Information Hiding

Steganography
Digital watermarking
- Fingerprinting
Methods
Attacks

Classification

Why is it important?

Copy protection have never really worked - needs tamper-proof hardware
Instead we can try to detect copies
- Tracing original owner
- Detecting who made the copy
Sending secret messages without using cryptography

Who is interested?

Military and intelligence agencies
Criminals
Law enforcement and counter intelligence
Secret communication without encryption

Terminology

The information to be hidden (watermark, fingerprint, a secret message) is embedded in a cover object (cd, video, text) giving stego object (marked object).
The embedding is done with a key, a secret variable that is in general known to the object's owner.
The recovery of the embedded mark may or may not require a key

Steganography

General problem:
- Alice and Bob are in prison and need to communicate with each other to discuss their break out plan
- All messages have to through the warden Wendy
- If the warden notice any suspicious messages all communication between Alice and Bob will stop
Lot of historical examples (invisible ink, microfilm, etc.)

Wisdom from cryptography

Kerckhoffs principle:
- Assume that the attacker knows the methods
Secure steganography:
- An opponent who doesn't know the key cannot obtain any evidence of the communication

Pure steganography

No key is necessary
E: C x M -> C
D: C -> M
Relies on the secrecy of the method

Secret key steganography

Uses a shared and secret stego-key
E: C x M x K -> C
D: C x K -> M

Public key steganography

Two keys: one public and one private

Active warden

It is conjectured that neither public key steganography nor pure steganography is possible with an active (malicious) warden
A public key needs to be certified - Alice and Bob have no means of certifying the keys when all communication goes through the warden Wendy.

Security of steganography systems

Three parts: detecting, extracting and disabling embedded information
Requirements for secure steganographic algorithms:
- Messages are hidden using a public algorithm and a key; the secret key must identify the sender uniquely
- Only the holder of the correct key can detect, extract, and prove the existence of the hidden message. Nobody else should be able to find any statistical evidence of a message's existence
- Even if the enemy knows the contents of one hidden message, he should have no chance of detecting others
- It is computationally infeasible to detect hidden messages

Digital watermarking

Additional requirement: robustness
There should be no way of removing the embedded information without rendering the cover object unusable
Visible watermarks
Imperceivable watermarks
Fingerprinting: a unique watermark in each object

Applications

Watermarking for copyright protection
- Embed information about the owner of the object
- Used resolve rightful ownership
- Requires a very high level of robustness
Fingerprinting for traitor tracking
- Each object have unique watermark identifying for example the buyer of a object
- Copies can be traced
Automatic audit of radio transmission
Data augmentation
Automatic monitoring of copyrighted material on the Web

Robustness

Watermarks should resist any kind of distortion introduced by standard or malicious data processing
No such method has be proposed so far
- Not clear yet if it is possible
IFPI (International Federation for the Phonographic Industry) robustness requirements:
- The marking mechanism should not affect the sonic quality of the sound recording
- The marking information should be recoverable after a wide range of filtering and processing operations (D/A and A/D conversion, MPEG compression, adding a second mark with the same system, etc.)
- There should be no other way to remove or alter the embedded mark without sufficient degradation of the sound quality as to render it unusable

Methods

LSB
Echo Hiding
More advanced uses other domains: Discrete Cosine Transform (DCT), Fourier transform, Wavelets

Least Significant Bit tweaking

Represent the object as vector of integers
Change the least significant bit in either all or some integers to represent a 1 or 0 in the mark
For sound: e.g. 16 bit samples
For images: e.g. red, blue or green components, luminance or chrominance components
Depending on the amount of embedded information it is quite imperceivable

Echo hiding

Advanced audio marking systems
Inserts echos (delay in the 0.5-2 ms range) that cannot be perceived
Two different echos gives ones and zeros
Survives compression
Obvious attack: detect and remove echo

Attacks

Robustness attacks
Presentation attacks
Interpretation attacks

Attacks - Jitter Attack

Attacks against audio marking systems that tweak low order bits whose locations is specified by a key
First implementation:
- Split the signal into chunks of 500 samples
- Duplicate or remove on sample from each chunk, giving chunks of 499 or 501 samples
- "Almost imperceptible"
- Impossible to find the mark - we cannot use the key to find the bits anymore
Better implementation:
- Resample the chunks at a lower or higher frequency

StirMark

Most image marking schemes survive basic manipulations: rotation, compression, resizing
Combinations are often not handled though
StirMark: tool developed for simple robustness testing of image marking systems
Applies minor distortions
Defeats most commercial image marking systems

StirMark

Images are slightly stretched, sheared, bent, rotated etc.

