and digital signatures only authenticate the representation ... user's public key, much like digital signatures. It .... and the knowledge of W allows an attacker to act.
ON THE SECURITY OF THE SARI IMAGE AUTHENTICATION SYSTEM Regunathan Radhakrishnan, Nasir Memon Polytechnic University, Brooklyn.
ABSTRACT In this paper we investigate the image authentication system SARI, proposed by C.Y. Lin and S.F. Chang [1], that distinguishes JPEG compression from malicious manipulations. In particular, we look at the image digest component of this system. We show that if multiple images have been authenticated with the same secret key and the digests of these images are known to an attacker, Oscar, then he can cause arbitrary images to be authenticated with this same but unknown key. We show that the number of such images needed by Oscar to launch a successful attack is quite small, making the attack very practical. We then suggest possible solutions to enhance the security of this authentication system.
1.
INTRODUCTION
Given the proliferation of multimedia content and the ease with which such content can be manipulated, recent years have seen a growing need for authentication techniques for multimedia. Although the problem of authentication is a well-studied problem in cryptography, authentication of multimedia content raises some new and interesting issues as discussed in [2]. For example, it is desirable in many multimedia applications to authenticate the content, rather then the representation of the content. For instance, converting an image from JPEG to GIF, is a change in representation but not a change in content. Ideally, one would like the authenticator to remain valid across different representations as long as the underlying perceptual content has not changed. Conventional authentication techniques based on cryptographic hash functions, message digests and digital signatures only authenticate the representation. Hence, they are not useful in this context. Indeed, a few image content authentication techniques have been recently proposed in the
literature. These techniques compute an image digest (or hash or fingerprint) of the image and then encrypt the digest with a secret key. For public key verification of the image, the secret key is the user’s private key and hence the verification can then be done by anyone with the user’s public key, much like digital signatures. It should be noted that the image digest that is computed is much smaller than the image itself. Furthermore, the image digest has the property that as long as the image content has not changed the digest that is computed from the image remains the same. Clearly constructing such an image digest function is a difficult problem. Nevertheless, there have been a few such functions proposed in the literature and image authentication schemes based on them have been devised [1,3,4,5,6]. Perhaps the most widely cited image digest function/authentication scheme is SARI, proposed by Lin and Chang [1]. The SARI image authentication scheme contains an image digest function, which generates hash bits that are invariant to JPEG compression. That is, the hash bits do not change if the image is JPEG compressed but do change for any other significant or malicious operation. In this paper, we show that the image digest component of the SARI authentication system is not secure under certain circumstances. Specifically, we show that if an attacker has the image digests for a multiple number of images where the same secret key has been used to construct the digest, and then he or she can cause arbitrary images to be authenticated. The rest of this paper is organized as follows: In the next section, we briefly review the image digest computation component of SARI. Then in Section 3, we describe our attack and give possible solutions that can prevent our attack in Section 4. 2. SARI SYSTEM. The image digest component of SARI is based on the invariance of the relationship between
selected DCT coefficients in two given image blocks. It can be proven that this relationship is maintained even after JPEG compression using the same quantization matrix for the whole image. Since the image digest is based on this feature, SARI can distinguish between JPEG compression and other malicious operations that modify image content. More specifically, in SARI, the image to be authenticated is first transformed to the DCT domain. The DCT blocks are grouped into non-overlapping sets Pp and Pq as defined below:
malicious manipulations on the authenticated image. However, if a system uses the same secret key K and hence the same mapping function (W) to form block pairs for all the images authenticated by it, an attacker with access to a sufficient number of images authenticated by this system can produce a arbitrary fake images. We show one such possible attack in the next section.
