Multimedia Content Protection by Cryptography and
Watermarking in Tamper-resistant Hardware

Feng Bao
Information Security Group
Kent Ridge Digital Labs
21 Heng Mui Keng Terrace
Singapore 119613
baofeng@krdl.org.sg


ABSTRACT

With the rapid growth of broadband networks, distribution of multimedia via the Internet is the inevitable way to go. Content protection has become one of the most significant and challenging problems in this field. In this paper, we propose a general scheme that combines public key cryptography and watermarking technology to achieve effective content protection. The scheme is reliable, flexible and efficient.

Keywords

Multimedia content protection, public key cryptography, watermarking technology, tamper-resistant hardware.
 

1.  INTRODUCTION

It is predicted that within five years a consumer will be able to purchase a computer with a 2 GHz microprocessor, 1 GB of memory, and a 50 GB hard disk for several hundred dollars. The computer will be able to connect to the Internet via a 1 Gb connection or a 10 Mb wireless network. At home, users will be able to surf the Web using a 1 Mb+ telephone or television network. With these amazing microprocessors, memories, hard disks, and bandwidths, many things that are barely imaginable today will become possible. The era of Internet multimedia is definitely coming. On-line video, on-line audio, on-line games, on-line e-books, etc. will greatly enrich people's entertainment.

With speed, storage and networking getting ready, attention is turning to the security technologies for multimedia content protection. It is well known that the copyright of digital objects is very easily infringed. A multimedia content provider needs protection not only by legislation, but also by reliable and convincing technologies.

A huge amount of research work has been done in this area and various technologies have appeared. Watermarking is one of the most studied technologies toward copyright protection of multimedia files, such as digital pictures, digital music, digital video etc.

On-line multimedia distribution is of interest not only to the research community, but also to industry, due to its huge potential market. It is pointed out in [8] that in some areas, say VoD (video on demand), industry is even ahead of research.

In this paper, we study multimedia content protection by exploiting a public key cryptosystem within tamper-resistant hardware devices. We propose a scheme that can be applied to video, audio and any other multimedia digital objects. The design presented in this paper is a very general framework. More detailed studies must be done if the design is to be developed into a real system for practical use.

The new system of content protection proposed in this paper has many good features. The most important and prominent one is that it obeys the principle that compromising one component must not cause the whole system to crash. Most of the available systems unfortunately do not fulfill this requirement. We believe that the framework presented in this paper is the only correct direction to go.
 

2.  WATERMARKING

Content protection is the key security issue for e-commerce of digital goods, whether the transacted content is a picture, a video, an audio file or a piece of news. It is common sense that no digital content provider can survive without some means of protection. SDMI, for example, is an effort toward the protection of online music. Watermarking has been considered a key technology for multimedia content protection. Many research papers have addressed watermarking technology in the past several years. Readers are referred to [3, 5, 6, 17] and the references therein.

There are two sorts of watermarking. The first one is for ownership. The second one is for tracing illegal users. The technique of the second sort is also called fingerprinting in some references.

The first sort of watermarking embeds an identical watermark into every copy of the digital object. Hence, it cannot be used to determine which user distributed an illegal copy. The technology can only deter large-scale resale. There are many research publications on this technology.

The second sort embeds different watermarks into different copies. Hence it can be used to trace illegal users. But this sort of watermarking has two drawbacks. The first is that it is quite expensive to resist collusion attacks. The other, as pointed out in [12], is that there is actually no lawful basis for the content provider to sue the illegal user. This is because the provider himself possesses the watermarked digital object. Hence there is no way, from a technical standpoint, to distinguish who actually disclosed the copy. Asymmetric fingerprinting was proposed to solve this problem, see [13] and the references therein. However, it seems that the technique is not ready for practical use, perhaps due to its interactive implementation.

In our scheme, we require each customer to have a unique tamper-resistant hardware device that conducts both decryption and watermark embedding. The watermark embedded by a hardware device indicates the serial number of the hardware, which is also associated with the unique public/private key pair of the hardware. Hence in our scheme, the watermarking is done not by the content provider, but by the tamper-resistant hardware. In this case, the illegal user can be traced, while the content provider is relieved of the heavy burden of generating different watermarked copies.
 

3.  CRYPTOGRAPHY

Cryptography is a very useful tool for multimedia content protection. Multimedia files are encrypted before the content provider distributes them via the Internet. The encrypted files are meaningless to anyone who has no access to the keys. On the other hand, the keys should not be disclosed to anyone other than the content provider. Therefore we require the key to be encrypted with a public key. The corresponding private key is kept in a tamper-resistant hardware device. To enjoy a multimedia file, a customer needs to input the encrypted file and the encrypted key into the tamper-resistant hardware, in which the key is decrypted and used to decrypt the file. The file is watermarked before it is output from the hardware.

Tamper-resistant hardware has been studied for many years. This technology has already been used in many real applications. In this paper, we take tamper-resistant hardware as our starting point for content protection. The tamper-resistant hardware in our system contains a private key of a public key cryptosystem, which is used to decrypt the ciphertext of the secret key that is used to encrypt a multimedia file, whether video, audio, etc. Although there are some attacks on tamper-resistant hardware at the algorithm level, such as fault-injection attacks [2, 4], timing attacks and power attacks [9], it seems that none of them has caused serious threats in reality. Those attacks are especially unthreatening to our system since the decrypted message is not output, but used to decrypt the encrypted multimedia file.

At the hardware level, the EEPROM modification attack in [1] is more threatening. But it needs special equipment that is expensive. There is no absolute security in the world. A security level is good enough as long as the cost to break this security is much larger than the price of the protected object. This is especially true for commercial purposes.

We use both public key encryption and symmetric key encryption in our scheme. The latter is used to encrypt the multimedia files. There has been research on how to speed up encryption of multimedia files by exploiting their structures [11, 14, 16]. What we want to emphasize here is that the encryption mode for multimedia files must suit the specific properties of how the file is displayed. For example, it is better not to use a stream cipher to encrypt video files, since a stream cipher is very sensitive to synchronization errors.
 

4.  SYSTEM DESCRIPTION

In this paper we do not present a new watermarking scheme, new public key cryptographic algorithms or new symmetric key encryption algorithms. What we do is integrate them into a reliable, secure, flexible and efficient multimedia distribution system. We just exploit the available techniques.

A tamper-resistant hardware device includes a serial number sn, a private key SK_sn, and a watermark embedding process WE_sn. The public key corresponding to SK_sn is PK_sn. The private key SK_sn should never be disclosed by the manufacturer of the hardware. The manufacturer issues a certificate to prove the validity of PK_sn and to bind PK_sn and sn together. PK_sn, sn and the certificate go together with the hardware. There can also be a public directory that lists all the valid public keys and their corresponding serial numbers.

WE_sn is a watermarking process to embed sn into the multimedia files. There exists a valid process to retrieve sn from the watermarked files. Here we suppose that WE_sn is a satisfactory watermarking scheme, although there are still debates on whether there exists a satisfactory one.

The function of the hardware is pictured as follows.

Here K is the symmetric key to encrypt the multimedia file M. K(M) is the ciphertext of M with the secret key K. PK_sn(K) denotes the encryption of K with public key PK_sn.

In our system each customer has one tamper-resistant hardware device. On the content provider side, different files should be encrypted with different keys K. More formally, M1, M2, M3, …, Mn are n multimedia files and K1, K2, K3, …, Kn are n different secret keys to encrypt the files. Ki(Mi) denotes the ciphertext of Mi. The advantage of using different keys is that even if some Ki is compromised, the other multimedia files are still safe. The encrypted multimedia files are free for download and encouraged to circulate among customers.

To enjoy a multimedia file M, a customer may pay and send his PK_sn, sn and the certificate to the content provider. The content provider must verify whether PK_sn is a legal public key before encrypting K by PK_sn and sending the ciphertext to the customer. The following picture shows the situation.
 


 

5.  SYSTEM FEATURES

Security and Reliability
Since the watermarking process WE_sn is conducted within the hardware sn, only the customer possessing the hardware can illegally distribute the multimedia files watermarked with sn. The outcome of the watermarking here is equivalent to that of an asymmetric fingerprint scheme. The content provider has no way to frame a user.
The multimedia files are encrypted with different keys. Compromising one of the keys does not cause other files to be disclosed. This is a great advantage over the scheme of DVD, which was broken because the same key is used for all files (within one zone).
Breaking one tamper-resistant hardware device does not destroy the whole system since different devices have different private keys. Once a device is found to be broken, content providers can just report it to the manufacturer, who would put the serial number of this hardware device into a revocation list. No service is provided to this hardware any more. The whole system continues working well.

Flexibility
There could be many content providers in the system. But each customer needs only one device. The tamper-resistant hardware devices are independent of content providers and can be used by every content provider.
The manufacturer of the hardware must be trusted. It is suggested that the manufacturer run a PKI to manage the certificates for the hardware devices.

Efficiency
Each multimedia file is encrypted once and the ciphertext can be given freely to anybody.
The encryption is done by a symmetric key cryptographic algorithm that is fast and cheap. The public key cryptosystem is used only for hiding the secret keys, i.e., to deal with small messages.

Low Cost
The operations in the tamper-resistant hardware include public key cryptosystem decryption, symmetric key cryptosystem decryption and watermark embedding. The decrypting operations can be done with low cost chips. The watermark embedding operation depends on what multimedia is processed. Audio watermarking can be done with small programs and implemented with 8-bit CPU smart cards. For video watermarking, the method of odd-even frame coding is also very easy and can be conducted by a cheap processor.
In general, the cost of the hardware implementing decryption and watermarking is low. To embed such a hardware device into a VCD or DVD player, the cost is just an additional 10-20 dollars.
 

6.  A VARIANT SYSTEM

Sometimes content protection is aimed only at digital files, while analog files are of less concern. This is reasonable since repeatedly recording analog files decreases the quality. In the current reality, video and music tapes are not protected from recording.

If we want to achieve only this level of protection, we can just replace the watermarking process with a digital-analog converting process within the tamper-resistant hardware. The structure of the hardware is then as follows.


 

7.  BRIEF DISCUSSION

Why Use Public Key Cryptosystem
If we only use symmetric key cryptosystems, we have two choices. The first one is that we install a master secret key into every tamper-resistant hardware device. This choice is apparently not secure since breaking one device compromises the master key, and therefore the whole system is broken.
The second choice is to install a different secret key into each device, i.e., to let SK_sn be a secret key of a symmetric key cryptosystem. But in this case the content provider must know all the SK_sn in order to do encryption. This is also dangerous since once a content provider is compromised, all other content providers are exposed beyond any protection. The whole system crashes.

Protection of Private Keys
The private key SK_sn installed in each tamper-resistant hardware device is the central point for the security of the system. Therefore the manufacturer of the hardware must be very careful with these private keys. A suggestion is to destroy the key once it is installed into a hardware device. It is also suggested that a revocation list be maintained by the manufacturer or a trusted authority. Once a device is found to be broken, its serial number should be put into the list to prevent any further use of it.

Tamper-resistant
In this paper we do not discuss how to build tamper-resistant hardware devices. There has been research on this technique. What we want to emphasize here is that for our system, the tamper-resistant technique can be focused on the private key. This is the key point. Once the private key is destroyed, the device is completely useless. So the principle for building the tamper-resistant property is that once the device is tampered with or opened, the private key is automatically erased or changed.

Importance of Checking Certificate
As described in Section 4, to obtain a multimedia file, a customer needs to send his PK_sn, sn and the certificate to a content provider. It does not matter if the customer actually sends other people's PK_sn, sn. But it does matter if the customer sends a public key not belonging to any tamper-resistant hardware, say, a public key generated by the customer himself. In that case, the customer can get the secret key. Hence, it is very important for the content provider to check the certificate that guarantees the authenticity of a received public key.
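An added example, not part of the original paper, of the provider-side check described here and of the key request in Section 4: the provider releases PK_sn(K) only if the manufacturer's certificate binds sn to PK_sn and sn is not on the revocation list. All function names, serial numbers and keys are constructed for illustration, and unpadded textbook RSA on small fixed primes stands in for a real PKI and padded public key encryption.

```python
import hashlib

# Textbook RSA on small fixed primes keeps this runnable with the standard
# library only. It is NOT secure; a real system needs padded RSA and X.509.
def make_key(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))       # (public key, private key)

def binding(sn, pk, modulus):
    """Hash of the (sn, PK_sn) pair that the manufacturer certifies."""
    h = hashlib.sha256(f"{sn}|{pk[0]}|{pk[1]}".encode()).digest()
    return int.from_bytes(h, "big") % modulus

def issue_cert(signer_sk, sn, pk):
    n, d = signer_sk
    return pow(binding(sn, pk, n), d, n)

def cert_valid(mfr_pk, sn, pk, cert):
    n, e = mfr_pk
    return pow(cert, e, n) == binding(sn, pk, n)

def release_key(mfr_pk, revoked, K, sn, pk, cert):
    """Provider side: return PK_sn(K), or None if the request is refused."""
    if sn in revoked:                          # broken device: no more service
        return None
    if not cert_valid(mfr_pk, sn, pk, cert):   # key not bound to any hardware
        return None
    n, e = pk
    return pow(K, e, n)

def unwrap(sk, wrapped):
    n, d = sk
    return pow(wrapped, d, n)                  # happens inside the hardware

# Constructed sample data: Mersenne primes, made-up serial number and key K.
MFR_PK, MFR_SK = make_key(2**607 - 1, 2**521 - 1)   # manufacturer
DEV_PK, DEV_SK = make_key(2**127 - 1, 2**107 - 1)   # genuine device
SN = 1001
CERT = issue_cert(MFR_SK, SN, DEV_PK)
K = 0x00112233445566778899AABBCCDDEEFF
# A customer-generated key pair that belongs to no hardware device.
OWN_PK, OWN_SK = make_key(2**89 - 1, 2**61 - 1)

def demo():
    wrapped = release_key(MFR_PK, set(), K, SN, DEV_PK, CERT)
    return {
        "genuine_device_gets_K": unwrap(DEV_SK, wrapped) == K,
        "own_key_borrowed_cert": release_key(MFR_PK, set(), K, SN, OWN_PK, CERT),
        "own_key_self_signed": release_key(
            MFR_PK, set(), K, SN, OWN_PK, issue_cert(OWN_SK, SN, OWN_PK)),
        "revoked_device": release_key(MFR_PK, {SN}, K, SN, DEV_PK, CERT),
        "others_PK_is_harmless": unwrap(OWN_SK, wrapped) != K,
    }

if __name__ == "__main__":
    print(demo())
```

The last entry corresponds to the remark that sending another customer's PK_sn and sn does no harm: the resulting ciphertext can only be opened inside that customer's device.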

Payment Issue
In this paper we did not discuss the payment issue. But payment is a very practical issue that may affect security. So far our protection is based on pay-per-file. It is also possible to have pay-for-membership, or pay-per-view/listen. Pay-for-membership can be done by adding some authentication process. Pay-per-view needs additional control information padded to the secret key K before it is encrypted by the public key PK_sn. But the hardware device must have a tamper-resistant counter to remember these control information messages.
 

8.  REFERENCES

  1. R. Anderson and M. Kuhn, "Low cost attacks on tamper resistant devices", in Security protocols: International Workshop’97, LNCS 1361, Springer-Verlag, pp.125-136, 1997.
  2. F. Bao, R. Deng, Y. Han, A. Jeng, D. Narasimhalu, T. Ngair, "Breaking public key cryptosystems on tamper resistant devices in the presence of transient faults", The Second Workshop on Secure Protocols, Paris, April, 1997, LNCS, Springer-Verlag, 1997.
  3. F. Bao, Q. Sun, J. Hu, R.H. Deng, J. Wu, "Copyright protection through watermarking: towards tracing illegal Users", The 6th IEEE International Workshop on Intelligent Signal Processing and Communication Systems (ISPACS’98), 4.-6. November 1998, Melbourne, Australia, 1998.
  4. D. Boneh, R. DeMillo, and R. Lipton. "On the importance of checking cryptographic protocols for faults", in Proceedings of Eurocrypt ‘97, LNCS 1233, Springer-Verlag, pp. 37--51, 1997.
  5. I.J. Cox, J.P.M.G. Linnartz, "Some general methods for tampering with watermarks", in IEEE International Conference on Image Processing, 1997.
  6. S. Craver, N. Memon, B. Yeo, M. Yeung, "Can invisible watermarks resolve rightful ownership", IBM Research Report, RC 20509, July 25, 1996.
  7. C. Griwodz, O. Merkel, J. Dittmann, R. Steinmetz, "Protecting VoD the Easier Way", ACM Multimedia ’98, pp. 21-28, Bristol, UK, 1998.
  8. R. Jain, "The convergence of PCs and TV", IEEE Multimedia, October/December 1999.
  9. P. Kocher, http://www.cryptography.com/resources/
  10. B.M. Macq and J.-J. Quisquater, "Cryptology for digital TV broadcasting", Proceedings of the IEEE, Vol. 83, No. 6, pp. 944-957, 1995.
  11. T. Maples and G. Spanos, "Performance study of a selective Encryption scheme for security of networked, real-time video", Proc. of the 4th International Conference on Computer and Communications and Networks, Las Vegas, Nevada, Sept, 1995.
  12. B. Pfitzmann and M. Schunter, "Asymmetric fingerprinting", Eurocrypt’96, LNCS 1070, pp. 84-95, Springer-Verlag, 1996.
  13. B. Pfitzmann and A. Sadeghi, "Coin-based anonymous fingerprinting", Eurocrypt’99, pp. 150-164, Springer-Verlag, 1999.
  14. L. Qiao, K. Nahrstedt, and I. Tam, "Is MPEG encryption using random lists instead of Zig Zag Order", IEEE International Symposium on Consumer Electronics, Dec, 1997.
  15. R.A. Rueppel, Analysis and Design of Stream Ciphers, Springer-Verlag, 1986.
  16. L. Tang, "Methods for Encrypting and decrypting MPEG video data efficiently", Proc. of the 4th ACM Multimedia Conference, Boston, MA, November, 1996.
  17. J. Zhao and E. Koch, "Embedding robust label into images for copyright protection", Proceedings of the International Conference on Intellectual Property Rights for Specialized Information, Knowledge and New Technologies, Austria, Aug. 21-25, 1995.