Mosaic Attack

'Presentation Attack'
Designed to defeat systems combining watermarks and web crawlers
The image is chopped into smaller pieces and put together in the web page in e.g. a table
Each sub-picture must be small enough such that the (partial) watermark can no longer be detected (for that sub-picture)

Summary

New field computer security - general theories do not exist yet
It is still not clear if perfect (with regard to robustness) watermarking systems is possible
Most commercial system is easily defeated

More information

Information Hiding Techniques for Steganography and Digital Watermarking
Information Hiding - A Survey, Petitcolas F.A.P, Anderson R.J, Kuhn M.G.

Example questions from exams

90-100 points
Allowed aids:
- Writing and drawing tools
- English/Native language dictionary

11 Points

Explain the following cryptanalytic attacks:

a) Ciphertext-only attack. (2p)

b) Known-plaintext attack. (3p)

c) Chosen-plaintext attack. (3p)

d) Chosen-ciphertext attack. (3p)

Solution

Ciphertext-only attack.
The cryptoanalyst has the cipher-text of one or several messages. We want to recover the plain-text or (better) the key.
Known-plaintext attack.
We have not only the cipher-text, but also the plain-text of several messages. We want to recover the key.
Chosen-plaintext attack.
We get to select the plain-text that gets encrypted. We want to recover the key.
Chosen-ciphertext attack.
We can chose what cipher-texts get decrypted.

12 Points

Suppose that the substitution and permutation used in each round of a DES system when taken together map every 32-bit value to zero regardless of the value of its input. What output would this DES then produce? Justify your answer. Otherwise, even if you get the correct answer, you will get ZERO points.

DES

Input = Output

5 Points

Write a short explanation (one or two sentences is enough) of the following terms:

Malicious code
Covert channel
Control (as used in computer security)
Reference monitor
Inference attack

Solution

Malicious code

Covert channel

Control (as used in computer security)

Reference monitor

Inference attack

inferred

15 Points

There are many reasons why personal computer security management is a problem. Describe at least 5 controls for personal computer security, and motivate why they enhance personal computer security.

Solution

Perform regular backups
Practice separation of duty
Use strong operating systems (with access control, memory protection, file protection etc.)
Educate users
Secure the equipment
Use virus software
Don't leave computers unattended

5 Points

What are the security risks with the Unix set userid (setuid, suid) feature? (The feature were the privileges of a program running is not the privileges of the user that runs it, but the privileges of the owner of the program executable file.)

Solution

If there is an exploitable flaw (intentional or unintentional) in the program, an attacker might gain access to the whole system (e.g. if the owner of the setuid program has system administration rights, such as root in Unix).

10 Points

Discuss two advantages of paging as a memory protection scheme and two advantages of segmentation as a memory protection scheme. What are the disadvantages of the different memory protection schemes?

Solution

Segmentation:
- + Users can share access to segments
- + Users cannot access unpermitted segments
- - Programmers need to be aware of segments
- - Unefficient
Paging:
- + Same as segmentation
- - (Limited) fragmentation

5 Points

Passwords are often stored in encrypted form to enhance security. Why is it a security risk to allow access to the encrypted passwords, even though the encryption might be one-way (that is, there is no way to decrypt a password)?

Solutions

An attacker can then easily try to crack passwords in two ways:

Brute force: use one or several fast computer to try all combinations of passwords by encrypting them and comparing them to the encrypted passwords.
Dictionary attack: instead of trying all the different passwords it is often enough to try only likely passwords, e.g. the names of the users, words in a dictionary.

10 Points

Describe at least two different ways to do secure authentication of users over a network. Describe your assumptions of the security of the network and the hosts, and eventual weaknesses with the different schemes.

Solution

Examples: Public key cryptography (e.g. as used in PGP, SSL, ssh, etc.), Kerberos, Automatic call back, etc. See the book for details.