Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

JPSEC: Security for Digital Imagery in JPEG 2000 Susie Wee & John Apostolopoulos

advertisement 
International Telecommunication Union
International Multimedia Telecommunications Consortium
ITU-T
JPSEC: Security for Digital
Imagery in JPEG 2000
Susie Wee* & John Apostolopoulos
* Director, Mobile & Media Systems Lab
HP Labs
* Co-Editor of JPSEC
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
Introduction
ITU-T
o Digital imagery is an important area
o Emerging applications require adding
security
• Commerce of digital imagery
• Secure web browsing
• Secure media adaptation for diverse clients &
networks
o JPEG 2000 is now creating the JPEG-2000
Security Standard
• This is JPSEC!
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
2
JPEG 2000 family of standards
ITU-T
o
o
o
o
o
o
o
o
o
o
o
Part 1: Core coding system
Part 2: Extensions (adds more features to the core)
Part 3: Motion JPEG 2000
Part 4: Conformance
Part 5: Reference software
Part 6: Compound image file format (documents)
Part 8: JPSEC on security
Part 9: JPIP on interactive protocols and API
Part 10: JP3D on volumetric imaging
Part 11: JPWL on wireless applications
Part 12: ISO Base Media File Format (=MPEG-4)
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
3
JPEG 2000 Application Paradigm
ITU-T
Encode
Decode
Decode Choices
• Image resolution
• SNR fidelity
• Visual fidelity
• Target file size
• Lossless/lossy
• Region-of-interest
• Tiles
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
4
JPEG-2000 image coding
ITU-T
o Image structures
JPEG-2000
Packets
• Tiles, Resolutions,
Layers, Color
components, Precincts
o Codestream structures Header
• Header
— SIZ, COD, QCD, etc.
• Data
—JPEG-2000 Packets: Data
contain TRLCP units
o
o
Packet headers
Packet bodies
TRLCP
units
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
5
Media delivery to diverse clients
over diverse networks
ITU-T
Mid-network transcoding at overlay nodes
User
User
User
User
Edge
Overlay
Node
Node
Edge
User
Node
Sender
User
Overlay
Transcode
Node
High Resolution
Low Resolution
Edge
Node
User
User
User
User
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
6
Mid-Network Transcoding
with End-to-End Security
ITU-T
Secure transcoding enables transcoding w/o decryption!
User
User
Edge
Node
How do you
transcode
encrypted streams?
[ICASSP, ICIP 2001]
User
User
Overlay
Node
Edge
User
Node
Sender
User
Overlay
Secure
Transcode
Transcoder
Node
Edge
Node
User
User
User
User
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
7
Data vs. Media Security
ITU-T
o Question: How do we secure digital images?
o Conventional approach: Apply traditional data
security to media
• Problem: Lose all media attributes, e.g., the
ability to access a portion of the media
o Our solution: Jointly design security,
compression, & delivery to preserve media
features
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
8
JPSEC Basic Design Principle
ITU-T
o JPSEC goes beyond simple end-point operations
Create
Image
Deliver
Consume
JPSEC Dec
Enc JPSEC
Image
o JPSEC is designed for intermediate operations
JPSEC
Process
Adapted JPSEC
o Leads to deeper & richer design goals
o Impacts all security services & overall design
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
9
JPEG-2000 to JPSEC
ITU-T
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
10
JPSEC creation & consumption
SEC Marker Segment
ITU-T
Image
or
JPEG-2000
JPSEC
Creator
JPSEC
Image
JPSEC
or
Consumer
JPEG-2000
Security is achieved with
JPSEC Protection Tools signaled in the codestream.
SEC Codestream
Marker parameters
Tool 1
Tool 2
…
Tool n
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
11
JPSEC tool types
ITU-T
o JPSEC Template Tool
• Syntax defined by JPSEC standard
(normative)
• Protection method templates specify
parameter syntax
o JPSEC Registration Authority Tool
• Syntax defined by registration authority (nonnormative)
o JPSEC Private Tool
• Syntax defined by private application (nonnormative)
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
12
JPSEC Architecture & Syntax
ITU-T
o What security service is applied?
• Protection tool type
o Where is the security service applied?
• Zone of influence (ZOI)
o How is the security tool applied?
• Tool parameters
o Designed to be simple, efficient, highly
flexible & extensible to support rich sets of
capabilities & applications
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
13
ITU-T
What?
JPSEC Template Tools
o Protection method templates
• Decryption template
—Block cipher
—Stream cipher
—Asymmetric cipher
• Authentication template
—Hash-based authentication
—Cipher-based authentication
—Digital signature
• Integrity template
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
14
ITU-T
Where?
Zone of Influence (ZOI)
o ZOI specifies tool’s area of influence
Zone B
o Image-Related Descriptions
• Region, tile, resolution, component,
quality level, etc.
o Bitstream-Related Descriptions
Zone A
• Byte range, packet, Distortion, TRLCP tag
o Used together to describe correspondence
ZOI is a powerful tool that enables lowcomplexity & highly flexible media security by
providing metadata for the protected data
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
15
How?
