Cryptographic keys management for H.264 scalable ...

1 downloads 72 Views 3MB Size Report
management issues in scalable video coding (H.264/SVC) and propose a top down .... scheme has been tested with the SVC reference software (Joint. Scalable ...
Cryptographic Keys Management for H.264 Scalable Coded Video Security Mamoona Asghar

Mohammad Ghanbari, Fellow IEEE

School of Computing and Electronic Systems University of Essex, Colchester, CO4 3SQ Essex, United Kingdom [email protected]

School of Computing and Electronic Systems University of Essex, Colchester, CO4 3SQ Essex, United Kingdom [email protected]

standard and scalable coded video. Recently Wang, et al., [3] pointed out the idea of hierarchical key generation for the cipher algorithm to encrypt the partial H.264/AVC video content. The protection for scalable video coding has been described in research [4], [5]. Li, et al. [6] devised a NAL level selective encryption technique for H.264/ SVC with stream cipher LEX (Leak Extraction) algorithm. The LEX used three keys for the three NAL units individually. The study pointed out some future work on the key management scheme, which is a key issue in security of any cipher algorithm. Park and Shin [7] designed a hierarchical key management scheme for the selective encryption of scalable video coding. The key management scheme provides the robustness against the known brute-force attack due to the different NAL unit keys.

Abstract—Scalable multi-layered coded video requires its individual layer security, as every layer has its own characteristics i.e. bit-rate, frame rate, resolution and quality. We investigate a problem of individual layer cryptographic key management issues in scalable video coding (H.264/SVC) and propose a top down hierarchical keys generation and distribution system by using a standard key management protocol MIKEY (Multimedia Internet Keying Protocol). The research goal is to enhance the security, while reducing the multiple encryption keys overhead for scalable video content retrieval, and derive a mechanism in which every entitled user needs to hold single encryption key to watch his subscribed layer data, but this key can open the doors of all layers below. The timing results are calculated for SVC bit-stream encryption/decryption and hierarchical keys generation to prove the suitability of the proposed scheme. We combine a standard protocol with the DRM (Digital Rights Management) techniques to accomplish the security demands of scalable video content on the application level.

All the reviewed researches have their own devised key management mechanisms but don‟t provide any reference to any standard key management protocol. For the hierarchical Scalable layers key generation/distribution, we have used the standard Multimedia Internet Keying Protocol (MIKEY) [8] which is a significant addition to the security of multimedia specifically designed to tackle the key exchange problems in Real-time networks. MIKEY has proposed three methods for transporting/establishing a master key TGK (Traffic Generation Key), for the all communication scenarios. We have implemented Diffie Hellman [9] for key establishment integrated with a keyed hash message authentication code (HMAC) [10] for attaining combined authentication and message integrity of the key management messages exchanged.

Keywords- H.264/SVC; MIKEY; DRM; Cryptographic keys; AES encryption; security

I.

INTRODUCTION

Scalable Video Coding (H.264/SVC) [1] is the emerging model and has quickly come up to satisfy the needs of multimedia services. Scalable Video Coding technology permits devices to send and receive multi-layered bit streams; it allows the transmission and decoding of partial bit streams to provide video services with different frame rates, spatial resolutions (picture size) and quality. The bit stream components of SVC are encapsulated in network abstraction layer (NAL) units which are then arranged as access units. Cryptography is a conventional technique to provide security to the multimedia contents. Most of the research has been done in the context of naive and selective encryption of video contents, to provide security. All Cipher algorithms require the data as input but also need unique value known as „Key‟ for the operation on plain text as described by Kerckhoff‟s principle which states that the rival can know the chosen cipher algorithm but not the key [2]. The key generation and distribution is the critically tackled issue to enhance the security of any cipher algorithm. In recent years, some work has been done on keys generation/distribution for

The Advanced Encryption Standard (AES) [11] is a symmetric key block cipher (128-bit block size), based on modified substitution-permutation network. AES uses the keys of three lengths with respective varied round steps, 128 bit key with 10, 192 bit key with 12 and 256 bit key with 14 round steps. The reason to choose the AES counter mode for the encryption is that the time required to break the 128 bit key by applying all possible keys at 50 billion keys/sec. is 5 x 1021 years. [12] So its strength is excellent for all the exhaustive key search attacks.

