Buyer-Seller Watermarking (BSW) Protocols Geong Sen Poh 31 Oct 2006.

Slides:

Advertisements

Similar presentations

1 An Asymmetric Fingerprinting Scheme based on Tardos Codes Ana Charpentier INRIA Rennes Caroline Fontaine CNRS Télécom Bretagne Teddy Furon INRIA Rennes.

Advertisements

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Optionally Identifiable Private Handshakes Yanjiang Yang.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Encryption Public-Key, Identity-Based, Attribute-Based.

Digital Signatures and Hash Functions. Digital Signatures.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.

Pretty Good Privacy (PGP). How PGP works PGP uses both public-key cryptography and symmetric key cryptography, and includes a system which binds the public.

Anonymous Fingerprinting Paper by: Birgit Pfitzmann, and Michael Waidner Presentation by: James Campbell.

1 A Buyer-Seller Watermarking Protocol IEEE Trans. On Image Processing, Vol.10,No.4, pp , April 2001 Multimedia Security.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

ICWS 2003 Implementing Watermark Token in WS-Security for Digital Contents Distribution Presenter: Patrick Hung Co-authors:

1 Key Management in Mobile Ad Hoc Networks Presented by Edith Ngai Spring 2003.

An Efficient and Anonymous Buyer- Seller Watermarking Protocol C. L. Lei, P. L. Yu, P. L. Tsai and M. H. Chan, IEEE Transactions on Image Processing, VOL.

Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.

A Secure Fault-Tolerant Conference- Key Agreement Protocol Wen-Guey Tzeng Source : IEEE Transactions on computers Speaker ： LIN, KENG-CHU.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.

Birthday Attack on Efficient and Anonymous Buyer-Seller Watermarking Protocol BY Qurat-ul-Ain M. Mahboob Yasin COMSATS Institute of Information Technology,

Unlinkable Secret Handshakes and Key-Private Group Key Management Schemes Author: Stanislaw Jarecki and Xiaomin Liu University of California, Irvine From:

Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Public Key Distribution and X.509 Wade Trappe. Distribution of Public Keys There are several techniques proposed for the distribution of public keys:

1 Hidden Exponent RSA and Efficient Key Distribution author: He Ge Cryptology ePrint Archive 2005/325 PDFPDF 報告人：陳昱升.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

HICSS 36 A Watermarking Infrastructure for Enterprise Document Management Presenter S.C. Cheung Department of Computer Science.

ICEC 2002 A Watermarking Infrastructure for Digital Rights Protection Presenter S.C. Cheung Department of Computer Science.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Computer Science Public Key Management Lecture 5.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/

Controller of Certifying Authorities PKI Technology - Role of CCA Assistant Controller (Technology) Controller of Certifying Authorities Ministry of Communications.

INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.

Chapter 5 Digital Signatures MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.

1 Introduction to Security and Cryptology Enterprise Systems DT211 Denis Manley.

Digital Cash By Gaurav Shetty. Agenda Introduction. Introduction. Working. Working. Desired Properties. Desired Properties. Protocols for Digital Cash.

CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)

Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University.

IT 221: Introduction to Information Security Principles Lecture 6:Digital Signatures and Authentication Protocols For Educational Purposes Only Revised:

Chapter 4: Intermediate Protocols

1 A Secure System Based on Fingerprint Authentication Scheme Author ： Zhe Wu,Jie Tian,Liang Li, Cai-ping Jiang,Xin Yang Prestented by Chia Jui Hsu.

Software Security Seminar - 1 Chapter 5. Advanced Protocols 조미성 Applied Cryptography.

Chapter 16 Security Introduction to CS 1 st Semester, 2012 Sanghyun Park.

P1. Public-Key Cryptography and RSA 5351: Introduction to Cryptography Spring 2013.

DIGITAL SIGNATURE. GOOD OLD DAYS VS. NOW GOOD OLD DAYS FILE WHATEVER YOU WANT – PUT ‘NA’ OR ‘-’ OR SCRATCH OUT FILE BACK DATED, FILE BLANK FORMS, FILE.

Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.

Secure Communication between Set-top Box and Smart Card in DTV Broadcasting Authors: T. Jiang, Y. Hou and S. Zheng Source: IEEE Transactions on Consumer.

