A Simple and Secure Watermarking Protocol

Antonio Cuomo, Franco Frattolillo, Federica Landolfi, Umberto Villano
Department of Engineering, University of Sannio, Benevento, Italy
Email: {cuomo,frattolillo,landolfi,villano}@unisannio.it

Abstract—The advances in multimedia and networking technologies enable copyright infringement of digital content distributed on the Internet. Such infringement, particularly promoted by peer-to-peer file sharing, causes copyright holders lost sales every year. Consequently, methods for digital copyright protection are needed in a global Internet environment. Watermarking protocols are recognized as a promising technique for asserting authorship and determining accountability when piracy occurs. In this paper, a simple watermarking protocol purposely designed to be easily implemented in the current model of content distribution on the Internet is proposed. The protocol is secure and able to protect the digital assets of web-based distribution and the associated rights.

Keywords: Watermarking protocols, copyright protection, digital watermarking.

978-1-4673-4794-5/12/$31.00 © 2012 IEEE

I. INTRODUCTION

Content digitalisation and peer-to-peer file sharing services have greatly promoted piracy of copyright-protected content. This has motivated the development of technological solutions aimed at preventing economic losses for Content Providers (CPs). Digital watermarking [1], particularly if based on fingerprinting techniques [2], is one of the most appropriate techniques for implementing copyright protection of digital content distributed on the Internet. It consists in inserting a proprietary mark in the content distributed on the web, which the owners can easily retrieve to verify ownership. Furthermore, if the watermarks are generated in the form of fingerprints that identify content consumers, each distributed copy of a content becomes individually marked with the fingerprint of the customer, so that a unique watermark links a particular copy to the consumer who receives it.

However, digital watermarking needs to be used in combination with appropriate web protocols able to manage the process of content protection and web-based distribution. These protocols, called “watermarking protocols”, provide appropriate infrastructures to support the digital rights management process for digital content, and implement effective mechanisms for tracking down improper use of the digital content owned and distributed by CPs [3], [4].

In recent years, a variety of relevant watermarking protocols allowing CPs to preserve the copyright and identify copyright violators have been proposed. These protocols are mainly based on three web entities: the buyer (B), the content provider or seller (CP), and the Watermark Certification Authority (WCA), which is usually assumed to be a trusted entity responsible for guaranteeing the whole protection and distribution process. From the analysis of these proposals, it is possible to derive that most of the current protocols are secure but not suited to be integrated into the models of business and content distribution currently adopted on the Internet.

In this paper, a new watermarking protocol is proposed. The protocol is simple and secure and overcomes the limitations and drawbacks that affect existing solutions and make them unsuited for the web context. The paper is organized as follows. Section II discusses some of the most relevant watermarking protocols existing in the literature. Section III describes the proposed protocol in detail. Section IV analyzes the protocol and discusses its main achievements. Section V gives a brief conclusion.

II. RELATED WORK

“Buyer-seller” watermarking protocols mainly combine a public key cryptosystem with digital watermarking to guarantee the protection of rights for both the buyer and the CP. These protocols usually involve three main entities: the buyer, the CP or seller, and a Watermark Certification Authority (WCA), which takes charge of generating the necessary watermarks and signatures, and ensuring the correct execution of the protocol. One of the first buyer-seller watermarking protocols is described in [5]. It deals with the “customer’s right problem”, which arises when a watermark is inserted solely by the seller, who may therefore benefit from framing attacks against an innocent buyer. Moreover, it uses a “homomorphic” public key infrastructure (PKI) to embed the watermark directly in the encrypted domain [6].
In the proposed protection scheme, the seller and the buyer perform the protocol and each generates only part of the watermark. This ensures that the watermarked content delivered to the buyer is unknown to the seller, the unwatermarked original content is unavailable to the buyer, and neither of them has access to the embedded watermark. However, the protocol also introduced a new issue, the “unbinding problem”, which arises when a dishonest seller frames an innocent buyer by transplanting the buyer’s watermark into a copy of higher-priced digital content that the buyer never bought.

The protocol proposed in [6] employs a PKI to attain several important achievements, such as implementing the correct authentication of buyers without exposing their
identities during the purchase web transactions. Furthermore, the protocol exploits trusted WCAs in order to both carry out watermark insertions and ensure a correct copyright protection process. However, the protocol requires that buyers can participate in web transactions only if they can autonomously perform some security actions, such as the management of the digital signature of the exchanged messages. Moreover, it requires a double watermark insertion performed by the distinct entities involved in the watermarking protocol, such as CP and WCA.

The protocol proposed in [7] does not need the assistance of a Trusted Third Party (TTP), but only involves the buyer and CP. The main goal of the protocol is to avoid “conspiracy problems”, arising when both a dishonest CP and a malicious buyer collude with an untrustworthy third party to fabricate piracy. The basic idea is to generate a watermark composed of two secrets independently produced by the buyer and the CP. This prevents both buyer and CP from knowing the exact embedded watermark, which can thus neither be removed from the protected content by the buyer nor be generated by the CP to fabricate piracy. In this way, a CP could not attempt to cause the effects of the unbinding problem or the customer’s right problem, whereas the buyer could not confound the tracing of piracy by obtaining the removal of the watermark from the purchased content. However, the protocol is characterized by an arbitration process that needs the assistance of the buyer.

The protocol proposed in [8] does not adopt a protection scheme based on enciphering both watermark and content by using a homomorphic public-key cipher and on directly embedding the watermark in the enciphered domain. It uses a “secure” watermark embedding algorithm implemented by using symmetric ciphers and “partial encryption”. In fact, the algorithm additively distorts selected transform coefficients of a content with a noise sequence, which then has to be partially removed by the buyer, thus leaving only the watermark. The main aim is to achieve a high level of efficiency in applying the watermark protection, since the adopted enciphering scheme only involves computations of modular additions, whereas the other schemes based on homomorphic encryption require computations of modular exponentiations, which are much more expensive than modular additions.

Table I. The negotiation phase (entities: B, CP, WCA)
1. B visits the CP’s web site and chooses the content X.
   B → CP: $m_1 = \{AGR_X\}$
2. CP computes $Sgn_{CP} = Sign_{pk_{CP}}(AGR_X, TID_{CP}, TS_{CP})$ and List(WCA).
   CP → B: $m_2 = \{Sgn_{CP}, List(WCA)\}$
3. B → WCA: $m_3 = \{CP, AGR_X, Sgn_{CP}, B_{id}\}$
4. WCA: check on $m_3$.

Table II. Information contained in $B_{id}$ depending on the negotiation mechanisms

Negotiation mechanism    Personal information             Payment information
Anonymous                anonymous digital certificate    anonymous prepaid card
Personal                 personal digital certificate     anonymous prepaid card
                         personal digital certificate     credit card
Based on credit card     identity on credit card          credit card

The protocol described in [9] is mainly based on two security primitives: group signatures and homomorphic encryption. The former primitive allows buyers to sign the purchase messages they send to the seller on behalf of the group of buyers. This enables the seller to verify the signature without knowing the buyers’ identity, thus implementing anonymous purchases. However, when a pirated copy is found and traced back to a particular purchase, the corresponding signature can be opened to reveal the identity of the buyer that released the pirated copy. The latter primitive allows buyer and seller to jointly compute an encryption of the watermark to be embedded in the original content in such a way that neither party knows it. In fact, as reported above, the encryption of the watermark is directly embedded in the encrypted domain.

III. PROPOSED WATERMARKING PROTOCOL

The proposed protocol exploits a limited set of well-known security facilities: a PKI, homomorphic encryption [6], and digital purchase certificates [3]. These facilities enable: (1) the seller or CP (denoted by CP) to release content in an encrypted form; (2) WCA (denoted by WCA) to watermark content directly in the encrypted domain; (3) the buyer (denoted by B) to obtain the purchased and protected content by simply decrypting it. In particular, WCA is assumed to be a trusted authority that does not carry out colluding actions. A fourth, optional, entity is represented by the service provider (SP), which is a web entity specialized in supplying trusted watermarking services. It relieves WCAs of the task of directly watermarking digital content and lets them provide web users with an effective, on-the-fly protection service [10]. The proposed watermarking protocol comprises two subprotocols: the protection protocol and the identification and arbitration protocol.
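The three facilities listed above can be traced in one run with the following added sketch, which is not code from the paper. It assumes Paillier as the privacy-homomorphic cryptosystem, a toy least-significant-bit carrier as the watermark, and a keyed hash for the $Serial_{WCA}$ function that Sections III-A and III-B use for the IDX lookup; the paper specifies none of these choices, and all function names are hypothetical.

```python
import hashlib, hmac, math, secrets

# Toy Paillier cryptosystem (additively homomorphic). The fixed Mersenne primes
# are an assumption that keeps the demo short; a real CP would generate fresh
# random primes of cryptographic size for every transaction.
P, Q = 2**31 - 1, 2**61 - 1

def keygen(p=P, q=Q):
    """CP: one-time pair (pk_CP^X, sk_CP^X); pk = n, sk = (lambda, mu)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return n, (lam, pow(lam, -1, n))

def encrypt(pk, m):
    n2 = pk * pk
    while True:                                   # blinding factor coprime to n
        r = secrets.randbelow(pk)
        if math.gcd(r, pk) == 1:
            break
    return (1 + m * pk) * pow(r, pk, n2) % n2

def decrypt(pk, sk, c):
    lam, mu = sk
    return (pow(c, lam, pk * pk) - 1) // pk * mu % pk

def embed_encrypted(pk, enc_x, enc_w):
    """SP: E(x_i) * E(w_i) mod n^2 = E(x_i + w_i); SP handles no plaintext."""
    if len(enc_w) > len(enc_x):
        raise ValueError("watermark longer than content")
    n2 = pk * pk
    marked = [cx * cw % n2 for cx, cw in zip(enc_x, enc_w)]
    return marked + enc_x[len(marked):]           # unmarked tail passes through

def serial_wca(wca_key, w_bits):
    """Assumption: Serial_WCA modelled as a keyed hash of W held by WCA."""
    return hmac.new(wca_key, w_bits.encode(), hashlib.sha256).hexdigest()[:16]

def protect_and_deliver(x, w_bits, wca_key):
    """Messages m5..m10 collapsed into one function for illustration."""
    pk, sk = keygen()                                  # CP, per transaction
    enc_x = [encrypt(pk, v & ~1) for v in x]           # m5: LSB cleared (toy carrier)
    enc_w = [encrypt(pk, int(b)) for b in w_bits]      # m6: WCA encrypts W under pk
    enc_marked = embed_encrypted(pk, enc_x, enc_w)     # m7, m8: SP -> WCA -> B
    idx = serial_wca(wca_key, w_bits)                  # m9: IDX sent to CP
    x_bar = [decrypt(pk, sk, c) for c in enc_marked]   # B decrypts after m10
    return x_bar, idx

def identify(x_pirated, n_bits, wca_key, cp_db):
    """Arbitration: extract W', recompute IDX', look it up in CP's database."""
    w_prime = "".join(str(v & 1) for v in x_pirated[:n_bits])
    return cp_db.get(serial_wca(wca_key, w_prime))

# Constructed sample data: eight content samples and a 6-bit fingerprint W.
X = [118, 64, 201, 33, 90, 147, 12, 250]
W = "101101"
WCA_KEY = b"constructed-wca-secret"

if __name__ == "__main__":
    x_bar, idx = protect_and_deliver(X, W, WCA_KEY)
    cp_db = {idx: "Cert(B, CP, X) for transaction 1"}
    print(x_bar, idx, identify(x_bar, len(W), WCA_KEY, cp_db))
```

A least-significant-bit carrier is trivially removable and stands in here only because it makes the additive homomorphism visible; the paper leaves the actual watermarking algorithm to the SP.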

2012 Fourth International Conference on Computational Aspects of Social Networks (CASoN)


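Table III. The protection phase (entities: CP, WCA, SP)
1. WCA computes $Sgn_{WCA} = Sign_{pk_{WCA}}(B_{id}, CP, AGR_X, TID_{WCA}, TS_{WCA})$.
   WCA → CP: $m_4 = \{AGR_X, Sgn_{CP}, Sgn_{WCA}\}$
2. CP generates $(pk_{CP}^{X}, sk_{CP}^{X})$ and computes $E_{pk_{CP}^{X}}(X)$.
   CP → WCA: $m_5 = \{AGR_X, pk_{CP}^{X}, E_{pk_{CP}^{X}}(X), Sgn_{WCA}\}$
3. WCA computes $E_{pk_{CP}^{X}}(W)$.
   WCA → SP: $m_6 = \{E_{pk_{CP}^{X}}(W), E_{pk_{CP}^{X}}(X)\}$
4. SP computes $\overline{E}_{pk_{CP}^{X}}(X)$.
   SP → WCA: $m_7 = \{\overline{E}_{pk_{CP}^{X}}(X)\}$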

A. Protection Protocol

The protection protocol consists of three main phases: negotiation, protection and delivery.

1) Negotiation: The negotiation phase, shown in Table I, starts when B anonymously visits the CP’s web site and, after having chosen a content X, negotiates with CP to set up a common agreement $AGR_X$. $AGR_X$ represents: (1) a “use license” that refers to X and states the rights and obligations of B and CP; (2) a “purchase order” placed by B. It is sent by B to CP in the message $m_1$ to manifest the will of buying X. Upon receiving $AGR_X$, CP generates $TID_{CP}$, which is the transaction identifier, and $TS_{CP}$, which is the timestamp used to make the freshness of the exchanged token assessable. CP also generates the signature $Sgn_{CP} = Sign_{pk_{CP}}(AGR_X, TID_{CP}, TS_{CP})$ by using its public key $pk_{CP}$, and a list of WCAs, denoted as List(WCA), which can be contacted by B to continue the purchase transaction. Then CP sends the signature and the list to B in the message $m_2$.

B receives $m_2$ and chooses a WCA from List(WCA) to continue the transaction. B generates the message $m_3$ and sends it to the chosen WCA in order to manifest the will of buying X from CP and to require WCA to apply a digital protection according to what is stated in $AGR_X$. Therefore, $m_3$ includes:
• CP, which is the reference to the content provider CP that sells X;
• $AGR_X$, which is the document referring to X in the sense reported above;
• $Sgn_{CP}$, which is a security token that links the purchase transaction to the content and the seller;
• $B_{id}$, which includes the information by which B chooses to be identified in the protection protocol. In particular, according to the negotiation mechanisms provided by the protocol, $B_{id}$ can be represented as a pair of information, named “personal” information and “payment” information, as reported in Table II. The former can be derived from the anonymous or personal digital certificate or from the personal data reported on B’s credit card. The latter can be derived from the anonymous pre-paid card or from B’s credit card.

After receiving $m_3$, WCA verifies the data contained in $B_{id}$. If B has chosen the “anonymous” identification method, WCA verifies the anonymous digital certificate and the data associated to the pre-paid card presented by B. If B has presented a personal digital certificate and/or his/her credit card, WCA verifies these data. Therefore, if the data sent in $m_3$ are incorrect or the payment card turns out to be invalidated or B cannot pay X, the transaction is aborted. Otherwise, the protection phase can start.

2) Protection: Message $m_3$ involves WCA in the protection phase shown in Table III. WCA then generates the message $m_4$, which contains information needed to mark the protection transaction. To this end, WCA generates the signature $Sgn_{WCA} = Sign_{pk_{WCA}}(B_{id}, CP, AGR_X, TID_{WCA}, TS_{WCA})$ by using its public key, denoted as $pk_{WCA}$. More in detail, $TID_{WCA}$ is the code used by WCA to identify the current transaction, whereas $TS_{WCA}$ is the timestamp needed to make the freshness of the exchanged token assessable. $Sgn_{WCA}$, like $Sgn_{CP}$, is used as a security token that links the purchase transaction to X, B, CP and WCA. Then, WCA creates the message $m_4$ by including $AGR_X$, $Sgn_{CP}$, and $Sgn_{WCA}$, and sends it to CP.

CP verifies its signature $Sgn_{CP}$ returned in the message $m_4$ and aborts the transaction if the data turn out to be invalid. Then CP generates a public and private key pair $(pk_{CP}^{X}, sk_{CP}^{X})$ to be used only in the current transaction, and employs the public key to encrypt X by using a cryptosystem that is “privacy homomorphic” [6] with respect to the subsequent watermark insertion, thus generating the content $E_{pk_{CP}^{X}}(X)$ that has to be watermarked. Then, CP sends $AGR_X$, the enciphered content $E_{pk_{CP}^{X}}(X)$, and the public key $pk_{CP}^{X}$, together with the signature $Sgn_{WCA}$, to WCA in the message $m_5$.

WCA verifies its signature $Sgn_{WCA}$ returned in the message $m_5$ and aborts the transaction if the data turn out to be invalid.
Then, WCA generates a fingerprinting binary code, denoted as W, which is obtained by concatenating five distinct binary strings. A first string can be derived from the “personal” information sent by B in $B_{id}$, such as
his/her anonymous or personal digital certificate or credit card. A second string can be derived from the “payment” information sent by B in $B_{id}$ and based on data reported on the pre-paid or credit card. A third string can be obtained as an anti-collusion code [2], whereas a fourth string is a redundant code used to address the problem of bit errors resulting from the watermark extraction process. A fifth string is a transaction identifier. Finally, WCA encrypts the watermark W by employing the received key $pk_{CP}^{X}$, thus generating $E_{pk_{CP}^{X}}(W)$, and sends it, together with $E_{pk_{CP}^{X}}(X)$, in the message $m_6$ to an SP selected from a list of accredited web entities.

After receiving $m_6$, SP can directly watermark $E_{pk_{CP}^{X}}(X)$, since, as reported above, the encryption function applied by CP is assumed “privacy homomorphic” with respect to the watermark insertion operation. Then, SP can return the encrypted and watermarked content $\overline{E}_{pk_{CP}^{X}}(X)$ to WCA in message $m_7$, which closes the protection phase.

3) Delivery: The delivery phase, shown in Table IV, starts with WCA forwarding the protected content $\overline{E}_{pk_{CP}^{X}}(X)$ to B in the message $m_8$. After receiving $\overline{E}_{pk_{CP}^{X}}(X)$, B returns an acknowledgement to WCA, which notifies this event to CP with the message $m_9$. In particular, $m_9$ contains IDX, which is a serial number that shall be used by CP to refer to the data associated to the current transaction. IDX is generated by WCA by applying the specific function $Serial_{WCA}$ on W. Therefore, $IDX = Serial_{WCA}(W)$. Furthermore, $m_9$ contains $TID_{WCA}$ and $TS_{WCA}$, which have to be stored by CP as information useful for running the “identification and arbitration protocol”. The correct receipt of $m_9$ assures CP that B has received the encrypted content $\overline{E}_{pk_{CP}^{X}}(X)$ and that his/her payment card can be charged. As a consequence, CP can send B the private key $sk_{CP}^{X}$ corresponding to the public key $pk_{CP}^{X}$ purposely used to encrypt X. After receiving the private key $sk_{CP}^{X}$ in the message $m_{10}$, B can decrypt $\overline{E}_{pk_{CP}^{X}}(X)$, thus generating the final version of the watermarked copy of X, denoted as $\bar{X}$. In fact, the privacy homomorphic cryptosystem exploited by the proposed protocol results in the following equalities:

$$\overline{E}_{pk_{CP}^{X}}(X) = E_{pk_{CP}^{X}}(\bar{X}), \qquad \bar{X} = D_{sk_{CP}^{X}}(\overline{E}_{pk_{CP}^{X}}(X))$$

where the operator $D_{sk}$ denotes the decryption function corresponding to the encryption function $E_{pk}$.

Once $\bar{X}$ has been generated, B notifies the availability of the purchased content to WCA, which can charge B’s payment card. Then, WCA can generate the token

$$Cert(B, CP, X) = E_{pk_{WCA}}(AGR_X, B_{id}, CP, Sign_{CP}, Sgn_{WCA}, IDX, W)$$

which represents the digital purchase certificate to be sent to B and CP in the message $m_{11}$. Cert(B, CP, X) contains enciphered data, and this prevents both B and CP from maliciously modifying it. After receiving the purchase certificate, CP has to store a new entry in its databases, whose search key is IDX and whose corresponding contents are $AGR_X$, $TID_{CP}$, $TS_{CP}$, $TID_{WCA}$, $TS_{WCA}$, and Cert(B, CP, X). In fact, such information is needed to prove that B is the legitimate owner of the content X sold by CP through a transaction guaranteed by WCA.

Table IV. The delivery phase (entities: B, CP, WCA)
1. WCA → B: $m_8 = \{\overline{E}_{pk_{CP}^{X}}(X)\}$
2. B → WCA: ack
3. WCA computes $IDX = Serial_{WCA}(W)$.
   WCA → CP: $m_9 = \{IDX, TID_{WCA}, TS_{WCA}\}$
4. CP → B: $m_{10} = \{sk_{CP}^{X}\}$
5. B computes $\bar{X} = D_{sk_{CP}^{X}}(\overline{E}_{pk_{CP}^{X}}(X))$.
   B → WCA: ack on $\bar{X}$
6. WCA: payment.
   WCA → B, CP: $m_{11} = \{Cert(B, CP, X)\}$
7. CP saves a new entry in its databases.

B. Identification and Arbitration Protocol

This protocol (see Table V) is conducted whenever a pirated copy $X'$ of a protected digital content is found in the market. The main aim is to determine the identity of the responsible distributor, who was the legitimate buyer in some earlier transaction, with undeniable evidence. CP starts the protocol by sending $X'$ to WCA in the message $m_1$. WCA retrieves the list of the SPs that can be involved in the watermark extraction process and selects an SP. Then, WCA sends $X'$ to the selected SP in the message $m_2$. SP extracts the watermark from $X'$, denoted as $W'$, and sends it to WCA in the message $m_3$. WCA receives $W'$ and applies the function $Serial_{WCA}$ to it in
order to generate the search index $IDX'$, which is sent to CP in $m_4$. CP accesses its databases and uses $IDX'$ to search them for a match. When a possible match is found [6], CP retrieves the corresponding purchase certificate

$$Cert(B, CP, X) = E_{pk_{WCA}}(AGR'_X, B'_{id}, CP, Sign_{CP}, Sgn_{WCA}, IDX', W')$$

and all other plaintext information stored with it, represented by $AGR'_X$, $TID'_{CP}$, $TS'_{CP}$, $TID'_{WCA}$, and $TS'_{WCA}$. Then, CP requires the buyer identification by sending the certificate and the retrieved information to WCA in the message $m_5$. WCA decrypts the purchase certificate and compares the data contained in it with the plaintext information received from CP in the message $m_5$. If all data turn out to be correct, the identity of the buyer is revealed, and WCA can adjudicate him/her to be a traitor, thus closing the case. Otherwise, the protocol ends without exposing any identity.

Table V. The identification and arbitration protocol (entities: CP, WCA, SP)
1. CP finds $X'$.
   CP → WCA: $m_1 = \{X'\}$
2. WCA selects an SP.
   WCA → SP: $m_2 = \{X'\}$
3. SP extracts $W'$ from $X'$.
   SP → WCA: $m_3 = \{W'\}$
4. WCA computes $IDX' = Serial_{WCA}(W')$.
   WCA → CP: $m_4 = \{IDX'\}$
5. CP searches its databases for a possible match on $IDX'$; if a match is found then
   CP → WCA: $m_5 = \{Cert(B, CP, X), TID'_{CP}, TS'_{CP}, TID'_{WCA}, TS'_{WCA}, AGR'_X\}$
6. WCA adjudicates.

IV. DISCUSSION

This section discusses the main characteristics and achievements of the proposed protocol.

The core of the proposed protocol is the introduction of digital purchase certificates used in conjunction with digital watermarking techniques. In fact, each content $\bar{X}$ sold by CP is protected by the insertion of a personalized, perceptually invisible watermark, which is also stored in a digital certificate that is delivered to B and CP in order to prove the legitimate possession of $\bar{X}$. The certificate is generated by WCA and contains coherent information digitally signed and encrypted by WCA. Therefore, nobody can autonomously generate a valid digital purchase certificate, or even access or coherently modify a certificate generated by WCA. To this end, it is worth noting that the watermark stored by WCA in the certificate associated to the content $\bar{X}$ during the purchase transaction is autonomously generated by WCA and encrypted by using the public key $pk_{CP}^{X}$, sent by CP, in order to enable the watermark insertion directly in the encrypted domain. Thus, the proposed protocol guarantees that only CP can get access to the unprotected content X, since X is released by CP only in an encrypted form.

The protection core based on purchase certificates does not need a double watermark insertion, and web users can purchase digital content distributed by CPs without having to be provided with digital certificates issued by CAs. Moreover, a suspected buyer is not required to cooperate in the “identification and arbitration protocol”, since WCA, CP and SP can make appropriate adjudications autonomously and collaboratively.

The protocol does not force CP to release X in an unprotected form. Moreover, B is the sole entity that receives the content $\bar{X}$ protected with a personalized watermark. Therefore, no other entity involved in the protocol can distribute illegal replicas of $\bar{X}$, and if copies of $\bar{X}$ are found in the market, they can only originally come from B. In addition, B can neither know which watermarking algorithm has been used to protect X nor calculate the binary code representing the watermark, because this code is not always the same for a given buyer, as reported in Section III-A2.

Finally, X is never released in a partially protected form, as happens in other watermarking protocols proposed in the literature, such as [6]. In such protocols, WCA receives a copy of X originally watermarked by CP but not bound to any buyer. As a result, WCA could illegally distribute copies of such partially protected content without running the risk of being adjudicated to be a traitor, since it can claim that the illegal replicas were created and directly distributed by CP. In fact, this is a relevant problem that affects many protocols proposed in the literature and that has not been addressed until now.

V. CONCLUSION

In this paper, a simple and secure watermarking protocol is presented. Its major achievements can be summarized
as follows:
• CP is the sole entity that gets access to the unprotected content X;
• B is the sole entity that is allowed to get access to the final watermarked content $\bar{X}$;
• WCA does not receive copies of X originally watermarked by CP but not bound to any buyer;
• CPs can decide to take advantage of SPs without being able to collude with them, since there is never contact between them;
• content protection can be implemented without requiring a double watermark insertion;
• buyer participation in the protocol is simple and supported by multiple negotiation mechanisms;
• confidential data are managed by a unique trusted web entity, that is, WCA.

Therefore, the proposed protocol adopts a design approach suitable for the web context, whereas most of the relevant watermarking protocols proposed in the literature still turn out to be impractical or unsuited for such a context.

REFERENCES

[1] I. Cox, J. Bloom, and M. Miller, Digital Watermarking: Principles & Practice. Morgan Kaufmann, 2001.
[2] K. J. R. Liu, W. Trappe, Z. J. Wang, M. Wu, and H. Zhao, Multimedia Fingerprinting Forensics for Traitor Tracing. Hindawi Publishing Corporation, 2005.
[3] F. Frattolillo, “Watermarking protocol for web context,” IEEE Trans. Inf. Forensics Security, vol. 2, no. 3, pp. 350–363, 2007.
[4] M. Campidoglio, F. Frattolillo, and F. Landolfi, “The copyright protection problem: Challenges and suggestions,” in Proc. of the 4th Int. Conf. on Internet and Web Applications and Services, Venice, Italy, 2009.
[5] N. Memon and P. W. Wong, “A buyer-seller watermarking protocol,” IEEE Trans. Image Process., vol. 10, no. 4, pp. 643–649, 2001.
[6] C. L. Lei, P. L. Yu et al., “An efficient and anonymous buyer-seller watermarking protocol,” IEEE Trans. Image Process., vol. 13, no. 12, pp. 1618–1626, 2004.
[7] J. Zhao, W. Kou, and K. Fan, “Secure buyer-seller watermarking protocol,” IEE Proc. Inf. Secur., vol. 153, no. 1, pp. 15–18, 2006.
[8] S. Katzenbeisser, A. Lemma, M. U. Celik, M. van der Veen, and M. Maas, “A buyer-seller watermarking protocol based on secure embedding,” IEEE Trans. Inf. Forensics Security, vol. 3, no. 4, pp. 783–786, Dec. 2008.
[9] A. Rial, M. Deng, T. Bianchi, A. Piva, and B. Preneel, “A provably secure anonymous buyer-seller watermarking protocol,” IEEE Trans. Inf. Forensics Security, vol. 5, no. 4, pp. 920–931, 2010.
[10] F. Frattolillo, F. Landolfi, and F. Marulli, “A novel approach to DRM systems,” in Proc. of the 12th IEEE Int. Conf. on Computational Science and Engineering, Vancouver, Canada, 2009.