83

With the advent of digital media, the digital rights management becomes a known issue for the digital content manufacturers and publishers. To implement Digital Rights Management, many methods for digital media have been adopted [13]. For DRM, only cryptographic techniques are not enough to provide the flexible content delivery and secure usage. Much work has been done on the joint DRM security techniques, i.e. encryption along with key management [14], encryption along with finger printing [15] and encryption along with digital watermarking [16], [17], [18]. The proposed key management scheme provides the “Confidentiality Encryption”, that is the complete security to the content with full encryption. The research work incorporates the following DRM security processes. 1) Authentication key will be derived authentication of sender and receiver. 2) Encryption of Data with Cipher Algorithm 3) Key management with Standard Protocol II.

for

at once to get L0 to Li layer data, memory consumption and time to save the eK0 to eKi keys which are sizeable as per security needs. So, the goal is to derive a mechanism in which each user needs to hold a single encryption key to retrieve his subscribed layer data. Thus a number of keys will not travel over the network, hence reducing security hazard. Table II shows the characteristics of all MIKEY keys (key length, life time and constants) with their generation/distribution summaries. TABLE II. Characteristics of MIKEY keys

Keys

the

PROPOSED KEY MANAGEMENT SCHEME

The paper devises a key management (generation/distribution) scheme to enhance the security of scalable video coded Layers at the application level. The security to the scalable data means to provide the encryption on all layers of data from L0 (Base Layer) to Ln (Top enhancement Layer). Let‟s assume user Ui is subscribed to receive the data of layer Li, so he must have the all lower layer encryption keys i.e. eK0 to eKi to decode the subscribed layer data because the encryption is applied from layer L0 to Li .

Li-1

MIKEY Constants

Key Life Time

DH prime & base values

01 month

TGK (Master key)

128

TEK (Traffic Encryption key)

128

HMACSHA1(TGK)

0x2AD01C64

Daily for 12 Hrs.

Master Encryption key (eK) Authentication Key (aK)

128

HMACSHA1(TEK)

0x15798CEF

For Session

160

HMACSHA1(TEK)

0x1B5C7973

Unique for every User

Salt Keys (sK)

112

HMACSHA1(TEK)

0x39A2C14B

Daily for 12 Hrs.

There are five general equations for overall system keys generation:

L0

TGK gsr mod p (Diffie Hellman)

Figure1. Scalable Layers

(1)

where p=prime no., g=generator, sr=sender & receiver RAND values

TABLE I: Set of encryption keys should be held for each hierarchical layer

Li Li-1 L3 L2 L1 L0

Generation/ Distribution Methods & Parameters Diffie Hellman

As Table II shows, TGK is generated by Diffie-Hellman algorithm and it generates the TEK, while TEK further generates the master Encryption key, Authentication key and Salt keys. The purpose of Salt keys generation is to enhance the security by altering some bytes of TEK on daily basis. The few bytes of the Salt key are replaced in the TEK and after 12 hours use of TEK, the salted TEK will be used for the next 12 hours.

