Title: A%20System%20for%20End-to-end%20Authentication%20of%20Adaptive%20Multimedia%20Content
1A System for End-to-end Authentication of
Adaptive Multimedia Content
- T. Suzuki1, Z. Ramzan2, H. Fujimoto1, C. Gentry2,
T. Nakayama1, and R. Jain2 - 1NTT DoCoMo, Inc.
- 2DoCoMo Communication Laboratories, USA
2Background
- Adaptive (derivative) content distribution
systems - Application examples
- Content customization
- Based on preference, device capability, location,
etc - Personalized advertisement insertion
- Content creation
- Create original content using commercially
available content - Add Flash/movie clip to music clip
- Extract movie/music clip for audio/visual ring
tone
Tier-1 Provider
Tier-2 Provider
Content User
Original Content
Derived Content
3Benefit of content adaptation services
- for Tier-1 providers
- Revenue from both original and derived content
- Content reuse
- for Tier-2 providers
- High quality content from tier-1 providers
- Revenue from value-added content
- for End-user
- Value-added content from tier-2 provider
4Objective of this study
- Achieve adaptive content distribution, with
end-to-end authenticity of content. - Tier-1 provider can protect original content and
its usage policy from illegitimate modification. - Tier-2 provider can protect value-added content
and additional policy. - End-user can verify the authenticity of both
original and derived content.
5Challenge contribution
- Challenge
- Achieve end-to-end authenticity while allowing
insertion of content as well as deletion by
authorized tier-2 providers - Control the place for content insertion
- Avoid deletion of the inserted content without
detection - Low communication and computation overhead
- Contribution
- Place-holder extension to Merkle-tree based
signature scheme - Embodiment of the extension using trapdoor hash
function
6Merkle tree, signing
ve
Signature ltve, Sig0(ve)gt
vi hash ( xi vi0 vi1 )
v0
v1
Construct
Verify
v00
v01
v10
v11
v000
v001
v010
v011
v100
v101
v110
v111
x000
x001
x010
x011
x100
x101
x110
X111
X
7Merkle tree, deletion
ve
Signature ltve, Sig0(ve)gt
vi hash ( xi vi0 vi1 )
v0
v1
Construct
Verify
v00
v01
v10
v11
v000
v001
v010
v011
v100
v101
v110
v111
x000
x001
x010
x011
x100
x101
x110
X111
X
8Merkle tree, placeholder extension
- Signer allocates placeholder in hash tree, so
that Proxy can insert content and commit to it.
ve
Signature ltve, Sig0(ve)gt
vn
Placeholder
Information specifying the placeholder
vn0
vn1
9Realization using conventional signature scheme
(CS)
- Signer places Proxys public key in the
placeholder. - Proxy attaches its content and signs it
separately.
Signer
Proxy
Signature ltve, Sig0(ve)gt
ltProxys signgt
ve
vn
Placeholder
Placeholder
Public key of Proxy
Public key of Proxy
vn0
vn1
vn1
m
10Realization using hash-sign-switch (HSS)
- Trapdoor hash function
- A special type of hash functions
- The owner of trapdoor key can find collision of
hash. - Trapdoor hash TH HY(m, r)
- Trapdoor key X and public key Y
- If X is unknown, there is no efficient algorithm
- to find (m1, r1) and (m2, r2), (m1?m2)
- such that HY(m1, r1) HY(m2, r2)
- If X is known, there is an efficient algorithm
given m1, m2(?m1), r2 - to find r2
- such that HY(m1, r1) HY(m2, r2)
11Realization using hash-sign-switch
- Signer places TH and Y generated by Proxy in the
placeholder. - Proxy attaches its content m and its commitment r.
Signer
Proxy
r
Signature ltve, Sig0(ve)gt
ve
vn
Placeholder
Placeholder
TH and Y generated by Proxy
TH and Y generated by Proxy
vn0
vn1
vn1
m
12Block diagram of HSS scheme
Tier-2 provider
Tier-1 provider
End User
Generate parameters X, Y, r, m
Trapdoor Hash TH HY(m, r)
TH, Y, r, m
Set Placeholder in hash tree
Commitment r TH HY(m, r)
X, r, m
TH
m
r
Sign
Verify
Sign TH
Sign TH r
r
SignTH
TH
TH
m
13Construction of a trapdoor hash function
- Based on discrete logarithm assumption (DLA)
- Let q, p be primes such that q p-1
- Let g be an element of order q in Zp
- Trapdoor key x is random number from Zq
- Public key y gx mod p
- Hy(m, r) gmyr
- To find r2 such that Hy(m1, r1) Hy(m2, r2)
byr2 ( m1 - m2 ) x -1 r1
14Limited reuse of placeholder
- In DLA based hash-sign-switch, a placeholder can
be used only once, otherwise trapdoor key x
leaks. - Modification to enable k-time reuse
- Generate k public keysyi gxi (mod p) 1 i
k - Compute hash TH gmy1r (mod p)
- To insert i-th content mi, Proxy computesri
(m rx1 mi) xi-1 mod q - Verifier checks gmiyiri TH
15Preventing removal of inserted content m
- Proxy signs each of its placeholders regardless
of whether it wishes to insert content into it. - Then, any placeholder without a signature
constitutes evidence that Proxys content was
illegitimately deleted. - Proxy aggregates its signature with Signers
signature. - Since it is impossible for a third party to
disaggregate the signatures, Proxy can ensure
that m cannot be removed without detection. - Example BGLS aggregate signature scheme 19
16Prototype System
Meta-data level adaptation
Original Meta-data
Tier-1 Provider
Tier-2 Provider
Modified Meta-data
Primary Media File
Secondary Media File
Modified Media File/Stream
Media Servers
Content User
- Apply the proposed signature scheme for meta-data
level adaptation
17Assumptions in our prototype
- User device (e.g., mobile phone) is trusted by
tier-1, tier-2 providers, and end users. - To detect modification against usage rule.
