Security in Multimedia Systems - AviresLabLeast Significant Bit steganography 10 • Hide a message in the least significant bits of a digital image • Max site of the hidden message

Security in multimedia systems

Security in Multimedia SystemsPh.D. Program in Multimedia Communication

Claudio Piciarelli


Why should we bother about security?

2

• Digital communication of multimedia data leads to a whole

set of new problems to be faced

• Some examples…

– Video and music piracy: you can copy and distribute digital contents at negligible cost

– Data streaming could be intercepted by unauthorized users

– Stealing digital photos published on the Internet

– Protection of bank transactions

• Protection of…

– Data

– Digital Rights


Data / DR protection

3

• Need for information hiding and obfuscation techniques

Steganography Cryptography


Steganography

4

• Aim: hide a secret message within a public, cover message

• Fails when an attacker realizes there is an hidden message (even without knowing it)

Beware: nothing in common with

stenography !


An example from ancient times

5

• The Greek historian Herodotus writes about

Histiaeus, tyrant of Miletus, encouraging his son-in-

law Aristagoras to rise against Darius I, king of

Persia.

• He wrote a secret message on

the head skin of a slave, then

waited for the hair to grow…


A more recent example

6

• A message from a German spy during WW II

• Reading only the second letter of each word…

Apparently neutral's protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affects pretext for embargo on by products, ejecting suets and vegetable oils.

Pershing sails from NY (r) June 1


Modern steganography – an example

7

• The pixels of a digital photography are typically

affected by noise

• Noise can be substituted by an hidden message


Least Significant Bit steganography

8

• Pixels are stored in RGB format (8 bits for each channel)

• The Least Significant Bits are affected by noise. Changing

the LSB leads to minimal color changes (hardly visible by

human eye)

• Modification of LSB -> byte value changes by ±1

• Modification of MSB -> byte value changes by ± 128

1 0 0 1 1 0 1 0 1 0 1 1 0 0 0 1 0 0 1 1 0 1 1 1

1 0 0 1 1 0 1 1 1 0 1 1 0 0 0 0 0 0 1 1 0 1 1 0

=

=


Original image


9

MSB information LSB information



10

• Hide a message in the least significant bits of a

digital image

• Max site of the hidden message (using 1 bit per

channel):

For a 640x480 image…

640 x 480 x 3 channels = 921.600 bits

921.600 / 8 = 115.200 bytes

Maximum hidden message size is ~100 KB

Using more bits per channel leads to larger hidden message sizes, but the image changes could be more visible

ImageHide: http://www.dancemammal.com/imagehide.htm


Watermarking

11

• Watermark: information hidden in a digital document, identifying the legitimate owner of the document

• Aim of a watermak is to mark a digital document with an unremovable«signature» identifying the owner, e.g. for copyright claims

• Similarities with standard steganography: the watermark must be invisible and must not alter the container in a visible way

• Differences: extra requirement: watermark removal should be impossible

• Common applications: apply copyright notes to digital photos, banknote anti-counterfeit systems


Banknotes watermarking

12

• Trying to open this image with Photoshop…

• Will give you this pop-up:


Fingerprinting

13

• Conceptually similar to a watermark, but each copy of the

marked document has a different fingerprint. The aim is to

identify the end-user, rather than the original author.

• E.g. a fingerprint could be inserted in an MP3 file

downloaded from an online store, in order to identify the

buyer. If illegal copies are made, the buyer can be identified.


Cryptography

14

• The process of transforming a message in order to make it

unreadable for everyone, except for the legitimate receiver

• The aim is not to hide the message (as in steganography),

but to make it unreadable

• Codes vs. ciphers

• Two main approaches:

– Simmetric ciphers

– Asimmetric (public-key) ciphers


Simmetric ciphers

15

X: plaintext, Y: ciphertext, K: key.X’, K’: attacker’s guesses of X and K

sender receiver

attacker

encryption decryption

Key source

Secure channel

Kerckhoffs’ principle:The cipher must be secure even if the

attacker knows the

encryption/decryption algorithms

(«security through obscurity» is bad!)


Example: monoalphabetic ciphers

16

• Each letter of the original alphabet is substituted by

the corresponding letter in the ciphering alphabet:

a b c d e f g h i j k l m n o p q r s t u v w x y z

C N T K L B S I V M A W G H U Y R J E O D Z X Q F P

orig:

ciphering:

venividivici

ZLHVZVKVZVTV

(monoalphabetic ciphers belong to the wider class of substitution ciphers, where each

letter of the plaintext is substituted by a different one)


Monoalphabetic cipher cryptoanalysis

17

• The key is the ciphering alphabet (a permutation of

the original alphabet)

• How many permutations of 26 letters exist?

• Answer: 26! = ~ 4 x 1026

• The number of keys is quite high, a brute force

attack is hardly feasible



18

• Suppose we can test 106 permutations each second…

• 3.6x109 keys/hour

• 8.64x1010 keys/day

• 3.15x1013 keys/year…

• We need 1013 years to test all the possible keys (the age of

the universe is 1.3x1010 years)

• Does this mean monoalphabetic cipher is secure?