A novel DRM framework for peer-to- per music content delivery Authors: Jung-Shian Li, Che-Jen Hsieh, Cheng-Fu Hung Source: 2010, Journal of Systems and.

DIGITAL SIGNATURE.

A Simple Traceable Pseudonym Certificate System for RSA-based PKI SCGroup Jinhae Kim.

Protocol Analysis. CSCE Farkas 2 Cryptographic Protocols Two or more parties Communication over insecure network Cryptography used to achieve goal.

Network Security Celia Li Computer Science and Engineering York University.

ICICS2002, Singapore 1 A Group Signature Scheme Committing the Group Toru Nakanishi, Masayuki Tao, and Yuji Sugiyama Dept. of Communication Network Engineering.

Fall 2006CS 395: Computer Security1 Key Management.

1 Chapter 3-3 Key Distribution. 2 Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution.

Cryptographic Security Aveek Chakraborty CS5204 – Operating Systems1.

Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.

Cryptographic methods. Outline  Preliminary Assumptions Public-key encryption  Oblivious Transfer (OT)  Random share based methods  Homomorphic Encryption.

1 Digital Water Marks. 2 History The Italians where the 1 st to use watermarks in the manufacture of paper in the 1270's. A watermark was used in banknote.

Security Outline Encryption Algorithms Authentication Protocols

Author:YongBin Zhou, ZhenFeng Zhang, and DengGuo Feng Presenter:戴士桀

Presentation transcript:

Buyer-Seller Watermarking (BSW) Protocols Geong Sen Poh 31 Oct 2006

2 Outline Introduction  Motivation  Development of BSW  Goals, Methodology and Assumptions Protocols  Memon-Wong Protocol (MW)  Lei et al. Protocol (Lei)  Zhang et al. Protocol (Zhang) Analysis of Zhang et al. Protocol Summary

3 Motivation How can the seller identifies buyers that illegally distributed songs, movies etc.?  The seller can embeds unique watermarks… songs, movies etc. £££££ Seller Buyer Distributes copies

4 Motivation BUT… The seller is the entity that generates and embeds the watermark into a digital work If illegal copies are found and a buyer is identified through the embedded watermark, the buyer can claim that he/she is framed by the seller since the seller can embed the buyer’s watermark into any digital work. SO… Buyer-Seller Watermarking Protocol

5 Development of BSW MW Choi Attack I Goi Attack I Choi II Goi Attack II Lei Zhang IWDW ACNS IEEE EUC IEEE IEE Ju 2003ICISC

6 Goals No Framing  An honest buyer should not be falsely accused by a malicious seller or other buyers No Repudiation  The buyer accused of reselling an unauthorised copy should not be able to claim that the copy was created by the seller or a security breach of the seller’s system Traceability  A buyer who has illegally distributed digital works can be traced Collusion Tolerance  An attacker should not be able to find, generate, or delete the fingerprint by comparing the marked copies, even if they have access to a large number of copies Anonymity  A buyer should be able to buy anonymously Unlinkability  Given two marked digital works, no one can decide whether or not they were bought by the same buyer B. M. Goi, R. C.-W. Phan, Y. Yang, F. Bao, R. H. Deng and M. U. Siddiqi, Cryptanalysis of Two Anonymous Buyer-Seller Watermarking Protocols and an Improvement for True Anonymity, ACNS 2004, LNCS 3089, pp , 2004

7 Methodology Interactive Protocol  Registration  Buy and Sell  Identification and Arbitration Seller does not know the watermark Buyer does not know the embedded watermark

8 Principals Involved Buyer (B) Seller (S) Certificate Authority (CA)  Fully trusted  Issues certificates to WCA, A, B, and S Watermark Certificate Authority (WCA)  Fully trusted  Issues and certifies buyer’s watermark Arbiter (A)  Fully trusted  Resolves dispute between B and S

9 Assumptions Each of the principals involved (e.g. buyer and seller) has a CA certified public and private key pair, (PK i, SK i ) for i the identity of the principal The public-key encryption algorithm is homomorphic