Li

Layers

Key Length (bits)

TEK  HMAC (TGK , MIKEY Constant || RAND, TEK length) (2)

Encryption Keys held for each Layer eK0, eK1, eK2, eK3, … , eKi-1, eKi eK0, eK1, eK2, eK3, … , eKi-1 eK0, eK1, eK2, eK3 eK0, eK1, eK2 eK0, eK1 eK0

Master eK  HMAC (TEK , eK Constant || RAND, eK length)

(3)

aK  HMAC (TEK , aK Constant || RAND, aK length)

(4)

sK  HMAC (TEK , sK Constant || RAND, sK length)

(5)

The Master Encryption Key further generates the lower layer keys to encrypt the content of the lower layers of SVC by the use of self defined constants for each layer as mentioned by the MIKEY specified constants. The keys are generated in recursive hierarchical fashion, i.e. on the receiver side top enhancement SVC layer Ln encryption key eKn will generate its immediate lower Ln-1 key eKn-1 and eKn-1 will generate eKn-2 key and so on. The general equations for generation of encryption keys for lower SVC layers are:

The management of all sets of layer Li keys (shown in Table I) for user Ui is a huge security hazard. The handling of multiple keys for user of Li data is complicated especially when the salable data has a large number of layers. Many problems arise with the large number of keys generation especially the computational cost of generating multiple keys

84

eKn HMAC (TEK , eKn Constant || RAND, eKn length)

(6)

eKn-1 HMAC (eKn , eKn-1Constant || RAND, eKn-1 length)

(7)

eKn-2HMAC (eKn-1 , eKn-2Constant || RAND, eKn-2 length)

(8)

layers will not be re-encrypted on the upper layers. Only the respective layer frame(s) will be encrypted with the corresponding layer encryption key. The general equations for the bit streams encryption on all layers:

RAND is generated according to the PRF (a keyed pseudorandom function) in [8]. The overall key management scheme is shown in Figure 2. Sender

Transfer encrypted TEK

sK

aK

eKn-1 Ln-1 Frames – Ln-2 Frames

(10)

III.

TEK

eK

eKn-1

eKn-1

eKn-2

eKn-2

aK

sK

TABLE III. Timings of sample CIF Sample CIF Timings (Sec.)

eKn-n

eKn-n

BUS Encoding time Encryption time Decryption time Decoding time FOOTBALL Encoding time Encryption time Decryption time Decoding time CREW Encoding time Encryption time Decryption time Decoding time FOREMAN Encoding time Encryption time Decryption time Decoding time

Figure 2. Key Generation Mechanism

After the keys generation and distribution, the proposed solution will work for the encryption of layers by using AESCM Cipher algorithm. The idea behind the encryption of scalable layers can be easily understood by the figure 3 below. Frame 1

Frame 2

Frame 3

Frame 4

Frame 5

Ln

eKn

Ln-1

eKn-1

L0

EVALUATION RESULTS

The performance of the proposed key management scheme has been tested with the SVC reference software (Joint Scalable Video Model) JSVM 9.19.8 version encoder. The experiments run on a machine Intel Core i3-330M (2.13GHz) processor with 4GB RAM. AES-CM symmetric encryption is used to encrypt every layer with 128 bit encryption key except the first four bytes NAL header of every NAL unit, as the NAL header should be opened while transferring over network. For the evaluation of results; four different benchmark CIF video clips are used, which are encoded into four layers i.e. lowest is the base layer and upper three are enhancement layers with a total bit-rate of 64kbps and 16 GOP size with same Intra period. The evaluation results encompass the encryption/decryption and key generation timings with different number of encoded frames.

TGK

TGK

eK

(9)

Receiver

Generated by DH

TEK

eKn (encrypts)  Ln Frames – Ln-1 Frames

eK0 Figure 3. Keys per scalable layer

In the Figure 3 three ascending order scalable layers are shown, where lowest is the base layer and the upper two are enhancement layers. According to Figure 3, frames 1 and 5 (horizontal line pattern) are on base layer, they will be encrypted by the key eK0. The three frames are on the immediate upper layer of base layer 1, 3 and 5. Frames 1 and 5 are already encrypted by the base layer eK0 so; only frame 3 (bricks pattern) belongs to the Ln-1 which will be encrypted by eKn-1. This process of encryption is continued on all above layers and the frames which are already encrypted on lower

