
Scalable Authentication of MPEG-4 Streams Yongdong Wu & Robert H. Deng present: Yu-Song Syu.

Dec 22, 2015

Scalable Authentication of MPEG-4 Streams

Yongdong Wu & Robert H. Deng

present: Yu-Song Syu

Outline

Introduction
Preliminaries
Framework of Proposed Schemes
Flat Authentication Scheme
Progressive Authentication Scheme
Hierarchical Authentication Scheme
Security & Performance
Conclusion

Motivation

MPEG-4: a state-of-the-art technology
  DMIF – generic platform
  FGS – flexible multimedia distribution
  IPMP – secure delivery framework

Authentication isn’t provided in IPMP

3 authentication schemes are presented

Related Works

Layer-based Priority
  Best possible quality for each video object

Object-based Priority
  Different importance => different quality

A straightforward authentication
  Append a digital signature to each packet
  High computation
  Large communication overhead

Related Works

SAIDA reduces space overhead and increases tolerance of packet loss
  Improved to reduce the packet overhead by Pannetrat in 2003

A watermark-based stream authentication scheme rejects malicious tampering

Preliminaries

One-way Hash Function
Digital Signature
The Merkle Hash Tree
Erasure Correction Coding
Syntactic Structure of MPEG-4

One-Way Hash Function

Converting a variable-length string to a fixed-length output string

Hash value: H(m)
m: pre-image

Hard to find the pre-image from a known hash value

Digital Signature

Authenticating the integrity of a signed message as well as its origin

Figure labels: publisher, client, σ, Ke

m: message to send
Ks: private key

Publisher: σ = Sign(Ks, m), then publish
Client: receive, then verify received words by: σ = Veri(m, σ, Ke)

The Merkle Hash Tree

A client requests n3 and needs to authenticate it

Source also sends d4, hA, and hF

Client computes d3 and H(H(hA||H(d3||d4))||hF)
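The authentication path from this slide, as an added Python example that is not from the paper or the slides. It assumes 8 constructed data blocks n1..n8 with hA = H(d1||d2) and hF covering n5..n8 (the slide's figure is not in the transcript), and SHA-256 as H.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_levels(leaves):
    """Return all tree levels: leaf digests d_i = H(n_i) first, root last."""
    level = [H(x) for x in leaves]
    levels = [level]
    while len(level) > 1:
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def auth_path(levels, index):
    """Sibling digests from leaf to root, each tagged with the side it sits on."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append(("L" if sib < index else "R", level[sib]))
        index //= 2
    return path

def root_from_path(leaf, path):
    """Client side: hash the received block and fold in the siblings."""
    node = H(leaf)
    for side, sib in path:
        node = H(sib + node) if side == "L" else H(node + sib)
    return node

# Constructed sample: 8 blocks (a power of two keeps the tree complete)
BLOCKS = [b"n%d" % i for i in range(1, 9)]
LEVELS = build_levels(BLOCKS)
ROOT = LEVELS[-1][0]             # the value the source signs
PATH_N3 = auth_path(LEVELS, 2)   # n3 has index 2: siblings d4, hA, hF

if __name__ == "__main__":
    print(root_from_path(b"n3", PATH_N3) == ROOT)     # genuine block
    print(root_from_path(b"n3-mod", PATH_N3) == ROOT) # altered block
```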

Erasure Correction Coding

U = mG
m = m1, m2, …, mk
U = u1, u2, …, un

n-k bits of parity
Error correction ability: dmin-1

Ref.: Digital Communications, Bernard Sklar

Syntactic Structure of MPEG-4

Each object layer has a priority to represent its importance

The base layer has the highest priority

Other layers (enhancement layers) have progressively lower priorities

Content distribution framework

Problem Definition

Packet loss comes from:

  A proxy discards unimportant content intentionally so as to meet the network & client device requirements

  A router discards packets due to network limitation

  A receiver discards packets failing checksum verifications

Problem Definition

A stream authentication scheme should:

  Reduce the computational & communication cost

  Increase the probability of successful authentication in case of packet loss

  Manage data removal at proxies so as to allow successful authentication

Overview of the Proposed Schemes

Figure labels: Objects, Encode, Pack, Sign; Proxies (Down-scale, Down-scale); Decode, UnPack, Verify, Trusted Objects

Packaging an Object Group

Visual objects are encapsulated into n packets

Each row stands for one Visual Object Layer

: parity unit

Generating Signature on an Object Group

h_i = HL_{i1} ⊕ HL_{i2} ⊕ … ⊕ HL_{il}
HL_{ij} = H(P_{ij} || j), j = 1, 2, …, l

Packet hash of P_i: g_i = H(h_i || i)

Hash value of group G: h_G = H(g_1 || g_2 || … || g_n || GID || SID)
GID: group ID
SID: stream ID

σ = Sign(Ks, h_G)

Encoding & Encapsulating

X = (h_1, h_2, …, h_n, x_1, …, x_{n-k}) = Enc_{2n-k,k}(h_1, h_2, …, h_n)

Divide X into k symbols y_i ∈ GF(2^{w2})

Integrity units: C_r = Enc_{n,k}(y_1, y_2, …, y_k) = r_1, …, r_k

Signature units: C_s = Enc_{n,k}(σ_1, σ_2, …, σ_n) = σ_1, …, σ_n

Append r_i & s_i to the original packet P_i

Appending

Down-Scaling Objects

When layers t+1 ~ l are discarded by proxies, a patch e is inserted:

e_i = HL_{i,t+1} ⊕ HL_{i,t+2} ⊕ … ⊕ HL_{il}

Verifying Packets

Only k packets are received

y_i, …, y_k = Dec_{n,k}(r_1, …, r_k)
h_1, …, h_n = HL_{i1} ⊕ … HL_{ik} ⊕ e_i, i = 1, 2, …, k
g_i = H(h_i || i)
h_G = H(g_1 || g_2 || … g_n || GID || SID)
σ = Dec(s_1, …, s_k)
Veri(h_G, σ, Ke)
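The hash bookkeeping of the flat scheme on the slides above (signing, proxy down-scaling with the patch e_i, client verification), as an added Python example that is not from the paper or the slides. The erasure coding of the integrity and signature units and the signature itself are left out: equality with the signed value h_G stands in for Veri(h_G, σ, Ke), and SHA-256, the 2-byte index encoding and the sample packets are assumptions. It goes beyond the slide's case of dropping layers t+1 ~ l to show that any subset of layers can be removed, because XOR is order-independent.

```python
import hashlib
from functools import reduce

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def layer_hash(unit: bytes, j: int) -> bytes:
    return H(unit + j.to_bytes(2, "big"))            # HL_ij = H(P_ij || j)

def group_hash(h_list, gid: bytes, sid: bytes) -> bytes:
    # g_i = H(h_i || i), then h_G = H(g_1 || ... || g_n || GID || SID)
    gs = b"".join(H(h + i.to_bytes(2, "big")) for i, h in enumerate(h_list, 1))
    return H(gs + gid + sid)

def producer_h(packet):
    """h_i over all l layer units of one packet (a list of unit bytes)."""
    return reduce(xor, (layer_hash(u, j) for j, u in enumerate(packet, 1)))

def downscale(packet, keep):
    """Proxy: keep the 1-based layers in `keep`; return (kept units, patch e_i)."""
    dropped = [layer_hash(u, j) for j, u in enumerate(packet, 1) if j not in keep]
    patch = reduce(xor, dropped, bytes(32))          # all-zero patch if nothing dropped
    return {j: packet[j - 1] for j in keep}, patch

def client_h(kept, patch):
    """Client: rebuild h_i from the received layers and the patch."""
    return reduce(xor, (layer_hash(u, j) for j, u in kept.items()), patch)

# Constructed sample: n = 3 packets with l = 4 layer units each
GID, SID = b"group-1", b"stream-1"
PACKETS = [[b"P%d%d" % (i, j) for j in range(1, 5)] for i in range(1, 4)]
H_G = group_hash([producer_h(p) for p in PACKETS], GID, SID)   # value that is signed

def verify_after_downscale(packets, keep):
    """True if the client's recomputed h_G matches the signed one."""
    hs = [client_h(*downscale(p, keep)) for p in packets]
    return group_hash(hs, GID, SID) == H_G

if __name__ == "__main__":
    print(verify_after_downscale(PACKETS, {1, 2}))   # tail layers 3..4 dropped
    print(verify_after_downscale(PACKETS, {1, 3}))   # arbitrary subset dropped
```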

PAS

More secure than FAS (discussed later)

Assuming that layer i has higher priority than layer i+1, i = 1, 2, …, l

Almost the same as FAS

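Differences

Generating signature
  PAS: g_i = H(H(P_{i1} || H(P_{i2} || H(… || H(P_{il})))) || i)
  FAS: g_i = H(H(P_{i1} || 1) ⊕ H(P_{i2} || 2) ⊕ … ⊕ H(P_{il} || l) || i)

Down-Scaling Objects
  PAS: e_i = H(P_{i,t+1} || H(P_{i,t+2} || H(… || H(P_{il}))))
  FAS: e_i = HL_{i,t+1} ⊕ HL_{i,t+2} ⊕ … ⊕ HL_{il}

Verifying Packets
  PAS: g_i = H(H(P_{i1} || H(P_{i2} || …) || e_i) || i)
  FAS: g_i = H((HL_{i1} ⊕ … HL_{ik} ⊕ e_i) || i)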
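The progressive (nested-hash) variant of the three steps above, as an added Python example that is not from the paper or the slides; SHA-256, the 2-byte index encoding and the sample layer units are assumptions. It shows the patch e_i replacing a truncated tail, and that removing a middle layer cannot be patched the same way.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def chain(units, tail=b""):
    """H(P_1 || H(P_2 || ... H(P_m || tail))), built from the last unit inward."""
    acc = tail
    for unit in reversed(units):
        acc = H(unit + acc)
    return acc

def g_producer(units, i):
    """g_i = H(H(P_i1 || H(P_i2 || ... H(P_il))) || i) over all l layers."""
    return H(chain(units) + i.to_bytes(2, "big"))

def downscale(units, t):
    """Proxy keeps layers 1..t; the patch e_i is the chain hash of layers t+1..l."""
    return units[:t], chain(units[t:])

def g_client(kept, patch, i):
    """Client: continue the chain from the patch through the received layers."""
    return H(chain(kept, patch) + i.to_bytes(2, "big"))

# Constructed sample: one packet position i = 1 with l = 4 layer units
UNITS = [b"base", b"enh1", b"enh2", b"enh3"]
G_SIGNED = g_producer(UNITS, 1)

def accepts(kept, patch, i=1):
    """True if the client's g_i equals the one covered by the signature."""
    return g_client(kept, patch, i) == G_SIGNED

if __name__ == "__main__":
    print(accepts(*downscale(UNITS, 2)))                      # tail dropped
    print(accepts([UNITS[0], UNITS[2]], chain(UNITS[3:])))    # middle layer dropped
```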

HAS

Generating Signature

Compute hash value D of leaf nodes: D = HL_{ij} = H(P_{ij} || j), j = 1, 2, …, l

For nonleaf nodes, hash value N_i = H(D_1 || D_2 || … || D_c)

For example, Bj is a node in Fig. 10

Generating Signature (cont’)

Finally, the object group hash is: h_G = H(g_1 || g_2 || … || g_n || GID || SID)

σ = Sign(Ks, h_G)

The rest is the same as FAS

Down-Scaling

Verifying Packets

Hash value gi is computed by client according to

All the same as FAS

Authentication Probability

Security & Computational Cost

Security: HAS > PAS > FAS

Computational cost of the producer is the highest

For example, in the RSA scheme, the verification time is only 4% of the signature generation time when Ke=17

Conclusion

3 schemes of authentication
  FAS provided the max flexibility
  PAS has stronger security strength but requires that data is totally ordered
  HAS is secure against active attacks and has low authentication overhead

Sign once, verify many ways

Future work:
  To minimize buffer space in client devices