The Security Newsletter

In this issue
Be our guest: Jacques Stern
In the news
USB hacksaw
Virus shares secrets
Social engineering: the USB way
The largest Mersenne prime number
Recovering secrets via simple branch prediction analysis
The DRM war: news from the front lines
Fingerprinting and filtering
Theory to practice: an audio/video fingerprint
What is the state-of-the-art content filtering technology?
Anti-piracy in theaters

Published quarterly by: Thomson Corporate Research, part of the Technology Division
Technical Editor: Eric Diehl
Editors: Nicholas de Wolff, Elizabeth Marx
Contributors: Michael Arnold, Jeffrey Bloom, Olivier Courtay, Alain Durand, Didier Doyen, Marc Joye, Mohamed Karroumi, Frédéric Lefebvre, Yves Maetz, Stéphane Onno, Jacques Stern (ENS)
SBU Technology Head: Jean-Charles Hourcade

005 will probably remain, in the history of security, as the year that marked the first successful attack on SHA-1, the cryptographic hash function standard (see Security Newsletter N 1). In reaction, the US National Institute of Standards and Technology (NIST) initiated a process to select the successor to SHA-1. NIST has already standardized several cryptographic functions such as DES, AES or SHA-1.

This summer, NIST disclosed its tentative schedule: a five-year long public process. During the first year, the requirements of the new algorithm will be defined, followed by three successive rounds of evaluation over the next three years to select the final candidate. Each round will study the candidates, evaluate the attacks and eliminate the weakest candidates. The worldwide cryptographic community will participate in this process. At the end of this process, NIST will draft the standard, collect comments, and publish the new standard cryptographic function. The final publication should be in th quarter 01.

In our ever-faster paced world, this may seem incomprehensibly long. In the security world, this is normal. Basic cryptographic functions and protocols are the foundations of all secure systems. Weak foundations make for poor construction. Serious security requires two things: time and careful scrutiny. NIST rightfully incorporates both components into its process.

The Security Newsletter is glad to welcome recent CNRS gold medal recipient Jacques Stern. Jacques is a well-known cryptographer. Thomson and Jacques have collaborated for more than ten years.

E. DIEHL, Technical Editor
security.newsletter@thomson.net
Copyright Thomson 006

Be our guest: Jacques Stern (ENS)
Interview by A. DURAND

Jacques, we would first like to congratulate you for your recent CNRS Gold Medal award. Could you explain what the award is for?

Since 195, the CNRS Gold Medal is a yearly distinction awarded to a French researcher for the whole of his scientific work. Sixty scientists have already been honored, including seven Nobel and two Fields Medal laureates. Furthermore, this is the first time it has been awarded to a computer scientist.

What are the current trends in Cryptology research?

I foresee the continuing effort in research of both foundations and applications. As for theory, the past twenty years have been mostly dedicated to block ciphers analysis, the study of RSA and security proofs. These domains are now quite well understood even if some progress can still be expected. The three main domains for further research are hash functions; stream ciphers; and security proofs for protocols involving many parties and many cryptographic primitives (e.g. multi-party computation or composition). Finally, some surprises and new fields may turn up. For instance, it is amazing that zero knowledge was proposed ten years ago only after the discovery of public key cryptography.

You just mentioned hash functions. What do you think about the process set up by the NIST?

The process is similar to the one used to come up with AES and it was a good process. However, when the AES process started, cryptanalysis of block ciphers was already well studied. This is not the case for hash functions. There is indecision on whether we should base new hash functions designed on the same constructions and design them to counter known attacks or if we should start the work over which would take at least 15 years. As a conclusion, we need to stand back, pay attention, and not rush too quickly towards a given direction.

And what about the future of cryptographic applications?

Many applications already use cryptography but I can think of several new fields. First, electronic voting has been subject to much research. What is disturbing is that none of the currently deployed systems actually use these results. We know however, that cryptography is necessary to guarantee trust in election results. I suppose more research is needed to let research and industry solutions converge. The second is of particular interest to Thomson. DRM security is a very difficult problem that cannot be solved without the help of cryptography. The challenge is that the whole cryptographic environment is controlled by the adversary (i.e. the end user) which is not a usual assumption. Thus, we need to develop original solutions. Finally, it is surprising that there are so few examples of mass deployment of public key cryptography 30 years after its invention. If it were to spread, we would certainly have to face new problems.

In the News

USB hacksaw

Hack5 is a monthly internet television show which presents the latest hacks. The last show introduced the USB Hacksaw. Hacksaw stealthily copies files off USB drives inserted into a PC and sends them out to an address. The hack is a modified version of the USB dumper org/. It targets a specific U3 Enabled USB Flash Drive, which the computer handles as a CD-ROM drive that can load auto-run applications. Hence, the hack can automatically infect Windows PCs. The attack works with any USB autorun disk.

Once installed, Hacksaw downloads the contents of any inserted flash drive. Then, it silently archives the stolen data, establishes a connection to a smtp.gmail.com address, and uploads the stolen data. Finally, it removes all traces of its presence. A more dangerous version can propagate onto any installed drive, thus enabling it to infect other systems. This is the first reported case of an actual worm driven by a USB flash drive.

Some simple measures should mitigate the risks. First, deactivate Autorun. For instance, hold down the Shift key when plugging a nontrusted USB device into your computer. Second, do not trust unknown PCs, or at least make sure that your flash drive holds no confidential information. Finally, run up-to-date antivirus software.

S. ONNO

Virus shares secrets

Malware named Antinny targets Winny, a popular Japanese file sharing software. Antinny disguises itself as an interesting file for eager file sharers. Once executed, Antinny selects random files on the hard disk, distributes them and then hides itself to propagate further. There are already more than 50 variants of this virus. Many business and security secrets have already been disclosed, such as an airport password to a secure area and Japanese defense plans. The recommended countermeasure is to banish Winny from computers. Antinny is the first known virus that exploits the file sharing capabilities of PP networks. Is this a new breed of risk?

E. DIEHL

Social engineering: the USB way

Social engineering refers to the nontechnological attacks that influence someone to reveal a secret [1]. It requires contact, often via the phone, between the attacker and the employee, to exert this influence. A new kind of social engineering-based intrusion attack [] recently appeared. The exploited vulnerability is people's curiosity. The vector is a hacked USB key.

Here is the recipe: develop a Trojan that collects interesting information and stealthily sends it to a Gmail account. Install the Trojan on USB keys. Disseminate these keys around the targeted company (parking lot, smoker area), as if lost. Then wait for the information to flow into your mailbox.

How does it work? An employee finds a USB key, grabs it, and plugs it into his computer. This launches the Trojan, which stealthily sends out the critical data. Compared to other social engineering techniques, this attack is easy and cheap to perform on a large scale. Moreover, it is difficult to track the origin of the attack. With the development of new easy-to-use USB hacking tools like Hacksaw, anybody can do it. Think about it the next time you plug in an unknown USB key.

Y. MAETZ

The largest Mersenne prime number

Recently two world records for the largest Mersenne prime number were announced: the 3rd and the th Mersenne primes, discovered respectively on December 15, 005 and on September, 006, by the same team at the Central Missouri State University (CMSU). The th has 9,808,358 digits and is 650,000 digits larger than the 3rd. Tony Reix, of Bull S.A. Research Center in Grenoble, France, using 16 Itanium 1.5 GHz CPUs, verified the records.

A Mersenne prime is a prime number that can be written as M p = p 1. The exponent p must be prime for M p to be prime, but the converse is not true. These numbers were named for a famous French mathematician, Marin Mersenne, who studied these numbers more than 350 years ago. He did not invent the Mersenne numbers, but he provided a list of those that are prime until the 57th exponent. Unfortunately, the list was not correct: he wrongly included 67 and 57, and missed 61, 89 and 187.

Mersenne primes have the remarkable property that every such prime corresponds to exactly one perfect number, i.e. a number equal to the sum of its proper divisors. If M p is a Mersenne prime then M p. (M p +1)/ is a perfect number. For instance, 6 = 1xx3 = 1++3 is a perfect number which corresponds to the Mersenne prime M = -1 = 3.

The Electronic Frontier Foundation (EFF) offers a $100,000 award for the first 10-million-digit prime number. This last record was very near to taking home the award. The table below lists the last ten known Mersenne primes, their discovery dates and those who discovered them.

Mersenne prime searches have led to important advances in Fast Fourier Transforms as well as to the discovery of computer hardware problems via rigorous stress testing. Moreover, finding large primes is at the heart of public key cryptography. Mersenne primes permit efficient implementation of arithmetic operations (e.g. modular exponentiation in Elliptic Curve cryptography).

M. KARROUMI

Table 1: The last ten Mersenne prime records
# Name Exponent p Digits Discovery Discoverer
1 M35 1,398,69 0,91 Nov. 1, 1996 Joel Armengaud/GIMPS
M36,976,1 895,93 Aug., 1997 Gordon Spence/GIMPS
3 M37 3,01, ,56 Jan. 7, 1998 Roland Clarkson/GIMPS
M38 6,97,593,098,960 Jun. 1, 1999 Nayan Hajratwala/GIMPS
5 M39 13,66,917,053,96 Nov. 1, 001 Michael Cameron/GIMPS
6 M0 0,996,011 6,30,30 Nov. 17, 003 Michael Shafer/GIMPS
7 M1,036,583 7,35,733 May 15, 00 Josh Findley/GIMPS
8 M 5,96,951 7,816,30 Feb. 18, 005 Martin Nowak/GIMPS
9 M3 30,0,57 9,15,05 Dec. 15, 005 Curtis Cooper and Steven Boone/GIMPS
10 M 3,58,657 9,808,358 Sep., 006 Curtis Cooper and Steven Boone/GIMPS

Recovering secrets via simple branch prediction analysis

Recent press releases reported a new security flaw that could affect the security of Internet transactions. O. Acıiçmez, Ç.K. Koç, and J.-P. Seifert pointed out this flaw, improving on their previous results, which will be presented at RSA007. The authors exploit the branch prediction capabilities that modern computer architectures use to boost performance. The timing information resulting from a correct or incorrect prediction is then used to infer secret information. This attack was applied to an OpenSSL RSA implementation and allowed almost all the secret key bits to be collected from a single RSA signing execution. We will analyze this attack in the next issue of the Security Newsletter.

M. JOYE
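The root cause named in the branch prediction article above is a conditional branch whose outcome depends on a secret key bit. The following added example is not part of the original newsletter and is not OpenSSL code: it is a simplified Python model that records the key-dependent branch outcomes of a textbook square-and-multiply, compares them with a Montgomery ladder that has no such branch, and includes a check that flags key-dependent control flow. The base, modulus and exponents are constructed toy values.

```python
"""Simplified control-flow model (constructed for illustration).

Python big-integer arithmetic is not constant-time; the point here is only
which conditional branches depend on the secret exponent.
"""


def modexp_branching(base, exponent, modulus):
    """Left-to-right square-and-multiply with a branch on each key bit."""
    result, trace = 1, []
    for bit in bin(exponent)[2:]:
        result = result * result % modulus
        if bit == "1":                      # branch outcome == secret bit
            result = result * base % modulus
            trace.append("taken")
        else:
            trace.append("not-taken")
    return result, trace


def modexp_ladder(base, exponent, modulus):
    """Montgomery ladder: one multiply and one square per bit, no key branch."""
    r0, r1, trace = 1, base % modulus, []
    for bit in bin(exponent)[2:]:
        b = int(bit)
        t = (r0 ^ r1) * b                   # arithmetic conditional swap
        r0 ^= t
        r1 ^= t
        r1 = r0 * r1 % modulus
        r0 = r0 * r0 % modulus
        t = (r0 ^ r1) * b                   # swap back
        r0 ^= t
        r1 ^= t
        trace.append("none")                # no conditional branch on the bit
    return r0, trace


def trace_depends_on_key(modexp, base, modulus, keys):
    """True if the recorded branch trace differs between keys of equal length."""
    traces = {tuple(modexp(base, k, modulus)[1]) for k in keys}
    return len(traces) > 1


if __name__ == "__main__":
    BASE, MODULUS = 65, 3233                # constructed toy values
    KEYS = [0b101101, 0b110011]             # two 6-bit toy exponents
    for name, fn in (("branching", modexp_branching), ("ladder", modexp_ladder)):
        leaks = trace_depends_on_key(fn, BASE, MODULUS, KEYS)
        print(f"{name}: branch trace depends on key = {leaks}")
```

The same comparison of traces across keys can be used as a regression test for any exponentiation routine that exposes its control-flow decisions.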

The DRM war: news from the front lines

Recently, Windows DRM and Apple's FairPlay were successfully cracked. This article analyzes the attacks, the associated threats and the counter strikes.

The first version of Windows DRM appeared in 1999; the latest version, DRM v10, arrived in 00. Though regularly cracked, the protection is regularly updated. DRM v10 was already cracked in 005, but the hack was not easily usable for non-specialists. In August 006, the FairUseWM software appeared, which is very simple to use. Removing protection from a file requires only a few mouse clicks. Actually, FairUseWM calls the Windows Media Player. When the Windows Media Player reads a protected file, it stores the decryption key in memory. FairUseWM recovers the key from this memory.

Nine days after FairUseWM appeared, Microsoft proposed an update countering this software. We can conclude that Microsoft did not consider modifying its DRM to counter this vulnerability as long as the vulnerability was not perceived as exploitable. Unfortunately, three days later, a new version of FairUseWM appeared that again broke the DRM protection. A hypothesis to explain the quick reaction of the anonymous FairUseWM author is that the vulnerability used is unknown to Microsoft. Thus, the patch did not correct the vulnerability but just disturbed the FairUseWM software. Interestingly, the FairUseWM software is itself protected against reverse engineering (the method used to understand the internal algorithm of software). The author hides how his software works, probably to hide the exploited vulnerability.

Only Apple devices have access to the music sold by istore. Only istore can sell protected music that is usable on Apple devices. A perfect synergy to sell Apple devices. Famous hacker DVD Jon threatens this control. DVD Jon cracked the protection of the DVD when he was 15 years old. DVD Jon (his true name is Jon Lech Johansen) found a vulnerability in the FairPlay protocol. He can retrieve protected content from FairPlay without loss of quality. Even more interesting, he can create FairPlay protected content.

Software like QTFairUse6 retrieves protected content. QTFairUse6 launches iTunes and reads the unprotected song from RAM. Other software like jhymn can directly retrieve songs by deciphering content, but only for iTunes 6 and not for iTunes 7.

Using this hack, any music provider could sell FairPlay protected music without Apple and thus gain access to the iPod's marketplace. Manufacturers of portable music readers could enable users to buy music on istore and still use their devices. Apple's business model of dependence is under attack.

Microsoft sued the anonymous author of the FairUseWM software. Strangely, Apple has not yet sued Jon Lech Johansen. A possible explanation could be the consequence if Apple were to lose the case. If that happened, Apple's competitors could legally threaten Apple's monopoly.

O. COURTAY

Fingerprinting and filtering

Theory to practice: an audio/video fingerprint

A multimedia fingerprint feature extraction algorithm typically consists of six modules: preprocessing, segmentation, transformation, feature extraction, postprocessing and modeling.

First, the original content is converted into a normalized digital format. Then the signal is segmented into periods, taking into account the stationarity of the underlying acoustic/visual features. This process ensures robustness against misalignment in the time domain during the matching process. In the next step, the sample is transformed (into the frequency domain) in order to reduce redundancy. Representative features are extracted using the perceptually relevant parameters of the human auditory/visual system. The aim of the post-processing is to normalize measurements and to ease fingerprint matching. Finally, modeling the fingerprint is a pre-condition for selecting the appropriate distance metric for the matching process.

The research challenge is to design a robust fingerprint that enables a fast searching mechanism in a database with millions of fingerprints.

What is the state-of-the-art content filtering technology?

Identifying and filtering video/audio content has become a hot topic for online multimedia entertainment websites. Copyright owners fight illegal distribution over file sharing sites such as YouTube, GUBA, MySpace, iMesh and Snocap. To manage the digital rights and upload control, YouTube, GUBA and MySpace developed innovative filtering based on fingerprinting.

To secure their business, the four main actors in online file sharing negotiated with copyright owners:
- YouTube with CBS Corp, Warner Music Group, Vivendi's Universal Music Group and Sony BMG Music Entertainment.
- MySpace with FOX and Major League Baseball (they also announced a partnership with Snocap).
- GUBA with Sony, Warner Bros and more recently the MPAA.
- Snocap with Universal Music Group, Warner Music Group, SONY BMG Music Entertainment, EMI, TVT Records, Artemis Records/Sheridan Square Entertainment, and independent music companies.

A content-filtering technology is efficient if a movie or a music track is identified by its content instead of its binary representation. It should not depend on the format, resolution or file size of the content. This is extremely challenging. Ronald Maandonks, CEO of Philips Content Identification Unit, explains that distortions, also called attacks, make the matching process difficult: "The process is pretty simple when the content is the exact same; it's much more challenging when the content has been changed due to scaling, cropping or conversion to another comprehension format."

For instance, GUBA developed an in-house perceptual hash technology, called Johnny [3], based on spatial-temporal wavelet decomposition. Regarding the scene changes, the video is split into fragments (also called snapshots) and compressed into a more compact representation of the so-called time fingerprint. Each fingerprint is stored in a database. When a video is uploaded to the GUBA website, Johnny transcodes the uploaded file into their own format, extracts the time signature and automatically compares it to the database. In the case of correct matching, the video is flagged for human verification. Human examination shows that 1% of flagged content is identified as false positive (not copyrighted). GUBA also claims an accuracy of 90% when a video sample exceeds 3 minutes.

Accuracy rate is a complex topic. It depends highly on the context: duration of the original sequence, duration of the copy, manipulations (attacks) applied to the original. The stronger the attack - a camcorder for example - the harder it is to correctly identify a copy.

According to Rob Bennett, general manager of MSN Entertainment, Microsoft is working on a similar technology to monitor content available on MSN Soapbox, a YouTube-like platform. This online file sharing site is currently in beta version.

The PP network iMesh adopted an audio fingerprint technology from Audible Magic. Audible Magic, GraceNote and Relatable are the main actors in audio fingerprinting. Audible Magic recently licensed a video fingerprint technology called Motional Media ID, invented by David W. Stebbings (ex-senior Vice President of Technology for the RIAA).

MPAA will be benchmarking video and audio fingerprint algorithms []. All major actors, including Thomson, are expected to be candidates. The MPAA will take into consideration realistic attacks (camcorder, scaling, frame rate changes, DivX compression) and usage scenarios (PP: full-length video and online file sharing: snippets of video).

F. LEFEBVRE, M. ARNOLD

Anti-piracy in theaters

According to the Motion Picture Association of America (MPAA), Hollywood loses billions of dollars a year on illegal copies of movies. It is difficult to evaluate the real loss precisely. Any pirated copy arriving on the black market during the exploitation window - when the film is in the theaters - will have a direct impact on studio profit. Furthermore, illegal copies already affect future DVD sales, which represent more than 60% of revenue for a blockbuster.

Among all forms of piracy, illegal in-theater camcording represents a major attack. Pirated DVDs, using camcorded bootlegs, are on the black market very soon after the opening of a movie. The pirate industry is very efficient; a film shot in a US theater is sent to Asia for DVD replication and back to the US to be sold roughly three or four days later.

The quality of a camcorder copy can vary greatly. At one extreme, when the pirate has the cooperation of a theatre employee, the quality can be so good that a buyer or viewer of this content may not be aware that it is an unauthorized copy. At the other extreme, the copy can be blurry, warped, cropped and can even contain the heads of other audience members. The audio can similarly contain auditorium and audience noise. However, if the price is low enough, the customer will often accept a relatively high degree of degradation.

There are three main ways to prevent illegal camcording in theatres.

The first is to detect a recording camcorder in the theatre. There are some low-tech solutions such as screening at the entry of the theater or night vision goggles. Several companies have already proposed more high-tech approaches: the detection of camcorder electronic signatures and the detection of optic elements are avenues currently pursued by researchers. This track is very challenging. To remain discreet, the pirates must be creative in their art of stealth. It is very difficult to distinguish a camcorder from other legitimate devices that could be present in a theatre. It is difficult to optically distinguish the lens of a camcorder from a pair of eyeglasses. It is clear that false positive detections remain a problem for any of these technologies. A well-known social engineering technique is to voluntarily trigger a large bunch of false positive events. After a while, the guardians will give up. Nevertheless, the potential of such approaches remains high, as they have the great advantage of being independent of the projection technology and thus independent of the evolution from analog to digital.

The second approach is to flood the camcorder sensors by emitting infrared light beams towards the audience. A simple countermeasure is to add the right infrared filter on the lens. However, this approach may thwart most novice pirates.

The third approach is to degrade the quality of the recorded content. This is extremely challenging. The anti-camcorder technology must fulfill several requirements:
- It must be transparent to legitimate spectators in the theatre, a group that includes golden eyes and color blind viewers. The technology cannot introduce any perceptible artifacts into the content.
- The recorded distortion must be disturbing enough to discourage the pirate. We have seen that pirates will accept poor quality copies, but a message such as "illegal copy" appearing can also have a deep impact on the value of illegal material.
- It must be effective on all camcorders.

Once these basic technical requirements are met (invisibility and a discouraging jamming effect), other requirements are mandatory to transform a technology into a success story:
- Robustness to removal attempts.
- Upgradeability of the system to be ahead in the race with pirates.
- Low additional cost of technology.

Robustness means that the pirate must not be able to use processing tools to remove the jamming effect. If removal is possible, then at least it must take many days to achieve. Anti-camcorder technology would be successful if it delayed the availability of pirated DVDs by at least two weeks.

The additional cost of introducing the technology is a challenge. Current efforts are focused on digital projection environments, as the required signal processing technology is readily available in that environment. This is an advantage since most theatres will migrate towards digital cinema in the coming years, but it is mandatory not to miss this window.

Technical solutions that modify the displayed content influence the architecture of both server and projector. They can require significant changes in the optical engine of the projector, in the addressing scheme of the DMD or in the data path of the server. All of these aspects require a strong collaboration with manufacturers, including Texas Instruments for DLP projectors. These manufacturers must be convinced that in the end the additional cost will bring a final benefit for all cinema stakeholders.

There are two distinct approaches.

The first, called the temporal modulation approach, exploits one difference between the camcorder and the human eye. The camcorder is a sampling device, whereas the human eye is not. Shannon's theorem says that the aliasing effect appears if we sample any signal having a frequency above half the sampling frequency. For a 60Hz camcorder it means any frequency above 30Hz. The idea is then to introduce a signal higher than 30Hz inside the video content. This is technically possible thanks to the flexibility of the addressing scheme of DLP projectors, which can display pictures at 1Hz.

The first requirement for anti-camcorder technology is to remain invisible to the spectator. The frequency modulation must be set in a range where the eye does not perceive it. This means above the flicker sensitivity curve of the eye, i.e. above 50Hz. There is a range of frequency, between 50Hz and 60Hz, where the temporal modulation can introduce aliasing on the camcorder without being visible to the eye. Unfortunately, the sensitivity curve is only correct in static conditions. When we move our eyes or even when we eat popcorn, the continuous integration of the eye is modified and we are able to distinguish frequencies higher than 50Hz. Another limitation is the electronic shutter of camcorders. Some camcorders have adjustable electronic shutters with variable integration periods (e.g., up to 1/15s). This trick introduces a blurring effect and reduces the amount of aliasing introduced.

The second approach, called the metamerism approach, exploits the difference between a camcorder and the human eye in the color domain. Metamerism is the capacity of the eye to perceive the same color even if the visual spectrum that generates this perception is different. In other words, we can create the same yellow perception for the eye with a 3-primary projector (RGB) or with a -primary projector (RGB + Cyan primary for instance). Meanwhile, the camcorder has only three sensors (RGB) with fixed sensitivity curves. In general, it does not perceive color the same as the human eye. If a part of the picture is displayed with the 3-primary system and the rest with the -primary, the eye will not perceive any difference. On the other hand, the camcorder will get a disrupted picture.

The primary challenge is invisibility. As this method relies on color perception, the wide variation of color perception in the population must be considered. Color blindness introduces an interesting subpopulation. Within the constraints of transparency, a successful technology will introduce significant color distortion in the camcorder capture. Implementation cost is a significant challenge. Using more than three primaries in the projection system requires a modification of the optical engine of the projector. An intermediate solution uses a second projector. Nevertheless, the final solution should integrate the four primaries in the same projector.

In conclusion, anti-camcording technology is mandatory to prevent piracy in the cinema business. Several approaches are possible, with their corresponding technical challenges and limitations. Nothing is easy but solutions are possible. This is a promising battlefield.

D. DOYEN, J. BLOOM

Where will we be?

Bertrand Chupeau, Ayoub Massoudi and Frédéric Lefèbvre, Automatic Estimation and Compensation of Geometric Distortions in Video Copies, Visual Communications and Image Processing 007, San Jose, California, USA, January 8 - February 1, 007

Jun Tian and Jeffrey A. Bloom, A Marker Code for Temporal Synchronization, Security and Watermarking of Multimedia Contents IX, San Jose, California, USA, January 8 - February 1, 007

Benoît Chevallier-Mames and Marc Joye, A Practical and Tightly Secure Signature Scheme Without Hash Function, RSA Conference 007, San Francisco, USA, February 5-9, 007

References
[1] K. Mitnick, The Art of Deception: Controlling the Human Element of Security
[] Steve Stasiukonis, Secure Network Technologies Inc. asp?doc_id=95556
[3] com
[]
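The temporal modulation approach in the anti-piracy article above, and its stated limitation (a longer camcorder shutter integration reduces the aliasing), can be worked through numerically. The following is an added example, not part of the original newsletter: it models a luminance modulation captured by a 60Hz camcorder and measures the flicker that lands in the recording. The 55Hz modulation frequency, the 10% modulation depth and the 1/250s short shutter are assumed values chosen for illustration.

```python
import cmath
import math


def alias_frequency(f_mod, f_sample):
    """Apparent frequency of f_mod after sampling, folded into 0..f_sample/2."""
    r = f_mod % f_sample
    return min(r, f_sample - r)


def shutter_attenuation(f_mod, shutter_s):
    """Amplitude factor |sinc(f*T)| caused by integrating light for T seconds."""
    x = f_mod * shutter_s
    return 1.0 if x == 0 else abs(math.sin(math.pi * x) / (math.pi * x))


def capture(f_mod, f_sample, shutter_s, n_frames, depth=0.1):
    """Frame n = mean over the shutter window of 1 + depth*cos(2*pi*f_mod*t)."""
    w = 2 * math.pi * f_mod
    frames = []
    for n in range(n_frames):
        t0 = n / f_sample
        # exact integral of cos(w*t) over [t0, t0 + shutter_s]
        integral = (math.sin(w * (t0 + shutter_s)) - math.sin(w * t0)) / w
        frames.append(1.0 + depth * integral / shutter_s)
    return frames


def dominant_flicker(frames, f_sample):
    """(frequency in Hz, amplitude) of the strongest non-DC DFT component."""
    n = len(frames)
    best = (0.0, 0.0)
    for k in range(1, n // 2 + 1):
        c = sum(x * cmath.exp(-2j * math.pi * k * i / n)
                for i, x in enumerate(frames))
        amp = 2 * abs(c) / n
        if amp > best[1]:
            best = (k * f_sample / n, amp)
    return best


if __name__ == "__main__":
    F_MOD, F_CAM = 55.0, 60.0          # assumed modulation, camcorder frame rate
    for shutter in (1 / 250, 1 / 60):  # assumed short shutter vs full-frame shutter
        freq, amp = dominant_flicker(capture(F_MOD, F_CAM, shutter, 60), F_CAM)
        print(f"shutter {shutter:.4f}s: flicker at {freq:.0f}Hz, amplitude {amp:.4f}")
```

With these assumed values the 55Hz modulation shows up in the recording as 5Hz flicker, and lengthening the shutter from 1/250s to 1/60s cuts its amplitude by roughly a factor of ten.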


More information

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime sponsored by Introduction

More information

Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation. By Marc Ostryniec, vice president, CSID

Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation. By Marc Ostryniec, vice president, CSID Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation By Marc Ostryniec, vice president, CSID The increase in volume, severity, publicity and fallout of recent data breaches

More information

Protection for Mac and Linux computers: genuine need or nice to have?

Protection for Mac and Linux computers: genuine need or nice to have? Protection for Mac and Linux computers: genuine need or nice to have? The current risk to computers running non-windows platforms is small but growing. As Mac and Linux computers become more prevalent

More information

Practical guide for secure Christmas shopping. Navid

Practical guide for secure Christmas shopping. Navid Practical guide for secure Christmas shopping Navid 1 CONTENTS 1. Introduction 3 2. Internet risks: Threats to secure transactions 3 3. What criteria should a secure e-commerce page meet?...4 4. What security

More information

Assessing the Security of Hardware-Based vs. Software-Based Encryption on USB Flash Drives

Assessing the Security of Hardware-Based vs. Software-Based Encryption on USB Flash Drives Assessing the Security of Hardware-Based vs. Software-Based Encryption on USB Flash Drives Main Line / Date / Etc. June May 2008 2nd Line 80-11-01583 xx-xx-xxxx Revision 1.0 Tagline Here Table of Contents

More information

Authentication requirement Authentication function MAC Hash function Security of

Authentication requirement Authentication function MAC Hash function Security of UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy

More information

DIGITAL RIGHTS MANAGEMENT SYSTEM FOR MULTIMEDIA FILES

DIGITAL RIGHTS MANAGEMENT SYSTEM FOR MULTIMEDIA FILES DIGITAL RIGHTS MANAGEMENT SYSTEM FOR MULTIMEDIA FILES Saiprasad Dhumal * Prof. K.K. Joshi Prof Sowmiya Raksha VJTI, Mumbai. VJTI, Mumbai VJTI, Mumbai. Abstract piracy of digital content is a one of the

More information

Chapter 1: Introduction

Chapter 1: Introduction Chapter 1 Introduction 1 Chapter 1: Introduction 1.1 Inspiration Cloud Computing Inspired by the cloud computing characteristics like pay per use, rapid elasticity, scalable, on demand self service, secure

More information

SanDisk Enterprise Secure USB Flash Drive Security Vulnerability

SanDisk Enterprise Secure USB Flash Drive Security Vulnerability SanDisk Enterprise Secure USB Flash Drive Security Vulnerability Device CD-ROM partition can be a host for malware and crimeware February 2009 Introduction After my recent experiences with the Read Only

More information

Technical Standards for Information Security Measures for the Central Government Computer Systems

Technical Standards for Information Security Measures for the Central Government Computer Systems Technical Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 2.1 General...

More information

M-Shield mobile security technology

M-Shield mobile security technology Technology for Innovators TM M-Shield mobile security technology making wireless secure Overview As 3G networks are successfully deployed worldwide, opportunities are arising to deliver to end-users a

More information

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 1 (rev. 1) Professor M. J. Fischer September 3, 2008 1 Course Overview Lecture Notes 1 This course is

More information

Safer data transmission using Steganography

Safer data transmission using Steganography Safer data transmission using Steganography Arul Bharathi, B.K.Akshay, M.Priy a, K.Latha Department of Computer Science and Engineering Sri Sairam Engineering College Chennai, India Email: arul.bharathi@yahoo.com,

More information

CRYPTOGRAPHY IN NETWORK SECURITY

CRYPTOGRAPHY IN NETWORK SECURITY ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can

More information

Anti-Virus Comparative

Anti-Virus Comparative Anti-Virus Comparative Performance Test Impact of Anti-Virus Software on System Performance Microsoft Forefront Endpoint Protection (Release Candidate) Language: English November 2010 Last Revision: 13

More information

Fighting product clones through digital signatures

Fighting product clones through digital signatures Paul Curtis, Katrin Berkenkopf Embedded Experts Team, SEGGER Microcontroller Fighting product clones through digital signatures Product piracy and forgery are growing problems that not only decrease turnover

More information

The Misuse of RC4 in Microsoft Word and Excel

The Misuse of RC4 in Microsoft Word and Excel The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.a-star.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft

More information

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines 1. Implement anti-virus software An anti-virus program is necessary to protect your computer from malicious programs,

More information

WEB ATTACKS AND COUNTERMEASURES

WEB ATTACKS AND COUNTERMEASURES WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Secure USB Flash Drive. Biometric & Professional Drives

Secure USB Flash Drive. Biometric & Professional Drives Secure USB Flash Drive Biometric & Professional Drives I. CONTENTS II. INTRODUCTION... 2 OVERVIEW... 2 COPYRIGHTS AND TRADEMARKS... 2 III. SECURE FLASH DRIVE... 3 DESCRIPTION... 3 IV. MODULES OF SECURE

More information

Protect your personal data while engaging in IT related activities

Protect your personal data while engaging in IT related activities Protect your personal data while engaging in IT related activities Personal Data (Privacy) Ordinance Six Data Protection Principles Principle 1 purpose and manner of collection of personal data Collection

More information

Deep Security Vulnerability Protection Summary

Deep Security Vulnerability Protection Summary Deep Security Vulnerability Protection Summary Trend Micro, Incorporated This documents outlines the process behind rules creation and answers common questions about vulnerability coverage for Deep Security

More information

Self-Encrypting Hard Disk Drives in the Data Center

Self-Encrypting Hard Disk Drives in the Data Center Technology Paper Self-Encrypting Hard Disk Introduction At least 35 U.S. states now have data privacy laws that state if you encrypt data-at-rest, you don t have to report breaches of that data. U.S. Congressional

More information

Comparison of Enterprise Digital Rights Management systems

Comparison of Enterprise Digital Rights Management systems Comparison of Enterprise Digital Rights Management systems M.H. van Beek Master Thesis Computer Science MT Advice report Aia Software Thesis number 565 June 22, 2007 Radboud University Nijmegen Computer

More information

Hackers: Detection and Prevention

Hackers: Detection and Prevention Computer Networks & Computer Security SE 4C03 Project Report Hackers: Detection and Prevention Due Date: March 29 th, 2005 Modified: March 28 th, 2005 Student Name: Arnold Sebastian Professor: Dr. Kartik

More information

128-Bit Versus 256-Bit AES Encryption

128-Bit Versus 256-Bit AES Encryption Technology Paper 128-Bit Versus 256-Bit AES Encryption Authentication Module Encryption Engine Background There is some confusion around the market for full disk encryption (FDE) products. Seagate Technology

More information

Getting a Secure Intranet

Getting a Secure Intranet 61-04-69 Getting a Secure Intranet Stewart S. Miller The Internet and World Wide Web are storehouses of information for many new and legitimate purposes. Unfortunately, they also appeal to people who like

More information

How To Protect Your Network From Attack From A Virus And Attack From Your Network (D-Link)

How To Protect Your Network From Attack From A Virus And Attack From Your Network (D-Link) NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls (DFL-260/860) integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content Filtering

More information

Secure cloud access system using JAR ABSTRACT:

Secure cloud access system using JAR ABSTRACT: Secure cloud access system using JAR ABSTRACT: Cloud computing enables highly scalable services to be easily consumed over the Internet on an as-needed basis. A major feature of the cloud services is that

More information

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information

Security in Android apps

Security in Android apps Security in Android apps Falco Peijnenburg (3749002) August 16, 2013 Abstract Apps can be released on the Google Play store through the Google Developer Console. The Google Play store only allows apps

More information

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security ITSC Training Courses Student IT Competence Programme SI1 2012 2013 Prof. Chan Yuen Yan, Rosanna Department of Engineering The Chinese University of Hong Kong SI1-1 Course Outline What you should know

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC

More information

2012 Bit9 Cyber Security Research Report

2012 Bit9 Cyber Security Research Report 2012 Bit9 Cyber Security Research Report Table of Contents Executive Summary Survey Participants Conclusion Appendix 3 4 10 11 Executive Summary According to the results of a recent survey conducted by

More information

APWG. (n.d.). Unifying the global response to cybecrime. Retrieved from http://www.antiphishing.org/

APWG. (n.d.). Unifying the global response to cybecrime. Retrieved from http://www.antiphishing.org/ DB1 Phishing attacks, usually implemented through HTML enabled e-mails, are becoming more common and more sophisticated. As a network manager, how would you go about protecting your users from a phishing

More information

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

More information

Data Security 2. Implement Network Controls

Data Security 2. Implement Network Controls UNIT 19 Data Security 2 STARTER Consider these examples of computer disasters. How could you prevent them or limit their effects? Compare answers within your group. 1 You open an email attachment which

More information

CipherShare Features and Benefits

CipherShare Features and Benefits CipherShare s and CipherShare s and Security End-to-end Encryption Need-to-Know: Challenge / Response Authentication Transitive Trust Consistent Security Password and Key Recovery Temporary Application

More information

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

More information

Security in Near Field Communication (NFC)

Security in Near Field Communication (NFC) Security in Near Field Communication (NFC) Strengths and Weaknesses Ernst Haselsteiner and Klemens Breitfuß Philips Semiconductors Mikronweg 1, 8101 Gratkorn, Austria ernst.haselsteiner@philips.com klemens.breitfuss@philips.com

More information

Executive Brief for Sharing Sites & Digital Content Providers. Leveraging Hybrid P2P Technology to Enhance the Customer Experience and Grow Profits

Executive Brief for Sharing Sites & Digital Content Providers. Leveraging Hybrid P2P Technology to Enhance the Customer Experience and Grow Profits Executive Brief for Sharing Sites & Digital Content Providers Leveraging Hybrid P2P Technology to Enhance the Customer Experience and Grow Profits Executive Summary The Opportunity/Challenge The revenue

More information

ERNW Newsletter 29 / November 2009

ERNW Newsletter 29 / November 2009 ERNW Newsletter 29 / November 2009 Dear Partners and Colleagues, Welcome to the ERNW Newsletter no. 29 covering the topic: Data Leakage Prevention A Practical Evaluation Version 1.0 from 19th of november

More information

Local Government Cyber Security:

Local Government Cyber Security: Local Government Cyber Security: Guidelines for Backing Up Information A Non-Technical Guide Essential for Elected Officials Administrative Officials Business Managers Multi-State Information Sharing and

More information

Aegis Padlock for business

Aegis Padlock for business Aegis Padlock for business Problem: Securing private information is critical for individuals and mandatory for business. Mobile users need to protect their personal information from identity theft. Businesses

More information

3-6 Toward Realizing Privacy-Preserving IP-Traceback

3-6 Toward Realizing Privacy-Preserving IP-Traceback 3-6 Toward Realizing Privacy-Preserving IP-Traceback The IP-traceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems

More information

Turn pirates into customers and increase your sales. Solutions by Sony DADC

Turn pirates into customers and increase your sales. Solutions by Sony DADC Turn pirates into customers and increase your sales Solutions by Sony DADC A large and growing audience is consuming your DVD and Blu-ray titles for free by illegitimately copying, ripping and downloading.

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies 1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies Dave Corbett Technical Product Manager Implementing Forward Secrecy 1 Agenda Part 1: Introduction Why is Forward Secrecy important?

More information

Studying Security Weaknesses of Android System

Studying Security Weaknesses of Android System , pp. 7-12 http://dx.doi.org/10.14257/ijsia.2015.9.3.02 Studying Security Weaknesses of Android System Jae-Kyung Park* and Sang-Yong Choi** *Chief researcher at Cyber Security Research Center, Korea Advanced

More information

White Paper - Crypto Virus. A guide to protecting your IT

White Paper - Crypto Virus. A guide to protecting your IT White Paper - Crypto Virus A guide to protecting your IT Contents What is Crypto Virus?... 3 How to protect yourself from Crypto Virus?... 3 Antivirus or Managed Agents... 3 Enhanced Email Services & Extra

More information

Securing Data on Portable Media. www.roxio.com

Securing Data on Portable Media. www.roxio.com Securing Data on Portable Media www.roxio.com Contents 2 Contents 3 Introduction 4 1 The Importance of Data Security 5 2 Roxio Secure 5 Security Means Strong Encryption 6 Policy Control of Encryption 7

More information

Cyber Security: Guidelines for Backing Up Information. A Non-Technical Guide

Cyber Security: Guidelines for Backing Up Information. A Non-Technical Guide Cyber Security: Guidelines for Backing Up Information A Non-Technical Guide Essential for Executives, Business Managers Administrative & Operations Managers This appendix is a supplement to the Cyber Security:

More information

Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers

Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart OV-Chipkaart Security Issues Tutorial for Non-Expert Readers The current debate concerning the OV-Chipkaart security was

More information

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications Learning objectives E-commerce Security Threats and Protection Mechanisms. This lecture covers internet security issues and discusses their impact on an e-commerce. Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html

More information

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure) Cryptelo Drive Cryptelo Drive is a virtual drive, where your most sensitive data can be stored. Protect documents, contracts, business know-how, or photographs - in short, anything that must be kept safe.

More information

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK With organizations rushing to adopt Voice over IP (VoIP) technology to cut costs and integrate applications designed to serve customers better,

More information

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 Security Dr. Kalpakis URL: http://www.csee.umbc.edu/~kalpakis/courses/421 Outline The Security Problem Authentication Program Threats System Threats Securing Systems

More information

Sustainable Device Security:

Sustainable Device Security: Last modification: 03-03-2014 / 11:55 AM GMT+01:00 White Paper Media Protection Multiscreen Sustainable Device Security: Breaking the Hacker Business Model with Software Security February 2013 www.irdeto.com

More information

2007 Microsoft Office System Document Encryption

2007 Microsoft Office System Document Encryption 2007 Microsoft Office System Document Encryption June 2007 Table of Contents Introduction 1 Benefits of Document Encryption 2 Microsoft 2007 Office system Document Encryption Improvements 5 End-User Microsoft

More information

Countering the Threat to the Digital Lifestyle

Countering the Threat to the Digital Lifestyle Encryption and USB Drives: Whitepaper Countering the Threat to the Digital Lifestyle Encryption and USB Drives 8GB of Data 2,000 songs - or your company marketing strategies 2,500 vacation pictures - or

More information

CONTENT SECURITY KRAMER S APPROACH TO SECURING DATA WITHIN WIRELESS TRANSMISSION KRAMER WHITE PAPER WWW.KRAMERUS.COM

CONTENT SECURITY KRAMER S APPROACH TO SECURING DATA WITHIN WIRELESS TRANSMISSION KRAMER WHITE PAPER WWW.KRAMERUS.COM CONTENT SECURITY KRAMER S APPROACH TO SECURING DATA WITHIN WIRELESS TRANSMISSION KRAMER WHITE PAPER WWW.KRAMERUS.COM Executive Summary There has been a fundamental shift in how people collaborate in today

More information

Information Security Holger Schlingloff Jan 30th, 2002 1 Information security and copyright Why is there a connection? Remember definition from the very beginning: Similar to material objects, some informations

More information

Secure Streaming Media and Digital Rights Management

Secure Streaming Media and Digital Rights Management Secure Streaming Media and Digital Rights Management Deepali Holankar Department of Computer Science San Jose State University San Jose, CA 95192 dbrahmbhatt@pacbell.net Mark Stamp Department of Computer

More information

Prof. Dr. M. H. Assal

Prof. Dr. M. H. Assal Prof. Dr. M. H. Assal AS 26/10/2014 Computer hardware is the collection of physical elements that comprise a computer system Computer hardware can be classified as following: o Input devices o Output devices

More information

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training - Session One

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training - Session One Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training - Session One End User Security, IS Control Evaluation & Self- Assessment Information Security Trends and Countermeasures

More information

Computer Viruses: How to Avoid Infection

Computer Viruses: How to Avoid Infection Viruses From viruses to worms to Trojan Horses, the catchall term virus describes a threat that's been around almost as long as computers. These rogue programs exist for the simple reason to cause you

More information

NetDefend Firewall UTM Services

NetDefend Firewall UTM Services NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content Filtering (WCF) for superior

More information

Fuzzy Keyword Search over Encrypted Stego in Cloud

Fuzzy Keyword Search over Encrypted Stego in Cloud International Journal of Computer Sciences and Engineering Open Access Review Paper Volume-4, Issue-02 E-ISSN: 2347-2693 Fuzzy Keyword Search over Encrypted Stego in Cloud TanmayDahake 1*, MirsohailShaikh

More information

Protecting personally identifiable information: What data is at risk and what you can do about it

Protecting personally identifiable information: What data is at risk and what you can do about it Protecting personally identifiable information: What data is at risk and what you can do about it Virtually every organization acquires, uses and stores personally identifiable information (PII). Most

More information

Develop Computer Animation

Develop Computer Animation Name: Block: A. Introduction 1. Animation simulation of movement created by rapidly displaying images or frames. Relies on persistence of vision the way our eyes retain images for a split second longer

More information

Banking Security using Honeypot

Banking Security using Honeypot Banking Security using Honeypot Sandeep Chaware D.J.Sanghvi College of Engineering, Mumbai smchaware@gmail.com Abstract New threats are constantly emerging to the security of organization s information

More information

Data Storage Security in Cloud Computing

Data Storage Security in Cloud Computing Data Storage Security in Cloud Computing Prashant M. Patil Asst. Professor. ASM s, Institute of Management & Computer Studies (IMCOST), Thane (w), India E_mail: prashantpatil11@rediffmail.com ABSTRACT

More information

Next Generation. Surveillance Solutions. Cware. The Advanced Video Management & NVR Platform

Next Generation. Surveillance Solutions. Cware. The Advanced Video Management & NVR Platform Next Generation Surveillance Solutions Cware The Advanced Video Management & NVR Platform Advanced Open Management Benefit from the most effective CCTV management platform Cware is an advanced video management

More information

Dashlane Security Whitepaper

Dashlane Security Whitepaper Dashlane Security Whitepaper November 2014 Protection of User Data in Dashlane Protection of User Data in Dashlane relies on 3 separate secrets: The User Master Password Never stored locally nor remotely.

More information

Is Your SSL Website and Mobile App Really Secure?

Is Your SSL Website and Mobile App Really Secure? Is Your SSL Website and Mobile App Really Secure? Agenda What is SSL / TLS SSL Vulnerabilities PC/Server Mobile Advice to the Public Hong Kong Computer Emergency Response Team Coordination Centre 香 港 電

More information

PROTECT YOUR COMPUTER AND YOUR PRIVACY!

PROTECT YOUR COMPUTER AND YOUR PRIVACY! PROTECT YOUR COMPUTER AND YOUR PRIVACY! Fraud comes in many shapes simple: the loss of both money protecting your computer and Take action and get peace of and sizes, but the outcome is and time. That

More information

Chap. 1: Introduction

Chap. 1: Introduction Chap. 1: Introduction Introduction Services, Mechanisms, and Attacks The OSI Security Architecture Cryptography 1 1 Introduction Computer Security the generic name for the collection of tools designed

More information

Data loss prevention and endpoint security. Survey findings

Data loss prevention and endpoint security. Survey findings Data loss prevention and endpoint security Survey findings Table of Contents Overview 3 Executive summary 4 Half of companies have lost confidential information through removable media 5 Intellectual property

More information

STEGANOGRAPHY: TEXT FILE HIDING IN IMAGE YAW CHOON KIT CA10022

STEGANOGRAPHY: TEXT FILE HIDING IN IMAGE YAW CHOON KIT CA10022 STEGANOGRAPHY: TEXT FILE HIDING IN IMAGE YAW CHOON KIT CA10022 FACULTY OF COMPUTER SYSTEM AND SOFTWARE ENGINEERING 2012/2013 1 ABSTRACT Steganography is the art or science in hiding. It is origin from

More information

9. Information Assurance and Security, Protecting Information Resources. Janeela Maraj. Tutorial 9 21/11/2014 INFO 1500

9. Information Assurance and Security, Protecting Information Resources. Janeela Maraj. Tutorial 9 21/11/2014 INFO 1500 INFO 1500 9. Information Assurance and Security, Protecting Information Resources 11. ecommerce and ebusiness Janeela Maraj Tutorial 9 21/11/2014 9. Information Assurance and Security, Protecting Information

More information

More effective protection for your access control system with end-to-end security

More effective protection for your access control system with end-to-end security More effective protection for your access control system with end-to-end security By Jeroen Harmsen The first article on end-to-end security appeared as long ago as 1981. The principle originated in ICT

More information

PDF Forms Advantages and application possibilities of electronic forms in PDF format

PDF Forms Advantages and application possibilities of electronic forms in PDF format White Paper PDF Forms Advantages and application possibilities of electronic forms in PDF format Copyright 2002-2009 soft Xpansion GmbH & Co. KG White Paper PDF Forms 1 Table of Contents Usage of Forms...

More information

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst ESG Lab Review RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst Abstract: This ESG Lab review documents

More information