Document Security Document Security • The Center for Security Technologies – security and privacy • Physical documents – overview • Electronic documents – steganography Washington University and the Center for Security Technologies Securing our World through Technology • Washington University – USNWR: ranked 9th nationally, top 10 in endowment – 8 Schools: Medicine, Social Work ranked 2nd • CST – interdisciplinary academic research center (50 faculty from 5 schools) – built on existing strengths in security research • Technology expected to (and will!) respond with improved solutions to threats new and existing – applies to both planned and natural attacks • Insist on coordination with law, privacy, economics, and public policy – expect reason to be applied Reasons for Document Security • Authentication/verification • Copy protection • Detection of data integrity/manipulation • Traitor tracing • Forensics • . . . Physical Documents • Includes paper, containers, objects, . . . • Produce authentic documents/articles • Authenticate genuine document • Verify data of object • Determine if copied and where copies came from • . . . Electronic Documents • Includes text, audio, video • Transmission as well as storage • Determine authenticity • Verify if altered • Protect intellectual property • Trace copies • . . . Some Considerations • Cost - including infrastructure and societal • Ease of manufacture/creation • Ease of duplication • Ease of measurement • Overt/covert • Protection or authentication • How often will it need to be examined? • Who has the right to secure or verify or clean? • Legal (do you need to have original in court) Physical Solutions • Printing – inks, wavelengths, magnetic particles, physical particles, DNA-typing, dye migration, age – secure paper – process: shifting, micro-printing • Additional materials – holograms – random particles and taggants – labels • One time use 2D bar code • Chips inside • . . . Bar Codes, Reflectives, Additives Multi-wavelength Fluorescence Angle Shifting and Tamper Evidence Secure Papers Magnetic Fingerprinting • A medium's physical microstructure – non-removable – recoverable – irreproducible, unique feature • This distribution can be quantified and used as a "fingerprint" of the object Solutions to Electronic Fraud • Digital fingerprinting and watermarking • Authentication • Traitor tracing • Storage at a TTP • PKI • Hashing/date & time stamping • . . . A bit about Bytes • 1's and 0's: a trim alphabet • bits and Bytes: usually 8 bits/Byte • kilo, Mega, Giga, Tera, Peta, Exa: 103 – kilobyte: printed page of text – Megabyte: novel – Gigabyte: movie – Terabyte: US Library of Congress – Petabyte: all US academic research libraries – Exabyte: every word produced by humans Massive Data Modern Steganography • National security/government applications • More than security: $ • Multimedia and consumer applications • . . . National Security Applications • Document authentication – official documents – international communications • Digital fingerprinting – traitor tracing • Covert communications – February 2001: USA Today reported that Osama Bin Laden used steganography to communicate with operative What is Steganography? Hiding a secret message inside of an open message – Steganography = Covered Writing • Greek word steganos means "covered" • Greek word graphia means "writing" – the existence of the secret message is not known except to those who are expecting it – extracting the secret message may require special tools Steganography Example Other Examples in History Steganography and Watermarks Steganography: The message hidden is a secret and it is not generally related to what it's hidden in Watermarking: The message embedded might not be a secret (it might not even be hidden!) and does relate to what it's in What Does Digital Mean? Representing signals (such as words, sounds, and pictures, for example) with numbers – A CD stores about 74 minutes of music with about 400 million numbers – A typical digital picture requires around a million numbers to represent Code Table to Digitize Words Digital Text "meet me behind the restaurant at midnight" 13 5 5 20 27 13 5 27 2 5 8 9 14 4 27 20 8 5 27 18 5 19 20 1 21 18 1 14 20 27 1 20 27 13 9 4 14 9 7 8 20 Digitized Sound • 3 seconds of Homer is about 30,000 numbers • What can we do with these numbers? – store them (CD, hard disk drive) – transmit them (over the Internet) – CHANGE SOME OF THEM! Hide the Message in Homer Change some of the number's in Homer's voice file into the secret message numbers – we only have to change 41 numbers out of 30,000 – will Homer sound different? – can you tell that there is a hidden message by listening to the sound? Longer Message (1,926 letters) Digital Images • A digital image is a grid of tiny squares, called pixels • Each pixel is assigned a number • A pixel's number determines it's 'color' Hiding Images within Images Hide an image of the moon in an image of Saturn. – "How much" of the moon do we want to put into Saturn? More Picture Hiding Covert Data 'Composite' Image Undetectable (unless aware) Observations • It is easy to hide small digital messages inside of larger ones • If you try to hide too much, it doesn't work very well Working to provide as much hidden information as possible without detection (e.g., distortion-compensated quantization index modulation - QIM) Digital Fingerprinting and Traitor Tracing • Digital fingerprinting – Authenticate – Who bought/sold/ . . . – Printers/copiers • Mark copies to find out where the data are being compromised Embed Biometric into Document How Good is Steganography? "Bootleg copies of Oscar-nominated movies showing up on Internet" AP January 14, 2004 • "The Last Samurai," "Something's Gotta Give," "Cold Mountain," "House of Sand and Fog" – "The Los Angeles Times reported that security features on the tape [Cold Mountain] indicated that it belonged to Ivan Kruglak, an academy member and president of a wireless data communications company." – "This year the screeners carried invisible markings for the first time; the studios were able to identify the Academy member for whom they had been intended." Securing Documents • Determine security goal • Assess cost and performance • Choose technology • Understand game theoretic aspect • Integrate/implement system Should be able to provide useable, long-term solution