- To detect modification against commitment.
- To verify content authenticity.
- To take appropriate response upon detection of .
18Information flow
Tier-1 provider
Tier-2 provider
User device
Tier-2 provider
Tier-2 provider
Placeholder provisioning service
Space for Ad. phidm
Information for placeholder
Request Placeholder
Space for Ad. phidn
Build hash tree with placeholder
Insert elements
Commit
Sign
Verify
Equivalent to SMIL document structure
19Implementation
- Content of meta-data
- Scene description written in W3C/SMIL
- Usage policy and evaluation of modification
- OASIS/XACML
- Signature on meta-data
- W3C/XML-DSIG with extension to support hash tree
and placeholder extension - Placeholder request from tier-2 to tier-1
provider - W3C/SOAP
- Verification module
- HTTP proxy which evaluates a signed SMIL
document, and outputs a normal SMIL document.
20SMIL document to be signed
lt?xml version1.0?gt ltsmilgt lthead/gt ltbodygt lts
eqgt ltpargt ltvideo srcrtsp//tyer-1/video1.
rm/gt ltvideo srcrtsp//tyer-1/music1.rm/gt
lt/pargt ltpargt ltvideo
phid1/gt lt/pargt lt/seqgt lt/bodygt lt/smilgt
URLs of multimedia content which construct the
scene
Placeholder with ID (phid) of 1
21Signed SMIL document
lt?xml version1.0?gt ltDocumentRootgt ltPolicy/gt
ltsmil/gt ltSignaturegt ltSignedInfogt ltCanonic
alizationMethod/gt ltSignatureMethod/gt ltReferenc
e URI/DocumentRoot/Policy /gt ltReference
URI/DocumentRoot/smil/head /gt ltReference
URI/DocumentRoot/smil/bodygt ltDigestMethod
AlgorithmHashTreeConstruction/gt ltDigestValue
gt root_node_of_hash_tree lt/DigestValuegt lt/Refere
ncegt ltTrapdoorHashMethod AlgorithmDiscrete
Log phid1gt ltPublicValuegt
public_values_of_trapdoor_hash lt/PublicValuegt lt
TrapdoorHashValuegt trapdoor_hash_value
lt/TrapdoorHashValuegt lt/TrapdoorHashMethodgt lt/Si
gnedInfogt ltSignatureValuegt Signature
lt/SignatureValuegt lt/Signaturegt lt/DocumentRootgt
Contains XACML policy document
XML-DSIG with extension
22SMIL element after adaptation
- One video URL is deleted
- One video URL is inserted
ltsmilgt lthead/gt ltbodygt ltseqgt ltpargt ltvideo
srcrtsp//tyer-1/video1.rm/gt ltvideo
adaptationdelete/gt lt/pargt ltpargt
ltvideo phid1 srcrtsp//tyer-2/xxx.rm
adaptationadd/gt lt/pargt lt/seqgt
lt/bodygt lt/smilgt
23Signature element after commitment
- Add commitment value corresponding to the
inserted content (identified by phid)
ltSignaturegt ltSignedInfogt ltCanonicalizationMetho
d/gt ltSignatureMethod/gt ltReference
URI/DocumentRoot/Policy /gt ltReference
URI/DocumentRoot/smil/head /gt ltReference
URI/DocumentRoot/smil/body /gt ltTrapdoorHashMeth
od AlgorithmDiscrete Log phid1/gt
lt/SignedInfogt ltSignatureValue/gt ltAdditiveSigna
ture phid1gt ltCommitmentValuegtCommitment_Value
_of_TrapdoorHash lt/CommitmentValuegt lt/AdditiveSig
naturegt lt/Signaturegt
24Performance evaluation
- Platforms
- Modules in tier-2 provider (SMIL document
adaptation, policy check, commitment) - 3GHZ Pentium 4 with 1GB memory, running Redhat
Linux 2.4.20. - Modules in user device (signature and commitment
verification, policy check) - 866MHz Pentium III machine with 512 MB memory,
running Windows XP. - Parameter of public key signature
- 1024-bit DSA-SHA1 in XML-DSIG
- 1024-bit modulus for trapdoor hash (DLA)
25Computational overhead in tier-2 provider
- HSS can reduce commitment overhead by 95
compared to CS.
26Computational overhead in user device
- The verification overhead of HSS is higher than
CS by 32.
27Overall computational overhead
28Alternative approach for secure adaptive content
distribution
- Trusted content sharing system10 Content
adaptation on a trusted host - Tier-1 provider trusts the host to enforce access
policy. - Tier-1 provider trusts the host to sign the
content on its behalf. - In our system, we assume weak trust between
tier-1 and tier-2 providers. - Tier-2 buys original content subject to its usage
rule. - Tier-1 presumes tier-2 might try to perform
illegal modification of content and its usage
rule. - (We assume strong trust on user devices.)
29Related works
- Homomorphic signature scheme 12
- Permit selective content removal
- Merkle trees are used to create message digest
- Deletions involve creating a small cover for the
subset of the removed data items - We proposed placeholder extension to the Merkle
tree based signature scheme, and proposed two
schemes to realize the placeholder.
30Future works
- Other components to realize adaptive content
protection - Content encryption
- Key management
- Media data protection (streaming, mp4 file, etc)
- Etc
31Conclusion
- Presented adaptive content distribution system
with end-to-end authenticity. - Proposed a Merkle tree based signature scheme
with placeholder extension. - Proposed two scheme to realize the placeholder
- Conventional signature (CS)
- Hash-sign-switch (HSS)
- HSS can reduce commitment overhead at Proxy at
the cost of verification overhead.