Applications of Digital Fingerprinting and Digital Watermarking for E-Commerce Security Mechanism Cong Jin, Dong Xu, Zhi-Guo Qu Department of Computer Science, Central China Normal University, Hubei, Wuhan 430079, P.R.China E-mail:
[email protected] Abstract In this paper, a new security system in electronic commerce based on PKI and extended by digital fingerprinting and digital watermarking is proposed. The security system can effective protect the data security of electronic commerce. The whole security system integrates three parts’ strongpoint and forms its own good qualities, so it has very high level security and can suit for the complicated applications of electronic commerce.
1. Introduction Electronic commerce is a business activity which happens on the Internet in term of a set of certain standards. Electronic commerce brings about some consumers’ activities such as family shopping and stock business etc. Its flourishing opens a brand new world for human beings and directly promotes the business activities with costs being cut down. As a result, producing and consuming of the merchandises are extremely activated. Along with the shares of electronic commerce getting more and more great in the global economy, its problems are more and more extrusive. For the information’s openness on the Internet and the characteristics of electronic commerce, a global, connected, common and dynamic network of the Internet makes its security problems danger. Correspondingly, these danger problems begin to threaten and restrict its developments. Traditional electronic commerce mainly adopts security system which is based on some kinds of modern cryptology technologies to provide its security. Due to rapid growing of the modern cryptology in decades, the methods which keep the system safe have made great progresses and obtained many achievements. Menezes (1993) thinks that PKI (public
key infrastructure) is one of them. But most of achievements are only a kind of cryptographic security system, and they are not good enough to deal with all the security problems of electronic commerce. So other technologies need to be introduced in them to make up for their drawbacks. In general, the drawbacks can be depicted as follows: (1) The traditional Electronic Commerce security technologies are completely depending on encrypting and decoding processes of their cipher system to secure data of the information. In case, the cipher system is broke down or the decoding keys are revealed, the whole security system will be invalid. However, the openness of electronic commerce means that the communicating and transmitting of the data almost are all in public. This characteristic overwhelmingly increases the opportunities of being broke. It is an obvious drawback which we need find out some ideas to handle down. (2) The traditional security technologies are incapable of tracing the illegal users’ actions, even their attacking and tampering actions have been detected. This situation makes hardly possible to punish them by charging in law. Furthermore, this weak warning signal will encourage them and worsens the situation. Hence, an effective tracing system is very important to the data security of electronic commerce. So, this is the second drawback of the traditional security technologies. (3) The traditional security systems only provide the security of information. There is no way for them to judge whether the host data are attacked or not and even estimate the damaged degrees of the data and which kinds of the attacks are belonging to. It is necessary to have this step which can help us to decide whether we need change keys and resend it or not for keeping safe. If the attacks are belonging to nonmalevolent data manipulations and the damaged
degrees are low, we change nothing. Conversely, we do. Therefore, the third drawback must be made up for too. (4) In addition, the protection of information integrity is also very important in electronic commence. It is obvious to imagine that any loss of the key data just like the performance parameter of products or the amount of money etc, are very possible to cause to critical results. But the traditional security technologies completely can not take care of it. In fact, the integrity of data is always crucial to all kinds of the data security systems. It is evident that we can’t afford the prices of omitting this drawback. In view of these tradition security technology drawbacks, two important security technologies are proposed in the paper, the digital fingerprint technology and the digital watermark technology. We integrate the two technologies based on the PKI security system and form a new security system. This system has great security of data so that it can suit for all kinds of the complicated applications in electronic commerce.
