The multimedia community is moving from monolithic applications to more flexible and scalable proliferating solutions. Security issues such as access control and authentication of multimedia content have been intensively studied in the literature. In particular, stream authentication tends to be more complicated, since a stream may be transcoded by intermediate proxies or composed from multiple sources. Traditional stream authentication schemes consider a stream as a group of packets and authenticate these packets over an erasure channel. However, because the packets are fixed in transmission, any packet manipulation will cause authentication failure. In this chapter, we assume a more flexible model in which a proxy, between a sender and a receiver, is able to perform transcoding operations on a stream. We describe a flexible stream authentication framework that allows the so-called packet independent stream authentication schemes to perform transcoding operations on the packets and commit the changes, which is not possible in packet-based stream authentication schemes. Such a stream authentication scheme, based on the layered structure of a stream, is elaborated in detail with respect to the encoding, packing, amortizing, and verifying methods. The security and performance analyses show that the packet independent stream authentication schemes achieve a higher authentication rate with less overhead per packet than packet-based schemes.
Multimedia data, such as image, audio and video, come fast and furious into everyone’s life, thanks to the advances in digital signal processing and inter-networking technologies. End users are experiencing innovative streaming applications (e.g., video-on-demand, IPTV) and benefiting more from the widely adopted pervasive architectures. As multimedia data are being disseminated everywhere, a number of security issues have arisen as major concerns in protecting such digital assets. One research trend is on protecting the media content from being disclosed to unauthorized users, i.e., the “secure media transmission” problem, which addresses the “confidentiality” security property. All major Digital Rights Management (DRM) solutions provide this security function via hardware or software protection techniques. While this is important, another trend, on authenticating the media content, is even more important, as it is more dangerous to receive a tampered (or misleading) message than a scrambled (or unreadable) message in a security sense. Thus, both security properties, media origin “authenticity” and media data “integrity”, are to be addressed in multimedia authentication. In this chapter, we concentrate on stream authentication techniques in particular and present a generic flexible stream authentication framework.
Message authentication has been intensively studied in the traditional cryptographic research field for more than twenty years. Typically, a message, no matter how long it is, is first compressed into a fixed-length digest. The digest is then signed using a digital signature scheme that generates a signature based on the digest. In transmission, the message and its signature are bundled together and sent to the receivers. On receiving the message, a receiver computes the digest in the same way as the originator does and uses the verification algorithm to verify the digest against the signature. An illustrative example is given in Section 2.1. It is natural to think of using a similar authentication scheme on multimedia data, simply treating the multimedia data as an ordinary message. However, it turns out to be inconvenient, if not impossible, to authenticate multimedia data in this way. In fact, multimedia data have some unique features compared with messages, and thus deserve specially designed and dedicated authentication techniques.
Firstly, representing multimedia data requires a large amount of information, and sometimes there is no clear ending (e.g., in real-time streaming). In the case of a multimedia stream, instead of authenticating the whole stream at once, the stream is divided into blocks and these blocks are authenticated one by one. As a result, only part of a stream is authenticated at any given time, and authentication is a progressive procedure that continues until the last block is verified. Secondly, the dominant requirements for bandwidth and energy consumption in stream transmission cause significant bottlenecks. To improve the quality of a multimedia service, transcoding is required to adapt a stream to various multimedia communication conditions, which can help overcome the bottlenecks. Hence, some portions of the original stream content are abandoned due to the limitations (e.g., narrow bandwidth). Therefore, one cannot tell whether a stream is authenticated or not as a single unit, but only what percentage of a stream is authenticated, or what the authentication probability of a received stream is. Thirdly, even if there is no obvious manipulation of the original multimedia content, part of the content might still be lost in the delivery channel. For example, the Internet is such a lossy channel, as it loses IP packets from time to time. Some researchers proposed to use erasure codes to tolerate arbitrary patterns of packet loss. However, there are intentional attacks on the delivery channel in which data might be intercepted, altered and injected. How to authenticate a stream in a malicious channel is still being studied intensively. Last but not least, many multimedia applications allow multiple streams to be composed into a single stream (e.g., movie advertisement, multi-screening and digital art creation), which is called “Stream Composition”. How to authenticate multiple sources in a composite stream and how to maintain the integrity of their media content are ongoing research directions. To address these challenges, the multimedia security community is working very hard on providing authentication techniques that are secure, effective and flexible.
Key Terms in this Chapter
Multimedia Authentication: Refers to the technology to verify that the multimedia content comes from the alleged sources and has not been altered illegally in transmission.
P-SAS: Refers to Packet based Stream Authentication Scheme, the method to generate authentication data based on the packets. Thus, only after packets are produced, the authentication data can be generated and amortized back onto those packets.
Amortization: The technology to divide a message into multiple parts and assign them over different packets.
Transcoding: The method to remove part of the stream content to adapt to the bandwidth of the transmission channel.
Verify: The algorithm in a digital signature scheme used to verify a cryptographically generated signature using the signer’s public key.
Sign: The algorithm in a digital signature scheme used to generate a cryptographic value, the signature, over a message using one’s private key.
PiSAS: Refers to Packet independent Stream Authentication Scheme, the method to generate authentication data based on the multimedia content. Thus, the authentication data can be generated and amortized onto original multimedia content, which is independent of the packing process.
Message Authentication: Refers to the procedure to verify that a message comes from the alleged source and has not been altered during transmission.
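The contrast between the two key terms P-SAS and PiSAS can be seen in a small sketch, added here as an illustration and not taken from the chapter: authentication data bound to packets breaks when a proxy drops a layer and re-packs, while authentication data bound to content layers still verifies. The function names, the key, the sample stream and the use of HMAC in place of a digital signature are all assumptions of this sketch, and it omits amortization and erasure coding.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: stands in for the sender's signing key

def h(data):
    return hashlib.sha256(data).digest()

def sign(digests):
    # HMAC replaces the digital signature so the sketch needs only the stdlib.
    return hmac.new(KEY, b"".join(digests), hashlib.sha256).digest()

def packetize(stream, size=64):
    return [stream[i:i + size] for i in range(0, len(stream), size)]

def psas_sign(packets):
    # Packet-based: authentication data is computed over the packets themselves.
    return sign([h(p) for p in packets])

def psas_verify(packets, tag):
    return hmac.compare_digest(psas_sign(packets), tag)

def pisas_sign(layers):
    # Packet-independent: authentication data is computed over content layers.
    digests = [h(layer) for layer in layers]
    return digests, sign(digests)

def pisas_verify(received, digests, tag):
    # The digest list is authenticated first, then each layer that arrived.
    if len(received) > len(digests) or not hmac.compare_digest(sign(digests), tag):
        return False
    return all(hmac.compare_digest(h(r), d) for r, d in zip(received, digests))

def demo():
    # Constructed sample stream: one base layer and two enhancement layers.
    layers = [b"base-layer" * 20, b"enh-1" * 20, b"enh-2" * 20]
    packets = packetize(b"".join(layers))
    p_tag = psas_sign(packets)
    digests, c_tag = pisas_sign(layers)
    kept = layers[:2]                        # proxy drops the top layer
    repacked = packetize(b"".join(kept))     # and re-packs what is left
    return {
        "psas_untouched": psas_verify(packets, p_tag),
        "psas_transcoded": psas_verify(repacked, p_tag),
        "pisas_transcoded": pisas_verify(kept, digests, c_tag),
        "pisas_tampered": pisas_verify([kept[0], b"x" * 100], digests, c_tag),
    }

if __name__ == "__main__":
    print(demo())
```

In the layer-based case the digests of dropped layers still have to reach the receiver, which is the overhead this sketch pays for surviving transcoding.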