30 Frames

60 Frames

90 Frames

120 Frames

150 Frames

23

47

70

93

116

0.012 0.021 0.977

0.019 0.028 1.879

0.027 0.032 2.678

0.039 0.042 3.544

0.043 0.047 4.278

24

50

75

99

123

0.021 0.029 0.950

0.032 0.043 1.902

0.039 0.055 2.779

0.046 0.065 3.656

0.050 0.072 4.498

22

43

66

100

113

0.010 0.012 0.877

0.016 0.027 1.776

0.020 0.031 2.623

0.031 0.037 3.440

0.038 0.054 4.312

21 0.010 0.016

41 0.012 0.020

62 0.017 0.027

83 0.021 0.038

104 0.038 0.040

0.863

1.711

2.582

3.380

4.164

Table III shows the encoding, encryption and decryption and decoding timings (in seconds) for the four sample CIF video clips with different input frame rates. Encoding timings are taken in integral values after rounding; while encryption, decryption and decoding timings are taken in seconds upto the third place of decimal, for the clear overhead estimation of cryptography over video file. As the table shows the time taken on encryption as compared to encoding and decoding is very small. Therefore, with negligible additional

85

hierarchical key management for all layers (top to bottom). The significance of the proposed method is that subscriber of each layer has only one encryption key to use, but this key can open the doors of all layers below. This cryptographic hierarchical key management scheme is suitable for the secure video distribution to users who have subscribed to a different video quality.

computational cost, we are able to achieve security and selective distribution of bit streams. The decryption time is little more than encryption time because the reverse process to decrypt the layers and the sorting requires slightly more time. Keys TEK aK Master ek sK Ln to L0 eK

8 layers 8 19 27 33 93

6 layers 8 19 27 33 79

4 layers 8 19 27 33 64

2 layers 8 19 27 33 49

REFERENCES

Key Generation Timings

[1]

Schwarz, H., Marpe, D., Wiegand, T., "Overview of the scalable video coding extension of the H. 264/AVC standard." IEEE Transactions on circuits and systems for video technology, vol. 17(9), pp. 1103-1120, 2007.

[2]

