JPSEC: Security for Digital Imagery in JPEG 2000 Susie Wee & John Apostolopoulos
advertisement
International Telecommunication Union International Multimedia Telecommunications Consortium ITU-T JPSEC: Security for Digital Imagery in JPEG 2000 Susie Wee* & John Apostolopoulos * Director, Mobile & Media Systems Lab HP Labs * Co-Editor of JPSEC Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 Introduction ITU-T o Digital imagery is an important area o Emerging applications require adding security • Commerce of digital imagery • Secure web browsing • Secure media adaptation for diverse clients & networks o JPEG 2000 is now creating the JPEG-2000 Security Standard • This is JPSEC! Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 2 JPEG 2000 family of standards ITU-T o o o o o o o o o o o Part 1: Core coding system Part 2: Extensions (adds more features to the core) Part 3: Motion JPEG 2000 Part 4: Conformance Part 5: Reference software Part 6: Compound image file format (documents) Part 8: JPSEC on security Part 9: JPIP on interactive protocols and API Part 10: JP3D on volumetric imaging Part 11: JPWL on wireless applications Part 12: ISO Base Media File Format (=MPEG-4) Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 3 JPEG 2000 Application Paradigm ITU-T Encode Decode Decode Choices • Image resolution • SNR fidelity • Visual fidelity • Target file size • Lossless/lossy • Region-of-interest • Tiles Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 4 JPEG-2000 image coding ITU-T o Image structures JPEG-2000 Packets • Tiles, Resolutions, Layers, Color components, Precincts o Codestream structures Header • Header — SIZ, COD, QCD, etc. • Data —JPEG-2000 Packets: Data contain TRLCP units o o Packet headers Packet bodies TRLCP units Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 5 Media delivery to diverse clients over diverse networks ITU-T Mid-network transcoding at overlay nodes User User User User Edge Overlay Node Node Edge User Node Sender User Overlay Transcode Node High Resolution Low Resolution Edge Node User User User User Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 6 Mid-Network Transcoding with End-to-End Security ITU-T Secure transcoding enables transcoding w/o decryption! User User Edge Node How do you transcode encrypted streams? [ICASSP, ICIP 2001] User User Overlay Node Edge User Node Sender User Overlay Secure Transcode Transcoder Node Edge Node User User User User Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 7 Data vs. Media Security ITU-T o Question: How do we secure digital images? o Conventional approach: Apply traditional data security to media • Problem: Lose all media attributes, e.g., the ability to access a portion of the media o Our solution: Jointly design security, compression, & delivery to preserve media features Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 8 JPSEC Basic Design Principle ITU-T o JPSEC goes beyond simple end-point operations Create Image Deliver Consume JPSEC Dec Enc JPSEC Image o JPSEC is designed for intermediate operations JPSEC Process Adapted JPSEC o Leads to deeper & richer design goals o Impacts all security services & overall design Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 9 JPEG-2000 to JPSEC ITU-T Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 10 JPSEC creation & consumption SEC Marker Segment ITU-T Image or JPEG-2000 JPSEC Creator JPSEC Image JPSEC or Consumer JPEG-2000 Security is achieved with JPSEC Protection Tools signaled in the codestream. SEC Codestream Marker parameters Tool 1 Tool 2 … Tool n Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 11 JPSEC tool types ITU-T o JPSEC Template Tool • Syntax defined by JPSEC standard (normative) • Protection method templates specify parameter syntax o JPSEC Registration Authority Tool • Syntax defined by registration authority (nonnormative) o JPSEC Private Tool • Syntax defined by private application (nonnormative) Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 12 JPSEC Architecture & Syntax ITU-T o What security service is applied? • Protection tool type o Where is the security service applied? • Zone of influence (ZOI) o How is the security tool applied? • Tool parameters o Designed to be simple, efficient, highly flexible & extensible to support rich sets of capabilities & applications Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 13 ITU-T What? JPSEC Template Tools o Protection method templates • Decryption template —Block cipher —Stream cipher —Asymmetric cipher • Authentication template —Hash-based authentication —Cipher-based authentication —Digital signature • Integrity template Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 14 ITU-T Where? Zone of Influence (ZOI) o ZOI specifies tool’s area of influence Zone B o Image-Related Descriptions • Region, tile, resolution, component, quality level, etc. o Bitstream-Related Descriptions Zone A • Byte range, packet, Distortion, TRLCP tag