Protection Template Options
ITU-T
Decryption Template
Authentication Template
Block cipher
Hash-based authentication
Cipher
DES, 3DES, AES
Block cipher
mode
ECB, CBC, CFB, OFB, CTR
Padding mode
Ciphertext stealing,
PKCS#7
Block size
Cipher dependent
Key template
Application dependent
Initialization
vector
Variable
Stream Cipher
Method
HMAC
Hash function
SHA-1,RIPEMD 160,SHA256
Key template
Application dependent
Size of MAC
Variable
MAC value
Signal dependent
Cipher-based Authentication
Method
CBC-MAC
Block cipher
Cipher ID
Key template
Application dependent
Cipher
RC4
Size of MAC
Variable
Key template
Application dependent
MAC value
Signal dependent
Initialization
vector
Variable
Asymmetric Cipher
Digital Signature
Method
RSA, Rabin, DSA, ECDSA
Hash function
Hash ID
Application dependent
Cipher
RSA
Key template
Key template
Application dependent
Digital
Signal
dependent
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325
next?“
signature
San Diego, 9-11 May 2006
16
ITU-T
Example: Transcode, Decrypt &
Authenticate
1. Transcode
2. Decrypt
3. Authenticate
4. Decode
JPSEC
Data
Decrypt
Decode
MAC
Value
1
Verify
True/False
MAC
Value
2
Verify
True/False
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
17
What, Where, How:
JPSEC Protection Templates
ITU-T
o Example: Securely access & authenticate 3
resolution layers
Decryption Template
Zone
of
Influence
Decryption
Template
Processing
Domain
Res
0
Byte
range
58-502
Cipher
ID
Block cipher
Codestream
Domain
Layer
Granularity Granularity
Res
1
Cipher
Type
AES
Byte
range
502-1104
Cipher
Mode
CBC
Res
2
Paddin
gMode
CTS
Byte
range
1104 -1900
Block
Size
128
Packet
Header &
Bodies
IV
Size
IV
Value
1
Authentication Template
ptr
Zone
of
Influence
Res
0
Hashbased
Auth
Auth
Method
HMAC
Processing
Domain
IV
Value
2
IV
Value
n
Res
1
Res
2
Hash
Function
SHA -1
Codestream
Domain
Resolution
Granularity Granularity
ptr
Packet
Bodies
MAC
Size
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
MAC
Value
1
MAC
Value
2
MAC
Value
3
18
JPSEC with Secure Transcoding
ITU-T
JPEG-2000
Encode
JPSEC
Protect
JPEG-2000
JPSEC
Protect -1
Decode
Protect -1
Decode
Secure
Transcode
Transcoded
JPSEC
Transcoded
JPEG-2000
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
19
ITU-T
Results:
JPSEC transcoded images
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
20
ITU-T
JPSEC Security Service
Requirements
1. Confidentiality
Media aware
2. Integrity verification
Media aware
3. Authentication
Media aware
Media aware
4. Access control
5. Registered content identification
6. Secure scalable streaming & secure
transcoding
New (non-conventional) security service
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
21
Use Case 1:
ITU-T
Multi-level Access Control
o Access resolution, quality, spatial region
o Multiple independent or structured keys
o One copy of encrypted media provides
multiple levels of access control --- access
depends on user’s key
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
22
Use Case 2:
ITU-T
Selective & Partial Encryption
Marked Image
Spatial Pattern of Marking
Decoding without key
o Marked image sufficient for understanding
image content & deciding whether to
purchase key to unmark the image
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
23
Use Case 3:
ITU-T
Selective Encryption
Selectively encrypted
JPEG-2000 Image
(decoding w/o key)
Decrypted
Image
(with key)
o Selected portions hidden with encryption
o End-user w/o key can still see image
contents and decide whether to purchase
o Encrypted JPEG-2000 bitstreams decoded by
JPEG-2000 decoder without key
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
24
Use Case 4:
ITU-T
Secure Storage & Transcoding
Image
JPSEC
Storage
o Encrypt, store, securely adapt for different devices
• Server stores encrypted content
• Server adapts/transcodes without decryption
o Secure Scalable Streaming technology
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
25
JPSEC Status
ITU-T
o JPEG-2000 security standard (JPSEC)
o New requirement: Secure scalable streaming
and secure transcoding
o Status: Final Draft International Standard
o Likely to reach International Standard in
Summer 2006
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
26
Acknowledgements
ITU-T
o The authors would like to thank the
members of the JPSEC Ad-Hoc Group and the
JPEG working group for their continual
support.
Joint ITU-T Workshop and IMTC Forum 2006 “H.323, SIP: is H.325 next?“
San Diego, 9-11 May 2006
27
Related documents
SE– x October 2012 English only Original: English
SE– x October 2012 English only Original: English
Download
advertisement