Scalable Authentication of MPEG-4 Streams Yongdong Wu & Robert H. Deng present: Yu-Song Syu

outline Introduction Preliminaries Framework of Proposed Schemes Flat Authentication Scheme Progressive Authentication Scheme Hierarchical Authentication Scheme Security & Performance Conclusion

Motivation MPEG-4: a state-of-the-art technology DMIF – generic platform FGS – flexible multimedia distribution IPMP – secure delivery framework Authentication isn ’ t provided in IPMP 3 authentication schemes are presented

Related Works Layer-based Priority best possible quality for each video object Object-based Priority Different importance => different quality A straightforward authentication Append a digital signature to each packet High computation Large communication overhead

Related Works SAIDA reduces space overhead and increase tolerance of packet loss Improved to reduce the packet overhead by Pannetrat in 2003 A watermark based stream authentication scheme rejects malicious tempering

outline Introduction Preliminaries Framework of Proposed Schemes Flat Authentication Scheme Progressive Authentication Scheme Hierarchical Authentication Scheme Security & Performance Conclusion

Preliminaries One-way Hash Function Digital Signature The Merkle Hash Tree Erasure Correction Coding Syntactic Structure of MPEG-4

One-Way Hash Function Converting a variable-length string to a fixed-length output string Hash value: H(m) m: pre-image Hard to find the pre-image from a known hash value

Digital Signature Authenticating the integrity of a signed message as well as its origin pubisherclient σ KeKe m: message to send K s : private key σ = Sign(K s, m) publishreceive Verify received words by: σ = Veri(m, σ, K e )

The Merkle Hash Tree A client requests for n 3 and needs the authentication Source also sends d 4, h A, and h F Client computes d 3 and H(H(h A ||H(d 3 ||d 4 ))||h F )

Erasure Correction Coding U=mG m=m 1, m 2, …, m k U=u 1, u 2, …, u n n-k bits of parity Error correction ability: d min -1 Ref. Digital: Communications, Bernard Sklar

Syntactic Structure of MPEG-4 Each object layer has a priority to represent its importance The base layer has the highest priority Other layers (enhancement layers) have progressively lower priorities

outline Introduction Preliminaries Framework of Proposed Schemes Flat Authentication Scheme Progressive Authentication Scheme Hierarchical Authentication Scheme Security & Performance Conclusion

Content distribution framework

Problem Definition Packet loss comes from: A proxy discards unimportant content intentionally so as to meet the network a& client device requirements A router discards packets due to network limitation A receiver discards packets failing checksum verifications

Problem Definition A stream authentication scheme should: Reduce the computational & communication cost? Increase the probability of successful authentication in case of packet loss Manage data removal at proxies so as to allow successful authentication

Overview of the Proposed Schemes Objects EncodePackSign Down-scale DecodeUnPackVerify Trusted Objects Proxies

outline Introduction Preliminaries Framework of Proposed Schemes Flat Authentication Scheme Progressive Authentication Scheme Hierarchical Authentication Scheme Security & Performance Conclusion

Packaging an Object Group Visual objects are encapsulated into n packets Each row stands for one Visual Object Layer : parity unit

Generating Signature on an Object Group h i = HLi 1 ⊕ HLi 2 ⊕ … ⊕ HLi l HLi j = H(Pi j ||j), j=1, 2, … l Packet hash of Pi: g i = H(h i ||i) Hash value of group G: h G = H(g 1 ||g 2 || … ||g n ||G ID ||S ID ) G ID : group ID S ID : stream ID σ = Sign(K s, h G )

Encoding & Encapsulating

X = (h 1,h 2, …,h n,x 1, … x n-k ) = Enc 2n-k,k (h 1,h 2, … h n ) Divide X into k symbols y i ∈ GF(2 w2 ) C r = Enc n,k (y 1,y 2, … y k ) = r 1, …,r k Integrity units C s = Enc n,k ( σ 1, σ 2, …σ n ) = σ 1, …, σ n signature units Append r i & s i to the original packet P i

Appending

Down-Scaling Objects Layer t+1 ~ layer l are discarded by proxies, a patch e would be inserted e i = HLi t+1 ⊕ HLi t+2 ⊕ … ⊕ HLi l

Verifying Packets Only k packets are rcv’d y i, … y k =Dec n,k (r 1, … r k ) h 1, … h n =HLi 1 ⊕ … HLi k ⊕ e i i = 1, 2, …, k g i = H(h i ||i) h G =H(g 1 ||g 2 ||…g n ||G ID ||S ID ) σ= Dec(s 1,…,s k ) Veri(h G,σ,K e )

outline Introduction Preliminaries Framework of Proposed Schemes Flat Authentication Scheme Progressive Authentication Scheme Hierarchical Authentication Scheme Security & Performance Conclusion

PAS Securer than FAS Discuss later Assuming that layer i has higher priority than layer i+1,i = 1, 2, …, l Almost the same as FAS

Differences Generating signature g i =H(H(Pi 1 ||H(Pi 2 ||H( … ||H(Pi l ))))||i) g i =H(H(Pi 1 ||1) ⊕ H(Pi 2 ||2) ⊕ … ⊕ H(Pi l ||l) || i) Down-Scaling Objects e i =H(Pi t+1 ||H(Pi t+2 ||H( … ||H(Pi l )))) e i = HLi t+1 ⊕ HLi t+2 ⊕ … ⊕ HLi l Verifying Packets g i =H(H(Pi 1 ||H(Pi 2 ||…)||e i ) || i) g i =H( (HLi 1 ⊕ … HLi k ⊕ e i ) || i)

outline Introduction Preliminaries Framework of Proposed Schemes Flat Authentication Scheme Progressive Authentication Scheme Hierarchical Authentication Scheme Security & Performance Conclusion

HAS

Generating Signature Compute hash value D of leaf nodes: D=HLi j =H(Pi j ||j), j=1,2, …,l For nonleaf nodes hash value N i = H(D 1 || D 2 || … || D c ) For example, B j is a node in Fig.10

Generating Signature (cont ’ ) Finally, the object group hash is: h G =H(g 1 || g 2 || … || g n || G ID || S ID ) σ =Sign(K s,h G ) The rest part is the same as FAS

Down-Scaling

Verifying Packets Hash value g i is computed by client according to All the same as FAS

outline Introduction Preliminaries Framework of Proposed Schemes Flat Authentication Scheme Progressive Authentication Scheme Hierarchical Authentication Scheme Security & Performance Conclusion

Authentication Probability

Security & Computational Cost Security HAS > PAS > FAS Computational cost of the producer is the highest For example, in RSA scheme, the verification time is only 4% of the signature generation time when K e =17

outline Introduction Preliminaries Framework of Proposed Schemes Flat Authentication Scheme Progressive Authentication Scheme Hierarchical Authentication Scheme Security & Performance Conclusion

conclusion 3 schemes of authentication FAS provided the max flexibility PAS has stronger security strength but requires that data is totally ordered HAS is secure against active attacks and has low authentication overhead Sign once, verify many ways Future work: To minimize buffer space in client devices