Quality-Optimized and Secure End-to-End Authentication for Media Delivery

By Qibin Sun, Member IEEE, John Apostolopoulos, Senior Member IEEE, Chang Wen Chen, Fellow IEEE, and Shih-Fu Chang, Fellow IEEE

Vol. 96, No. 1, January 2008 | Proceedings of the IEEE

Prepared By: Mohammad AlKurbi

CMPT – 820, March 11, 2009


Abstract

Content-Aware Media Stream Authentication techniques provide better media quality than Content-Unaware ones.


Index

• Introduction.

• Media Authentication Classes.

• Performance Metrics.

• Data-Based Authentication:
– Classes.
– Graph-Based methods.

• Content-Aware Media SA optimized for quality:
– Attributes.
– Demonstration of effectiveness via examples.


Why is media authentication needed?

1. Multimedia communication applications (such as video conferencing, video surveillance, IPTV, and video on demand) are growing as a consequence of growing network bandwidth, improved compression formats, and advanced delivery technologies such as content delivery networks.

2. Accordingly, security issues such as confidentiality, authenticity, and secure media adaptation (integrity) are also becoming serious concerns.

• Example of a security threat: a video stream can be maliciously altered for any reason.


Authentication?!

• Authentication is usually associated with data integrity, source identification, and non-repudiation, because these issues are very often related to each other.

• Authentication, in this paper, means the process by which the authorized receivers determine whether specified data has, with very high probability:
1. Been sent by the authorized sender.
2. Not been subsequently altered or substituted for.

• Therefore, the term authentication here means both source and data authentication.

• Data authentication techniques are built upon the use of one-way hash functions by:
– Digital signature schemes (DSSs): use an asymmetric (public/private) key pair.
– Message authentication codes (MACs): use a symmetric (secret) key.


Stream Authentication (SA)?

• The previous definition of “authentication” usually requires that the received media be identical to what was sent, as in the case of conventional data authentication.

• This is not appropriate for SA.


Why is SA challenging?

• Unreliable media channel / transport protocol (Lost/Distorted packets).

• Time is critical.

• Resource limitations.

• Real time streaming.


A proper Approach (Packet Authentication)

• A more useful definition is that the authenticated media corresponds to the media decoded exclusively from authenticated packets.

• This definition prevents packet alteration (note that it may not be possible to identify whether a packet loss is accidental or malicious).

• Under this definition, a packet is consumed only when it is received, decodable, and authenticated.

• It works even if the received media stream is incomplete.


Media Data Versus Media Content

• Media “data” refers to its exact representation (e.g., binary bit stream).

• Media “content” refers to the semantics of the represented data. It is generally subjective and depends on the applications.

• (Example) After lossy compression:
– The original and reconstructed media data are different.
– However, the media content should be the same (e.g., the same people are visible in both the original and the reconstructed image).


Data Authentication? Content Authentication?

• Content authentication:
– Verifies that the meaning of the media (its semantics) has not changed.
– Distortion can be incidental (lossy compression, packet loss) or intentional (malicious attacks).

• Data authentication: considers whether the data have changed.


Media Authentication Classes

• At the receiver, authentication can be performed at either point X or point Y.

• These two points classify existing authentication methods into:
1. Data/Stream-based authentication (at point X).
2. Content-based authentication (at point Y).


High-level attributes of (Content Based) & (Stream Based) Authentication

Stream Based:
• Bitwise authentication.
• Extra bit-rate overhead can be significant.
• Authenticated media can be far inferior in quality to the same media afflicted by the same losses but without requiring authentication.
• Provides mathematically provable levels of security.
• Provides a similar level of security to conventional data security techniques.

Content Based:
• Achieved via some form of digital watermarking.
• Generally requires less bit-rate overhead.
• Usually more robust to media distortions.
• Much more difficult to make mathematically provable statements about the system security.
• Generally the level of security is significantly less.


Motivations for another approach

• Media quality is arguably a more important metric than verification probability.

• Previous limitations motivate the authors to revisit stream-based methods and study whether the quality of the received media can be optimized using information from the media content.

• Media is usually coded according to certain compression standards before streaming, and this leads to coding dependencies between the different packets. These dependences should also be taken into consideration for resource allocation.

• It is a natural idea to allocate more authentication resources toward the more important packets.


Performance Metrics for Streaming Media Authentication

• Computation Overhead: limited computational capabilities.

• Communication Overhead: Additional rate has to be minimized, especially on limited bit rate channels, or code sharing will be affected.

• Verification Probability: Seeking high verification probability but at significantly lower costs.

• Sender Delay: Higher delay requires larger buffer.

• Receiver Delay: Higher delay requires larger buffer.


Stream/Data-based Auth. Classes

1. ECC-based methods

2. Graph-based methods:
– Hash Chaining.
– Efficient Multichannel Stream Signature (EMSS).
– Merkle authentication tree (Tree-chaining technique).
– Butterfly graph.


Stream-based Auth: 1. ECC-based methods

• Use a code such as an erasure code.

• Construct an authentication scheme that amortizes a single signature operation over multiple packets.

• Two main goals:
– Reduce communication overhead by computing the digital signature for a block of packets (one hash per packet and one signature per block of packets).
– Achieve robustness to packet loss by coding the digital signature of a block of packets with an ECC method and dispersing it across the packets.

• Cons:
– High computational overhead due to the erasure coding.
– High receiver delay.


Stream-based Auth: 2. Graph-based methods

• Basic scheme, as shown in the upper part of Fig. 4:
– For each packet, its hash is computed and appended to the end of the packet.
– The signature is computed across all of the hashes and sent separately.
– Authentication is performed after receiving the last packet.
– This scheme fails when packet loss occurs.

• To overcome the packet loss problem, as shown in the lower part of Fig. 4:
– A straightforward solution is to add redundancies (e.g., additional edges in the graph) by attaching several hashes from other packets to the packet currently being transmitted. If the current packet (e.g., N) is lost, its hash can still be obtained from other packets (e.g., N + m).


Authentication graph

• A directed edge from node Pi to Pj indicates that the hash value of Pi (source packet) is appended to Pj (target packet).

• The redundancy degree of the packet Pi is the number of edges coming out of it. In particular, the redundancy degree is zero for a signature packet.

• A packet Pi is verifiable if there remains a path from Pi to the signature packet.

• An authentication graph is a directed acyclic graph.

• A node corresponds to a media packet or a signature packet signed with a crypto signature scheme, and there is typically only one signature.
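The verifiability rule above (a packet is verifiable if a path from it to the signature packet survives), as an added Python sketch that is not part of the original slides or the paper. It assumes the signature packet is sent last and always arrives, uses HMAC-SHA256 as a stand-in for the digital signature, and the names `sign_stream`, `verify_stream` and `deliver` are hypothetical.

```python
import hashlib
import hmac

# Assumption: an HMAC key stands in for the sender's signing key so the sketch
# runs with the standard library; a real scheme uses a digital signature.
KEY = b"constructed-demo-key"

def digest(pkt):
    """Hash of a packet: sequence number, payload and every hash it carries."""
    h = hashlib.sha256(pkt["seq"].to_bytes(4, "big") + pkt["payload"])
    for src in sorted(pkt["hashes"]):
        h.update(src.to_bytes(4, "big") + pkt["hashes"][src])
    return h.digest()

def sign_stream(payloads, offsets):
    """Sender: the hash of P_i is appended to P_(i+o) for each offset o.
    Edges that would run past the last data packet end at the signature packet."""
    n = len(payloads)
    pkts = []
    for j, payload in enumerate(payloads):
        carried = {j - o: digest(pkts[j - o]) for o in offsets if j - o >= 0}
        pkts.append({"seq": j, "payload": payload, "hashes": carried})
    tail = {i: digest(pkts[i]) for i in range(max(0, n - max(offsets)), n)}
    sig = {"seq": n, "payload": b"", "hashes": tail}
    sig["tag"] = hmac.new(KEY, digest(sig), hashlib.sha256).digest()
    return pkts, sig

def verify_stream(received, sig):
    """Receiver: return the packets that still have a path to the signature packet."""
    expected = hmac.new(KEY, digest(sig), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig.get("tag", b"")):
        return []
    trusted = dict(sig["hashes"])  # hashes vouched for so far
    verified = []
    # Edges only point to later packets, so one pass from the end suffices.
    for seq in sorted(received, reverse=True):
        pkt = received[seq]
        if seq in trusted and hmac.compare_digest(digest(pkt), trusted[seq]):
            verified.append(seq)
            for src, value in pkt["hashes"].items():
                trusted.setdefault(src, value)
    return sorted(verified)

def deliver(pkts, lost=(), tampered=()):
    """Constructed lossy channel: drop some packets, alter the payload of others."""
    out = {}
    for p in pkts:
        if p["seq"] in lost:
            continue
        altered = p["seq"] in tampered
        out[p["seq"]] = dict(p, payload=p["payload"] + b"!") if altered else p
    return out

if __name__ == "__main__":
    payloads = [b"frame-%d" % i for i in range(8)]  # constructed sample data
    for offsets in [(1,), (1, 3)]:
        pkts, sig = sign_stream(payloads, offsets)
        print(offsets, "lost P5     ->", verify_stream(deliver(pkts, lost={5}), sig))
        print(offsets, "tampered P4 ->", verify_stream(deliver(pkts, tampered={4}), sig))
```

With offsets `(1,)` a single lost packet leaves every earlier packet unverifiable; with offsets `(1, 3)` only the lost or altered packet is rejected.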


Hash chaining

• It has low overhead and low receiver delay.

• However, it has a high sender delay and cannot tolerate any packet loss.


Efficient Multichannel Stream Signature (EMSS)

• Multiple hash chains are used. Each chain represents a block of packets.

• Non-repudiation through periodic signature packets, which contain the hash of several data packets.

• Robustness against packet loss is achieved through the inclusion of multiple hashes, where current packet hash is included in future packets.

• This scheme has a high receiver delay and a low sender delay.


Merkle authentication tree (Tree-chaining technique)

• Reduces computation cost by signing a block of packets.

• Makes packets individually verifiable, so each packet needs to carry its own authentication information (called the packet signature) consisting of:
– The signed block digest (block signature).
– The packet position in the block.
– Digests of all other packets in the block.

• Tolerate any number of packet losses.

• A very high communication overhead.


• The packet digests are the leaf nodes.
• Other nodes represent the digest of their children.
• The root is the block digest with the block signature.


Butterfly graph

• A butterfly authentication graph is a directed acyclic graph (DAG) containing one signature packet S and $M = N(\log_2 N + 1)$ data packets.

• The M data packets are divided into $(\log_2 N + 1)$ stages, and each stage has N packets.

• Aims to achieve:
– Low overheads and high authentication probability.

– Robustness against both random and burst packet losses (Able to resist up to consecutive packet losses at stage s. )

• It has a high sender delay M, that can be reduced by pre-computing hashes and signatures before the streaming starts


12 sN

Example: 4 stages and 8 data packets in each stage. The signature packet S contains the signature and hashes of all packets in stage 0. All packets in stage 0 to log2N-1 (i.e. 2) have two hashes. The packets in the last stage do not have any hash.


CONTENT-AWARE MEDIA SA OPTIMIZED FOR QUALITY (?)

• Previous schemes have:
– Treated media packets equally.
– Proven their optimality in terms of verification probability.

• However, media packets are generally not equally important (for example, a P-frame is more important than a B-frame), so more resources can be dedicated to the more important ones.

• In media streams, quality is more important.


Attributes

1. Stream/Data based Authentication.

2. Design and adapt the authentication for each specific media object in order to optimize the authenticated media quality (media-aware authentication).

3. Exploit the unequal importance of different packets.

4. Provide unequal authenticity protection (UAP) by allocating the authentication resources unequally across streamed packets based on their relative importance.


Attributes (Cont.)

5. Robust to packet loss, and therefore does not need a reliable connection (i.e., TCP).

6. Applies conventional cryptographic hashes and digital signatures to the media packets.

• The effectiveness of this approach has been demonstrated through experimental results on:
– Different media types (image and video).
– Different compression standards (JPEG, JPEG2000, and H.264).
– Different channels (wired with packet erasures and wireless with bit errors).


Demonstration of effectiveness through examples

Formulating the Rate-Distortion-Authentication (RDA) optimization framework.

Two experiments (basic design principles) illustrate its application to different media coding delivered over different lossy channels:

A. Application to Scalable Image Coding (JPEG-2000) Scheme.
B. Application to Non scalable Video Coding (H.264) Scheme.

We demonstrate the benefit of using information about the media content to achieve quality-optimized end-to-end stream authentication.

The experimental results presented in this paper are merely for illustrative purposes; more detailed and rigorous test results are given in [18]–[20], [37], [38], [41], and [43]–[45].


Rate-Distortion-Authentication (RDA) optimization framework

• Given a specific rate and network condition, the goal is to compute an authentication graph that minimizes the total expected distortion of the authenticated media.

• RDA constructs an authentication graph trading off two conflicting goals:
– Minimizing total rate (coded media rate and overhead).
– Minimizing total expected distortion (or maximizing media quality) of the authenticated media.


Formulate the RDA optimization problem

• Vector variable $\pi = [\pi_0, \pi_1, \ldots, \pi_m, \ldots, \pi_{M-1}]$, where $\pi_m$ is the set of target nodes of the edges coming out of $P_m$.

• Redundancy degree of Pm is , and 1

• For a given Lagrange multiplier $\lambda > 0$, the goal is to find the optimal transmission scenario that minimizes:

$$\pi^* = \arg\min_{\pi} \left( D(\pi) + \lambda R(\pi) \right) \qquad (2)$$

where $\lambda$ is used to control the tradeoff between the total rate R (sum of source, channel, and authentication rates) and D (the overall expected distortion).

• A smaller value of $\lambda$ will result in an optimized policy leading to smaller expected distortion D and higher overhead R, and vice versa.


Formulate the RDA optimization problem (Cont.)

• The authentication rate $R_a$ is the extra bytes introduced for media authentication, e.g., the rate for all of the hashes appended to the packets and the digital signature. $R_a(\pi)$ can be computed as:

$$R_a(\pi) = SIZ_{Sig} + \sum_{P_m} |\pi_m| \, SIZ_{Hash} \qquad (3)$$

where $SIZ_{Sig}$ and $SIZ_{Hash}$ are the sizes of the signature and hash, respectively, and $|\pi_m|$ is the number of target nodes in $\pi_m$.


Formulate the RDA optimization problem (Cont.)

• The expected authentication distortion can be calculated as:

$$D_a(\pi) = D_0 - \sum_{P_m} \Delta D_m \cdot \Pr[P_m \text{ decodable}] \cdot \Pr[P_m \text{ verifiable with } \pi_m \mid P_m \text{ decodable}] \qquad (4)$$

where:
– $D_0$ is the distortion when no packet is consumed because of authentication.
– $\Delta D_m$ is the amount by which the distortion will be reduced if packet $P_m$ is consumed.
– The first probability is the probability that $P_m$ is decodable.
– The second is the probability that $P_m$ is verifiable with $\pi_m$, given that $P_m$ is decodable.


Practical approach for the optimization problem

• Achieving the global optimization of

$$\pi^* = \arg\min_{\pi} \left( D(\pi) + \lambda R(\pi) \right)$$

is generally computationally impractical, since many factors have to be considered from source coding, channel coding, and authentication, and their couplings.

• A more practical approach is to:
1. Consider overall resource allocation among source coding, channel coding, and authentication.
2. Perform iterative independent optimization across each of them.
– Some parameter values may be assigned empirically, fixed, or omitted.


A. Application to Scalable Image Coding Scheme

• Source and channel factors are temporarily ignored [refer to (2)].

• Scalable media coding is examined because it encodes the bitstream into different sets of bits of differing importance.

• The latest image coding standard, JPEG-2000, is chosen because:
– It has great potential for navigating or streaming very large images such as maps, satellite images, and motion images.
– During JPEG-2000 encoding, each so-called JPEG-2000 packet is associated with a quantity ∆D, which is the amount by which the overall distortion will be reduced if the packet is consumed by the decoder or, if it is lost, how much distortion it will incur.

• So, an intuitive idea for exploiting information about the content for authentication is as follows:
– For more important packets (i.e., larger ∆D), to increase their verification probability (and also the overhead), we can replicate and append their hashes in greater numbers to other packets.
– Conversely, we can allow lower verification probability for the less important packets in order to lower the overhead.


A. Application to Scalable Image Coding Scheme (Cont.)

• To demonstrate the effectiveness of adapting the authentication redundancy to the distortion:

– The image is encoded using JPEG-2000 with only one layer (to neutralize layer structure).

– All packets are empirically categorized into three classes with an equal number of packets according to their importance (i.e., ∆D):
  • For the most important packets, their hashes are repeated 3 times.
  • The middle-importance packets have their hashes repeated twice.
  • The least important packets have theirs repeated once.

The redundancy degree is two on average.


A. Application to Scalable Image Coding Scheme (Comparison Between Different Schemes - Distortion)

• Scheme WITHOUT_AUTH is used where packets are sent in the order they appear in the JPEG-2000 code-stream, and no authentication is applied. It represents an upper bound on the performance of any authentication scheme.

• CONTENT_AUTH consistently outperforms the other schemes at all network loss rates.


A. Application to Scalable Image Coding Scheme (Comparison Between Different Schemes - Verification)

• When the loss rate is less than 0.1, CONTENT_AUTH has a slightly lower verification probability.

• When the loss rate is larger than 0.1, a flat redundancy degree of two for all packets is not sufficient.


A. Application to Scalable Image Coding Scheme (Conclusion)

Figs. 6 and 7 demonstrate that:

– While CONTENT_AUTH sometimes has lower verification probability than the other authentication schemes, it still produces higher PSNR.

– Therefore, CONTENT_AUTH provides improved distortion-overhead performance because its authentication overhead is added in a more cost-effective manner based on the content importance.
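A worked instance of the RDA quantities, added here as an illustration and not taken from the paper or the slides: it evaluates the authentication rate of Eq. (3) and the expected distortion of Eq. (4) for a flat redundancy degree of two against the 3/2/1 content-aware allocation. The ∆D values, the hash and signature sizes, and the independent-loss model for the decodable and verifiable probabilities are assumptions made for the example.

```python
SIZ_SIG = 128    # assumption: signature size in bytes
SIZ_HASH = 20    # assumption: hash size in bytes

def auth_rate(degrees):
    """Eq. (3): one signature plus one hash per outgoing edge of every packet."""
    return SIZ_SIG + SIZ_HASH * sum(degrees)

def p_verifiable(k, loss):
    """Assumed model: P_m is verifiable if at least one of the k packets carrying
    its hash arrives (carriers are taken to be verifiable themselves)."""
    return 1.0 - loss ** k

def expected_distortion(d0, delta_d, degrees, loss):
    """Eq. (4): D_0 minus each packet's dD weighted by P(decodable) * P(verifiable)."""
    p_decodable = 1.0 - loss  # assumed: a packet is decodable iff it arrives
    gain = sum(dd * p_decodable * p_verifiable(k, loss)
               for dd, k in zip(delta_d, degrees))
    return d0 - gain

def content_aware_degrees(delta_d, classes=(3, 2, 1)):
    """Three equal-size importance classes by dD, hashes repeated 3, 2 and 1 times."""
    order = sorted(range(len(delta_d)), key=lambda m: delta_d[m], reverse=True)
    size = max(1, len(delta_d) // len(classes))
    degrees = [classes[-1]] * len(delta_d)
    for rank, m in enumerate(order):
        degrees[m] = classes[min(rank // size, len(classes) - 1)]
    return degrees

def evaluate(d0, delta_d, degrees, loss, lam):
    """Return (R_a, mean verification probability, D_a, D_a + lam * R_a)."""
    r = auth_rate(degrees)
    v = sum(p_verifiable(k, loss) for k in degrees) / len(degrees)
    d = expected_distortion(d0, delta_d, degrees, loss)
    return r, v, d, d + lam * r

# Constructed sample: nine packets with strongly skewed dD values.
DELTA_D = [900, 4, 60, 600, 1, 40, 400, 25, 2]
D0 = 2100.0  # constructed: distortion when no packet is consumed

if __name__ == "__main__":
    flat = [2] * len(DELTA_D)
    aware = content_aware_degrees(DELTA_D)
    for name, deg in (("FLAT", flat), ("CONTENT_AWARE", aware)):
        r, v, d, j = evaluate(D0, DELTA_D, deg, loss=0.1, lam=0.05)
        print(f"{name:14s} R_a={r}B  verif={v:.3f}  D_a={d:.2f}  J={j:.2f}")
```

With these constructed values both allocations spend the same authentication rate, and the content-aware one has the lower mean verification probability yet the lower expected distortion.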


B. Application to Non scalable Video Coding Scheme

• Assumes offline streaming (pre-encoded video to be streamed).

• Motivated by recent advances in Rate-Distortion Optimized (RaDiO) streaming techniques, which compute a packet transmission policy (which, when, and how) that minimizes the expected end-to-end distortion at the receiver, subject to a constraint on the average transmission rate.

– A packet transmission schedule is computed based on the packet transmission policy.


B. Application to Non scalable Video Coding Scheme (Cont.)

• Given an encoded video with associated authentication information, the steps are:

1. Compute the important quantities associated with each packet:
• The distortion increment, packet size, and display time are the same as in conventional RaDiO techniques.
• The overhead size can be computed from the topology of the authentication graph.

2. At every transmission opportunity, the R-D optimization process selects the best packet(s) for transmission based on their parameters (i.e., based on the policy). For example, packets:
• With higher importance (distortion increment + authentication importance).
• With smaller size (packet size + overhead size).
are assigned more transmission opportunities.

The overall output is the transmission schedule.


B. Application to Non scalable Video Coding Scheme (Performance measures)

• Performance is highlighted via simulation results using:

– The latest video compression standard H.264.

– The performance of the original RaDiO without authentication as an upper bound for all other systems.

– R-D performance plot with 3% packet loss and time-varying delay.

• Dumb_AC method implements a straightforward transmission of video packets protected with Augmented chain (AC), which is claimed optimal for generic data streaming.


B. Application to Non scalable Video Coding Scheme (Performance measures)

• RaDiO_Butterfly_Aware outperforms the others because it computes the transmission policy based on both the packets’ distortion increments and their authentication importance.

• At low bandwidths, the authentication-unaware RaDiO fails, and the proposed authentication-aware RaDiO provides an R-D curve that drops gracefully in parallel with the upper bound.

• However, we still notice that there is a performance gap between RaDiO and RaDiO_Butterfly_Aware (which is larger than the 8 kb/s rate for authentication overhead), which remains as our future work.

• The gap in performance between Aware/Unaware-RaDiO_Butterfly can be used to estimate the gain of authentication awareness.


ADDITIONAL COMMENTS on designing an application-oriented media delivery authentication system.

• A clear understanding of the desired security service is critical. For example what type of manipulations, and how many, should the system be able to authenticate?

– Might require authenticating the media at the content level.

– The possible range of manipulations may be much larger and harder to describe, thereby making the security analysis much more difficult.

– Generally, as the number and range of acceptable content manipulations is increased, the provable achievable system security will decrease.

• Jointly employing both stream-based and content-based authentication methods through resource allocation across both of them can be an interesting direction for future research.


Summary

• Conventional data authentication techniques are not suitable for media streaming.

• By applying conventional cryptographic hashes and digital signatures, we can achieve a level of media security similar to that achievable in conventional data security.

• When the coded media is loss tolerant, then authentication should be loss tolerant as well.

• Reviewed some existing stream-based methods.


Summary (Cont.)

• Instead of optimizing packet verification probability, we optimize the quality of the authenticated media.

• The quality of the authenticated media is optimized by unequal authentication protection and resource allocation.

• Performance improvements were illustrated using a number of simulation experiments.

• We believe that authentication for streaming media is an important technical problem that will increase in practical importance as media streaming continues to gain in popularity.