Pp = { P1, P2 , P3 … PN/2 } Pq = { Q1, Q2 , Q3 … QN/2 } where N is the total number of DCT blocks in the input image. An arbitrary mapping function, W, is defined between these two sets satisfying the following criteria Pp = W(K,Pq) Pp O Pq = F ?and Pp U Pq = P where P is the set of all DCT blocks of the input image. The mapping function, W, is central to the security of SARI and is not publicized. In fact, it is based on a secret key K. The mapping effectively partitions image blocks into pairs. Then for each block pair, a number of DCT coefficients are selected. Feature code or hash bits are then generated by comparing the corresponding coefficients in the paired block. For example, in the block pair (Pm, Pn) if the DC coefficient in block Pm is greater than the DC coefficient in block Pn, then the hash bit generated is ‘1’. Otherwise, a ‘0’ is generated. It is clear that a hash bit serves to preserve the relationship between the selected DCT coefficients in a given block pair. The hash bits generated for each block are concatenated to form the digest of the input image. This digest can then be either embedded into the image itself or appended as a tag. The authentication procedure at the receiving end involves the extraction of embedded digest. The digest for the received image is generated as at the encoder and compared with the extracted and decrypted digest. Figure 1 shows the authentication system in detail. Since relationships between selected DCT coefficients are maintained even after JPEG compression, this authentication system can distinguish JPEG compression from other
3. POSSIBLE ATTACK ON SARI The security of SARI system lies in the secret mapping between the two sets of blocks, Pp and Pq. If the attacker is able to get the block pairs that are being compared to generate the hash bit, then it is possible to change the DCT Coefficients in these blocks in such a way that the relationship is maintained as in the original image. An image visually different from the original can thus give the same hash, which is not desirable for any authentication application. In the rest of this section, we show that with the assumption that the attacker has access to O(log N) images and their corresponding signatures (hash bits) generated by the same secret key where N is the number of 8*8 DCT blocks in a given image, the following attack is possible. For ease of exposition, we assume that just the DC values of the blocks are being used to compute the digest and hence only one hash bit is being generated for every pair of blocks being compared. It should be noted that our attack can be extended even if multiple bits are being generated. In fact, if multiple bits are produced then the attack requires even lesser images. Our goal is to determine the secret mapping W. That is, for each hash bit, we would like to find the image block pair (Pi , Pj) which was used to generate the bit. Once we do that we know W
and the knowledge of W allows an attacker to act with impunity. Without loss of generality assume that the first bit of the image digest for the first image is 1. Now look at all possible image block pairs in the first image I1. About half of them would correspond to a 1-bit and thus we have roughly N2/2 candidates for the block pairs that could have been used for generating the first bit. Call this candidate set of blocks C1. The rest of the blocks can be eliminated. Now look at the first bit of the image digest of the second image, which we assume has been generated using the same key K as I1. Without loss of generality, say it is 0-bit. Eliminate all the candidates from C1 that do not correspond to a 0-bit in image I2. If a block pair hashes to 0 or 1 with equal probability then roughly half of C1 would get eliminated. The new candidate set, which we call C2 is roughly of size N2 /4. Clearly, we can continue in this manner eliminating half the candidate block pairs with every additional image. At the end of the k’th iteration we would have a candidate set of size roughly N2 /2K . We stop when we have a unique block pair in the candidate set and this gives us the image block pair that has been used to compute the first digest bit. It would take an average log(N2) = 2 log(N) iterations before we terminate. Hence, we need roughly 2 log(N) images to make the attack successful. We repeat the above process with every digest bit. Each round requires roughly N2 log(N) computation on the average and we have N/2 pairings to determine. So a rough approximation of the expected complexity of the attack is about N3 log N. Clearly this is feasible as N is the number of 8*8 blocks in the image. In addition, the number of images needed is roughly 2 log(N), which is a very small number. For 512 x 512 images, the number of DCT blocks is 4096 and on an average, roughly 28 images would be enough to deduce the block pairs being compared to generate the digest. The above analysis is when the two sets, Pp and Pq are arbitrary. When Pp and Pq have the structure as described in section 2 then the complexity of the attack can be reduced by a factor of N and the number of images needed can be further halved. In any case, once the block pairs are found out, (which means that the secret mapping (W) is now available to the attacker) then any object can be inserted into the image. Since the pairing is known to the attacker, the corresponding DCT
coefficient in the paired block can be modified in such a way that the original relationship is maintained. Thus, we would have generated an image that is visually different from the original but with the same hash bits. 4.
