ECOM 6031

Fundamentals of e-Commerce Security

(Dr KP Chow, Dr Lucas Hui)

Content
Case of PKI business Review of Cryptography Review of Steganography Comparing Cryptography and Steganography Cases of Watermarking Visible watermarking Fragile watermarking Robust watermarking (DCT) Content Copyright protection (next batch of note) CSS Case Review of Broadcast encryption HDCP Case Software Copyright Protection
1 2

Lecture 3: Protecting Documents and Content

Dr Lucas Hui (CYC307, 28592190, hui@cs.hku.hk)

Discussion Question
Given the known hacking techniques in Lecture 1 and 2 (buffer overflow, CSRF, etc) What kind of company data you can allow your employee to access the company Intranet through ____ ?
1. 2. 3. 4. at office at home using a fixed PC at home using a laptop at an oversea cyber-caf using a laptop

Case of PKI business

Certification Authorities (CA) are big organizations E.g. Verisign (the first CA in the world) CA earns money by selling: Private key and Public Key Key-pairs Private key may be sold in special hardware Public key are stored In the form of a Public Key Certificate Informally, some people say a CA sells Public Key Certificates What kinds of PKC (Public Key Certificate) are popular?

Can you suggest some protection strategy that can make you feel safe?
Is SSL / VPN (Virtual Private Network) enough?
3

What kinds of PKC are popular?

SSL Certificates (a company wants to provide https services to potential customers, they need to buy a PKC (and private key in hardware) Digital Signature signing keys (and PKC) Can be used for Java applet to be downloaded to customers machine Can be used for providing electronic documents digital signatures (provide non-repudiation protection to (normal) customers) E.g. Signing engineering drawings (for electronic tendering documents)

Short Review of SSL

CA provides its root certificate to the browsers The XYZ company wants to provide https services to customers
XYZ will buy a Public Key Certificate (and of course the corresponding private key) from the CA

When a customer of XYZ, say John, wants to connect to the https server of XYZ
XYZ will send its PKC to Johns browser Using CAs root cert, and Johns PKC, Johns browser will find XYZ public key value, say v1. Johns browser will encrypt one SSL protocol message with v1, and send to XYZ If XYZ is the authentic company, it can decrypt this message and successfully complete the SSL protocol. Successful completion will also establish a session key, say sk1, to be known by both Johns browser and XYZs server.
6

Short Review of SSL (2)

After that, all communications between Johns browser and XYZs server, will be encrypted by sk1. (The SSL record protocol) No external parties can listen to plaintext of those communications This encryption is done by Symmetic Cryptography

Review of Cryptography
Three popular classes of modern cryptosystems Symmetric Key System (e.g. block cipher) Hash values (or Hash functions) Public Key Cryptography Advanced usage: Combining the above 3 classes Digital signatures Secure protocols (e.g. SSL/TLS, SET) Other schemes (e.g. broadcast encryption for DVD copyright protection) More complicated Math Blind signature, group signature, Secret sharing Zero-knowledge proof
8

Symmetric Encryption
Thomas:
This is a letter

Hash Value
X%*e1kI 4

Encrypt

K (enc/dec key) Peter:

X%*e1kI 4 This is a letter

Decrypt K

Authenticity: Peter knows the cipher is come from Thomas (Thomas has K) Confidentiality: Peter knows the cipher cannot be seen by others (Only Peter and Thomas have K) No non-repudiation property
9

A.k.a. Integrity check value, message digest (MD) An integrity check-value (of a message) is a fixed size data item where its content is depending on ALL bits of that message An specific algorithm is used to produce this check-value from a message. This algorithm can be keyless (D=H(M)) Same message gives the same check-value When some bits in message is modified/added/deleted, the check-value would be different. Thus able to check integrity Mathematically: Given D, it is extremely difficult to find M1 such that H(M1)=D. Given M and D, it is extremely difficult to find M1, such that M1 and M differs by a few bits and H(M1) = D It is extremely difficult to find M1 and M2 such that H(M1) = H(M2)
10

Hash functions
Fixed size (e.g. 160 bits)

Message 1

Hash Fcn

Hash Value 1

Message 2

Hash Fcn

Hash Value 2

Integrity check process A wants to send M to B A computes D=H(M), and sends M,D to B B receives M, D, and computes D=H(M) If D = D, then M and D are not tampered M can also be transmitted in encrypted mode H( ) is known as hash function, or one-way function Popular hash functions are : MD5 (128 bits) SHA-1 (160 bits)

11

12

Hash function Usage 1

Sender: Message 1
Hash Fcn

Hash fcn Usage 1: More popular version

Sender: Hash Value 1 Hash Value 1 Same ? Encrypted Msg 1a Msg 1a Message 1b
Hash Fcn

Hash Value 1

Receiver:

Message 1

Receiver:

Message 1b

Hash Value 1 Same ?