No…



19

• In the IX century, the Arabic philosopher and mathematician

Abu Yusuf Ibn Ishaq Al-Kindi, developed the «frequency

analysis» technique

• Main idea (for text documents): every language has its own

specific letter frequency. This frequency does not change in

the ciphertext!

• For example, the letter ‘a’ has a frequency of 11.74% in text

documents written in Italian. If the ciphertext has a

letter with that frequency, it is probably an ‘a’



20

• Frequency table for the Italian language:Letter Frequency

a 11.74%

b 0.92%

c 4.50%

d 3.73%

e 11.79%

f 0.95%

g 1.64%

h 1.54%

i 11.28%

l 6.51%

m 2.51%

n 6.88%

o 9.83%

p 3.05%

q 0.51%

r 6.37%

s 4.98%

t 5.62%

u 3.01%

v 2.10%

z 0.49%(source: http://it.wikipedia.org/wiki/Analisi_delle_frequenze)


Modern symmetric ciphers

21

• Working on digital data

• Two main approaches

– Stream ciphers

– Block ciphers

• Based on a rigorous formulation of information theory (Shannon).


Properties of modern symmetric ciphers

22

• Shannon’s properties:

– Confusion: the relationship between key and ciphertext is

as complex as possible

– Diffusion: the relationship between plaintext and

ciphertext is as complex as possible

SAC (Strict Avalanche Criterion): if a single bit of the plaintext or the key is flipped, then every bit of the ciphertext has a 50%

probability of being flipped

Intuitively, the ciphertext appears like random and does not have any statistical

relationship with the plaintext or the key.

Ciphertexts must be indistinguishable from random sequences of bits.


The XOR binary operator

23

• Exclusive-or (XOR, ⊕) is a boolean operator returning 1 if

the two x-ored bits are different, 0 otherwhise

p q p⊕⊕⊕⊕q

0 0 0

1 0 1

0 1 1

1 1 0

Example:

110101001 ⊕

010011011 =

100110010

Fundamental properties:• A ⊕ A = 0• A ⊕ 0 = A• A ⊕ ( B ⊕ C ) = ( A ⊕ B ) ⊕ C


Stream ciphers

24

• A stream cipher encrypts the plaintext input stream

bit-by-bit

• One-Time Pad (OTP) is an extremely simple yet

theoretically perfect stream cipher. It simply XORs

the input stream with a random stream of bits

• The random stream is the key

Encrypt: C = M ⊕ K

Decrypt: M = C ⊕ K

(using the XOR properties: C ⊕ K = M ⊕ K ⊕ K = M )

M: plaintext message

C: ciphertext

K: key


Stream ciphers

25

• OTP problem: the key must be truly random (no

computer-generated keys, no reusable keys).

the key has the same length of the message

• Solution: use Pseudo-Random Generators.

PRG are algorithms that create an apparently

random stream of bits starting from a short key


Block ciphers

26

• A block cipher encrypts

data in blocks of fixed size.

•

• In order to meet the

Shannon properties, block

ciphers are typically built

from several iterations of

substitution and

permutation steps

• S-P network architecture


S-Boxes

27

• A Substitution Box (S-Box) is a function substituting the input

bits with a set of output bits satisfying the avalanche criterion

(changing a single input bit -> half of the output bit change)

S-Box

i1 i2 i3 i4

o1 o2 o3 o4

S-Box Example

0001 0100

1001 1010


P-Box

28

• A Permutation Box (P-Box) is a permutation of the

input bits

1 0 0 1 0 1 0 1 1 1 0 1 0 0 1 1

0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0


SP networks

29

• The structure of SP-Networks guarantees that the Shannon properties are satisfied

• Decrypt: just apply the same steps in reverse order (S-boxes must be invertible)

• Popular examples of block ciphers based on SP-Net architecture: AES, 3-DES…


How to use block ciphers

30

• What if the plaintext is longer than the size of the

block?

• First attempt: Electronic Codebook

• Bad choice!


How to use block ciphers

31

• A better approach: Cipher Block Chaining

• Equal blocks in the plaintext are no longer

encrypted into equal blocks in the ciphertext


Asymmetric ciphers

32

• Problems with symmetric ciphers

– The key must be transmitted over a secure channel

– Each pair of sender-receiver needs a new key

• During the 70s, new mathematical techniques have

been proposed to face these problems, leading to

the definition of asymmetric ciphers


A possible solution?

33

• Unfortunately, doesn’t work with modern ciphers


An even simpler solution

34

• This is the basic idea used in asymmetric cryptography


Asymmetric ciphers

35

• Each user has two keys (the public and the private one)

• Alice uses Bob’s public key to encrypt the message

• Only Bob can decrypt it, using the corresponding private key

Public keys can be

transmitted over

unsecure channels!


Basics of modular arithmetic

36

• a mod m = remainder of the division a/m

• a ≡ b (mod m) notation for a mod m = b mod m

(read «a congruent b modulo m»)

• Modular arithmetic:

[(a mod m) + (b mod m)] mod m = (a+b) mod m

[(a mod m) - (b mod m)] mod m = (a-b) mod m

[(a mod m) · (b mod m)] mod m = (a · b) mod m


RSA

37

• RSA (from the name of the inventors Rivest, Shamir

and Adleman) is nowadays the most popular

asymmetric encryption algorithm.

