Using digital watermarks to combat insiders.
TERENIN Aleksey Alekseevich, Candidate of Technical Sciences
MELNIKOV Yury Nikolaevich, Doctor of Technical Sciences, Professor
POGULYAYEV Vadim Vladimirovich
Source: magazine «Special Equipment» No. 1 2008
Information technologies are becoming increasingly important for successful business. With the help of its information system, each company organizes all internal processes and interacts with external partners, contractors, clients and government agencies. Ensuring the security and constant operability of the information system is one of the priority tasks of any company for survival in intense competition.
Much has already been written about ensuring information security, but in this article the authors draw attention to one of the methods that can be used to protect against malicious actions directed against the company from within.
As statistics show, more than 80% of incidents with an information system are initiated from within the corporate network — violations are committed by its own employees. The proposed method copes well with an internal threat, as well as with an external one.
Protection using steganography
The proposed protection method combines an electronic digital signature (EDS) with steganography, namely the embedding of digital watermarks (DW) in the document being protected.
Steganography translated from Greek means secret writing. Its use hides the very fact of the presence of a message or data transmission channel. It has been known since ancient times. Now, over the past 20 — 30 years, a new direction has been actively developing — computer steganography. This is due to the large-scale distribution of computers and computer networks. Steganography complements cryptography; it allows you to increase the level of protection of an encrypted message.
Security services are faced or may face the problem of steganography being used by attackers to organize hidden channels for leaking information from an organization. Ordinary photographs may secretly contain messages intended for reading by external recipients. Since it is almost impossible to detect the presence of a hidden message, it is necessary to take strict measures in the company's security policy and prohibit the use of any files in music, photo and video formats for non-work purposes.
Despite the development and use of statistical file analyzers to detect hidden data, steganographic inserts remain a headache for security personnel. The question arises: how can steganography be used in the interests of the defending party? To answer this question, it is necessary to analyze the basic principles of steganography.
The essence of steganography can be briefly outlined as follows.
There is data that needs to be “hidden” in a file so that after computer conversion and display of the result on the screen, the peculiarities of human perception would not allow one to see the hidden data or signs of its presence. The file to which data is added unnoticed is called a “container”. The size of the container should significantly exceed the size of the hidden data. Files of almost all popular formats can be used as a container. This can be audio data, an image, a video file, and plain text. In our case, the container is an electronic document, and the digital watermark acts as the hidden data.
Steganographic inserts can be used to keep an electronic document unalterable. Data that is invisibly added to the protected document is called a digital watermark [1], by analogy with the watermarks used by manufacturers of banknotes and other securities.
Digital watermarks (or marks) are divided into two types: visible and invisible.
Visible marks include logos and inscriptions. Such a digital watermark can be easily removed or replaced with another one using many graphic or text editors. A visible digital watermark does not withstand changes to the container itself. Note that a visible (printed) digital watermark cannot be used as material evidence, since it can be easily changed, removed or replaced. Invisible digital watermarks are built-in distortions that are invisible to the human eye. A digital watermark is the binary code of a logo or text indicating the organization (author) protecting the document and, possibly, the time of creation of the document. A logo can be protected as a trademark, or a patent can be obtained for it. In addition, a digital watermark can contain control information about confidentiality and restrictions on the use of the document.
It is also useful to include the URL (Internet address) of the protected object, e-mail address and/or other company coordinates in the marking data. Currently, a visible logo (recognition, reputation, etc.) and a hidden digital watermark are used together. This allows you to increase the overall level of security.
The embedded digital watermark provides a guarantee that the file was created in a specific document management system. The verification program is given a sample, and the digital watermark is used to determine whether the document really belongs to the system.
In the image, the watermarks are «scattered» in the least significant bits of color, which is practically unnoticeable to the human eye, although they can be detected during statistical analysis. To protect against detection, «noise» is used, which brings statistical data to a normal (average) form. The text may use a special arrangement of spaces or hyphens. At a lower level, the watermarks are embedded in the voids of files and disks, in the control elements of files, disks and network packets.
Digital watermarks can be embedded not only in static files, but also in data streams: IP telephony, video conferencing, data transmission, etc. A narrowband signal within a wide frequency range is used to mark the transmitted data. There is a key requirement for digital watermarks that makes it possible to use them for copyright protection: when the object is changed, the digital watermarks must not be significantly distorted. A good digital watermark should be such that when it is destroyed, the document itself ceases to exist.
For the digital watermark technology to provide protection, watermarks must meet the following requirements:
- individuality of the digital watermark application algorithm;
- invisibility of the mark for users;
- impossibility of digital watermark extraction by third parties;
- the ability to detect unauthorized use of a file marked with a digital watermark;
- resistance to changes in the carrier/container (change in format, size, scaling, compression, rotation, filtering, special effects, editing, analog and digital conversions).
Joint protection by digital signature and digital watermark
A security system that uses digital watermarks to protect electronic documents faces the following tasks:
- detection and prevention of attempts by an intruder to change the digital watermark;
- detection and prevention of changes (data corruption) to the container (electronic document);
- detection and prevention of simultaneous changes to both the container and the digital watermark.
To perform such tasks, the method of reversible data hiding (RDH) was invented. The essence of this method is to embed invisible control data containing information about the variable part into the protected file itself. When extracting data from a file, for example, a picture, it can be brought to its original form. In addition, it is always possible to verify whether any changes were made to the picture after the data was inserted. But this may not be enough.
In addition, as is known, a digital signature, when used as the only link in protection, does not always provide a 100% guarantee of security [2]. The authors propose the following solution, which combines the use of an EDS and a digital watermark: the entire container, with the digital watermarks embedded in it, is signed with the private key of an authorized employee. The resulting signature is transferred for storage to a certification center (CA), which also stores public keys with employee certificates. The functions of issuing certificates are also assigned to certification centers in accordance with the Federal Law «On Electronic Digital Signature».
Any company can create such a certification center in its network or use the services of an external CA provided by a third, independent party.
The latter option is especially relevant for organizing the mutual exchange of legally significant electronic documents between different organizations.
The protected file can additionally have digital timestamps of the file signing. This will allow for the organization of internal corporate control over the use of the document management system. Each legal user can use the public key from the CA to verify the authenticity and immutability of the electronic document.
A digital watermark hidden in a file serves as a guarantee that even if an intruder signs the file on his own behalf, the results of checking his signature and the digital watermark will not match and it will be possible to establish a violation. The digital watermark acts as an additional layer of protection, which is sometimes difficult to even detect, much less bypass.
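The combined check described above, as an added example that is not part of the original article: an author mark is hidden in key-selected least significant bits of a constructed byte container, the marked container is signed, and verification compares the signer with the watermark. A Lamport one-time signature (standard library only) stands in for the EDS; the function names, the 8-byte author field, the HMAC tag and all sample data are assumptions made for the illustration.

```python
import hashlib, hmac, os, random

def keygen():  # Lamport one-time key pair, a stand-in for the EDS key pair
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [tuple(hashlib.sha256(s).digest() for s in p) for p in sk]

def _bits(data):  # the 256 bits of SHA-256(data)
    d = hashlib.sha256(data).digest()
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(256)]

def sign(sk, data):  # reveal one secret per digest bit; use each key once
    return [sk[i][b] for i, b in enumerate(_bits(data))]
def verify(pk, data, sig):
    return len(sig) == 256 and all(hashlib.sha256(s).digest() == pk[i][b]
                                   for i, (b, s) in enumerate(zip(_bits(data), sig)))

def _slots(wm_key, size):  # key-seeded choice of 128 carrier bytes (demo PRNG)
    return random.Random(wm_key).sample(range(size), 128)

def embed(container, wm_key, author):
    """Hide an 8-byte author id and an 8-byte HMAC tag in keyed LSB positions."""
    ident = author.encode().ljust(8, b"\0")[:8]
    payload = ident + hmac.new(wm_key, ident, hashlib.sha256).digest()[:8]
    out = bytearray(container)
    for n, pos in enumerate(_slots(wm_key, len(out))):
        out[pos] = (out[pos] & 0xFE) | ((payload[n // 8] >> (n % 8)) & 1)
    return bytes(out)

def extract(container, wm_key):
    """Return the author id from the watermark, or None if no intact mark exists."""
    raw = bytearray(16)
    for n, pos in enumerate(_slots(wm_key, len(container))):
        raw[n // 8] |= (container[pos] & 1) << (n % 8)
    ident, tag = bytes(raw[:8]), bytes(raw[8:])
    good = hmac.new(wm_key, ident, hashlib.sha256).digest()[:8]
    return ident.rstrip(b"\0").decode() if hmac.compare_digest(tag, good) else None

def check(doc, sig, signer, ca_keys, wm_key):  # ca_keys: CA directory, name -> key
    if not verify(ca_keys[signer], doc, sig):
        return "signature invalid"
    author = extract(doc, wm_key)
    if author is None:
        return "no watermark"
    return "ok" if author == signer else f"violation: {signer} signed, mark names {author}"

def demo():
    wm_key, plain = b"constructed-key", bytes(range(256)) * 4  # constructed data
    (sk_a, pk_a), (sk_b, pk_b), (sk_c, pk_c) = keygen(), keygen(), keygen()
    ca = {"alice": pk_a, "bob": pk_b, "carol": pk_c}
    doc = embed(plain, wm_key, "alice")
    forged = bytes(b ^ 0x80 if i < 32 else b for i, b in enumerate(doc))  # bob's edit
    return [check(doc, sign(sk_a, doc), "alice", ca, wm_key),        # genuine
            check(forged, sign(sk_b, forged), "bob", ca, wm_key),    # insider re-signs
            check(plain, sign(sk_c, plain), "carol", ca, wm_key)]    # unmarked file
```

In the second case the signature itself verifies, because the insider used his own valid key; only the comparison with the hidden author mark exposes the substitution.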
Certificates for public signature keys can be issued and stored by certification authorities, which are assigned this function in accordance with the Federal Law «On Electronic Digital Signature». The certificate confirms that the public key really belongs to a certain person. In addition, the server of the certification authority can be used to store digital signatures of the authors of all created documents. The mechanism of the electronic digital signature is based on the principles of two-key asymmetric cryptography.
Protection with a digital signature works as follows: the user of the system must have two keys, private and public. Knowing one key, it is impossible to calculate the second in a reasonable time. Using the private key, a digital signature is formed for any file; it is a set of data of a fixed length. The public key is publicly available, and any user of the system who has the public key, the file being checked and the digital signature of the file can reliably establish the authorship and the fact of the file's immutability. If the file has been changed or signed by another user, the result of the signature verification will be negative. Thus, the digital signature contains (binds) data about the file being signed and the author who used the private signature key.
The simultaneous use of several technical protection measures (a digital signature, a digital watermark, and a timestamp) will significantly complicate and increase the cost of malicious actions, such as changing a container, substituting authorship, etc. Since the protection measures are used independently, overcoming one of them does not allow an intruder to change a file for his own purposes unnoticed and with impunity.
Let's say that an intruder, using expensive equipment, manages over a long period of time to find a matching digital signature for a substituted electronic document in order to pass it off as a genuine one. Having invested a lot of money, effort and time in finding the signature, the intruder will still be caught, since the document contained invisible digital watermarks of the company.
Hacking all technical means of protection often becomes economically unjustified. On the other hand, all protection can be organized programmatically and will not require large expenses.
To implement the proposed security system, it will be necessary to use certification centers and solve the problem of reliable and timely publication of public keys (PKI, Public Key Infrastructure). Some legal aspects of implementing such a system will require resolution so that the files used and the technical measures applied are legitimate and accepted for consideration by the courts, and electronic documents are recognized as legally significant.
It should be noted that programs that provide the proposed approach already exist. It is enough to use a package of programs that embed digital watermarks and sign files with an electronic signature. Currently, there are many such programs, both paid and free, including on the Internet.
Let's consider possible attacks on the proposed protection system using an EDS. The public signature key is available to everyone, including the attacker. With the public key, it is theoretically possible to calculate the private key, which will allow forging the signature of a legitimate user. To prevent this threat, it is necessary to use cryptographic keys of a length sufficient for the specified time of maintaining the confidentiality of the private key. Currently, this length is thousands of bits.
If a «weak» random number generator is used to generate a key pair (private + public), an attacker can order a sequential series of keys for himself and try to predict the next keys that will be issued to users who register after him. This will also make it possible to forge the signature of a legitimate user. To increase the level of protection, it is recommended to use a «strong» random number generation algorithm that meets a number of more stringent requirements.
A timer cannot be used to generate random numbers, since an attacker can set the time of sending a packet with great accuracy.
To generate random numbers, it is necessary to use parameters that are not available to an attacker, such as the process number or other system parameters (such as the descriptor identification number). In addition, it is necessary to apply measures to protect against studying the CA operation protocol. It is possible to replace the CA server itself, organize a denial-of-service (DoS) attack or replace the DNS server. Currently, correctly configured network programs should be able to cope with repelling such attacks. In addition, the implementation of such a threat is so obvious that the replaced server will exist only for a few hours. A browser check confirming that a connection has occurred to the right server will help against a brute-force server replacement attack.
Another cryptographic vulnerability is the selection of changes in a file in such a way that the digital signature remains consistent with the modified file. The possibility of this decreases exponentially with an increase in the length of the key used and the length of the hash function value (a one-way cryptographic function that is used in digital signature generation algorithms and digital signature verification algorithms). It is clear that it will be extremely difficult even for a computer to sort through billions of variants of a large file, since it is necessary to perform cryptographic calculations that require a lot of time and processor resources. And if this is still possible to do, the file will still contain inconspicuous digital watermarks with information about the true author of the signature.
Protection from internal intruders
Let everyone know about the existence of electronic digital signatures. If you do not notify the staff about the use of the method of embedding digital watermarks in all electronic documents of the information system, then in the event of a successful attempt to forge a signature or make unauthorized changes to a document, the digital watermark check will reveal the malicious action. These actions (an attempt to deceive the digital signature system) can be used to judge the intentionality of the act committed by the intruder. The combination of document protection using an electronic digital signature and a digital watermark will allow you to identify the culprit. Even if the user had the right at his level to use his key to generate an electronic digital signature for an immutable file, the digital watermark check will report the malicious action, because the intruder will not be able to change the watermarks. The reliability of identifying an intruder increases if the digital watermarks contain the identifiers of the users who changed or created the file. Of course, if an electronic document is entered into the document management system from outside, this will be immediately identified by the absence of any digital watermarks in the file.
As shown above, the proposed system has sufficient resistance to possible attacks, since the use of vulnerabilities in this case is expensive and resource-intensive. This allows us to recommend the proposed method as a technical measure for protecting electronic documents from both internal and external intruders.
Further development of the protection method
For more reliable protection, you can also embed the digital signature in the file container. The «hidden» digital signature will allow you to additionally control the document's immutability and its authorship.
An additional security guarantee is provided by signing the original file with a digital signature before embedding the digital watermark. The original together with the signature should be stored in a safe place, inaccessible from the external network, and in special cases from the internal one as well.
If the company has implemented or is preparing to implement processing of client questionnaires by scanning completed forms, then the data is converted into text form and enters the enterprise information system as an electronic document.
It is proposed to place inconspicuous marks on the questionnaires, which must be recognized by the appropriate program and transferred to the document management system. If the recognized form does not contain company marks, this is a reason to draw the attention of security personnel to the incoming document.
Literature
1. Genne O.V. Basic provisions of steganography. / Information security. Confidential, 2000, No. 3.
2. Melnikov Yu.N. Electronic digital signature: is it always genuine? / Banking technologies, 1995, No. 5, pp. 56-62.