Hash Fcn

Hash Value 2
13

Note: Encryption & Decryption are needed to process Msg 1a

Hash Fcn

Hash Value 2
14

Hash function Usage 2

File System: File 1
Hash Fcn

Public Key Cryptography

Hash Value 1 Each user has a private key, and a public key The private key and public key form a key pair The public key is managed by Certification Authority (CA) Authentication in SSL style
Secure Socket Layer, or the new name TLS: Transport Layer Security: authenticating a web site to the user User gets the public key of the web site (verified by the pre-set root certificates in the browser) User uses the public key to encrypt an SSL protocol message, and sends to the web site If the web site is real, it can decrypt the message (using the private key) and continue the protocol. Otherwise the connection fails. Authenticated via the user has the power of decryption

Same ? File Integrity Check Program:

Hash Fcn

Hash Value 2
15

Data Encryption (similar to Above)

16

Relationship with CA

Use of Data Encryption

(Confidentiality, but no authenticity)

17

18

Use of Digital Signature

Authentication using digital signature Usually comes with challenge-response protocol A wants to prove its identity to B B sends A a message (usually with some random content, some timing content) A uses its private key to sign on the message, creating a digital signature A sends the digital signature to B (usually as a signed message) B verifies the digital signature, and authenticates A Non-repudiation property: B can keep the digital signature as evidence that A had been talking to B.
More accurate: the owner of As private key had been talking to B
19

(authenticity, non-repudiation, but no confidentiality)

20

Short Review of Signed Applet

CA provides its root certificate to the browsers The XYZ company wants to provide signed applets to customers
XYZ will buy a Public Key Certificate (and of course the corresponding private key) from the CA

Business of PKC (signed Applet case)

S1 has a private key, set up by CA Server (S1) S1 has a Cert of S1, issued by Big Brother B1

When a customer of XYZ, say John, gets a signed applet (call it J1) from web server of XYZ
XYZ will send its PKC to Johns browser Using CAs root cert, and Johns PKC, Johns browser will find XYZ public key value, say v1. Johns browser will use v1 to verify the correctness of the digital signature of J1 If J1 is properly signed by XYZ private key, Johns browser will execute J1.
21

Root Cert cert. of Big Brother (CA)

Signed Applet

PKC of S1 B1

B1 is my customer, Trust him!

Browser

22

Short Review of Signed e-Doc

CA provides its root certificate to the browsers The XYZ company wants to provide signed e-Doc to customers
XYZ will buy a Public Key Certificate (and of course the corresponding private key) from the CA

Discussion Questions
Can a company, which stores a lot of electronic documents, files, web pages, etc, be able to get rid of all PKI technology? Any advantages of doing so? Any disadvantages of doing so? How can a company prove to a third-party that an electronic document is really created 30 years ago?

When a customer of XYZ, say John, gets a signed eDoc (call it D1) from XYZ
XYZ will send its PKC to Johns computer Using CAs root cert, and Johns PKC, Johns browser will find XYZ public key value, say v1. Johns computer will use v1 to verify the correctness of the digital signature of D1 If D1 is properly signed by XYZ private key, Johns computer will accept D1 is a properly signed e-Doc from XYZ.
23

24

Review of Steganography
Hiding info (small message) in a bigger message (e.g. microdot technology, invisible ink, pin punctures) The smaller the ratio of size of hidden info / size of the big message, the more difficult for the hidden message to be detected by outsiders without knowledge of the steganographic process. Not exactly encryption, but modern steganographic tools can also include encryption as a component One application: watermarking for copyright protection

Steganography (2)
One Drawback : needs a lot of bits to encode a small message But now, the storage are there!! E.g. Kodak Photo CD
max. resolution 2048x3072 pixel (only 6M pixels) each pixel 24 bits RGB color info use least significant bit of each color to encode info hide 2.25 megabyte in one digital snapshot

25

26

Dear George, Greetings to all at Oxford. Many thanks for your letter and for the summer examination package. Simple All Entry Forms and Fees Forms should be Steganography ready e.g. for final despatch to the syndicate by Friday 20th or at the very latest, Im told, by the 21st. Admin has improved here, though theres room for improvement still; just give us all two or three (Source : The Silent more years and well really show you! Please World of Nicholas dont let these wretched 16+ proposals destroy Quinn, by Colin Dexter) your basic O and A pattern. Certainly this sort of change, if implemented immediately, would bring chaos, Sincerely yours,
27

A Chinese Example
What is the secret message?

