JPSEC: Security for Digital Imagery in JPEG 2000
Post on 27-Apr-2022
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?”
San Diego, 9-11 May 2006
International Telecommunication Union
International Multimedia Telecommunications Consortium
ITU-T
JPSEC: Security for Digital Imagery in JPEG 2000
Susie Wee* & John Apostolopoulos*
Director, Mobile & Media Systems Lab
HP Labs
* Co-Editor of JPSEC

Introduction
o Digital imagery is an important area
o Emerging applications require adding security
  • Commerce of digital imagery
  • Secure web browsing
  • Secure media adaptation for diverse clients & networks
o JPEG 2000 is now creating the JPEG-2000 Security Standard
  • This is JPSEC!

JPEG 2000 family of standards
o Part 1: Core coding system
o Part 2: Extensions (adds more features to the core)
o Part 3: Motion JPEG 2000
o Part 4: Conformance
o Part 5: Reference software
o Part 6: Compound image file format (documents)
o Part 8: JPSEC on security
o Part 9: JPIP on interactive protocols and API
o Part 10: JP3D on volumetric imaging
o Part 11: JPWL on wireless applications
o Part 12: ISO Base Media File Format (=MPEG-4)

JPEG 2000 Application Paradigm
[Diagram labels: Encode, Decode]
Decode Choices
• Image resolution
• SNR fidelity
• Visual fidelity
• Target file size
• Lossless/lossy
• Region-of-interest
• Tiles

JPEG-2000 image coding
o Image structures
  • Tiles, Resolutions, Layers, Color components, Precincts
o Codestream structures
  • Header
    — SIZ, COD, QCD, etc.
  • Data
    — JPEG-2000 Packets: contain TRLCP units
      o Packet headers
      o Packet bodies
[Diagram labels: Header, Data, JPEG-2000 Packets, TRLCP units]

Media delivery to diverse clients over diverse networks
[Diagram labels: Sender, Overlay Node, Edge Node, User, High Resolution, Low Resolution, Transcode]
Mid-network transcoding at overlay nodes

Mid-Network Transcoding with End-to-End Security
[Diagram labels: Sender, Overlay Node, Edge Node, User, Transcode, Secure Transcoder]
How do you transcode encrypted streams?
Secure transcoding enables transcoding w/o decryption!
[ICASSP, ICIP 2001]

Data vs. Media Security
o Question: How do we secure digital images?
o Conventional approach: Apply traditional data security to media
  • Problem: Lose all media attributes, e.g., the ability to access a portion of the media
o Our solution: Jointly design security, compression, & delivery to preserve media features

JPSEC Basic Design Principle
o JPSEC goes beyond simple end-point operations
[Diagram labels: Create, Deliver, Consume; Image, Enc, JPSEC; JPSEC, Dec, Image]
o JPSEC is designed for intermediate operations
[Diagram labels: JPSEC, Process, Adapted JPSEC]
o Leads to deeper & richer design goals
o Impacts all security services & overall design
JPEG-2000 to JPSEC

JPSEC creation & consumption
[Diagram labels: Image or JPEG-2000, JPSEC Creator, JPSEC, JPSEC Consumer, Image or JPEG-2000]
[Diagram: SEC Marker Segment containing SEC Marker, Codestream parameters, Tool 1, Tool 2, …, Tool n]
Security is achieved with JPSEC Protection Tools signaled in the codestream.

JPSEC tool types
o JPSEC Template Tool
  • Syntax defined by JPSEC standard (normative)
  • Protection method templates specify parameter syntax
o JPSEC Registration Authority Tool
  • Syntax defined by registration authority (non-normative)
o JPSEC Private Tool
  • Syntax defined by private application (non-normative)

JPSEC Architecture & Syntax
o What security service is applied?
  • Protection tool type
o Where is the security service applied?
  • Zone of influence (ZOI)
o How is the security tool applied?
  • Tool parameters
o Designed to be simple, efficient, highly flexible & extensible to support rich sets of capabilities & applications

What? JPSEC Template Tools
o Protection method templates
  • Decryption template
    — Block cipher
    — Stream cipher
    — Asymmetric cipher
  • Authentication template
    — Hash-based authentication
    — Cipher-based authentication
    — Digital signature
  • Integrity template

Where? Zone of Influence (ZOI)
o ZOI specifies tool’s area of influence
o Image-Related Descriptions
  • Region, tile, resolution, component, quality level, etc.
o Bitstream-Related Descriptions
  • Byte range, packet, Distortion, TRLCP tag
o Used together to describe correspondence
ZOI is a powerful tool that enables low-complexity & highly flexible media security by providing metadata for the protected data
[Diagram labels: Zone A, Zone B]

How? Protection Template Options

Decryption Template
  Block cipher
    Cipher: DES, 3DES, AES
    Block cipher mode: ECB, CBC, CFB, OFB, CTR
    Padding mode: Ciphertext stealing, PKCS#7
    Block size: Cipher dependent
    Key template: Application dependent
    Initialization vector: Variable
  Stream Cipher
    Cipher: RC4
    Key template: Application dependent
    Initialization vector: Variable
  Asymmetric Cipher
    Cipher: RSA
    Key template: Application dependent

Authentication Template
  Hash-based authentication
    Method: HMAC
    Hash function: SHA-1, RIPEMD 160, SHA256
    Key template: Application dependent
    Size of MAC: Variable
    MAC value: Signal dependent
  Cipher-based Authentication
    Method: CBC-MAC
    Block cipher: Cipher ID
    Key template: Application dependent
    Size of MAC: Variable
    MAC value: Signal dependent
  Digital Signature
    Method: RSA, Rabin, DSA, ECDSA
    Hash function: Hash ID
    Key template: Application dependent
    Digital signature: Signal dependent

Example: Transcode, Decrypt & Authenticate
[Diagram: JPSEC Data with four numbered steps: 1. Transcode, 2. Decrypt, 3. Authenticate, 4. Decode. Other labels: Verify, MAC Value 1, MAC Value 2, True/False (twice)]

What, Where, How: JPSEC Protection Templates
o Example: Securely access & authenticate 3 resolution layers

Decryption Template
  Cipher ID: Block cipher
  Cipher Type: AES
  Cipher Mode: CBC
  Padding Mode: CTS
  Block Size: 128
  IV Size; IV Value 1, IV Value 2, …, IV Value n
  Processing Domain: Codestream Domain, Packet Header & Bodies
  Granularity: Layer Granularity
  Zone of Influence:
    Res0: Byte range 58-502
    Res1: Byte range 502-1104
    Res2: Byte range 1104-1900
  ptr

Authentication Template
  Hash-based Auth
  Auth Method: HMAC
  Hash Function: SHA-1
  MAC Size; MAC Value 1, MAC Value 2, MAC Value 3
  Processing Domain: Codestream Domain, Packet Bodies
  Granularity: Resolution Granularity
  Zone of Influence: Res0, Res1, Res2
  ptr
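
The templates on this slide, worked as an added example (not part of the original slides and not code from the JPSEC standard): each resolution's Zone of Influence byte range is encrypted and MACed on its own, so a mid-network node can drop Res2 without holding any key. Assumptions: the MAC covers the same byte ranges as the encryption and is computed over ciphertext, a SHA-256 counter keystream stands in for the slide's AES-CBC with ciphertext stealing (Python's standard library has no AES), and all function names and the SAMPLE data are constructed.

```python
import hashlib
import hmac

# ZOI byte ranges [start, end) per resolution, taken from the slide.
ZOI = {"Res0": (58, 502), "Res1": (502, 1104), "Res2": (1104, 1900)}
SAMPLE = bytes(i % 251 for i in range(1900))  # constructed stand-in codestream

def _keystream_xor(key, index, data):
    """Stand-in cipher (assumption): SHA-256 counter keystream, NOT AES-CBC/CTS."""
    iv = index.to_bytes(8, "big")  # one IV value per protected range
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def _mac(mac_key, chunk):
    # HMAC with SHA-1, the method and hash named in the authentication template.
    return hmac.new(mac_key, chunk, hashlib.sha1).digest()

def protect(codestream, enc_key, mac_key):
    """Creator: encrypt each ZOI range on its own, then MAC the ciphertext."""
    out, macs = bytearray(codestream), {}
    for i, (res, (s, e)) in enumerate(ZOI.items()):
        out[s:e] = _keystream_xor(enc_key, i, codestream[s:e])
        macs[res] = _mac(mac_key, bytes(out[s:e]))
    return bytes(out), macs

def secure_transcode(protected, macs, keep):
    """Mid-network node, no keys: keep the lowest resolutions, truncate the rest."""
    end = max(ZOI[r][1] for r in keep)
    return protected[:end], {r: macs[r] for r in keep}

def consume(protected, macs, enc_key, mac_key):
    """Consumer: verify each remaining range's MAC, then decrypt it."""
    out = bytearray(protected)
    for i, (res, (s, e)) in enumerate(ZOI.items()):
        if res not in macs:
            continue  # range was removed by the transcoder
        if not hmac.compare_digest(_mac(mac_key, protected[s:e]), macs[res]):
            raise ValueError(f"MAC check failed for {res}")
        out[s:e] = _keystream_xor(enc_key, i, protected[s:e])
    return bytes(out)
```

Bytes 0-57 (the header region outside the ZOI ranges) are left in the clear and unauthenticated here, which is what lets the transcoder read the structure it needs.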

JPSEC with Secure Transcoding
[Diagram labels: Encode, Protect, Secure Transcode, Protect^-1, Decode; JPEG-2000, JPSEC, Transcoded JPSEC, Transcoded JPEG-2000]

Results: JPSEC transcoded images

JPSEC Security Service Requirements
1. Confidentiality
2. Integrity verification
3. Authentication
4. Access control
5. Registered content identification
6. Secure scalable streaming & secure transcoding
[Slide annotations: "New (non-conventional) security service"; "Media aware" (shown four times)]

Use Case 1: Multi-level Access Control
o Access resolution, quality, spatial region
o Multiple independent or structured keys
o One copy of encrypted media provides multiple levels of access control --- access depends on user’s key

Use Case 2: Selective & Partial Encryption
o Marked image sufficient for understanding image content & deciding whether to purchase key to unmark the image
[Image labels: Marked Image; Spatial Pattern of Marking; Decoding without key]

Use Case 3: Selective Encryption
o Selected portions hidden with encryption
o End-user w/o key can still see image contents and decide whether to purchase
o Encrypted JPEG-2000 bitstreams decoded by JPEG-2000 decoder without key
[Image labels: Selectively encrypted JPEG-2000 Image (decoding w/o key); Decrypted Image (with key)]

Use Case 4: Secure Storage & Transcoding
o Encrypt, store, securely adapt for different devices
  • Server stores encrypted content
  • Server adapts/transcodes without decryption
o Secure Scalable Streaming technology
[Diagram labels: Storage, JPSEC Image]

JPSEC Status
o JPEG-2000 security standard (JPSEC)
o New requirement: Secure scalable streaming and secure transcoding
o Status: Final Draft International Standard
o Likely to reach International Standard in Summer 2006
Acknowledgements
o The authors would like to thank the members of the JPSEC Ad-Hoc Group and the JPEG working group for their continual support.