Cayre, F., Fontaine C., Furon T., “Watermarking security: Theory and practice”. IEEE Trans. Signal Processing vol. 53, pp. 3976–3987, 2005. Wang, X., Zheng N., Tian L., "Hash key-based video encryption scheme for H. 264/AVC." Signal Processing: Image Communication vol. 25/6, pp. 427-437, July 2010. Won, Y.G., Bae, T.M., Ro, Y.M., “Scalable Protection and Access Control in Full scalable Video Coding”. In Proceedings on the 5th International Workshop on Digital Watermarking, IWDW ‟06, volume 4283 of Lecture Notes in Computer Science, Springer, pp. 407–421, Korea, November 2006. Kim, Y., Jin, S.H., Bae, T.M., Ro, Y.M., “A Selective Video Encryption for the Region of Interest in Scalable Video Coding” In: IEEE Region 10 Conference, pp. 1–4, 2007. Li, C., X. Zhou, Zhong Y., "NAL Level Encryption for Scalable Video Coding." Advances in Multimedia Information Processing-PCM 2008 Volume 5353/2008, pp. 496-505, 2008. Park, S. and S. Shin, “An Efficient Encryption and Key Management Scheme for Layered Access Control of H. 264/Scalable Video Coding." IEICE TRANSACTIONS on Information and Systems vol. 92(5), pp. 851-858, 2009. J. Arkko, E. Carrara, F. Lindholm, M. Naslund, K. Norrman. MIKEY: Multimedia Internet KEYing, RFC 3830. Internet Engineering Task Force, http://www.ietf.org/rfc/rfc2830.txt. Aug 2004. W. Diffie and M. Hellman, “New directions in cryptography,” IEEE Trans. Inform. Theory, vol. 22, no. 6, pp. 644–54, Nov. 1976. M. Euchner, HMAC-Authenticated Diffie-Hellman for Multimedia Internet KEYing (MIKEY), RFC 4650, https://datatracker.ietf.org/doc/rfc4650/, September 2006. Schaad, J. and R. Housley. Advanced Encryption Standard (AES) Key Wrap Algorithm, RFC 3394, September 2002. Bernhard Esslinger, Frankfurt am Main, “The CrypTool Script: Cryptography, Mathematics and More”, Background reading for CrypTool the free e-learning program (with number theory code samples for Sage) (10th edition { distributed with CrypTool version 1.4.30) , July 5, 2010. Lawrence Harte, “Introduction to Digital Rights Management”, ISBN: 1932813403, 2007. Lin, E., Eskicioglu, A., Langendijk L., Delp, E., "Advances in digital video content protection." Proceedings of the IEEE, vol. 93(1), pp. 171183, 2005. Kundur, D. and K. Karthik, "Video fingerprinting and encryption principles for digital rights management." Proceedings of the IEEE, vol. 92(6), pp. 918-932, 2004. C.-I. Fan, M.-T. Chen, and W.-Z. Sun, “Buyer-sellerwatermarking protocols with off-line trusted third parties,” Int. J. Ad Hoc Ubiquitous Comput., vol. 4, no. 1, pp. 36–43, 2009. H. S. Ju, H. J. Kim, D. H. Lee, and J. I. Lim, “An anonymous buyerseller watermarking protocol with anonymity control,” in Information Security Cryptology (ICISC), Seoul, Korea, vol. 2587/2003, pp. 421–432, 2002. Thomas, T., Emmanuel, S., A. V. Subramanyam, Kankanhalli, M., "Joint watermarking scheme for multiparty multilevel DRM architecture." Information Forensics and Security, IEEE Transactions on 4(4), pp. 758-767, 2009.

100 Time in Microseconds

90 80 70 60

8 layers

50

6 layers

40

4 layers

30

[3]

2 layers

20 10

0 TEK

aK

Master ek

sK

Ln to L0 eK

[4] Figure 4. Keys generation Timing Graph

Figure 4 depicts the timings (in microseconds) required for generating the hierarchical keys. For each subscriber the TEK, aK and master eK has to be derived. In addition, depending upon the subscriber whether he has demanded upper layer or lower key, the master encryption key is generated and given to him then he derives his own encryption keys for the lower layers. It is a hierarchical system and each key eK is derived from others. The timings given in the graph are of keys for Layers L8, L6, L4 and L2, but while generating hierarchical encryption keys these have been derived from Layer L8 to L0. The difference is shown in keys generation timings of Layers Ln to L0 eK which are derived from the master eK. If the hierarchical encryption keys is generated for just two scalable layers (single base and enhancement layer), it will take 49 microseconds and if they are generated for eight layers (single base and seven enhancement layers) then it will take 93 microseconds. The timings of generating hierarchical encryption keys depend on the number of layers from top to bottom. The graph clearly depicts that the keys generation time is fairly negligible. So, to make the system robustly secure, the keys can be generated very often without any additional overhead on system.

[5]

[6]

[7]

[8]

[9] [10]

[11] [12]

[13]

The cryptographic keys are vulnerable to exhaustive key search attacks. The proposed system is robust enough to meet these attacks, as the cryptographic keys are changing frequently. The TEK is changing after every 12 Hrs. a day while the rest of keys are dependent on TEK for their generation.

[14]

[15]

[16]

IV.

CONCLUSION

This paper has proposed a compact key management and distribution system which is very efficient and greatly enhances the security of transmission. After the detailed analysis of key management protocol, the strength of cipher algorithm, and the encryption of layered data, it is expected that the proposed security scheme will be a desirable contribution for the security of scalable video coding especially its part of flexible

[17]

[18]

86