28

Ancient Spartan Method

What is the secret message?

Two terrorists (A & B) using a newsgroup

newsgroup (2) A posts the photo to the newsgroup (3) B extracts the message

Secret Communication example case

(5) B posts the 2nd photo to newsgroup

A
(1) A hides please bring machine gun in a photo
29

B
(4) B hides the reply to the 2nd photo

30

Modern Simple Idea

Question: what is hidden inside this diagram?

Other simple ideas

Comments in HTML documents Flipping of [,] and [;] in a document White Space characters File name of a temporary file (e.g tmp14357.txt) File protection status of a special file
E.g. in Unix: -r-xrwx-w- is an unusual setting

Internet
The secret key is 14234

Plenty of opportunities
Due to the extensive use of computer (diversity in software used) Unavoidably : more favorable to subjects performing secret communication
31 32

Steganography Vs Cryptography
Steganography The science of Covered Writing Cryptography The science of Secret Writing
Steg:

Steganography Vs Cryptography
Writing process
secret Big Message Hiding method Big Message with secret

Cryp: secret Encryption key Encryption method cipher

33

34

Steganography Vs Cryptography (2)

Reading process
Steg: secret Extracting method Big Message with secret

Steganography Vs Cryptography (3)

Strength of steganography
the hiding method is not known by others

Strength of cryptography
The encryption method can be known by others The key should not be known by others The key length should be long enough to stand against exhaustive search

Cryp: secret Decryption key Decryption method cipher

35

36

Writing process
Big Message

Combining Steganography & Cryptography

Big Message with cipher

Reading process

Combining Steganography & Cryptography (2)

Big Message with cipher

Hiding method

Extracting method secret

cipher

cipher

secret Encryption key

Encryption method Decryption key

37

Decryption method

38

Abstract list of related techniques

Hide the information as Some noise in another object (e.g. color variation in photos, sound files, video clips) The order of a list of randomly-ordered items (e.g. supermarket receipts) Random numbers that appear naturally in an object (e.g. the random scars on the skin of a monster in a computer game picture)
39

Abstract list of related techniques (2)

Spread out the information: One bit of information is diffused into several bits first, before the hiding process. In elaborated term: the split information can be transmitted into several different messages (say, any 5 of the 7 transmitted messages can reconstruct the secret) [Secret sharing]

40

Abstract list of related techniques (3)

Adopt a statistical profile (e.g. generating random English words that preserve the letter count statistic) Not so important in modern Internet world (there are too many data that are random in nature, e.g. message id, a piece of cloud in a diagram) Adopt a structural profile (e.g. reconstructing the sentence grammar structure, and replacing a verb/noun with similar meaning).
can Vs be able to copy Vs make a copy of

Goals of steganography
Escaping inspection of human users
Store in photos, or the previous simple examples

Reinforcing the concept of copyright protection

Discourage e-doc users to perform illegal copying

(Variant forms) Escaping inspection of automatic computing filters

To ensure human being (in web registration process) In SPAM email subjects, to avoid filtering Ref:
http://captchas.net/

Hiding the source of a message (to achieve anonymity, so as to avoid the suspicion of having hidden messages)

http://paul.luminos.nl/documents/show_document.php?d=3 16

Just carrier of extra messages

41

Extra data fields without changing older systems

42

Usage of steganography
Secret communication Commercial reason Political reason Personal privacy reason Criminal offense Downward compatibility of data structures. E.g.: A data structure for photos is used in many applications Some new applications require an extra feature to be transmitted If this new feature is transmitted via steganography, all old software/system need not be changed 43

Usage of steganography (2)