o Used together to describe correspondence ZOI is a powerful tool that enables lowcomplexity & highly flexible media security by providing metadata for the protected data Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 15 How? Protection Template Options ITU-T Decryption Template Authentication Template Block cipher Hash-based authentication Cipher DES, 3DES, AES Block cipher mode ECB, CBC, CFB, OFB, CTR Padding mode Ciphertext stealing, PKCS#7 Block size Cipher dependent Key template Application dependent Initialization vector Variable Stream Cipher Method HMAC Hash function SHA-1,RIPEMD 160,SHA256 Key template Application dependent Size of MAC Variable MAC value Signal dependent Cipher-based Authentication Method CBC-MAC Block cipher Cipher ID Key template Application dependent Cipher RC4 Size of MAC Variable Key template Application dependent MAC value Signal dependent Initialization vector Variable Asymmetric Cipher Digital Signature Method RSA, Rabin, DSA, ECDSA Hash function Hash ID Application dependent Cipher RSA Key template Key template Application dependent Digital Signal dependent Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ signature San Diego, 9-11 May 2006 16 ITU-T Example: Transcode, Decrypt & Authenticate 1. Transcode 2. Decrypt 3. Authenticate 4. Decode JPSEC Data Decrypt Decode MAC Value 1 Verify True/False MAC Value 2 Verify True/False Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 17 What, Where, How: JPSEC Protection Templates ITU-T o Example: Securely access & authenticate 3 resolution layers Decryption Template Zone of Influence Decryption Template Processing Domain Res 0 Byte range 58-502 Cipher ID Block cipher Codestream Domain Layer Granularity Granularity Res 1 Cipher Type AES Byte range 502-1104 Cipher Mode CBC Res 2 Paddin gMode CTS Byte range 1104 -1900 Block Size 128 Packet Header & Bodies IV Size IV Value 1 Authentication Template ptr Zone of Influence Res 0 Hashbased Auth Auth Method HMAC Processing Domain IV Value 2 IV Value n Res 1 Res 2 Hash Function SHA -1 Codestream Domain Resolution Granularity Granularity ptr Packet Bodies MAC Size Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 MAC Value 1 MAC Value 2 MAC Value 3 18 JPSEC with Secure Transcoding ITU-T JPEG-2000 Encode JPSEC Protect JPEG-2000 JPSEC Protect -1 Decode Protect -1 Decode Secure Transcode Transcoded JPSEC Transcoded JPEG-2000 Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 19 ITU-T Results: JPSEC transcoded images Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 20 ITU-T JPSEC Security Service Requirements 1. Confidentiality Media aware 2. Integrity verification Media aware 3. Authentication Media aware Media aware 4. Access control 5. Registered content identification 6. Secure scalable streaming & secure transcoding New (non-conventional) security service Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 21 Use Case 1: ITU-T Multi-level Access Control o Access resolution, quality, spatial region o Multiple independent or structured keys o One copy of encrypted media provides multiple levels of access control --- access depends on user’s key Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 22 Use Case 2: ITU-T Selective & Partial Encryption Marked Image Spatial Pattern of Marking Decoding without key o Marked image sufficient for understanding image content & deciding whether to purchase key to unmark the image Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 23 Use Case 3: ITU-T Selective Encryption Selectively encrypted JPEG-2000 Image (decoding w/o key) Decrypted Image (with key) o Selected portions hidden with encryption o End-user w/o key can still see image contents and decide whether to purchase o Encrypted JPEG-2000 bitstreams decoded by JPEG-2000 decoder without key Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 24 Use Case 4: ITU-T Secure Storage & Transcoding Image JPSEC Storage o Encrypt, store, securely adapt for different devices • Server stores encrypted content • Server adapts/transcodes without decryption o Secure Scalable Streaming technology Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 25 JPSEC Status ITU-T o JPEG-2000 security standard (JPSEC) o New requirement: Secure scalable streaming and secure transcoding o Status: Final Draft International Standard o Likely to reach International Standard in Summer 2006 Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 26 Acknowledgements ITU-T o The authors would like to thank the members of the JPSEC Ad-Hoc Group and the JPEG working group for their continual support. Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“ San Diego, 9-11 May 2006 27
0
advertisement
Related documents
Download
advertisement
Add this document to collection(s)
You can add this document to your study collection(s)
Sign in Available only to authorized usersAdd this document to saved
You can add this document to your saved list
Sign in Available only to authorized users