IEICE TRANS. FUNDAMENTALS, VOL.E89–A, NO.11 NOVEMBER 2006

2945

PAPER

Special Section on Image Media Quality

Scalable Authentication and Nonrepudiation Technique for JPEG 2000 Images Using JPSEC Protection Tools

Ayman HAGGAG†a), Mohamed GHONEIM†, Student Members, Jianming LU†, and Takashi YAHAGI†, Members

SUMMARY In this paper, we first briefly discuss the newly emerging Secured JPEG (JPSEC) standard for security services for JPEG 2000 compressed images. We then propose our novel approach for applying authentication to JPEG 2000 images in a scalable manner. Our authentication technique can be used for source authentication, nonrepudiation and integrity verification for the received, possibly transcoded, JPEG 2000 images in such a way that it is possible to authenticate different resolutions or different qualities extracted or received from a JPEG 2000 encoded image. Three different implementation methods for our authentication technique are presented. Packet-Based Authentication involves using the MD5 hashing algorithm for calculating the hash value for each individual packet in the JPEG 2000 codestream. Hash values are truncated to a specified length to reduce the overhead in storage space, concatenated into a single string, and then signed using the RSA algorithm and the author’s private key for repudiation prevention. Resolution-Based Authentication and Quality-Based Authentication methods involve generating a single hash value from all contiguous packets from each entire resolution or each entire quality layer, respectively. Our algorithms maintain most of the inherent flexibility and scalability of JPEG 2000 compressed images. The resultant secured codestream is still JPEG 2000 compliant and compatible with JPEG 2000 compliant decoders. Also, our algorithms are compatible with the Public Key Infrastructure (PKI) for preventing signing repudiation from the sender and are implemented using the new JPSEC standard for security signaling.

key words: JPEG 2000, JPSEC, scalable coding, authentication, nonrepudiation, Public Key Infrastructure (PKI)

1. Introduction

With the rapid improvement of the quality of digital images and the ability and speed of exchanging images over networks, digital documents are being increasingly used for official purposes. In order to benefit from such an increase in image quality, an equivalent development in the quality and flexibility of security services applied to these digital documents must be achieved.

The Joint Photographic Experts Group (JPEG) established a new image coding standard called JPEG 2000 that became an International Standard in August 2000. This new image coding standard, referred to as Part 1 of the JPEG 2000 specifications [1], supports new features such as scalability, transcodability and direct access to spatial regions. A detailed study of JPEG 2000 standards is presented in [2]. The JPEG 2000 standards use structures such as tiles, precincts, resolution levels, quality layers, and color components and provide a syntax that allows easy access to these various components. A JPEG 2000 codestream, as shown in Fig. 1, consists of a header followed by packets of data. In each packet, the codewords of the codeblocks that belong to the same image component, image resolution, and layer appear. Thus, a packet corresponds to a body, with the coding-pass codewords, and a header that contains identification and information about corresponding codeblocks. Hence a packet is part of the bitstream comprising a packet header and the coded data from one layer, of one resolution level, of one precinct, of one component, of one tile. There are 5 progression modes supported by JPEG 2000: LRCP, RLCP, RPCL, PCRL, and CPRL, where L represents layer, R represents resolution, C represents component, and P represents position. The process of JPEG 2000 encoding is shown in Fig. 1.

Fig. 1 A JPEG 2000 part 1 encoder algorithm typically accomplishes four operations: Wavelet transform, (optional) scalar quantization, entropy coding and codestream building (i.e., rate allocation).

Manuscript received November 30, 2005. Manuscript revised April 18, 2006. Final manuscript received July 13, 2006.
† The authors are with the Graduate School of Science and Technology, Chiba University, Chiba-shi, 263-8522 Japan.
a) E-mail: [email protected]
DOI: 10.1093/ietfec/e89–a.11.2945

One of the interesting new features in JPEG 2000 is scalability; scalability refers to the ability to extract portions of a coded image from a JPEG 2000 codestream without full decoding. This is referred to as the “compress once, decompress many ways” property [2], i.e., it allows extractions of transcoded subimages (e.g., images with various resolutions, pixel fidelities, tiles and components) from a single compressed image codestream. For example, reducing the resolution simply requires extracting a subset of resolution levels. Likewise, reducing the bit rate simply requires extracting a subset of quality layers. The transcoding process is shown in Fig. 2. It follows that there is an increasing necessity to be able to authenticate those extracts independent of the whole image. It is also highly desirable, after generating and securing JPEG 2000 codestreams, to allow untrusted transcoders at intermediate network nodes to perform downstreaming of the JPEG 2000 codestream or to parse the codestream and hence change its progression order.
This must be done without unprotecting the image contents and without access to security keys, thus preserving end-to-end security.

Fig. 2 Transcoding or downstreaming of a JPEG 2000 image is a very simple operation that only requires the truncation or elimination of packets.

Copyright © 2006 The Institute of Electronics, Information and Communication Engineers

In the meantime, a new security standard is being developed and integrated in the JPEG 2000 coding standards; it is referred to as JPEG 2000 Part 8 Security standard or Secure JPEG (JPSEC), which is meant to provide security services for JPEG 2000 images. The JPSEC has currently reached the FDIS stage [3]. While it is being developed, it is very important to adapt this future security standard in newly developed security services for JPEG 2000 images.

Image authentication has been previously targeted in a variety of ways. Fragile image authentication [4], also known as file-based authentication, is a very simple approach where only one hash value is calculated for the whole image file. On the other hand, semifragile image authentication aims at verifying the authenticity of the image while allowing some acceptable manipulations such as lossy compression or transcoding. Several semifragile image authentication techniques have been proposed, where the image content, rather than the image data, is protected. Some of these techniques make use of watermarking to embed the hash value in the coded image [5]. In the technique presented in [6], the authors introduced the concept of Secure Scalable Streaming and Secure Transcoding (SSS), and proposed calculating the hash value for each allowed transcodable result for the JPEG 2000 codestream, and storing these hash values in the SEC marker segment. Another scheme of using a digital signature for authentication is presented in [7], where a digital signature is created for each individual codeblock in the bitstream and attached to the end of each codeblock.

In our previous work [8], we presented our solution to this problem, that included producing a hash value for each individual packet in the JPEG 2000 codestream using the SHA-1 hashing algorithm and then signing each hash value using RSA. We also proposed producing a single hash value for each entire resolution level or entire quality layer.
However, we found some security threats in signing each individual hash value using RSA due to their small sizes (160 bits), and the speed and the storage overhead produced by the SHA-1 algorithm needed to be improved.

In the remainder of this paper, we will give a detailed review of the new JPSEC standard in Sect. 2. In Sect. 3, we will present our new image authentication technique and propose 3 different implementation methods for this technique. In Sect. 4 we will provide evaluations and results, and Sect. 5 will be the conclusion and summary.

2. JPSEC Overview

JPSEC is an extension of JPEG 2000 specifications that is meant to provide a standardized framework for secure imaging, in order to support tools needed to secure digital images, such as content protection, data integrity check, authentication, and conditional access control [9]. JPSEC is a very flexible and open framework that provides a wide range of JPSEC normative tools, which are predefined security service tools in what is called template protection tools, to implement security functions. It also provides an extensible open framework for JPSEC nonnormative tools, which are new tools that may have been developed and registered a priori with the JPSEC registration authority or defined privately.

Template protection tools contain different protection templates to target a wide range of protection services. Four protection templates are defined in the JPSEC Committee Draft [3]: Decryption template, Authentication template, Integrity template, and Key Information template. The Decryption template supports three cipher modes: Block cipher mode, Stream cipher mode, and Asymmetric cipher mode using an RSA cipher type. The Authentication template contains three general classes of authentication methods: Hash-based Authentication, also referred to as HMAC, Cipher-based Authentication, and Digital Signature methods. The Integrity template is a keyless integrity check that utilizes the same hash functions as used by the Hash-based Authentication template. The Key Information template is defined to communicate key information using a Public key, X.509 Certificate, or URI for the certificate or secret key.

The JPSEC introduced two new marker segments in the JPEG 2000 codestream to signal the security syntax: the SEC marker segment present in the main header, and an optional INSEC marker segment that can be inserted anywhere in the bitstream to provide additional or alternative security signaling. The SEC marker segment supports the specification of single or multiple security tools, as well as the Zone of Influence (ZOI), which describes the data associated with each protection tool.

The ZOI may contain one or more zones, and in this case, the influenced zone is their union. The ZOI may use image-related description classes that specify the region in terms of Image region, Tile, Resolution, Layer, Component, Precinct, Packet, Sub-band, Codeblock, ROI or a user-defined unit. It may also use non-image-related description classes that specify the region in terms of Byte range, Padded byte range, TRLCP tags, Distortion value, Relative importance or a user-defined unit. The TRLCP tag is a new data structure defined by JPSEC to uniquely identify a JPEG 2000 packet by specifying its tile index, resolution level index, layer index, component index, and precinct index. The distortion field is used to associate a distortion value with an area specified by the ZOI. The relative importance field can be used to describe the relative importance among different coding units.

The Processing Domain (PD) is used to indicate at which domain the protection method is used. There are three possible domains: Pixel domain, Wavelet coefficient domain, and Codestream domain. The Granularity Level (GL) is also used to indicate the unit of protection for each protection method. The granularity syntax may define whether the unit of protection is an entire codestream, tile, tile-part, component, resolution level, layer, precinct, packet, sub-band, codeblock, or a zone identified in the ZOI, and for each unit, whether or not the header part is protected. The Processing Order (PO) defines the processing order used when applying the protection tool to the codestream. Five processing orders are supported: Tile Resolution Layer Component Precinct, Tile Component Precinct Resolution Layer, Tile Layer Resolution Component Precinct, Tile Precinct Component Resolution Layer, and Tile Resolution Precinct Component Layer.

The INSEC marker segment present in the bitstream itself can be used to give additional or alternative parameters for one of the security tools. The INSEC marker must reference one tool by using its instance index specified in the SEC marker segment.

The JPSEC Registration Authority provides a mechanism for identifying non-normative security tools that follow the JPSEC standards, supplementing the already listed JPSEC RA tools. Among this list, two authentication JPSEC RA tools are available. The first authentication JPSEC RA tool, titled “A unified authentication framework for JPEG 2000” [3], is based on the approach presented in [10]–[12], where the authors introduced the concept of Lowest Authentication Bit Rate (LABR). Their method involves extracting invariant features from the fractionalized bit-planes during the procedure of EBCOT. Then the digital signature is produced and an Error Correction Code (ECC) is applied to it. The result is embedded in the JPEG 2000 image as a watermark.

The second authentication JPSEC RA tool, titled “Scalable authentication of JPEG 2000” [3], is based on the concept of the Merkle Hash tree presented in [13]–[15]. A hash tree is constructed with each leaf corresponding to a codestream packet. The hash value is calculated for each individual packet and the hash tree is processed upward, concatenating neighbor leaves and hashing them together until the root hash value is generated and signed using the owner’s private key. The algorithm can support the authentication of subimages of the original image by providing the root digital signature together with some auxiliary information that includes the intermediate hash values for the discarded nodes that correspond to the truncated part of the image.

3. Proposed Image Authentication Methods

In this section, we describe our methods for image authentication and nonrepudiation while enabling different levels of scalability and transcodability. Packet-Based Authentication, which enables both resolution scalability and quality scalability at the same time, is applicable to codestreams in any progression order. Resolution-Based Authentication, which enables only resolution scalability, is applicable to codestreams only in RLCP or RPCL progression orders. Quality-Based Authentication, which enables only quality scalability, is applicable to codestreams only in the LRCP progression order.

All of our three image authentication methods are applied directly to the resultant codestream after the JPEG 2000 encoding process is completed, or to a previously encoded and stored codestream. Therefore, PD is set to the codestream domain. We define the authentication GL as the unit of data that is fed to the hashing algorithm, and a single hash value is generated for it. If maximum flexibility in transcoding the protected codestream is needed for any progression mode, GL is set to a single packet and Packet-Based Authentication is applied. If only resolution scalability is needed and the codestream is in either the RLCP or RPCL progression mode, called “resolution progression,” then GL is set to the entire resolution level and Resolution-Based Authentication is applied. Similarly, if only quality scalability is needed and the codestream is in the LRCP progression mode, called “quality progression,” then GL is set to the entire quality level and Quality-Based Authentication is applied.

In our methods, we will utilize a mechanism for message authentication in which a cryptographic hash function and a secret key are used. The iterative cryptographic hash function MD5 [16] is used as our message digest algorithm. Although other algorithms, such as SHA-1, have proven to be cryptographically stronger than MD5, MD5 is selected for its superior performance, which is critical in our case, and because it results in a shorter message digest. MD5 is used with a hashing secret key to produce the HMAC (Keyed-Hashing Message Authentication Code). This key must be shared by all authorized users who may need to sign or verify the authenticity of the image, so this key is a symmetric key and cannot be used for repudiation prevention. For this reason, the resultant HMAC values are signed using an asymmetric encryption algorithm; our algorithm of choice is the RSA algorithm [17], [18].

The RSA Public Key Cryptography Standard (PKCS) is used worldwide for Asymmetric Encryption and Digital Signatures [19], [20]. An RSA key pair is generated: the private key is used to sign the HMAC values and must be kept private by the sender; the public key is made available to authorized users who may wish to authenticate the origin of the received image, and to verify that it is indeed sent by the holder of the corresponding private key. The security of the RSA algorithm cannot be guaranteed for key pair lengths less than 1024 bits or to sign messages of lengths less than 1024 bits [18]. It follows that shorter messages must be padded before being signed and the RSA algorithm produces an encrypted message having a length of at least 1024 bits. For this reason, the HMAC values are first truncated to a specific HMAC length to reduce the storage overhead, and then concatenated together into a hash string. The resultant hash string is signed using the RSA algorithm and the sender’s private key to produce the digital signature. Figure 3 summarizes our authentication methods. The digital signature is stored in the SEC marker segment in the main header in the JPEG 2000 codestream and the security tool
is signaled using the new standard JPSEC signaling syntax. The JPSEC Digital Signature authentication template is used to signal the security tool used, and the Key Information template is used for communicating the public key information, in accordance with the new JPSEC standard signaling.

Fig. 3 Block diagram of our authentication methods. The sign procedure is on the left, and the verify procedure is on the right.

3.1 Packet-Based Authentication

In Packet-Based Authentication, referring to Fig. 3, GL is set to a single packet. The HMAC is generated for each individual packet, for both the packet-coded data and the packet header, to make our method resilient against cut-and-paste attack. Each HMAC is truncated to SIZHMAC, which is selectively chosen, according to the tolerated increase in storage overhead, as a percentage of the original image size. Reducing the size of SIZHMAC reduces the storage overhead, but at the same time, reduces the security of the HMAC. As the HMAC values will be signed afterwards using RSA and the sender’s private key, this security threat is then well compensated. Nevertheless, we will set a lower bound of 64 bits on SIZHMAC, below which HMAC collision may occur and the algorithm would be subject to cut-and-paste attack.

The order of concatenating the HMAC is critical. Therefore, PO is signaled in the Granularity syntax and is set to the original progression order of the protected image. If the progression mode of the protected image is changed afterwards, for example, due to a parsing operation, the progression order signaled in the PO parameter will be followed when applying the authentication verification algorithm to the received codestream. The string of concatenated HMAC values is signed using RSA and the sender’s private key, and the digital signature is stored in the SEC marker segment together with security parameters specified according to the JPSEC standard signaling syntax.

3.2 Resolution-Based Authentication

In Resolution-Based Authentication, the codestream is ordered as shown in Fig. 4. From this diagram, we can note that packets from each resolution level form a contiguous block of data. For this special case, GL is set to the entire resolution level, and one HMAC is generated from each set of contiguous packets that belong to each resolution level. As the number of resolutions in a codestream is limited, typically to the order of about 10 resolutions or fewer, the number of generated HMAC values is also limited. In this case, the resultant HMAC values are not truncated and SIZHMAC is set to 128 bits, the original size of the HMAC, and the Truncate module in Fig. 3 is bypassed, as shown in the diagram. The HMAC values are concatenated according to the resolution level index. The string of concatenated HMAC values is then signed and processed in a manner similar to that in the Packet-Based Authentication method explained in the previous section.

Fig. 4 Codestream for JPEG 2000 encoded image having RLCP progression. Resolution levels form contiguous blocks of data in the codestream.

3.3 Quality-Based Authentication

In Quality-Based Authentication, the codestream is ordered in a manner similar to the codestream order shown in Fig. 4, except that packets from each quality layer form a contiguous block of data. For this special case, GL is set to the entire quality layer, and one HMAC is generated from each set of contiguous packets that belong to each quality layer. Similar to the previous method, the number of quality layers in a codestream, and the number of generated HMAC values are limited, so the resultant HMAC values are not truncated and SIZHMAC is set to 128 bits, the original size of the HMAC, and the Truncate module in Fig. 3 is also bypassed, as shown in the diagram. The HMAC values are concatenated according to the quality layer index. The string of concatenated HMAC values is then signed and processed in a manner similar to that in the Packet-Based Authentication method explained earlier.

For a Fragile Authentication method equivalent to our methods, GL is set to the entire codestream, and the entire JPEG 2000 codestream is fed to the MD5 algorithm to produce a single HMAC value with a size of 128 bits. The Truncate module in Fig. 3 is bypassed, whereas the HMAC is padded with zeros to increase its size to 1024 bits, because the security of the RSA algorithm cannot be guaranteed when signing messages smaller than 1024 bits. The padded HMAC is then signed using the RSA algorithm and the sender’s private key to produce a Digital Signature with a size of 1024 bits, regardless of the size or structure of the JPEG 2000 image. The Digital Signature is stored in the SEC marker segment in a manner similar to that of the proposed methods.

3.4 Sign Algorithm for Proposed Methods

In this section, we will give a detailed description of the signing procedure for JPEG 2000 encoded images using proposed methods. The Sign Algorithm for our proposed methods is detailed below as the following 5 steps.

Step 1: The JPEG 2000 codestream is input to the Granularity module, together with the GL parameter. The GL parameter will be equal to a packet for the Packet-Based Authentication method, or to a resolution for the Resolution-Based Authentication method, or to a quality layer for the Quality-Based Authentication method. The Granularity module outputs the JPEG 2000 codestream divided into units of data, as shown in Fig. 5. Each unit of data contains either a single packet, an entire resolution, or an entire quality layer, according to the value of GL.

Step 2: Units of data output from the Granularity module are then fed to the HMAC module, together with the hashing secret key K. The HMAC module calculates an HMAC value for each entered unit of data using

$$\mathrm{HMAC}_K(u) = h\big((K \oplus \mathrm{opad}) \,\|\, h((K \oplus \mathrm{ipad}) \,\|\, u)\big), \tag{1}$$

where h is the iterated hash function, K is the secret key padded with zeros to the block size of the hash function, u is the message to be authenticated, || denotes concatenation, ⊕ denotes exclusive OR, ipad = 0x36 repeated 64 times, and opad = 0x5c repeated 64 times.

Step 3: HMAC values output from the HMAC module are optionally entered (only in the case of Packet-Based Authentication) into the Truncate module together with the SIZHMAC parameter. The Truncate module reduces the size of the HMAC values entered into it to SIZHMAC, and outputs only the first SIZHMAC bits of each HMAC value.

Step 4: HMAC values are then entered into the Concatenate module together with the PO parameter. This module produces a single HMAC string comprising the HMAC values entered into it, by concatenating these HMAC values ordered according to the PO parameter. HMAC values are indexed and each HMAC value in the HMAC string is preceded by its index. The index is taken to be the TRLCP tag in the case of Packet-Based Authentication, the resolution index in the case of Resolution-Based Authentication, or the quality layer index in the case of Quality-Based Authentication. The structure of the HMAC string is shown in Fig. 6.

Fig. 5 Granularity module and its output when GL is equal to Packet, Resolution, or Quality Layer.

Fig. 6 Concatenate module and the construction of the HMAC string output from this module.

Step 5: The HMAC string output from the Concatenate module is fed to the RSA Sign module, together with the sender’s private key. The RSA Sign module encrypts the HMAC string using the RSA algorithm and the sender’s private key and produces the Digital Signature (DS) according to

$$DS = (\text{HMAC string})^{d} \bmod n, \tag{2}$$

where n is the modulus and d is the private exponent of the RSA key. Finally, the Digital Signature produced and the security parameters are stored in the SEC marker segment by JPSEC standard signaling.

3.5 Verify Algorithm for Proposed Methods

In this section we will give a detailed description of the verification procedure for JPEG 2000 encoded images using the proposed methods. The Digital Signature and security parameters stored in the SEC marker segment are read and the JPEG 2000 codestream is processed in exactly the same manner as steps 1 to 4 in the Sign Algorithm, to produce the regenerated HMAC string. Only step 5 in the Verify Algorithm (RSA Verification module) is different from step 5 in the Sign Algorithm (RSA Sign module), as will be explained below.

Step 5: The Digital Signature and the sender’s public key are entered into the RSA Verify module. The RSA Verify module decrypts the Digital Signature (DS) using the following equation to retrieve the encrypted HMAC string.

$$\text{HMAC string} = (DS)^{e} \bmod n \tag{3}$$

Here, n is the modulus and e is the public exponent of the RSA key. The retrieved HMAC string is compared with the regenerated HMAC string from the received codestream. HMAC values corresponding to each other in the two HMAC strings are compared according to their HMAC indices. The RSA Verify module judges the authenticity of the image. If HMAC values are exactly equal in the retrieved and regenerated HMAC strings, then the JPEG 2000 image is authentic with all components present. If the HMAC values are equal in the retrieved and regenerated HMAC strings, with some HMAC values absent in the regenerated HMAC string, and if those missing values correspond to complete resolution level(s) or quality layer(s), then the JPEG 2000 image is accepted as authentic, but at a lower resolution or quality, respectively. If unequal HMAC values are detected, the image is judged to be unauthentic, and the unauthentic image components (packets, resolutions, or quality layers) that correspond to the forged HMAC values are output.

4. Evaluation and Results
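The sign and verify procedures of Sects. 3.4 and 3.5, carried through for Resolution-Based Authentication (GL = resolution level, HMAC values not truncated), as an added example that is not code from the paper. The RSA key is a constructed toy key built from two public Mersenne primes, the one-byte index and the leading 0x01 framing byte are assumptions of this example, and the resolution-level data is constructed.

```python
import hashlib
import hmac

# Constructed toy RSA key: P and Q are well-known Mersenne primes, so the
# private exponent is public knowledge. It only makes Eqs. (2)/(3) runnable.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

BLOCK = 64            # MD5 block size in bytes
HMAC_LEN = 16         # untruncated HMAC-MD5, i.e. SIZHMAC = 128 bits
ENTRY = 1 + HMAC_LEN  # one index byte followed by one HMAC value


def hmac_md5(key, unit):
    """Eq. (1) spelled out, with MD5 as the iterated hash function h."""
    if len(key) > BLOCK:
        key = hashlib.md5(key).digest()
    k = key.ljust(BLOCK, b"\x00")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in k) + unit).digest()
    return hashlib.md5(bytes(b ^ 0x5C for b in k) + inner).digest()


def hmac_string(units, key):
    """Sign steps 1-4 with GL = resolution level: index byte, then HMAC."""
    return b"".join(bytes([i]) + hmac_md5(key, units[i]) for i in sorted(units))


def sign(units, key):
    """Sign step 5, Eq. (2): DS = (HMAC string)^d mod n."""
    # The leading 0x01 byte is this example's framing so that an index of 0
    # survives the bytes -> integer -> bytes round trip.
    m = int.from_bytes(b"\x01" + hmac_string(units, key), "big")
    if m >= N:
        raise ValueError("HMAC string is too long for this modulus")
    return pow(m, D, N)


def verify(received, ds, key):
    """Verify algorithm: returns (verdict, resolution indices concerned)."""
    m = pow(ds, E, N)  # Eq. (3): retrieve the signed HMAC string
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    # Rejecting an empty codestream is a choice made in this example.
    if not received or raw[:1] != b"\x01" or (len(raw) - 1) % ENTRY:
        return "unauthentic", sorted(received)
    body = raw[1:]
    signed = {body[o]: body[o + 1:o + ENTRY] for o in range(0, len(body), ENTRY)}
    # Regenerate each HMAC from the received data and compare it by index.
    forged = [i for i in sorted(received)
              if i not in signed
              or not hmac.compare_digest(hmac_md5(key, received[i]), signed[i])]
    if forged:
        return "unauthentic", forged
    missing = sorted(set(signed) - set(received))
    return ("authentic at lower resolution", missing) if missing else ("authentic", [])


# Constructed stand-ins for the contiguous packet data of four resolution levels.
SAMPLE_KEY = b"shared hashing secret key K"
SAMPLE_LEVELS = {r: f"packets of resolution level {r}".encode() * 8 for r in range(4)}
SAMPLE_DS = sign(SAMPLE_LEVELS, SAMPLE_KEY)

if __name__ == "__main__":
    transcoded = {r: SAMPLE_LEVELS[r] for r in (0, 1, 2)}  # level 3 dropped
    tampered = dict(SAMPLE_LEVELS)
    tampered[1] = tampered[1].replace(b"level", b"LEVEL")
    for name, units in (("full", SAMPLE_LEVELS), ("transcoded", transcoded),
                        ("tampered", tampered)):
        print(name, verify(units, SAMPLE_DS, SAMPLE_KEY))
```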

A full-featured open-source JPEG 2000 codec implemented in JAVA [21] was used in our experiments. A fully compliant software toolkit [22] was used for JPEG 2000 encoding of our test images. Our methods were tested using several JPEG 2000 encoded images with different encoding parameters and progression modes, for both lossless and irreversible coding. Four different test images with different sizes and color components were used in our experiments, as shown in Fig. 7.

Fig. 7 Four different test images of different characteristics. (a) Sea: 2097 × 1397, (b) Face: 187 × 227, (c) Map: 600 × 550, and (d) Text: 529 × 751 (grayscale).

Our methods were able to verify the source of the signed image by using the sender’s public key to decrypt the digital signature attached to the image. The decrypted string of hash values was then used together with the hashing secret key to verify the authenticity of the received image components (packets, resolutions, and quality layers). Upon the success of the verification process, the sender cannot repudiate afterwards signing the image with his corresponding private key, and the image is judged to be authentic.

The output of the verification step is not merely “Yes” or “No” regarding the authenticity of the received image. The verification output indicates whether the image is authentic with all components of the received image present, or authentic but with some components not present due to a truncated resolution level or quality layer, or unauthentic, in which case our algorithm outputs which elements of the image are unauthentic, for example, the tampered packet(s), resolution(s), or quality layer(s).

Our authentication methods did not introduce any distortion or degradation of the quality of the protected image; only the efficiency of compression was slightly reduced, due to the unavoidable overhead in storage needed to store the digital signature. Also, the resultant protected codestream was backward compatible with JPEG 2000 standard decoders not aware of the security tools used; the digital signature and the security tool signaled in the SEC marker segment were ignored by JPEG 2000 decoders not aware of our security methods.

Our technique, with its three implementation methods, provided a tool for the users to select the method most appropriate in each case. Packet-Based Authentication has more appealing flexibility and utilities, while Resolution-Based Authentication and Quality-Based Authentication are more reliable and efficient in terms of security and storage overhead. Our dual-key system has proven to be quite secure. The RSA public key is used for repudiation prevention and for securing the hash string, while the hashing secret key is used for authenticating the received bitstream.

4.1 Packet-Based Authentication

Packet-Based Authentication was applied to our set of test images. The four test images were JPEG 2000 encoded, using the LRCP progression mode, into 3 quality layers and 4 resolution levels, except the image “Face” which was encoded into 2 quality layers and 3 resolution levels due to its very small size. All test images contained 3 color components except the image “Text” which contained 1 “grayscale” color component. Table 1 summarizes the percentage of overhead in storage when this method was applied to our four test images.

Table 1 Overhead percentage in storage for JPEG 2000 images compressed under different compression rates for Packet-Based Authentication.

Image  SIZH  Signature  Lossless  3 bpp  1 bpp
Sea    128   4.5k       0.11%     0.63%  1.26%
Map    80    2.8k       0.60%     2.32%  6.86%
Text   128   1.5k       0.82%     1.03%  3.06%
Face   64    1.1k       1.50%     7.03%  18.75%

We can see that the percentage of overhead is negligible for the large image “Sea,” but this percentage increases with smaller image sizes and with higher compression ratios, i.e., lower bit rates. For the image “Face” the parameter SIZHMAC was reduced to the minimum allowable size to make up for this drawback.

It is worth noting here that our test images were encoded into a JPEG 2000 codestream containing a single tile and a single precinct and the use of this method was restricted to these two conditions. When this method was used with multitile or multiprecinct images, it resulted in an overwhelming increase in the number of packets in the codestream and hence the number of HMAC values, and the digital signature increased to an unacceptable size. The use of multitile or multiprecinct images would also induce some security threats. The use of multitiles would make this algorithm vulnerable to cut-and-paste attacks because every tile is treated as an independent image, and the use of multiprecincts would raise the problem of having to decide whether or not a spatially reduced image can be accepted as authentic.

4.2 Resolution-Based Authentication and Quality-Based Authentication

These two methods were applied to our set of four test images. For Resolution-Based Authentication, the four images were JPEG 2000 encoded using RLCP and RPCL progression modes into 8 precincts, 5 quality layers, and 6, 8, and 10 resolution levels. The digital signature size was found to be 1024 bits for 6 and 8 resolutions and 1280 bits for 10 resolutions. The storage overhead was a function of only the number of resolution levels in the image, and the scalability of the protected JPEG 2000 codestream was limited to only the resolution scalability. Figure 8 shows the image “Face” authenticated at three different resolution levels, and a tampered version of the image that was judged to be unauthentic.
For Quality-Based Authentication, the four images were JPEG 2000 encoded, using the LRCP progression mode, into 8 precincts, 5 resolution levels, and 6, 8, and 10 quality layers. The digital signature size was found to be 1024 bits for 6 and 8 quality layers and 1280 bits for 10 quality layers. Similar to the above case, the storage overhead was a function of only the number of quality layers in the image, and the scalability was limited to quality scalability only. In both methods, the HMAC values were not truncated, in order to achieve maximum security, and the storage overhead was found to be very close to that of the fragile authentication method [4], as can be seen from Table 2 and Table 3. Also, Table 2 shows that the percentage of overhead when using these two methods was greatly reduced compared with that of the Packet-Based Authentication method. The two methods were fairly effective for JPEG 2000 images encoded into multiprecincts, but they were not applicable to multitile images. It is well known that the use of multitiles in an image results in many other disadvantages with respect to compression efficiency and artifacts at the tile boundaries, and is greatly discouraged in many applications.

Fig. 8 Image “Face” (a) authenticated at 3 different resolution levels and (b) judged to be unauthentic.

Table 2 Overhead percentage for images at different compression rates for (a) Resolution-Based Authentication with 8 resolutions, and (b) Quality-Based Authentication with 8 quality layers.

Image       Sea     Map     Text    Face
SIZH        128     128     128     128
Signature   1k      1k      1k      1k
Lossless    0.03%   0.21%   0.54%   1.33%
3 bpp       0.14%   0.83%   0.68%   6.25%
1 bpp       0.28%   2.44%   2.04%   16.67%

Table 3 Overhead percentage for images at different compression rates for Fragile Authentication.

Image       Sea     Map     Text    Face
Lossless    0.02%   0.18%   0.46%   1.13%
3 bpp       0.12%   0.70%   0.58%   5.31%
1 bpp       0.24%   2.07%   1.73%   14.17%

4.3 Security Analysis of Proposed Methods

In this section, we will analyze the security level of the proposed methods. We proposed using MD5 as the underlying cryptographic hash function instead of SHA-1, as the MD5 algorithm runs approximately 5 times faster than SHA-1, and MD5 produces storage overhead 20% less than that of SHA-1. This choice may raise some concerns about the security level of our methods, as it is well known that MD5 is less secure than SHA-1 and some common collision occurrences and attacks have been discovered for MD5 [23].

First, it is important to note that in our proposal we used HMAC-MD5 rather than raw MD5. HMAC is a message authentication scheme that involves double application of the underlying hash function and uses a secret hashing key, as shown in Eq. (1). HMAC is proven to be secure as long as the underlying hash function has some reasonable cryptographic strength [24]. In contrast, MD5 is a keyless hash function with a fixed and known Initialization Vector (IV), which makes brute force collision search attacks or birthday attacks feasible, because these attacks are easy to parallelize. For HMAC, on the other hand, the IV is replaced by a random and secret value known only to the parties involved. This greatly limits an attacker's ability to exploit the MD5 weakness in collision occurrences, as the adversary must acquire a huge number of messages together with their HMAC values, on the order of 2^64 messages, all produced with the same secret key and obtained directly from the legitimate user who knows the secret key. This makes brute force collision search attacks and birthday attacks infeasible. Also, the double application of the hash function in HMAC, as shown in Eq. (1), prevents extension attacks that can find collisions even when the IV is secret.

Moreover, the resultant HMAC values are further encrypted using the RSA algorithm and the sender’s private key, which is known only to the sender. This further protects the calculated HMAC values and raises the security level of our methods to that of the RSA algorithm. RSA is guaranteed to be secure under our imposed conditions that the RSA key pair length is set to 1024 bits and the length of the message fed to the RSA algorithm is a minimum of 1024 bits, either by HMAC concatenation or by HMAC padding. This makes it very difficult for an attacker with reasonable processing power to produce the RSA encrypted Digital Signature without knowledge of the sender’s private key. This justifies our choice of using MD5 instead of SHA-1 to benefit from the reduction in processing cost, without putting the security strength of our methods at any risk.

4.4 Comparison with Previous Methods

In this section, we will compare our authentication technique with previously proposed authentication methods.
The storage overhead in all our authentication methods, as can be seen from Tables 1 and 2, was of the same order as, or slightly greater than, that of the fragile authentication method [4], where only one digital signature of 1024 bits is produced for the whole image, as shown in Table 3. However, for the fragile authentication method, if any one bit changes in the image data, due, for example, to a transmission error or downstreaming, the image would be rendered unauthentic. This prohibits any transcoding or truncation of the bitstream and loses all the functionality of JPEG 2000. In our method, the protected JPEG 2000 codestream preserved all its inherent flexibility.

Our technique is far more efficient than the method proposed in [7]. The image “Map” was analyzed and found to contain 36 packets and 354 codeblocks. For our method, we only needed to hash and sign the 36 packets, which is only 10% of the overhead produced by the method in [7], in which all 354 codeblocks must be hashed and signed. Also, the method in [7] is vulnerable to cut-and-paste attacks, since it only authenticates individual codeblocks, not the whole image codestream.

Comparing our technique with the method in [6], which proposed to produce a hash value for each allowed transcodable result of the codestream, our method produces only one digital signature with a controllable size, whereas for the method in [6], the number of allowed transcodable results is very large, possibly unlimited, which would result in a very large storage overhead and processing load.

Our technique was simpler to implement than the JPSEC RA tool titled “Scalable authentication of JPEG 2000” [3], based on the concept of the Merkle hash tree method proposed in [13]–[15], and the linear processing of packets in the codestream in our technique is faster than the hierarchical approach used to produce the Merkle hash tree.

Also, our technique avoids the watermarking proposed in [5], in order to preserve the perceived image quality. The use of watermarking results in extra processing overhead for generating and embedding the watermark, and the embedded watermark degrades the perceived image quality.

Our technique also has an advantage over the JPSEC RA tool titled “A unified authentication framework for JPEG 2000” [3], based on the approach proposed in [10]–[12], in that it avoids the use of ECC and the uncertainty produced by ECC in deciding whether or not the image is authentic. Also, our method is applied directly to the JPEG 2000 codestream without the need to decode the image to verify its authenticity. In contrast, for that method, the authentication process is applied during the procedure of EBCOT coding, and thus it requires partial decoding of the image to extract the invariant features needed for authentication. Also, the use of ECC makes it difficult to define the threshold between acceptable modifications and malicious attacks, particularly when the malicious attack is applied to only a small part of the image.
Finally, the insertion of the hash value as a watermark into the image would induce visual distortions and degrade the perceived image quality.

In this research, we proposed an approach similar to the approach we previously presented in [8], but replaced the SHA-1 hashing algorithm with MD5 due to its superior speed and performance, and its reduced hash value size (128 bits) compared with SHA-1 (160 bits). We also introduced two new concepts: truncating the hash values, and concatenating the hash values into a hash string before it is signed using RSA. The use of the MD5 hashing algorithm instead of SHA-1 reduced the storage overhead by 20%. Truncating the HMAC for the Packet-Based Authentication method enabled further reduction of the storage overhead when necessary. Meanwhile, because of the lower bound of 64 bits set on SIZHMAC, and because the HMAC string is cryptographically locked using RSA, the security of our methods is guaranteed.

5. Conclusion

In this paper, we first introduced some of the new features of JPEG 2000 images and the need to provide security services that do not prohibit these new features. Then we followed with a brief discussion of the newly emerging security standard, JPSEC, that is specially designed for JPEG 2000 and which will be integrated in the JPEG 2000 standards. Then we discussed the previous solutions for image authentication and presented our new authentication and nonrepudiation technique with three different implementation methods, Packet-Based Authentication, Resolution-Based Authentication, and Quality-Based Authentication. We then compared them with previous solutions for image authentication. Evaluation and results confirmed the superiority of our technique as compared with previously proposed authentication methods, as well as the efficiency and the flexibility of our three implementation methods. Our methods are backward compatible with standard JPEG 2000 compliant decoders and are compliant with the Public Key Infrastructure (PKI).
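The construction analysed in Sects. 4.3 and 4.4, as an added example that is not the authors' code: the HMAC double application written out, per-packet HMAC-MD5 values truncated to SIZHMAC and concatenated into the string that is then signed, and a check of a stream that has lost packets to transcoding. The key, the packet payloads, the index-based slot lookup, the byte-aligned SIZHMAC and the zero padding are assumptions; the RSA signature over the string is left out.

```python
import hashlib
import hmac

BLOCK = 64          # MD5 input block size in bytes
MIN_STRING = 128    # 1024-bit minimum signer input stated in Sect. 4.3


def hmac_md5_manual(key: bytes, msg: bytes) -> bytes:
    """HMAC written out: H((K xor opad) || H((K xor ipad) || msg))."""
    if len(key) > BLOCK:
        key = hashlib.md5(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key) + msg).digest()
    return hashlib.md5(bytes(b ^ 0x5C for b in key) + inner).digest()


def hmac_string(key, packets, siz_hmac=64, digest="md5"):
    """Per-packet HMACs truncated to siz_hmac bits, concatenated in order."""
    size = hashlib.new(digest).digest_size * 8
    if siz_hmac % 8 or not 64 <= siz_hmac <= size:
        raise ValueError("SIZHMAC: byte multiple, 64 bits up to digest size")
    n = siz_hmac // 8
    out = b"".join(hmac.new(key, p, digest).digest()[:n] for p in packets)
    # Assumption: zero bytes as the padding up to the 1024-bit minimum.
    return out.ljust(MIN_STRING, b"\x00")


def failed_packets(key, received, hmac_str, siz_hmac=64, digest="md5"):
    """Indices of received packets whose HMAC slot does not match.

    `received` maps original packet index -> bytes (hypothetical layout), so
    a transcoded stream is checked only on the packets that remain.
    """
    n = siz_hmac // 8
    bad = []
    for idx, data in sorted(received.items()):
        tag = hmac.new(key, data, digest).digest()[:n]
        if not hmac.compare_digest(tag, hmac_str[idx * n:(idx + 1) * n]):
            bad.append(idx)
    return bad


# Constructed sample: 36 dummy packets (the packet count reported for "Map").
KEY = b"constructed-demo-key"
PACKETS = [b"packet-%02d-payload" % i for i in range(36)]
HMAC_STR = hmac_string(KEY, PACKETS)   # 36 * 8 bytes; the string to be signed


def demo():
    kept = {i: PACKETS[i] for i in range(12)}    # constructed reduced extract
    forged = dict(kept)
    forged[5] = b"packet-05-PAYLOAD"             # one modified packet
    return failed_packets(KEY, kept, HMAC_STR), failed_packets(KEY, forged, HMAC_STR)
```

`demo()` returns an empty list for the reduced extract and `[5]` for the copy with one altered packet; the `digest` parameter lets the same code be run with a different hash than the MD5 the paper uses.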

References

[1] JPEG 2000 part 1 Final Draft International Standard, “ISO/IEC JTC1/SC29 WG1 N189R,” Aug. 2000.
[2] D. Taubman and M. Marcellin, JPEG 2000: Image Compression Fundamentals, Standards and Practice, Kluwer Academic Publishers, 2002.
[3] JPSEC Final Draft International Standard, “ISO/IEC JTC 1/SC 29/WG1,” March 2005.
[4] Z. Zhang, G. Qui, Q. Sun, X. Lin, Z. Ni, and Y.Q. Shi, “A unified authentication framework for JPEG2000,” ICME, vol.2, pp.915–918, 2004.
[5] Z. Zhang, Q. Sun, and W.-C. Wong, “A novel lossy-to-lossless watermarking scheme for JPEG2000 images,” ICIP, vol.1, pp.573–576, 2004.
[6] S. Wee and J. Apostolopoulos, “Secure transcoding with JPSEC confidentiality and authentication,” ICIP, vol.1, pp.577–580, Oct. 2004.
[7] R. Grosbois, P. Gerbelot, and T. Ebrahimi, “Authentication and access control in the JPEG 2000 compressed domain,” SPIE, vol.4472, pp.95–104, 2001.
[8] A. Haggag, J. Lu, and T. Yahagi, “Image authentication and integrity verification using JPSEC protection tools,” IMQA2005, pp.65–70, Sept. 2005.
[9] F. Dufaux, S. Wee, J. Apostolopoulos, and T. Ebrahimi, “JPSEC for secure imaging in JPEG 2000,” SPIE Proc. Applications of Digital Image Processing, vol.5558, pp.319–330, Aug. 2004.
[10] Q. Sun and S.-F. Chang, “A secure and robust digital signature scheme for JPEG2000 image authentication,” IEEE Trans. Multimed., vol.7, no.3, pp.480–494, June 2005.
[11] Q. Sun, S.-F. Chang, M. Kurato, and M. Suto, “A quantitative semifragile JPEG2000 image authentication system,” ICIP, vol.2, pp.II-921–II-924, Sept. 2002.
[12] Q. Sun, S.-F. Chang, M. Kurato, and M. Suto, “A crypto signature scheme for image authentication over wireless channel,” ICME, vol.5, no.1, pp.1–14, June 2004.
[13] R.H. Deng, D. Ma, W. Shao, and Y. Wu, “Scalable trusted online dissemination of JPEG2000 images,” ACM Multimed. Systems Journal, vol.11, no.1, pp.60–67, Nov. 2005.
[14] R.H. Deng, Y. Wu, and D. Ma, “Securing JPEG2000 code-streams,” International Workshop on Advanced Developments in Software and Systems Security, Dec. 2003.
[15] C. Peng, R. Deng, Y. Wu, and W. Shao, “A flexible and scalable authentication scheme for JPEG2000 codestreams,” ACM Multimed., pp.433–441, Nov. 2003.
[16] M. Bellare, R. Canetti, and H. Krawczyk, “Message authentication using hash functions: The HMAC construction,” RSA Laboratories’ CryptoBytes, vol.2, no.1, 1996.
[17] R.L. Rivest, A. Shamir, and L.M. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Commun. ACM, vol.21, no.2, pp.120–126, 1978.
[18] C.K. Koc, “High-speed RSA implementation,” RSA Laboratories, Nov. 1994.
[19] PKCS #1 V2.1 “RSA cryptography standard,” RSA Laboratories, Draft 2, Jan. 2001.
[20] D.R. Kuhn, V.C. Hu, W.T. Polk, and S.-J. Chang, “Introduction to public key technology and the federal PKI infrastructure,” NIST, Feb. 2001.
[21] JJ2000, “An implementation of JPEG2000 in JAVA,” available at http://jj2000.epfl.ch/
[22] Kakadu, “A fully compliant software toolkit for JPEG2000 developers,” available at http://www.kakadusoftware.com/
[23] X. Wang, D. Feng, X. Lai, and H. Yu, “Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD,” rump session of Crypto’04, E-print, 2004.
[24] M. Bellare, R. Canetti, and H. Krawczyk, “Keying hash functions for message authentication,” Advances in Cryptology, Crypto 96 Proc., 1996.

Ayman Haggag received his B.Sc. degree from Ain Shams University, Egypt, in April 1994, and M.Sc. degree from Eindhoven University of Technology, The Netherlands, in December 1997. From January 1998 to March 2004 he was with the “Industrial Education College,” Helwan University, Egypt. In April 2004, he joined the Graduate School of Science and Technology in Chiba University, Japan, as a Ph.D. student. His current research interests are in the fields of image coding and security of data and images over networks and communication channels.

Mohamed Ghoneim received his B.Sc. and M.Sc. degrees in computer science from Mansoura University, Egypt, in May 1992 and December 1998, respectively. He was with the Faculty of Science, Mansoura University from 1994 through 2005. In April 2005, he joined the Graduate School of Science and Technology in Chiba University, Japan, as a Ph.D. student. His current research interests are in the field of block motion estimation and its use in image and video coding.

Jianming Lu received his M.S. and Ph.D. degrees from Chiba University, Japan, in 1990 and 1993, respectively. In 1993, he joined Chiba University, Chiba, Japan, as an Associate in the Department of Information and Computer Sciences. Since 1994 he has been with the Graduate School of Science and Technology, Chiba University, and in 1998 he was promoted to Associate Professor in the Graduate School of Science and Technology, Chiba University. His current research interests are in the theory and applications of digital signal processing and control theory.


Takashi Yahagi received his B.S., M.S., and Ph.D. degrees, all in electronics, from the Tokyo Institute of Technology, Tokyo, Japan, in 1966, 1968 and 1971, respectively. In 1971, he joined Chiba University, Chiba, Japan, as a Lecturer in the Department of Electronics. From 1974 to 1984 he was an Associate Professor, and in 1984 he was promoted to Professor in the Department of Electrical Engineering. From 1989 to 1998, he was with the Department of Information and Computer Sciences. Since 1998 he has been with the Graduate School of Science and Technology, Chiba University. His current research interests are in the theory and applications of digital signal processing and other related areas. He is the author of “Theory of Digital Signal Processing,” Vols. 1–3 (1985, 1985, 1986), “Digital Signal Processing and Basic Theory” (1996), “Digital Filters and Signal Processing” (2001), “Kalman Filter and Adaptive Signal Processing” (2005), and the co-author of “Digital Signal Processing of Speech and Images” (1996), “VLSI and Digital Signal Processing” (1997), “Multimedia and Digital Signal Processing” (1997), “Neural Network and Fuzzy Signal Processing” (1998), “Communications and Digital Signal Processing” (1999), and “Fast Algorithms and Parallel Signal Processing” (2000) (Corona-sha, Tokyo, Japan). He is the Editor of the “Library of Digital Signal Processing” (Corona-sha, Tokyo, Japan). Since 1997, he has been the President of the Research Institute of Signal Processing, Japan, and also the Editor-in-Chief of the Journal of Signal Processing. Professor Yahagi is a member of IEEE (USA), and Research Institute of Signal Processing (Japan).