Storing watermarks for copyright protection of digital contents
The secret message is the serial number, of some ID of the buyers Strong watermarks : those that are not easily destroyed. Mainly for tracking the e-document flow Weak watermarks: those that can be destroyed easily (say by photocopying). E-document authentication (e.g. storing the digital signature of the authors)
44

Cases of Digital Watermarking

Visible watermark Not a steganographic technique. Just a way to put a mark in a picture Fragile watermark It is not detectable after the slightest modification Commonly used for tamper detection (integrity proof) Called semi-fragile if it resists benign transformation, but fails detection after malignant transformation Robust watermark Resists a lot of transformation
45

Visible watermark
The information embedded as a watermark can be almost anything. It can be a bit string representing copyright message, serial number, plain text, etc. Sometimes it can be more useful to embed a visual watermark (e.g. corporate logo) instead of a bit string as a watermark.

46

Example of 8*8 visual watermark

Eg. Of Visible Watermark

Source:
Web site of the uMark Software http://www.uconomix.com/Products/uMark/Def ault.aspx

47

48

Fragile watermarking
A fragile technique often has to possess two features:
it should be vulnerable to even very slight modifications of the watermarked asset; and it should be capable of locating, or even identifying the endured attacks.

Using Pictures to store secret

Modern Digital pictures has a lot of pixels. Each pixel are represented by some bits (e.g. a pixel is represented as three 8-bit numbers, denoting the level of Red, Green, Blue color) The lsb (least significant bit) of each 8-bit number has minimal effect on the color of that pixel Concept: use the lsb of each color to store the secret Example secret is 101100 (a 6-bit secret) Use some scheme to select 2 pixels in a picture For the first pixel, set the lsb of Red color to 1, lsb of Green color to 0, lsb of Blue color to 1. For the second pixel, set the lsb of Red color to 1, lsb of Green color to 0, lsb of Blue color to 0.
49 50

RGB
A picture with 20 pixels (in RGB form)

Modern watermarking system framework Let T be the steganographic tool that uses pictures as storage media Assume
Lsb used to store secret message

10110011 01101010 00110101

The hidden message is H The picture used to store H is PIC T uses a pseudo random number generator (a program that can generate a sequence of numbers that looked like random, when supplied with a number called a seed)

Blue color value Green color value Red color value

51 52

To store hidden message using T

User chooses a paraphrase, say I love you T transforms I love you to a seed, and use the pseudo random number generator to generate a set of random positions in PIC (call this set S) Construct an error-correction code representation of H (called it H*) Put the bits of H* as least significant bit in positions of PIC (determined by S)

To get hidden message using T

User (the one who want to read H) provides the same paraphrase, (I love you). T transforms I love you to a seed, and use the pseudo random number generator to generate a set of random positions in PIC (call this set S) Extract H* from the l.s.b. positions determined by S Extract H from H* (this works even if some errors exist)

53

54

Properties
There is small change of picture quality Design principle: only modify the color of a pixel slightly A larger picture has more choices of pixel positions to store the secret (and the secret can be longer) Modification of the picture might destroy the secret (watermark) To store a longer secret message, you may need to modify bits other than lsb. Picture may be distorted Many picture formats are not storing the RGB values directly. So variations of the mentioned technique are needed.
55

E.g. on Steganographic Tools (1)

Stego (www.stego.com) Storing the secret at the lsb of pixels (in a GIF image) GIF using a palette, with each entry stores the RGB values Each pixel stores an index to a palette entry. The color of the pixel is the color of that entry Use the lsb of the index in a pixel to store the secret Key step: Sort the palette, according to an order of colors such that neighboring palette entries store very similar colors (details of this order is not discussed). After the above step, changing the lsb of each pixels index will not change the color a lot.
56

GIF image (20 pixels) with palette

index 00000000 00000001

E.g. on Steganographic Tools (2)

palette

01101100 01101101 01101101

index value (lsb is used to store secret in stego)

10110011 01101010 00110101

Gifshuffle (www.darkside.com.au/gifshuffle/) Also play with the palette structure of GIF images (Key point 1) Gifshuffle recognized a special order of the colors. Given a picture, it sort the palette according to that order Assume there are n different colors in the palette The n! different permutation of the colors can be used to represent a number from 1 to n!. (Key point 2) Thus, a secret with at most log2(n!) bits can be stored as a special permutation of the palette colors. This scheme will not change the quality of the image!!! (same set of colors are used, the only difference is the order in the palette)
57 58