10 Homomorphic Encryption E(x) + E(y) = E(x + y) E(x)  E(y) = E(x  y) Example: RSA Paillier homomorphic encryption (in Zhang Protocol): E(x)  E(y) = E(x + y) If the public key is: n,e then: E(x 1 )  E(x 2 ) = x 1 e x 2 e mod n = (x 1 x 2 ) e mod n = E(x 1  x 2 )

11 MW Protocol WCA SB O’ = O * W S σ(E PKB (W B )) = E PKB (σ(W B )) E PKB (O’) * E PKB (σ(W B )) = E PKB (O’ * σ(W B )) Request watermark E PKB (W B ), Sign WCA (E PKB (W B )) B = Buyer S = Seller WCA = Watermark Certificate Authority O = Original Work O’ = Marked Work W k = k’s Watermark E PKB (W B ), Sign WCA (E PKB (W B )) σ = Random permutation of degree n * = Embedding algorithm E k (.) = Encrypt with k’s public key Sign k (.) = Sign with k’s private key E PKB (O’ * σ(W B )) D SKB (E PKB (O’ * σ(W B ))) = O’ * σ(W B ) Generate W B Registration, Buy and Sell S does not know the watermark B does not know the embedded watermark

12 MW Protocol A SB Request private key Private key σ, E PKB (W B ), Sign WCA (E PKB (W B )), Y B = Buyer S = Seller A = Arbiter WCA = Watermark Certificate Authority O = Original Work O’, O” = Marked Work Y = Illegal copy W k = k’s Watermark σ = Random permutation of degree n * = Embedding algorithm E k (.) = Encrypt with k’s public key Sign k (.) = Sign with k’s private key On discovering an illegal copy of O’, say Y, S can determine B by detecting σ(W B ) embedded using a watermark detection algorithm and search the buyer details from his database. Identification and Arbitration

13 Issue with MW MW Protocol achieved:  No Framing  No repudiation  Traceability But…  No anonymity,  No unlinkability for the buyers

14 Lei Protocol CAB pk B Cert CA (pk B ) Generate (sk B,pk B ) Generate cert CA (pk B ) B = Buyer S = Seller O = Original Work O’, O” = Marked Work W k = k’s Watermark ARG = An agreement between the buyer and the seller * = Embedding algorithm E k (.) = Homomorphic encrypt with k’s public key D k (.) = Homomorphic decrypt with k’s private key Sign k (.) = Sign with k’s private key (sk B,pk B ), (sk’, pk’) = Buyer generated random key pair Registration Anonymous key pair

15 Lei Protocol WCA SB Generate (sk ’,pk ’ ) for this transaction s = Sign sk’ (ARG) Generate Cert pkB (pk’) B = Buyer S = Seller WCA = Watermark Certificate Authority O = Original Work O’, O” = Marked Work W k = k’s Watermark ARG = An agreement between the buyer and the seller * = Embedding algorithm E k (.) = Homomorphic encrypt with k’s public key D k (.) = Homomorphic decrypt with k’s private key Sign k (.) = Sign with k’s private key (sk B,pk B ), (sk’, pk’) = Buyer generated random key pair Cert CA (pk B ), Cert pkB (pk’), ARG, s O’ = O * W S E pk’ (O’ * W B ) E pk’ (O’) * E pk’ (W B ) = E pk’ (O’ * W B ) Cert pkB (pk’), ARG, s, O’ E pk’ (W B ), E WCA (W B ), S WCA, pk’, s Generate W B S WCA = Sign WCA (W B ) D sk’ (E pk’ (O’ * σ(W B ))) = O’ * σ(W B ) Buy and Sell Unlinkable key pair S & B do not know the watermark

16 Lei Protocol The B Identity B X 1 (sk 1, pk 1 ) Y 11 (sk 11, pk 11 ) X 2 (sk 2, pk 2 ) X n (sk n, pk n ) Y 1m (sk 1m, pk 1m ) Y 21 (sk 21, pk 21 ) Y 2k (sk 2k, pk 2k ) Y n1 (sk n1, pk n1 ) Y nt (sk nt, pk nt ) Linkable, to X 1 Unlinkable, S knows is from X 1 S knows is from X 2 S does not know X 1 links to X 2 S does not know X 1,X 2,…,X n link to B

