OASIS PI Meeting, February 13-16, 2001
Odyssey Research Associates, SL 01-0002
Cornell Business & Technology Park, 33 Thornwood Drive, Suite 500, Ithaca, NY 14850-1250, (607) 257-1975

Semantic Data Integrity

David Rosenthal, Odyssey Research Associates

Team Members

• Odyssey Research Associates (a subsidiary of Architecture Technology Corporation)
  – David Rosenthal, Matt Stillerman, David Guaspari, Francis Fung
• WetStone Technologies, Inc.
  – Chet Hosmer, Milica Barjaktarovic, Mike Duren, Chris Francis, Gary Gordon, Tony Delrocco
• SUNY Binghamton
  – Jiri Fridrich

Scope of Talk

• Briefly describe the overall project
• Concentrate on one aspect, hierarchical hashing

Technical Objectives

• Develop improved data integrity methods to identify and recover attacked data
  – localize possible alterations
  – provide partial recovery and attack information, where feasible
• Emphasis of work has been on images

Potential Attack

• An attacker may be able to maliciously alter an image in an attempt to cause a bad outcome

• If they have write access to the data, they could simply delete or totally corrupt the object. We consider the case in which they are trying to subvert some activity by partially altering the data

• To be successful the attacker will need to cover their tracks
  – Make it appear that there is no damage, or that it is in a different location

Technical Approach

• Developed techniques for protecting and verifying data subsets
  – Developed new watermarking/self-embedding techniques
  – Developed and analyzed hierarchical hashing methods
• Implemented these techniques in a software tool called Image Fault Isolation and Recovery Engine (I-FIRE)

• Additional protection information is saved separately in Digital Semantic Integrity (DSI) mark

I-FIRE Software: Protection Phase

[Figure: protection-phase data flow. Blocks: Image, User parameters, Image segmentation, Image protection, Modified image, DSI mark. The modified image leaves over the insecure channel; the DSI mark leaves over the secure channel.]

I-FIRE Software: Verification Phase

[Figure: verification-phase data flow. Inputs: the suspect image (insecure channel) and the DSI mark (secure channel). Blocks: Image verification, Image recovery. Output: Verified/recovered image.]

I-FIRE Segmentation

[Figure: two panels, "Original Image" and "Segmented Image".]

I-FIRE Segment Verification

[Figure: two panels, "Forged Image" and "Segment Level Image Verification".]

Hierarchical Segmentation

• Segments are hierarchical (by containment)
• Different hash methods can be applied to root, leaves, and intermediate segments
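The protection and verification phases sketched on the preceding slides, as an added example that is not I-FIRE code: a small Python script segments a constructed 4x4 grey-level image into 2x2 cells, hashes the cells with a different digest length at each level of a three-level hierarchy (cells, rows of cells, root), returns the result as a DSI mark to be kept separately from the image, and on verification reports which cells and rows no longer match. The fixed-grid segmentation, the three-level layout, the per-level digest lengths and the sample image are assumptions for illustration; the slides do not specify them, and watermarking/self-embedding recovery is not covered here.

```python
"""Hierarchical hashing of a segmented image with per-segment verification.
Added example, not I-FIRE code. The image, the fixed-grid segmentation and
the three hash levels (cell, row of cells, root) are constructed for illustration."""
import hashlib
from copy import deepcopy

# Constructed sample "image": 4 rows x 4 columns of 8-bit grey values.
IMAGE = [
    [10, 10, 20, 20],
    [10, 10, 20, 20],
    [30, 30, 40, 40],
    [30, 30, 40, 40],
]
CELL = 2  # side length of one cell (assumed fixed-grid segmentation)


def segment(image, cell=CELL):
    """Fixed-grid segmentation: {(cell_row, cell_col): bytes of that cell}."""
    cells = {}
    for r in range(0, len(image), cell):
        for c in range(0, len(image[0]), cell):
            block = [image[i][c:c + cell] for i in range(r, r + cell)]
            cells[(r // cell, c // cell)] = bytes(v for row in block for v in row)
    return cells


# A different hash method per level of the hierarchy (digest lengths are assumptions):
def leaf_hash(data):         # leaves: short digest per cell, enough to localize damage
    return hashlib.sha256(data).hexdigest()[:8]


def row_hash(leaf_digests):  # intermediate: medium digest over one row of cells
    return hashlib.sha256("|".join(leaf_digests).encode()).hexdigest()[:16]


def root_hash(row_digests):  # root: full-length digest over all rows
    return hashlib.sha256("|".join(row_digests).encode()).hexdigest()


def build_tree(image):
    """Compute the leaf, row and root digests of an image."""
    cells = segment(image)
    leaves = {key: leaf_hash(data) for key, data in cells.items()}
    rows = sorted({key[0] for key in leaves})
    row_digests = {r: row_hash([leaves[k] for k in sorted(leaves) if k[0] == r]) for r in rows}
    return {"leaves": leaves, "rows": row_digests, "root": root_hash([row_digests[r] for r in rows])}


def protect(image):
    """Protection phase: the returned DSI mark must be stored or sent separately
    from the image over the protected channel, or an attacker could rewrite it."""
    return build_tree(image)


def verify(suspect, mark):
    """Verification phase: the root says whether anything changed; the leaf and
    row digests say where (cells and rows that no longer match the mark)."""
    tree = build_tree(suspect)
    return {
        "root_ok": tree["root"] == mark["root"],
        "bad_rows": sorted(r for r, h in tree["rows"].items() if h != mark["rows"].get(r)),
        "bad_cells": sorted(k for k, h in tree["leaves"].items() if h != mark["leaves"].get(k)),
    }


def alter_pixel(image, r, c, value):
    """Constructed alteration for the demo: one pixel of a copy is changed."""
    altered = deepcopy(image)
    altered[r][c] = value
    return altered


if __name__ == "__main__":
    mark = protect(IMAGE)
    print(verify(IMAGE, mark))                         # nothing changed
    print(verify(alter_pixel(IMAGE, 2, 3, 99), mark))  # cell (1, 1), row 1 and root no longer match
```

The leaf digests are deliberately short: many small hashes localize damage to a single cell, but each of them is individually easier to satisfy than the full-length root digest, which is the tradeoff between strength of protection and damage isolation that the talk goes on to discuss.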

Intersecting Hash Methods

• Intersecting hashes
  – Permit the sets of covered cells for two different hashes to intersect
  – Hierarchical hashing is a special case of this
• Intersecting hash techniques permit a tradeoff between
  – strength of protection
  – diagnostic ability / damage isolation

Attack Method

• If the attacker does not know about the hashes or the hashing scheme
  – then even relatively weak methods will be effective in localizing the damage

• What if attacker has access to the hashes and the hash method?

• We assume DSI mark is stored and transmitted in a protected fashion, so that an attacker cannot just change the hash values

• Attacker will need to adjust the picture to get the hashes to check

• How hard is this?

Forgery Strategies and Strength of Protection

• Assume that Cell 2 is modified
• Compensating with Cell 2 costs |h1| * |h2|
• Compensating with Cell 1 and then Cell 3 costs |h1| + |h2|

[Figure: three diagrams, each showing Hash 1 and Hash 2 over Cell 1, Cell 2, Cell 3.]

Example: Sequential Forgery Repair with Hierarchical Hashes

• Fix hashes in two stages
  – First Correction: Fix three hashes of left branch
  – Second Correction: Fix two hashes of right branch

[Figure: hash tree with the cell marked "To be forged".]

Strength of Hierarchical Hashes

• Strength of protection can be defined in terms of the cost of the attacker's best strategy.
  – This value is important because we want to identify correct subsets with sufficient assurance
  – Want to find an efficient method to compute the strength of protection
• The analysis presented here assumes no secret information
• In our analysis we assume
  – The cost of defeating a single hash depends only on its depth in the tree of hashes. (We can handle modest variants.)

Strength of Hierarchical Hashes (cont.)

• To find the best attacker strategy it suffices to consider only normal attacks:
  – Don't fix the same hash twice
  – Every step fixes at least one broken hash
• With an extra assumption on the cost function (essentially, that costs multiply):
  – Suffices to consider only attacks in which each step manipulates a single cell.

Finding a Minimal Attack: Definitions

• The depth of a node is the length of the path from the node to the root.

• The floor of node h, (h), is the minimum of the depths of all the leaves below h.

Example of Depth and Floor

[Figure: example hash tree. Root h; hash nodes h6, h7, h8; hashes h1 through h5 cover Cell 1 through Cell 5 respectively; levels labelled Depth 1 to Depth 4. Floors shown: (h) = 3, (h6) = 3, (h8) = 4, (h2) = 4.]

Strategy for Hierarchical Hashes

• Attacker’s best algorithm:
  – In steps: reduce the size of the branch to be fixed from the bottom up
  – For each step
    • Find a cell of minimum depth under the unfixed part of the branch
    • Fix all hashes above that cell whose floor is the depth of that cell

Example of Algorithm

[Figure: the same hash tree as in "Example of Depth and Floor": root h; hash nodes h6, h7, h8; h1 through h5 over Cell 1 through Cell 5; floors (h) = 3, (h6) = 3, (h8) = 4, (h2) = 4.]

• Change {Cell 2}
  – Broken hashes are: {h2, h8, h6, h}
• Steps
  – Adjust Cell 2 to fix {h2, h8} - floor 4
  – Adjust Cell 1 to fix {h1, h6, h} - floor 3
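The cost rules from "Forgery Strategies and Strength of Protection" (several hashes satisfied by one cell adjustment cost the product of their individual costs; separate adjustments add) and the bottom-up strategy from "Strategy for Hierarchical Hashes", worked through in Python as an added example that is not part of the original slides. The tree is a reconstruction of the slide's example (h over h6 and h7; h6 over h1 and h8; h8 over h2 and h3; h7 over h4 and h5; h1 through h5 each over Cell 1 through Cell 5), the per-depth costs are constructed, and reading "the unfixed part of the branch" as "the deepest still-unfixed hash" is an interpretation; under it the code reproduces the slide's two steps for a change to Cell 2 and compares their cost with repairing every broken hash through Cell 2 alone.

```python
"""Attack-cost model for hierarchical hashes (added example, not I-FIRE code).
Cost rules from the slides: hashes fixed by one cell adjustment in a single
step cost the product of their individual costs; separate steps add.
The tree is a reconstruction of the slide's example; per-depth costs are constructed."""
from math import prod

TREE = {  # hash node -> children (assumed layout of the slide's example tree)
    "h": ["h6", "h7"], "h6": ["h1", "h8"], "h8": ["h2", "h3"], "h7": ["h4", "h5"],
    "h1": ["Cell 1"], "h2": ["Cell 2"], "h3": ["Cell 3"], "h4": ["Cell 4"], "h5": ["Cell 5"],
}
ROOT = "h"
PARENT = {child: parent for parent, children in TREE.items() for child in children}


def cost_of_depth(d):
    """Constructed cost of defeating one hash, depending only on its depth
    (root = 0): 2**bits, with fewer bits at deeper, smaller segments."""
    return 2 ** (8 - 2 * d)


def depth(node):
    """Length of the path from node to the root."""
    d = 0
    while node != ROOT:
        node, d = PARENT[node], d + 1
    return d


def leaves_below(node):
    if node not in TREE:  # cells are the leaves
        return [node]
    return [leaf for child in TREE[node] for leaf in leaves_below(child)]


def floor_of(node):
    """The slide's floor: minimum depth of the leaves below node."""
    return min(depth(leaf) for leaf in leaves_below(node))


def hashes_above(cell):
    """Hashes on the path from a cell up to the root, bottom-up."""
    path, node = [], cell
    while node != ROOT:
        node = PARENT[node]
        path.append(node)
    return path


def broken_hashes(changed_cell):
    return set(hashes_above(changed_cell))


def plan_attack(changed_cell):
    """Bottom-up strategy for one changed cell: take the deepest unfixed hash,
    pick a minimum-depth cell under it, and use that cell to fix every hash
    above it whose floor equals the cell's depth. Hashes that the adjustment
    itself breaks (e.g. h1 when Cell 1 is adjusted) are fixed in the same step.
    Returns [(cell adjusted, hashes fixed in that step), ...]."""
    unfixed = broken_hashes(changed_cell)
    steps = []
    while unfixed:
        lowest = max(unfixed, key=depth)
        cell = min(leaves_below(lowest), key=depth)
        fixed = [h for h in hashes_above(cell) if floor_of(h) == depth(cell)]
        steps.append((cell, fixed))
        unfixed -= set(fixed)
    return steps


def step_cost(hashes):  # one cell adjustment satisfying several hashes: costs multiply
    return prod(cost_of_depth(depth(h)) for h in hashes)


def attack_cost(steps):  # sequential steps: costs add
    return sum(step_cost(fixed) for _, fixed in steps)


def one_shot_cost(changed_cell):
    """Cost of repairing every broken hash with the changed cell alone."""
    return step_cost(hashes_above(changed_cell))


def is_normal(steps):
    """Normal attack: no hash fixed twice, every step fixes at least one hash."""
    fixed = [h for _, fs in steps for h in fs]
    return len(fixed) == len(set(fixed)) and all(fs for _, fs in steps)


if __name__ == "__main__":
    steps = plan_attack("Cell 2")
    print("broken:", sorted(broken_hashes("Cell 2"), key=depth))
    for cell, fixed in steps:
        print(f"adjust {cell} to fix {fixed} (floor {depth(cell)}), cost {step_cost(fixed)}")
    print("strategy cost:", attack_cost(steps), "vs one-shot:", one_shot_cost("Cell 2"))
```

With the constructed costs the two-step strategy costs 64 + 262144, against 1048576 for satisfying all four broken hashes through Cell 2 alone; the second step still dominates because the root hash is the most expensive single hash, which is why the depth-dependent cost function decides how much the hierarchy buys the defender.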

Connections to Other OASIS Efforts

• DSI mark methods typically contain secret information. Hence there is a need to protect the DSI marks.

• Other projects’ methods could be used to provide this

Accomplishments

• Working software demonstrates protection and verification stages
  – Implements a variety of detection and recovery methods
  – Provides a way to try out various segmentation and hashing combinations
• Developed new watermarking and self-embedding methods
• Produced analysis of hashing methods
  – Row-column vs. partition
  – Hierarchical hashing