Putting n balls in array A [ 0, n-1 ] m = a number from 0 to n!-1

Idea ( 2 ) : Consider all the sequence of number m = m0, m1, mn

m0 = m div 1 mod 1 0 = r1 mod 2 r2 mod 3 r3

n = size of an array of balls Put balls b0, b1, b2, bn-1 into the array A[0], A[1], A[n-1] such that the permutation encodes the number m Idea ( 1 ) : Put in the order of bn-1, bn-2, b2, b1, b0 bn-1 is placed in A[0] bn-2 is placed in A[0] or A[1] bn-3 is placed in A[0], or A[1], or A[2] bn-4 is placed in A[ j ], where j is an integer from 0, 1, 2, 3 ... bn-i is placed in A[ j ], where j is an integer from 0, 1, i-1 ... b2 is placed in A[ j ], where j is an integer from 0, 1, n-3 b1 is placed in A[ j ], where j is an integer from 0, 1, n-2 b0 is placed in A[ j ], where j is an integer from 0, 1, n-1 59
div n-2 mn-2 div n-1 mn-1 div n mn = 0 ( must be 0, why? ) div 2 m2

m1

( encode r1 by putting bn-1 ) ( encode r2 by putting bn-2 )

How to use a permutation (of items) to represent a number?

mn-3

div 3 m3

( encode r3 by putting bn-3 )

mod n-2 rn-2 mod n-1 rn-1

mod n rn

( encode rn-1 by putting b1 ) r1, r2 r3, rn-2, rn-1, rn are three we want to encode

( encode rn by putting b0 )

Example [ try n = 3, m = 3!-1 =5 ] 60

The algorithm int m ( m = m0 at the beginning ) for i = 1, 2, 3, n { Calculate ri = m mod i ; Calculate m = m div i ; Encode ri by putting bn-i } Procedure to Encode ri ( a number from 0 to i-1 ) by putting bn-i ( Note : ( 1 ) (2) (3) bn-1 is supposed to be placed in the entry A[ri] the array entry A[0], A[1], A[i-2] are occupied A[i-1] is empty )

To get back the value of m from the permutation array Find rn from the position of b0 Find where is b0 b0 must be in A[rn] so we can know rn Now, remove b0, and reverse the operation of inserting b0 ( i.e. move A[rn+1] to A[rn] A[r ] to A[rn+1] . n+2 . . A[n-1] to A[n-2] ) Find rn-1 from b1 similarly Find rn-2 from b2 similarly . . .

If ri = i-1, { put bn-1 in A[ri] } else { move the ball in A[i-2] to A[i-1] ; move the ball in A[i-3] to A[i-2] ; . . . move the ball in A[ri] to A[ri+1] ; put bn-i in A[ri] } 61

After finding rn, rn-1, rn-2, r2, r1, r0, compute m accordingly 62

Some examples of inserting bn-3

( Case 1 ) to A[2]
bn-2

E.g. on Steganographic Tools (3)

( Case 3 ) to A[0]
bn-2

( Case 2 ) to A[1]
bn-2

JPHS (http://linux01.gwdg.de/~alatham/stego.html)
JPHIDE & JPSEEK A relatively new tool Use the BlowFish symmetric cipher as the pseudo random number generator Able to hide message in jpeg files (with paraphrase control) Claimed that with a low insertion rate (say <5%) it is impossible to prove the existence of a hidden message Run on Windows and Linux, encourage testing & reporting of results
63 64

A[0] A[1] A[2]

A[0] A[1] A[2]

A[0] A[1] A[2]

bn-1

bn-1

bn-1

. . .

. . .

. . .

bn-2

bn-2

bn-3

bn-1

bn-3

bn-2

bn-3 . . .

bn-1 . . .

bn-1 . . .