17 Lei Protocol Identification and Arbitration S = Seller A = Arbiter WCA = Watermark Certificate Authority O = Original Work O’, O” = Marked Work Y = Illegal Copy W k = k’s Watermark ARG = An agreement between the buyer and the seller * = Embedding algorithm Det(.,.) = Detection algorithm E k (.) = Homomorphic encrypt with k’s public key D k (.) = Homomorphic decrypt with k’s private key Sign k (.) = Sign with k’s private key (sk B,pk B ), (sk’, pk’) = Buyer generated random key pair A S WCA E WCA (W B ) WBWB O’, Y, Cert CA (pk B ), Cert pkB (pk’), ARG, s, E pk’ (W B ), E WCA (W B ), S WCA W’ = Det(Y) W’ = W B ? On discovering an illegal copy of O’, say Y, S carries out the following steps:

18 Zhang Protocol Similar to Lei Protocol except that there is no WCA No need WCA to generate and certify watermark:  S generates his part of the watermark  B generates his part of the watermark  The final watermark embedded in the digital work is the combination of S and B’s watermarks

19 Zhang Protocol CAB pk B Cert CA (pk B ) Generate (sk B,pk B ) Generate cert CA (pk B ) B = Buyer CA = Certificate Authority O = Original Work O’, O” = Marked Work O f = Illegal Copy W k = k’s Watermark ARG = An agreement between the buyer and the seller SEC i = Secret string of i * = Embedding algorithm E k (.) = Homomorphic encrypt with k’s public key D k (.) = Homomorphic decrypt with k’s private key Sign k (.) = Sign with k’s private key (sk B,pk B ), (sk’, pk’) = Buyer generated random key pair Registration

20 Zhang Protocol SB Generate (sk ’,pk ’ ) for this transaction Generate a secret SEC B e = E pk’ (SEC B ) s = Sign sk’ (E pk’ (SEC B ), ARG) Generate Cert pkB (pk’) B = Buyer S = Seller O = Original Work O’, O” = Marked Work O f = Illegal Copy W k = k’s Watermark ARG = An agreement between the buyer and the seller SEC i = Secret string of i * = Embedding algorithm E k (.) = Homomorphic encrypt with k’s public key D k (.) = Homomorphic decrypt with k’s private key Sign k (.) = Sign with k’s private key (sk B,pk B ), (sk’, pk’) = Buyer generated random key pair Cert CA (pk B ), Cert pkB (pk’), ARG, e, s O’ = O * W S E pk’ (W B ) = E pk’ (SEC S )(E pk’ (SEC B ) = E pk’ (SEC S + SEC B ) E pk’ (O’) * E pk’ (W B ) = E pk’ (O’ + W B ) E pk’ (O’ * W B ) D sk’ (E pk’ (O’ + W B )) = O’ + W B Buy and Sell

21 Zhang Protocol B = Buyer S = Seller A = Arbiter CA = Certificate Authority O = Original Work O’ = Marked Work Y = Illegal Copy W k = k’s Watermark ARG = An agreement between the buyer and the seller SEC i = Secret string of i * = Embedding algorithm Det(.,.) = Detection algorithm E k (.) = Homomorphic encrypt with k’s public key D k (.) = Homomorphic decrypt with k’s private key Sign k (.) = Sign with k’s private key (sk B,pk B ), (sk’, pk’) = Buyer generated random key pair A S CA Cert CA (pk B ), Cert pkB (pk’), e SEC B O’, Y, Cert CA (pk B ), Cert pkB (pk’), ARG, e, s, SEC S Found Y Compute W B = SEC S + SEC B W’ = Det(Y) W’ = W B ? B e = E pk’ (SEC B ) SEC B D sk’ (E pk’ (SEC B )) = SEC B Identification and Arbitration

22 Analysis of Zhang et al. Protocols Issues  Buyer can remove his part of the watermark easily since… O’ + W B = O’ + SEC S + SEC B and Buyer knows SEC B, to remove… O’ + SEC S + SEC B – SEC B

23 Summary The motivation of BSW The proposals to date  MW, Lei and Zhang The issues  No formal security model, protocols designed in ad hoc manner Current focus  To continue analyse other proposals (Ju, Choi, Goi), with issues when parties collude with each others (Seller colludes with WCA etc.)

Thank You