2. Public key infrastructure PKI is a kind of the security models which is composed of a system of digital certificates, CA (Certificate Authorities), RA (Registration Authority), a certificate management system and some directories. The functions of the registration authorities are verifying and authenticating legality of each party involved in a transaction. Generally speaking, the PKI is a cryptographic system based on cryptology. If the system has a safe crypto-algorithm with an effective key management, it will be safe. But the security system is only valid in the channel, it is unable to protect the information if the secret messages are decoded or the encrypted texts are converted to the plain text. It means that the encryption technology is not longer avail to the data’s security if the user already has the data. Moreover, if the illegal user pretends to be legal and as a result he obtains the data, he can do whatever he wants to the data just like illegal copy, unauthorized distribution and tampering, etc. In this situation, the traditional security system is helpless. To avoid of it, we introduce the digital fingerprinting technology and the digital watermarking technology to the PKI to form a new security system for high level security.
3. Digital fingerprinting 3.1. The induction of digital fingerprinting Zhu, Zou, and Zhu (2006) think that digital fingerprinting is a copyright protecting technology. In general, a unique ID will be embedded into each digital product by the serve provider. Hence, the sever provider enables to trace the unauthorized copies and then punish the illegal users by charging them. In other words, the digital fingerprinting try to prevent peoples from illegally redistributing the digital data they have legally purchased. Digital fingerprint system contains algorithm and protocol. Algorithm includes coding, decoding, embedding and extracting processes and distributing strategy of the data. Protocol prescribes how to interact among each user to realize the data distributing and tracing. Essentially, digital fingerprinting and digital watermarking are in common. However, the digital fingerprinting emphasizes its uniqueness of convenient tracing. So the digital fingerprinting must have independent and powerful tracing system. Comparing to it, the digital watermarking mostly cares about robustness of its watermarks for identifying the ownership. The digital fingerprinting has several characteristics including transparency, robustness, reliability and traceability. In particular, the robustness and traceability are most important. According to the function of digital fingerprint, the digital fingerprint model needs following characters: (1) Transparency. The production being protected can’t risk appreciable quality degradation when embedding the digital fingerprint. (2) Robustness. Digital fingerprint should resist possible disposal, operation and attack so that the information being extracted can trace illegal distributor. (3) Reliability: The process that the digital fingerprint being extracted and the user being traced must be reliable and believable. (4) Embedding information (fingerprint): It needs adequate information after being attacked by user to trace by distributor. So it needs enough embedded capacity. (5) Cahoots are requisite in digital fingerprint. When users attack together, the distributor should at least find out one illegal distributor after the precondition that has no entanglement innocent purchaser. (6) It needs the generating algorithm and tracing algorithm has very high efficiency.
3.2. The scheme of digital fingerprinting Digital fingerprinting is introduced in the traditional PKI security system of electronic commerce for making up the drawbacks (1) and (2) of the traditional security system in the paper. Digital fingerprinting has two main attributes, high robustness and effective traceability. By taking the attributes into accounts the security of electronic commerce will be strengthened. It is because if digital fingerprints are identified in the data the illegal users will fail to copy or tamper without worrying about being punished even if they have broken cryptography system down and had the decoding keys. For this reason, high level security of the data in electronic commerce will be achieved. Hence, in the scheme of digital fingerprinting we should not only satisfy its basic acquirements and but also emphasize its robustness and effective tracing. As a result, because the abundant information of fingerprints and watermarks need be embedded in the host data, it is necessary to consider the transparence of the hidden information in a whole. According to the acquirements above, a new watermarking technology of virtual watermarking is proposed to be digital fingerprinting scheme. The idea of virtual watermarking is originated from steganography which was often used to covertly communicate in ancient time. In general, the steganography means that peoples use the public information to transmit the secret by defining a set of rules on it. The idea of virtual watermarking is just like this. The characteristic of the virtual watermarks is its outstanding transparence. That is because the virtual watermarks would not directly be embedded into the host data but exist as a kind of definition information on some important feature information of the host. So the virtual watermarks have great transparence so that it can settle down the contradiction between robustness and transparence of the traditional watermarking scheme. In addition, it also can break the limitation of the embedded watermark’s volumes in traditional watermarking scheme because virtual watermarks can enlarge its information volumes according to material acquirements. Therefore, it is obviously profitable that the virtual watermark is adopted as the digital fingerprint. Firstly, its transparence is great. Secondly, it is hard to be attacked without knowing about the defining rules which means it has great security and robustness. Meanwhile, virtual watermarks can be classified into two categories.