E.g. on Steganographic Tools (4)

wbStego (http://wbstego.wbailer.com/)
Text-based steganography for XML documents The text marked up the content using tags are called XML documents, the structure of the XML documents are defined in DTD files and the style is described in XSL files.

processing

Figure :

Approach of Steganography in XML document

DTD XSLT stego data XML document

cover data XML document

embedding

transmitting stego data XML document

extracting

embedded data

embedded data stego key

stego key

65

66

Representation of empty elements

The representation of an empty element can be either a start tag immediately followed by an end tag or an empty element tag. By switching these two equivalent forms, we can embed secret data without altering the content and validity of the documents. Take an example, if we use <img></img> to represent a bit 0 while we use <img /> to represent a bit 1, the resulting document after we insert a 01 message to it should be : <img src=a.jpg></img> <img src=2.jpg />

White spaces in tags

XML parser will ignore the space adding to adjacent side of the element inside a tag. We can make use of this characteristic to embed secret message and preserve the validity of the documents. Take an example, we represent a bit 1 by adding a white space to the element while adding no spaces is used to represent a bit 0. We can represent the secret message 101100 010011 by (Can you find it?) : <user > <name>Alice</name > <id >01</id> </user> <user> <name >Bob</name> <id>02</id > </user >

67

68

Appearing order of the elements

Take an example, we represent a bit 0 by put the element <name> in front of element <id>, but we represent a bit 1 by putting the element <id> before of element <name>. There the following data is used to represent 01. <user> <name>Alice</name> <id>01</id> </user> <user> <id>02</id> <name>Bob</id> </user>
69

Appearing order of the attributes

In XML, the order of attributes of an element does not have any effect on the content and meaning of the documents. Using this characteristic, we cab embed secret data in XML documents by exchanging the order of attributes. Take an example, we have an element <event> which has two attributes day and month. If we put the day attribute in front of the month attribute, this represents a bit 0; otherwise this represents a bit 1. The following data is used to represent 10. <event month=9 day=12>My birthday</event> <event day=1 month=1>New Year</event>

70

Structure of elements
At some situations, two elements can contain another. Using this characteristic, we can embed secret data in XML documents. Take an example, if we have two elements which are <fruit> and <favorite> that can contain each other, we use <fruit> containing <favorite> to represent a bit 0 while use <favorite> containing <fruit> to represent a bit 1. We can embed 10 in a XML document by changing its format to : <favorite> <fruit>Orange</fruit> </favorite> <fruit> <favorite>Apple</favorite> </fruit>

Robust watermarking
A robust technique should at least be able to resist the attacks that cause distortions smaller than a certain threshold beyond which the watermarked digital content is greatly degraded. Resists both intentional and inadvertent transformations Capacity degrades as a smooth function of the degradation of the marked content
71 72

A generic watermarking framework in media files Media file Hidden

(big message) Some transformation Parameter extraction Parameter insertion Inverse transformation A parameter (e.g. a correlation) Parameter modification Modified parameter message

An Over-Simplified Idea
Red Vs Blue to encode a bit (1/0)
A red picture is a 1 A blue picture is a 0 All other pictures are having no secret message

Improved version
Cut the picture into 25 grids If the top-left grid is redder than others: a 1 If the top-left grid is bluer than others: a 0 All other situations means no secret message

Media file with watermark

73

74

Over-Simplified Idea (2)

Another improved version
Cut the picture into 25 grids Use Error-Correction-Code to store the secret bit in 5 (or any other number) grids

Idea: DCT Watermarking

Music has high frequency (H), median frequency (M), low frequency (L) A section of music, with distortion at H, is still recognizable by listeners Pictures also have H, M, L
Roughly, rapid change of color is H

Other improvements (which will evolve into a real steganographic systems):

Use other transformation parameters rather than Red/Blue Increase the number of grids Encode the bit into grids of different positions Encode multiple bits Add encryption

A picture with a distorted H is still readable So, the H region is a good place to hide
numbers
75 76

DCT-based robust watermarking

Discrete Cosine Transform (DCT) The 2D-DCT cannot only concentrate the main information of original image into the smallest low-frequency coefficient, but also it can cause the image blocking effect being the smallest, which can realize the good compromise between the information centralizing and the computing complication. So it obtains the wide spreading application in the compression coding.
77

Discrete Cosine Transformation (DCT)

The DCT has become the standard method for image compression Represents an image as a sum of sinusoids of varying magnitudes and frequencies typically the image is divided into 8x8 pixel blocks, where each block is transformed into 64 transform coefficients For most images, most of the visually significant information about the image is concentrated in just a few coefficients
78