SOLUTION TO PROPOSED ATTACK
The basis of the proposed attack is the availability of a multiple number of images for which the digest is known and the fact that the same secret mapping function was used to authenticate those images. Perhaps the inventors of the SARI system knew of this kind of attack and to counter it to some extent it was suggested by its authors that the mean value of the DCT in each (selected) position for all blocks be included in the digest. However, this doesn’t prevent such an attack completely but makes it a bit tough for the attacker to produce the fake image. The attacker now has to meet two requirements when making a change to the image. One is to preserve the DCT coefficient relationships as in the original and the second is to make sure that the mean of the DCT coefficients doesn’t change after tampering the image. So clearly, appending the mean value has little utility and besides it serves to increase the size of an already unduly long digest. Two possible ways of preventing attacks on authentication systems have been proposed in literature. Memon et.al. [7] propose a modification for the Yeung-Mintzer authentication watermark, which increases the required computational complexity for the attacker. Similarly, SARI can be made more secure against this kind of attack by increasing the computational complexity of the attack. This could be achieved by increasing the complexity of the hash bit generation process by increasing the dimensionality of the comparison being made to generate a hash bit. Instead of comparing just two blocks, we could compare two sets of blocks each of size, M, to generate M hash bits. While comparing these two sets, it is advisable to use some joint statistic measure instead of independent comparison of blocks. Otherwise, the increase in dimensionality of comparison will not contribute to the security of the SARI system, as it is again the same problem of finding the blocks that got paired. Another solution that has been suggested in literature for the security of multimedia authentication systems is to have the watermark
dependent on the content. In the case of SARI, the secret mapping function (W) can be made dependent on the image content in order to satisfy this requirement. With this modification, the attacker will find it difficult to get multiple images with the same mapping function, as it is different for different images authenticated, although the secret key used is the same. The reader is referred to [8] for a detailed discussion on the merits and shortcomings of this approach. The main problem with this approach is that modifications to the image can always result in different bits being extracted that characterize content. Instead of the above we propose a simpler and more straightforward solution. Making the secret mapping, W, vary from image to image can be achieved by including a random number, called a “salt” which is used along with the secret key K to generate the secret mapping function W. This method of attaching a “salt” is well known in UNIX password encryption where a “salt” (12 bit random number) is selected, when a user first selects a password. The first eight characters of password along with this “salt” are used as DES key to encrypt a 64-bit block of zeros 25 times. The encryption result and the salt are both stored in the password file. At the time of authentication, the salt is retrieved from the password file and appended with the input password to create a DES key, K’. This key is then used to encrypt a 64-bit block of zeros. If this encryption result matches with stored encryption result in the password file, the user is authenticated. This method of authentication is more secure against dictionary-based attacks as the attacker has to exhaustively try out all 4096 possible salts for each key. Also, two users could have the same password and still have a different encryption result, as their salts would be different with a very high probability. Similarly, in SARI, attaching a “salt” of size say 32 or 64 bits for each image makes the secret mapping W vary from image to image. The “salt” value used can be appended to the message digest thereby being available to the verifier. This makes SARI resistant against the proposed attack. A very large number of images authenticated by the same key will be useless to an attacker as what he needs is images authenticated with same key and the same salt. since the mapping function depends on salt embedded along with the secret key. The security of SARI can be enhanced as required by a specific application by increasing the number of bits in the embedded salt. For most
applications a 32 bit salt would be more than sufficient. A more detailed analysis of this is deferred to the final version of the paper.
5.
REFERENCES
1.
C.Y.Lin and S.F.Chang, “A Robust Image Authentication Method Distinguishing JPEG Compression from Malicious Manipulation”, SPIE Storage and retrieval of Image/Video Databases, San Jose, January 1998.
2.
N. Memon and Poorvi Vora, “Authentication Techniques for Multimedia Content”, Multimedia Systems and Applications, SPIE Proceedings, Boston, MA, October 1998.
3.
Jiri Fridrich and Miroslav Goljan, “ Image Watermarking for Tamper Detection”, Proc. IEEE International Conf. On Image Processing, ICIP-98, Vol.2, pp.404-408.
4.
Jiri Fridrich, “Methods for Detecting Changes in Digital Images”, Proc. Of the 6th IEEE International Workshop on Intelligent Signal Processing and Communication Systems, 5-6 Nov.1998, Melbourne, Australia, pp.173 –177.
5.
D.Kundur and D.Hatzinakos, "Digital Watermarking for Telltale Tamper Proofing and Authentication", Proceedings of the IEEE, Vol.87, No.7, July 1999, pp.1167-1180.
6.
M. Schneider and S. F. Chang, “A Content Based Digital Signature for Image Authentication”, Proc. IEEE Intl. Conf. On Image Processing, ICIP-96, Vol 3, pp.227-230
7.
N. Memon, P. Wong and S. Shende, “On the Security of the Yeung-Mintzer Fragile Water-marking technique”, Proceedings of PICS Conference, Savannah, Georgia, April 1999.
8.
M. Holliman, N. Memon and M. Yeung. “On the Need for Image Dependent Keys in Water-marking”, Proceedings of the Second Workshop on Multimedia, NJIT, March 1999.