The first is totally virtual watermark. Actually there are not watermark data to be embedded in the host. The watermark’s exist completely depends on definition of the rules and the correspondent extracting and testing process. The second is partly virtual watermark. At this time, some or a little bits of watermark’s information will be embedded into the host just like the traditional watermarking scheme. But, these key data can be effectively enlarged in accordance with some technologies and be applied to protect integrity and security of the data by some coding technologies. In this paper, we adopt the partly virtual watermark as the digital fingerprint and set up the embedding process. Basically, the embedding process can be described as follows: Step 1 When the authorized users try to make use of the information of electronic commerce, the security system automatically encrypted the feature information of the host by user’s privacy key to create the digital fingerprint A1. Due to the privacy key being included in fingerprint, the user’s ID is corresponding to the fingerprint. For this kind of one-to-one relationship, user is incapable of denying his action. Step 2 ECC (Error correcting code) of described by Gronemeier (2006) is adopted to encode fingerprint A1 to be A2. The purpose is utilizing redundant data to enhance fingerprint’s robustness. In addition, we can set up the first level index by different codes or coding way in this step. Because a multi level index enables the security system more effectively trace the action of the user, so its setting up in embedding process is our important aim. It also means that all the users should be categorized by their location, security level or some kind of concrete assorting way etc. Their categories will be helpful to trace. Step 3 Both linear feedback generator and pseudorandom number generator can be used to enlarge fingerprint A2 to be A3 and a meaningful data sequence is introduced to calculate with A3 by XOR operation for example the company’s logo. The meaningful fingerprint A4 is obtained. At the same time, the second level index can set up by the different meaningful data. Step 4 Fingerprint A4 is permuted by Arnold transforming and then is encrypted by chaotic system according to Silvestre et al. (2001) method to create the final fingerprint sequence A5. These manipulations further enhance the security of fingerprint. At last, the third level index is established by different encrypting keys.
Step 5 This step is to choose an embedding process belonging to robust watermarking scheme proposed by Cox et al. (1996) to embed fingerprint into the host data. The blind watermarking is strongly proposed because the data volumes transmitted are very enormous and the communicating frequency is extraordinarily high in electronic commerce. Hence, the convenient and speedy extracting and testing processes are basic in the security system of electronic commerce.
4. Digital watermarking 4.1. Introduction of digital watermarking With the widespread use of the Internet and the developments in the computer industry, digital representation of audio signals and video has become popular, as this allows transmittal of digital data and copying without loss of quality. However, unauthorized copying and distribution of digital data are simplified, too. As a result, data protection methods are needed. Digital watermarking of proposed by Cox et al. (1996) is considered one of the main security techniques that can be used to discourage the unauthorized trading of multimedia digital products on the Internet. In general, watermarking technology must take two key elements into account: one, the robustness of the arithmetic, and two, the transparence of the watermark. Most of time, a good watermarking scheme should hold the balance between the two conflicting requirements. It means that the watermark must be robust as possible as it could be while it is imperceptible at the same time.