Examples of DCT
data: 0: 153 153 153 153 153 153 153 153 1: 153 153 153 153 153 153 153 153 2: 153 153 153 153 153 153 153 153 3: 153 153 153 153 153 153 153 153 4: 153 153 153 153 153 153 153 153 5: 153 153 153 153 153 153 153 153 6: 153 153 153 153 153 153 153 153 7: 153 153 153 153 153 153 153 153 DCT: 0: 200 0 0 0 0 0 0 0 1: 0 0 0 0 0 0 0 0 2: 0 0 0 0 0 0 0 0 3: 0 0 0 0 0 0 0 0 4: 0 0 0 0 0 0 0 0 5: 0 0 0 0 0 0 0 0 6: 0 0 0 0 0 0 0 0 7: 0 0 0 0 0 0 0 0

Image
80

79

Examples of DCT (cont.)

data: 0: 135 108 157 93 163 99 148 121 1: 135 108 157 93 163 99 148 121 2: 135 108 157 93 163 99 148 121 3: 135 108 157 93 163 99 148 121 4: 135 108 157 93 163 99 148 121 5: 135 108 157 93 163 99 148 121 6: 135 108 157 93 163 99 148 121 7: 135 108 157 93 163 99 148 121 DCT: 0: 0 1: 0 2: 0 3: 0 4: 0 5: 0 6: 0 7: 0

data: 0: 135 135 135 135 135 135 135 135 1: 108 108 108 108 108 108 108 108 2: 157 157 157 157 157 157 157 157 3: 93 93 93 93 93 93 93 93 4: 163 163 163 163 163 163 163 163 5: 99 99 99 99 99 99 99 99 6: 148 148 148 148 148 148 148 148 7: 121 121 121 121 121 121 121 121 DCT: 0: 0 0 0 0 0 0 0 0 1: 0 0 0 0 0 0 0 0 2: 0 0 0 0 0 0 0 0 3: 0 0 0 0 0 0 0 0 4: 0 0 0 0 0 0 0 0 5: 0 0 0 0 0 0 0 0 6: 0 0 0 0 0 0 0 0 7: 200 0 0 0 0 0 0 0

Examples of DCT (cont.)

0 0 0 0 0 0 0 0

0 0 0 0 0 0 0 0

0 0 0 0 0 0 0 0

0 0 0 0 0 0 0 0

0 0 0 0 0 0 0 0

0 200 0 0 0 0 0 0 0 0 0 0 0 0 0 0

Image
81

82

Watermark embedding
Cox et al asserted that in order for a watermark to be robust, it need to be placed in the most significant part of the image. the watermark will be composed of random numbers drawn from a Gaussian distribution N(0,1) distribution
83

Watermark embedding
General procedure 1. Applying frequency transformation to the data. 2. Computing perceptual mask to highlight the most significant regions in the spectrum that can support the watermark without affecting the image fidelity (V). 3. Inserting the watermark to the image. 4. Inverse DCT

84

Watermark embedding
Watermark Structure
A watermark consists of a sequence of real numbers W= 12K where each value i is chosen independently according to the Gaussian distribution N(0,1).

85

86

Watermark embedding
Insertion

E.g. of Watermark embedding

Step 1 - Compute 2-D DCT of image Step 2 Locate K largest coefficients, c1, c2, , cK Step 3 - Embed watermark into the K largest DCT coefficients using:
ci = ci * (1 + i), = 0.1

1 0

Step 4 - Convert the inverse DCT of the results from step 3

87

TheN1blockof64quantizedcoefficients

88

Watermark embedding
Q: Why K largest coefficients are selected? A:issmall,reducedvisibility Watermarksareembeddedinmultiplefrequency componentswithspatialimpactovertheentire image Attackstendtodegradeimage

Watermark extraction
Step 1 - Compute 2-D DCT of image in question Step 2 - Extract K DCT coefficients from same positions as insertion, c1, c2, ..., cK Step 3 - Compute watermark using: i = ci - ci 1 <= i <= K Step 4 - Compute similarity () of 12K and 12K Step 5 - If is greater than a predefined threshold, the original watermark is present in the image in question

89

90

Some values for attacks

Attack JPEGCompression Smoothing Contrast Enhancement PrintandScan (Photopaper) 0.9945 0.8390 0.5210 Noise Rotation Blurring Attack 0.8230 0.3113 0.8074

Problem
In general, watermarks are not a panacea for copyright issues and should not be the sole mechanism used. Consider the following example:
For a given watermarked image, Alice and Bob both claim to be the rightful owners.

