153 7: 153 153 153 153 153 153 153 153 DCT: 0: 200 0 0 0 0 0 0 0 1: 0 0 0 0 0 0 0 0 2: 0 0 0 0 0 0 0 0 3: 0 0 0 0 0 0 0 0 4: 0 0 0 0 0 0 0 0 5: 0 0 0 0 0 0 0 0 6: 0 0 0 0 0 0 0 0 7: 0 0 0 0 0 0 0 0
Image
80
79
data: 0: 135 135 135 135 135 135 135 135 1: 108 108 108 108 108 108 108 108 2: 157 157 157 157 157 157 157 157 3: 93 93 93 93 93 93 93 93 4: 163 163 163 163 163 163 163 163 5: 99 99 99 99 99 99 99 99 6: 148 148 148 148 148 148 148 148 7: 121 121 121 121 121 121 121 121 DCT: 0: 0 0 0 0 0 0 0 0 1: 0 0 0 0 0 0 0 0 2: 0 0 0 0 0 0 0 0 3: 0 0 0 0 0 0 0 0 4: 0 0 0 0 0 0 0 0 5: 0 0 0 0 0 0 0 0 6: 0 0 0 0 0 0 0 0 7: 200 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 200 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Image
81
82
Watermark embedding
Cox et al asserted that in order for a watermark to be robust, it need to be placed in the most significant part of the image. the watermark will be composed of random numbers drawn from a Gaussian distribution N(0,1) distribution
83
Watermark embedding
General procedure 1. Applying frequency transformation to the data. 2. Computing perceptual mask to highlight the most significant regions in the spectrum that can support the watermark without affecting the image fidelity (V). 3. Inserting the watermark to the image. 4. Inverse DCT
84
Watermark embedding
Watermark Structure
A watermark consists of a sequence of real numbers W= 12K where each value i is chosen independently according to the Gaussian distribution N(0,1).
85
86
Watermark embedding
Insertion
Step 1 - Compute 2-D DCT of image Step 2 Locate K largest coefficients, c1, c2, , cK Step 3 - Embed watermark into the K largest DCT coefficients using:
ci = ci * (1 + i), = 0.1
1 0
TheN1blockof64quantizedcoefficients
88
Watermark embedding
Q: Why K largest coefficients are selected? A:issmall,reducedvisibility Watermarksareembeddedinmultiplefrequency componentswithspatialimpactovertheentire image Attackstendtodegradeimage
Watermark extraction
Step 1 - Compute 2-D DCT of image in question Step 2 - Extract K DCT coefficients from same positions as insertion, c1, c2, ..., cK Step 3 - Compute watermark using: i = ci - ci 1 <= i <= K Step 4 - Compute similarity () of 12K and 12K Step 5 - If is greater than a predefined threshold, the original watermark is present in the image in question
89
90
Problem
In general, watermarks are not a panacea for copyright issues and should not be the sole mechanism used. Consider the following example:
For a given watermarked image, Alice and Bob both claim to be the rightful owners.
0.5470
PrintandScan (RegularPaper)
0.4895
thewatermarkisrobusttomanyattacksand forallattacksexceptrotation
91 92
Problem (cont.)
If the true owner have signed the image with a watermark first, and also hid away the original image and only released the watermarked version to the public. In this case since Bob must have watermarked the image after her, she can prove her ownership by showing her original image that she owns and it does not have Bobs watermark embedded.
93
Problem (cont.)
If some doubt can be created about the true original image, by fabricating an original, the true owner of the image cannot be determined by watermarking alone. Inverse watermark calculation
94
References
[1] Kai Wang, etc. A Comprehensive Survey on Three-Dimensional Mesh Watermarking, IEEE TRANSACTIONS ON MULTIMEDIA, 10(8), pp: 1513-1527, 2008 [2] Abbas Cheddad, etc. Digital image steganography: Survey and analysis of current methods, Signal Processing, 90(3), pp: 727-752, 2010
95
Attacks on Steganography
Technical classification (like cryptographic attacks) File (the message with hidden secret) only attack File and original copy attack Multiple encoded file attack File + algorithm attack Destroy everything attack Random tweaking attack Adding new information to files Reformat attack Compression attack Special attacks: e.g. Mosiac attack on pictures Question: How to destroy a hidden message stored using the gifshuffle software?
96
Original mesh and four examples of attacked meshes: (a) original Rabbit mesh; (b) random noise addition; (c) smoothing; (d) cropping; (e) simplification.
97
Destroying the watermark (to avoid the trace) is easier, to extract it is more difficult
98
99
100
V (victim)
102
What U do
U uses some process monitoring command (e.g. ps in Unix) to monitor the root-privileged process in every 0.1 sec interval If after some time, U discovers a process with the strange execution timing as described in the previous slide, U can extract the 4-bit sequence It is a slow, workable, and hard to detect method Can be combined with other techniques. For example the secret is a system message box handle, so R & U can communicate further in passing memory) The secret is a key to decrypt a file in /tmp directory
104
Discussion Question
user area in O.S.
U R
forks
R*
(says 1011)
Running/runnable
Are there any use to put watermarks in company documents? By using Visible watermark By using Fragile watermark By using Robust watermark
state of R*
sleep