4.2. The scheme of fragile watermarking Comparing to data security of other sorts of applications, the protection for data security in electronic commerce not only need guarantee high level security but also need satisfy the integrity of data. To be taking the critical acquirements into accounts, the fragile watermarking is proposed in the paper. With its helps, the drawbacks (3) and (4) of the tradition PKI security system can be mended. The additional capability of the fragile watermarking is very available to keep integrity of data. The fragile watermarking of described by Zhu, Anthoy, and Marziliano (2007) is one sort of the watermarking technologies. It has its own traits and the most special one is the frangibility of its watermarks. In general, the fragile watermark is created by a hash function according to the data of digital products, and embedding process ensures its watermark to be hidden
in the public digital products. Any kinds of data manipulating and attacking will damage the watermark, and its extracting and testing process response to figure out where the damaging or tampering happen and what they are in the host data. Therefore, by virtue of the damaged watermarks, the manipulations and the attacks are found out and the damaged degree is estimated. As a result, integrity of the host data will be saved. For the reasons described above, the fragile watermarking is introduced in the paper with its correspondent embedding and extracting process. Basically, the embedding process is described as follows: Step 1 This step is dividing the host data into the equal pieces and generating the watermark information by Logistic mapping of the chaotic system. In the chaotic system, the initial values are key factor, and the generated sequences are very sensitive to and highly depended on them. The trivial differences of them will cause to totally different sequences. Step 2 The high frequency range of the host data is chose to be embedded into watermarks. It is because the high frequency coefficients of the data are easy to be damaged. Whatever happens on the host data, its high frequency coefficients will change corresponding to the loss of the interrelated host data. Hence, the watermarks are very sensitive to attacking or tampering. Step 3 The extracting and testing processes response to confirm what kinds of the attacks are and find out the location of tampering. If it is necessary, the scheme is capable of restoring the loss of the host data. For the sake of adopting the chaotic system, the fast blind detecting of the watermarks and speedily restoring the data integrity are fulfilled.
5. The whole security system The whole security system is composed of three parts, PKI, digital fingerprinting and fragile watermarking. They are the organic whole and can effectively work together. The data security with high level can be obtained to cater for applications in the electronic commerce. The structure chart is showed as Figure 1. PKI
User
Digital watermarking services
Digital fingerprinting services
Figure 1 Structure Chart
The process flow of the whole security system is briefly described as follows: Step 1 The user submits his requisition to the PKI and then the PKI records his requisition and authorizes him to get his own privacy keys. Step 2 The PKI transmits the user’s requisition and sends the files what he needs and his privacy keys to digital fingerprinting services. Step 3 The digital fingerprinting services embeds the fingerprints into the files according to his privacy keys and transmits the fingerprinted files to the digital watermarking services. Step 4 The digital watermarking services adds the fragile watermarks to the fingerprinted files and sends them to the user.
6. Conclusion The structure of the security system in the paper is based on PKI, digital fingerprinting and digital watermarking. The digital fingerprinting provides the effective tracing mechanism and the digital watermarking protects the integrity of data for this novel electronic commerce security system. In others word, the whole security system integrates three parts’ strongpoint and forms its own good qualities, so it has very high level security and can suit for the complicated applications of electronic commerce.
7. References
[1] I. J. Cox, et al. “A Secure Robust Watermark for Multimedia”, Workshop on Information Hiding, Cambridge, UK, Number 1174, Lecture Notes in Computer Science. Spring-Verlag, 1996, pp.185-206. [2] A. Gronemeier. “A Note nn The Decoding Complexity of Error-Correcting Codes”. Elsevier B.V., Dortmund. 2006, pp. 52-76 [3] F. Hartung, and M. Kutter. “Multimedia Watermarking Techniques”. Proceedings of the IEEE, Vol.87, No.7, 1999, pp.1079-1107 [4] A.J.Menezes. “Elliptic Curve Public Key Cryptosystem”. Boston: Kluwer Academic Publishers, 1993, 63-85 [5] G.C.M.Silvestre, et al. “Informed audio watermarking scheme using digital chaotic signals”. IEEE International Conference on Acoustics, Speech, and Signal Processing, 3: 2001, pp.1361-1364 [6] X. Z.Zhu, T.S.Anthoy, P. Marziliano. “A New SemiFragile Watermarking with Robust Tampering Restoration Using Irregular Sampling”. Elsevier B.V., Singapore, 2007, pp. 10-55 [7] Y.Zhu, W.Zou, and X.S.Zhu. “Collusion Secure Convolutional Fingerprinting Information Codes”. 1st ACM Symposium on InfromAtion, Computer and Communication Security, Taipei, China, 2006, pp. 266-274
Acknowledgements This work was supported by the Natural Science Foundation of Hubei (China) and Grant No.2007ABA119.