0.5470

PrintandScan (RegularPaper)

0.4895

thewatermarkisrobusttomanyattacksand forallattacksexceptrotation
91 92

Problem (cont.)
If the true owner have signed the image with a watermark first, and also hid away the original image and only released the watermarked version to the public. In this case since Bob must have watermarked the image after her, she can prove her ownership by showing her original image that she owns and it does not have Bobs watermark embedded.
93

Problem (cont.)
If some doubt can be created about the true original image, by fabricating an original, the true owner of the image cannot be determined by watermarking alone. Inverse watermark calculation
94

References
[1] Kai Wang, etc. A Comprehensive Survey on Three-Dimensional Mesh Watermarking, IEEE TRANSACTIONS ON MULTIMEDIA, 10(8), pp: 1513-1527, 2008 [2] Abbas Cheddad, etc. Digital image steganography: Survey and analysis of current methods, Signal Processing, 90(3), pp: 727-752, 2010
95

Attacks on Steganography
Technical classification (like cryptographic attacks) File (the message with hidden secret) only attack File and original copy attack Multiple encoded file attack File + algorithm attack Destroy everything attack Random tweaking attack Adding new information to files Reformat attack Compression attack Special attacks: e.g. Mosiac attack on pictures Question: How to destroy a hidden message stored using the gifshuffle software?
96

Example of attacks (in 3D case)

A more concept framework

3 main approaches
(the hacker) adds additional watermark to the file, to make the original watermark unrecognizable Perform transformation to file (e.g. rotation, reformatting, re-sizing to photos) to destroy the watermark Find multiple files (with different watermarks), by comparing them, find the knowledge of watermark, and remove it

Original mesh and four examples of attacked meshes: (a) original Rabbit mesh; (b) random noise addition; (c) smoothing; (d) cropping; (e) simplification.
97

Destroying the watermark (to avoid the trace) is easier, to extract it is more difficult
98

Practical attack method e.g. 1

StirMark (http://www.cl.cam.ac.uk/~mgk25/stirmark.html)
A generic tool to test robustness of image watermarking algorithms To the image, StirMark applies same kinds of errors into the image, including stretch, shift, rotate, etc., then use scanning process to reconstruct the image Many commercial watermarking algorithms failed this test

Practical attack method e.g. 2

Mosaic attack (a special purpose attack)
Given a picture P with watermark Cut P into small rectangles Write a web page, which assembles all rectangles into the original picture Check for watermark is not possible due to the small size of each rectangle Mainly used to act against web crawlers that patrols the Internet to find pictures with a certain watermark.

99

100

An extension : Covert channel

A Hacking case, we are the hackers Assume that we:
Have planted a root privilege process R in the victim system V Able to start a user process U in V as well R can still an important information, a 4-bit secret (e.g. 1011) from Vs protected memory We want R to send this 4-bit secret to U, (& later let U to send it out) We want a memory only solution!!
101

Covert channel example

Public Newsgroup

V (victim)

102

To steal the 1011 bit sequence

R creates a new root-privilege process R* (say using fork) R* repeatedly do the following forever: R* sleep for 4 seconds If the 1st bit is 1, R* runs for 0.5 sec (say repeatedly assign zero to a variable), then sleeps for 0.5 second. But if the 1st bit is 0, R* sleeps for 1 sec If the 2nd bit is 1, R* runs for 0.5 sec then sleeps for 0.5 second. But if the 2nd bit is 0, R* sleeps for 1 sec If the 3rd bit is 1, R* runs for 0.5 sec then sleeps for 0.5 second. But if the 3rd bit is 0, R* sleeps for 1 sec If the 4th bit is 1, R* runs for 0.5 sec then sleeps for 0.5 second. But if the 4th bit is 0, R* sleeps for 1 sec
103

What U do
U uses some process monitoring command (e.g. ps in Unix) to monitor the root-privileged process in every 0.1 sec interval If after some time, U discovers a process with the strange execution timing as described in the previous slide, U can extract the 4-bit sequence It is a slow, workable, and hard to detect method Can be combined with other techniques. For example the secret is a system message box handle, so R & U can communicate further in passing memory) The secret is a key to decrypt a file in /tmp directory

104

Discussion Question
user area in O.S.

U R
forks

listen to system area

protected area in O.S.

R*

(says 1011)

Running/runnable

Are there any use to put watermarks in company documents? By using Visible watermark By using Fragile watermark By using Robust watermark

state of R*
sleep

Time scale Time

105 106