• Two main components:

– Key generation algorithm

– Encryption / decryption algorithms


RSA – key generation

38

• Choose two prime numbers p and q

• Compute n = pq

• Choose e, coprime and smaller of (p-1)(q-1)

• Compute d such that de ≡ 1 mod (p-1)(q-1)

• The pair (n, e) is the public key

• The pair (n, d) is the private key

• It is not possible to compute d from e, since it would require

the knowledge of p and q, and computing it from n is an hard

problem (factorization problem)


RSA – encrypt and decrypt

39

• Given a message m ( 0 < m < n )

• encrypt: compute c = me mod n

• decrypt: compute m = cd mod n

(RSA Hypothesis: inverting the exponentiation is an hard

problem in modular arithmetic).

Remember: (n,e) (n,d)

are the public and

private keys of the

receiver (Bob)


Hybrid Cryptography

40

Symmetric Asymmetric

Pros: extremely fast Pros: no need for a secure

channel

Cons: key exchange

problems

Cons: slow, because of heavy

use of mathematics

Hybrid approach: - use the public key cryptography to transmit a secret key- use this secret key to encrypt the message by means of symmetric cryptography


Digital signatures

41

• The techniques described up to now aim to guarantee the

message secrecy (security against passive attacks), but

cannot guarantee the identity of the sender (vulnerability to

active attacks)

• Solution: Alice encrypts a message with her own PRIVATE

key. Bob will be able to decrypt it using Alice’s public key.

• Encrypt: c = md mod n

• Decrypt: m = ce mod n

Remember: (n,e) (n,d)

are the public and

private keys of the

receiver (Bob)


Digital signatures

42

• Secrecy is no more guaranteed, since anyone can decrypt the message using Alice’s public key. However it can guarantee…

• Authentication: Bob surely knows that the sender is Alice, because only Alice has the private key associated to the public key Bob used for decryption

• Integrity: the message has not been modified by an attacker, since this would imply the attacker knows Alice’s private key

• Non-repudiability: Alice cannot deny she wrote the message (direct consequence of authentication + integrity)


Applications of cryptography

43

• Securing internet communications…


At application level

44


At protocol level

45

(non solo per SMTP…)


At network level

46


TLS

47

• A set of cryptographic protocols to add secrecy and integrity

features to already existing protocols

• Some protocols commonly used with TLS:

– ESMTP: e-mail transmission

– POP3S, IMAPS: e-mail download

– HTTPS: world-wide web

– … (VoIP, Instant Messaging, ecc.)

• Aims:

– Guarantee data secrecy by encrypting the connection

– Guarantee server authentication


HTTPS example

48

authentication

encryption


Basics of TLS

49

• Hybrid approach:

– The server sends a certificate with its identity and its

public key (typically an RSA key)

– The client checks the server identity and creates a secret

key. The key is sent to the server using public

cryptography

– The server uses the secret key to encrypt all the

remaining data with a symmetric cipher (e.g. AES).


TLS certificates (X.509 v3)

50

• The protocol works if the client can trust the data contained

in the certificates

• Certificates are digitally signed by an external certification

authority, which guarantees for the certified data

• The certification authorities are well-known and their identity

is guaranteed by certificates pre-installed in every browser.

Whe have no choice other than trusting the root authorities


Certificates

51

• Example:

https://mail.google.com

• certificate

Server identity

Certification Authority


Certificates

52

Server’s public key


In practice…

53

• The owner of a HTTPS website must create a certificate with

its identity and public key, and ask a Certification Authority to

digitally sign it (not for free…)

• Some websites use self-signed certificates, where the site

owner acts as a “fake” Certification Authority

• Self-signed certificates don’t guarantee authentication, but

are sometimes used to guarantee at least the encryption of

the transmitted data


Self-signed certificates

54


Another application of cryptography…

55

• PEC (Posta Elettronica Certificata, certified e-mail) is an

Italian standard to give emails the same legal validity of

recorded-delivery letters with advice of receipt.

• PEC guarantees…

– Authentication of the sender

– Encryption of the data

– Integrity of the data

– A system of receipt messages to inform the sender on the delivery status of the mail

• Basic idea: the service is offered by trusted operators. The

operators guarantee for the identity of their users.


PEC mail delivery

56

Suppose Alice wants to send a PEC email to Bob…

• Alice sends the mail to her operator. The operator checks Alice’s identity (password, smart card, etc.)

• Alice’s operator checks the message validity and sends an acceptance receipt to Alice

• Alice’s operator signs and encrypts the mail and sends it to Bob’s operator

• Bob’s operator checks the message validity and acknowledges Alice’s operator using a receipt

• Bob’s operator stores the email in Bob’s mailbox and sends Alice a «message delivered» receipt

All the receipts are digitally signed by the originating

operators


PEC mail delivery

57

Security in Multimedia Systems - AviresLabLeast Significant Bit steganography 10 • Hide a message in the least significant bits of a digital image • Max site of the hidden message

Documents