Software Competence Center Hagenberg
A-4232 Hagenberg
+43 7236 3343 - 837
edgar.weippl@scch.at
The table of contents will be marked up as an un-ordered list.
Multimedia is today's buzzword when talking about Web content. The newest desktop computers now offer a performance unmatched even by workstations a couple of years ago. As a consequence both individuals and companies invest a lot of time and money into the development of multimedia content. Graphics, animation sequences and music are widely used on homepages of companies but also to convey information effectively e.g. in multimedia encyclopedias.
Due to the high cost of creating, distributing and updating Web-based multimedia content, security is a major issue. There are two aspects of security that we have focused on in this paper: confidentiality and some aspects of integrity. Confidentiality means that data objects are only accessible by authorized users, whereas integrity ensures that only authorized users modify content. A third aspect of security, we do not deal with, is availability, e.g. preventing denial-of-service attacks.
Access Control for file systems and databases is probably one of the best-researched areas in computer science. In the 70s and 80s various security models have been developed to guarantee confidentiality and availability. The Bell - La Padula model [1] [2] is the most famous security model. It considers the flow of information when a subject, e.g. user, observes or modifies an object, i.e. data. Basically, it prohibits users reading data that is classified at a higher security level ('clearance' in military terms) than they are and prevents them from writing data to security levels lower than those read from. These properties are also referred to as 'no read-up' and 'no write-down'. The Bell - La Padula model is based on discretionary access control (DAC). This means that access control is at the discretion of the object's owner. On the contrary, mandatory access control (MAC) implies that access rights are assigned centrally [4]. The Biba model [3] can - at least to some extent - be considered to be the inverse of the Bell - La Padula model. It is mainly focused on guaranteeing integrity, i.e. to prohibit unauthorized modification of data. Apart from using general computer security models restricting access and distribution of multimedia content, digital watermarking is an important approach to protect this kind of data. Yeung [11] gives an overview over existing techniques. However, even if perfect watermarking techniques existed, content could still be copied illegally causing considerable losses. MP3 copies of music distributed via Napster or Gnutella are a good example. In most cases, there is no doubt who holds the copyright of the songs but still thousands of copies are being distributed illegally. Landwehr [5] present a comprehensive taxonomy of computer security issues. It provides a good introduction to the characteristics of security flaws and how they can arise.
Coimbra was originally developed to allow university professors to securely distribute multimedia content for Web-based training courses. However, we soon realized that our technology could also be used in various other fields of application, e.g. multimedia encyclopedias or distributed authoring systems.
Figure 1: Coimbra_admin is used to manage files on the Coimbra Server. The upper pane contains a directory listing with meta information on the files, the lower left pane shows a structured table of content and on the right a preview window displays the file.
Figure 2. This Figure shows the client browser displaying the main menu (an image map) of a WBT course.
The content is stored on a Web server that supports both the HTTP and the FTP protocol. We strongly agree with Wilkinson [10]: "If sensitive information is to be included in a shared web, access controls will be required. However, the complex software needed to provide a web service is prone to failure. To provide access control without relying on such software, encryption can be used."
Blowfish is a symmetric block cipher that can be used as a replacement for DES (Data Encryption Standard). It was invented by Bruce Schneier [7],[8] in 1993 and is a freely available encryption algorithm. Since then it has been analyzed considerably, and it is slowly gaining acceptance as a strong encryption algorithm. The Blowfish algorithm is has not been patented and can be used without license fees.
As the client software uses an open multilevel architecture, the files can be encrypted using a different algorithm instead of Blowfish, too. A promising approach is to use PGP as an additional layer. PGP implements asymmetric public key cryptography and is freely available at www.pgpi.com. Still, we need to add some additional logic to transparently manage the public and group keys required for public key cryptography.
Figure 3. The modified Web browser at the client side decrypts documents and optionally reroutes HTTP request to a CD ROM-based 'server'.
If the user has read access to a file, she can view it. Depending on what the owner of the file specified, she might also be permitted to print it, save it or copy its content to the clipboard. We implemented a discretionary access control because managing access rights for every file by its owner is more efficient in distributed computing environments than a rigid mandatory access schema.
Let us now look at an example (see Figure 4). If a user creates a new file, e.g. a HTML page that includes references to graphics and movie files, she normally saves it to her local disk first. When she wants to publish it, our client software (Coimbra_admin) encrypts the file, uploads it via FTP and updates various index files. Optionally, the referenced graphic and movie files are also encrypted and stored on the server (or updated if they already exist).
Later on, other people want to view the newly created HTML page. They use their Coimbra clients to connect to the Web server and access this page. The page is downloaded via HTTP and stored locally in the cache. All files, i.e. HTML files, graphics, movies, etc. are only decrypted for viewing. As the viewer is a slightly modified standard Web browser, the content cannot be saved (as plaintext) unless the authors allowed doing so. Therefore it is very difficult to illegally copy the content of a Coimbra server.
Figure 4. Coimbra admin is used to administer the files on a Web and FTP server. The clients can connect to this server and download encrypted files that are only decrypted for viewing.
One of the major weaknesses of the current system is the fact that users need a special client to access Web pages published with Coimbra. This may be unacceptable for many e-commerce applications. However, for Web applications that are used on a regular basis and that provide a lot of information that should not be copied, Coimbra is ideal.
We currently use the system to offer Web-based training courses and the German version of Teach/Me [7] is also based on this technology. Coimbra implements a security policy that is based on the Bell - La Padula model. Classified information cannot be 'written down', i.e. copied to a disk or to the clipboard without explicit permission. Obviously, information cannot be read without authorization (no read-up), either.
Our approach to secure multimedia content is orthogonal to watermarking techniques in the sense that it will protect all kinds of documents (whether watermarked or not) as long as the owner does not allow users to save them decrypted. In comparison to watermarking, Coimbra also prohibits illegally copying the content.
As mentioned before the most important weakness of Coimbra is that a modified browser is necessary. We currently explore options to integrate the Coimbra access layer in a Java Applet or an ActiveX control so that it can be executed within a standard Web browser environment.
Our thanks to Hans Lohninger, professor at the Institute of Analytical Chemistry at the Vienna University of Technology, who manages the project and implemented core layers of Coimbra.