Feng Bao
Information Security Group
Kent Ridge Digital Labs
21 Heng Mui Keng Terrace
Singapore 119613
baofeng@krdl.org.sg
ABSTRACT
With the rapid growth of broadband networks, distribution of multimedia via the Internet is the inevitable way to go. Content protection has become one of the most significant and challenging problems in this field. In this paper, we propose a general scheme that combines public key cryptography and watermarking technology to achieve effective content protection. The scheme is reliable, flexible and efficient.
Keywords
Multimedia content protection, public key cryptography, watermarking
technology, tamper-resistant hardware.
1. INTRODUCTION
It is predicted that within five years a consumer will be able to purchase a computer with a 2 GHz microprocessor, 1 GB of memory, and a 50 GB hard disk for several hundred dollars. The computer will be able to connect to the Internet via a 1 Gb connection or a 10 Mb wireless network. At home, users will be able to surf the Web using a 1 Mb+ telephone or television network. With these amazing microprocessors, memories, hard disks, and bandwidths, many things that are barely imaginable today will become possible. The era of Internet multimedia is definitely coming. On-line video, on-line audio, on-line games, on-line e-books, etc. will greatly enrich people's entertainment.
With speed, storage and networking becoming ready, attention is turning to the security technologies for multimedia content protection. It is well known that the copyright of digital objects is very easily infringed. A multimedia content provider needs protection not only by legislation, but also by reliable and convincing technologies.
A huge amount of research work has been done in this area and various technologies have appeared. Watermarking is one of the most studied technologies toward copyright protection of multimedia files, such as digital pictures, digital music, digital video etc.
On-line multimedia distribution is of interest not only to the research community, but also to industry, due to its huge potential market. It is pointed out in [8] that in some areas, say VoD (video on demand), industry is even ahead of research.
In this paper, we study multimedia content protection by exploiting a public key cryptosystem within tamper-resistant hardware devices. We propose a scheme that can be applied to video, audio and any other multimedia digital objects. The design presented in this paper is a very general framework. More detailed studies must be done if the design is to be developed into a real system for practical use.
The new system of content protection proposed in this paper has many
good features. The most important and prominent one is that it meets the
principle that the compromise of one component must not bring down the
whole system. Most of the available systems unfortunately do not fulfill this
requirement. We believe that the framework presented in this paper is the only
correct direction to go.
There are two sorts of watermarking. The first one is for ownership. The second one is for tracing illegal users. The technique of the second sort is also called fingerprinting in some references.
The first sort of watermarking embeds an identical watermark into every copy of the digital object. Hence, it cannot be used to identify which user distributed an illegal copy. The technology can only deter large-scale resale. There are a lot of research publications on this technology.
The second sort embeds different watermarks into different copies. Hence it can be used to trace illegal users. But this sort of watermarking has two drawbacks. The first is that it is quite expensive to resist collusion attacks. The other is, as pointed out in [12], that there is actually no lawful basis for the content provider to sue the illegal user. This is because the provider himself possesses the watermarked digital object. Hence there is no way, from a technical standpoint, to distinguish who actually disclosed the copy. Asymmetric fingerprinting was proposed to solve this problem; see [13] and the references therein. However, it seems that the technique is not ready for practical use, perhaps due to its interactive implementation.
In our scheme, we require each customer to have a unique tamper-resistant
hardware device that conducts both decryption and watermark embedding. The
watermark embedded by a hardware device indicates the serial number of the
hardware, which is also associated with the unique public/private key pair of
the hardware. Hence in our scheme, the watermarking is done not by the content
provider, but by the tamper-resistant hardware. In this case, the illegal
user can be traced, while the content provider is relieved of the heavy
burden of generating different watermarked copies.
Tamper-resistant hardware has been studied for many years. This technology has already been used in many real applications. In this paper, we take tamper-resistant hardware as our basis for content protection. The tamper-resistant hardware in our system contains a private key of a public key cryptosystem, which is used to decrypt the ciphertext of the secret key that is used to encrypt a multimedia file, whether video, audio, etc. Although there are some attacks on tamper-resistant hardware from the algorithmic side, such as the fault-injection attack [2, 4], the timing attack and the power attack [9], it seems that none of them has caused serious threats in reality. These attacks are even less threatening to our system, since the decrypted message is not output but is used to decrypt the encrypted multimedia file.
From the hardware side, the EEPROM modification attack in [1] is more threatening. But it needs special equipment that is expensive. There is no absolute security in the world. A security level is good enough as long as the cost to break this security is much larger than the price of the protected object. This is especially true for commercial purposes.
We use both public key encryption and symmetric key encryption in our
scheme. The latter is used to encrypt the multimedia files. There has
been research on how to speed up encryption of multimedia files by
exploiting their structures [11, 14, 16]. What we want to emphasize here
is that the encryption mode for multimedia files must meet the specific
properties required for displaying the file. For example, it is better not
to use a stream cipher to encrypt video files, since a stream cipher is very
sensitive to synchronization errors.
A tamper-resistant hardware device includes a serial number sn, a private key SK_sn, and a watermark embedding process WE_sn. The public key corresponding to SK_sn is PK_sn. The private key SK_sn should never be disclosed by the manufacturer of the hardware. The manufacturer issues a certificate to prove the validity of PK_sn and to bind PK_sn and sn together. PK_sn, sn and the certificate go together with the hardware. There can also be a public directory listing all the valid public keys and their corresponding serial numbers.
WE_sn is a watermarking process to embed sn into the multimedia files. There exists a valid process to retrieve sn from the watermarked files. Here we suppose that WE_sn is a satisfactory watermarking scheme, although there are still debates on whether there exists a satisfactory one.
The function of the hardware is pictured as follows.
Here K is the symmetric key to encrypt the multimedia file M. K(M) is the ciphertext of M with the secret key K. PK_sn(K) denotes the encryption of K with public key PK_sn.
In our system each customer has one tamper-resistant hardware device. On the content provider side, different files should be encrypted with different keys K. More formally, M1, M2, M3, …, Mn are n multimedia files and K1, K2, K3, …, Kn are n different secret keys to encrypt the files. Ki(Mi) denotes the ciphertext of Mi. The advantage of using different keys is that even if some Ki is compromised, other multimedia files are still safe. The encrypted multimedia files are free for download and encouraged to circulate among customers.
To enjoy a multimedia file M, a customer may pay and send his PK_sn,
sn and the certificate to the content provider. The content provider must
verify whether PK_sn is a legal public key before encrypting K by PK_sn
and sending the ciphertext to the customer. The following picture shows
the situation.
Flexibility
There could be many content providers in the system. But each customer
needs only one device. The tamper-resistant hardware devices are independent
of content providers and can be used by every content provider.
The manufacturer of the hardware must be trusted. It is suggested that
the manufacturer run a PKI to manage the certificates for the hardware
devices.
Efficiency
Each multimedia file is encrypted once and the ciphertext can be given
freely to anybody.
The encryption is done by a symmetric key cryptographic algorithm that
is fast and cheap. The public key cryptosystem is used only for hiding the
secret keys, i.e., to deal with small messages.
Low Cost
The operations in the tamper-resistant hardware include public key
cryptosystem decryption, symmetric key cryptosystem decryption and watermark
embedding. The decrypting operations can be done with low-cost chips. The
watermark embedding operation depends on what multimedia is processed.
Audio watermarking can be done with small programs and implemented with
8-bit CPU smart cards. For video watermarking, the method of odd-even frame
coding is also very easy and can be conducted by a cheap processor.
In general, the cost of the hardware implementing decryption and watermarking
is low. To embed such a hardware device into a VCD or DVD player, the cost
is just an additional 10-20 dollars.
If we want to achieve only this level of protection, we can just replace the watermarking process with a digital-analog converting process within the tamper-resistant hardware. The structure of the hardware is then as follows.
Protection of Private Keys
The private key SK_sn installed in each tamper-resistant hardware device
is the central point for the security of the system. Therefore the manufacturer
of the hardware must be very careful with these private keys. A suggestion
is to destroy the manufacturer's copy of the key once it is installed into a
hardware device. It is also suggested that a revocation list be maintained by
the manufacturer or a trusted authority. Once a device is found to be broken,
its serial number should be put into the list to prevent its further use.
Tamper-resistant
In this paper we do not discuss how to build tamper-resistant hardware
devices. There has been research on this technique. What we want to
emphasize here is that for our system, the tamper-resistant technique can
be focused on the private key. This is the key point. Once the private key is
destroyed, the device is completely useless. So the principle for building
the tamper-resistant property is that once the device is tampered with or
opened, the private key is automatically erased or changed.
Importance of Checking Certificate
As described in Section 4, to obtain a multimedia file, a customer
needs to send his PK_sn, sn and the certificate to a content provider.
It does not matter if the customer actually sends other people's PK_sn and
sn. But it does matter if the customer sends a public key not belonging
to any tamper-resistant hardware, say, a public key generated by the customer
himself. In that case, the customer can get the secret key. Hence, it is
very important for the content provider to check the certificate that guarantees
the authenticity of a received public key.
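The provider-side check described above, together with the revocation list suggested under Protection of Private Keys, as an added example that is not part of the original paper. It uses toy textbook RSA over fixed primes purely so that it runs with the standard library; every function name, key and serial number is hypothetical.

```python
import hashlib

# Toy textbook RSA (no padding, fixed Mersenne primes): illustration only, not secure.
def make_key(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public, private)

def binding_digest(sn, pk, modulus):
    # Hash of the (sn, PK_sn) binding that the manufacturer certifies.
    h = hashlib.sha256(f"{sn}|{pk[0]}|{pk[1]}".encode()).digest()
    return int.from_bytes(h, "big") % modulus

def issue_cert(mfr_sk, sn, pk):
    n, d = mfr_sk
    return pow(binding_digest(sn, pk, n), d, n)   # manufacturer's signature

def cert_ok(mfr_pk, sn, pk, cert):
    n, e = mfr_pk
    return pow(cert, e, n) == binding_digest(sn, pk, n)

def provider_wrap_key(mfr_pk, revoked, K, sn, pk, cert):
    """Return PK_sn(K), or None if the request must be refused."""
    if not cert_ok(mfr_pk, sn, pk, cert):
        return None            # key not certified as belonging to a device
    if sn in revoked:
        return None            # device reported broken
    n, e = pk
    return pow(K, e, n)

def device_unwrap(sk, wrapped):
    n, d = sk
    return pow(wrapped, d, n)  # done inside the hardware; K is never output

# Constructed sample values (all hypothetical).
MFR_PK, MFR_SK = make_key(2**89 - 1, 2**127 - 1)
DEV_PK, DEV_SK = make_key(2**61 - 1, 2**107 - 1)
SN = "SN-000123"
CERT = issue_cert(MFR_SK, SN, DEV_PK)
K = int.from_bytes(bytes(range(16)), "big")       # 128-bit file key
OWN_PK, OWN_SK = make_key(2**61 - 1, 2**89 - 1)   # key the customer made himself

if __name__ == "__main__":
    wrapped = provider_wrap_key(MFR_PK, set(), K, SN, DEV_PK, CERT)
    print("device recovers K:", device_unwrap(DEV_SK, wrapped) == K)
    print("self-made key:", provider_wrap_key(MFR_PK, set(), K, SN, OWN_PK, CERT))
    print("revoked device:", provider_wrap_key(MFR_PK, {SN}, K, SN, DEV_PK, CERT))
```

A real provider would use a standard certificate format and a padded public key encryption scheme in place of the bare modular exponentiations.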
Payment Issue
In this paper we did not discuss the payment issue. But payment is a very
practical issue that may affect security. So far our protection is based
on pay-per-file. It is also possible to have pay-for-membership, or pay-per-view/listen.
Pay-for-membership can be done by adding some authentication process. Pay-per-view
needs additional control information padded to the secret key K before
it is encrypted by the public key PK_sn. But the hardware device must have a
tamper-resistant counter to remember these control information messages.