The Security Newsletter
N°6 / Summer 2007
Be our guest:
Ingemar Cox
How did you become interested in Digital
Watermarking?
It all started when Larry O’Gorman,
then at AT&T Bell Labs, visited NEC and
gave a talk on digital libraries. A small
portion of the talk referred to Larry’s work
on watermarking documents by changing
fonts, characters and line spacings. After
the talk, Joe Kilian, Talal Shamoon and
I started discussing how to watermark
images.
A large percentage of your digital watermarking research has been based on your seminal work on spread spectrum watermarking from the mid-1990s. What led to your insight that this technique from secure communications could be applied to the watermarking problem?
Well, the honest answer is
probably that I don’t remember.
However, looking back, I think
spread spectrum is a rather obvious
candidate when you realize that the
communication must happen at a
very low signal-to-noise ratio. This
is one of the key properties of spread
spectrum communications. In fact,
a number of other researchers also
recognized this link. I think it was less
obvious that perceptual modeling was
needed and that it was necessary
to hide information in perceptually
significant regions if the watermark
was to be robust.
You have been doing research in the field
of digital watermarking for many years.
Each year, we see the number of researchers
concentrating on this field grow. What are
some of the most challenging problems
remaining to be addressed?
I usually refrain from answering such
questions. Many times, I have thought
that all the interesting research in digital
watermarking was complete, only to be
surprised by novel twists and turns the field
has taken. Clearly, modeling watermarking
as communications with side information
has been very significant, but I don’t know
where the next major insight will come
from.
I am very eager to see if watermarking
can be used in applications besides security,
especially to see if it will enhance legacy
systems. There is an interesting proposal to
upgrade the analog voice communications
between aircraft and ground controls using
watermarking. This upgrade would be
completely backward compatible.
Unfortunately, introducing any new technology into airports and aircraft is highly political. It sounds like it may have similar problems to those we faced in incorporating watermarking into DVD players.
Digital Watermarking is one component of a
larger security scheme. What is your view on
the larger issue of content security?
It will be interesting to see what becomes of digital rights management technology in the future. Is the recent agreement between EMI and Apple to sell unprotected music through Apple iTunes a sign that DRM technologies are on the wane? On the other hand, the new generation of high-definition DVD recorders includes digital watermarking protection.
I think the main problem with DRM
is the conflicts of interest that have
developed between the content providers,
equipment manufacturers and consumers.
The beneficiaries of DRM technology are, of
course, the content providers. However, in
most cases, the content owners do not pay
for this benefit, but rather demand that it be
provided free by equipment manufacturers.
Regrettably, rather than resist this demand,
equipment manufacturers have agreed to
do so, even though their customers, the
consumers, do not want this.
As a result, the manufacturer whose DRM implementation is easiest to circumvent has a market advantage when selling to consumers. This conflict of interest is very unhealthy.
Why do we persist with this
arrangement?
Well, there are two reasons I have
considered. The first is that the content
providers don’t really believe that DRM
technologies can be effective, given the
legacy systems we have, and the fact
that all digital signals must ultimately
be converted to analog to be heard or
seen.
Thus, why pay for it? Moreover, by
adopting DRM technologies that are
then broken (e.g., CSS), the content
providers have been able to argue
more strongly, and very successfully,
for legal protections that have provided
them with real benefits, and permitted
them to suppress, or at least impede,
the introduction of new, competitive
services on the Web.
What is the reasoning for many
equipment manufacturers accepting
the DRM solutions?
Well, this is the second reason.
And that is that at least some
equipment manufacturers have seen
the opportunity to exploit DRM as a
lock-in technology.
The most successful example is, of
course, Apple with its iTunes service.
However, it has also been suggested that Microsoft recognizes this opportunity and that DRM technologies in Vista will make it much harder for users to migrate to other operating systems, such as Linux.
In addition, I found it very
interesting to read a comment in one
of Lawrence Lessig’s books regarding
a visit to MIT. He described finding
a culture within the technological
community that, I must admit, I once
shared. This is an attitude in which,
while we (techies) oppose DRM for a
variety of very valid reasons, not least
fair use, we acquiesce, reasoning that
even if DRM is adopted, it can easily
be circumvented, and will thus be
ineffective. Unfortunately, this attitude
potentially makes criminals of all of us
and reduces our ability to take the high
ground with respect to discussions on
copyright.
What security research are you
currently doing in your lab at UCL?
Recent work has focused on improving quantization index modulation (QIM), a form of watermarking with side information, by incorporating a perceptual model and reducing QIM's sensitivity to requantization and to changes in a signal's amplitude. We continue to study an alternative to QIM, known as dirty paper trellis coding, which is much more robust than QIM but significantly more complicated to analyze.
There is related work on
steganography and steganalysis. In
particular, steganography differs from
watermarking in that it permits the
user to choose the cover work.
We are interested in what we call
“correlated steganography,” in which
we choose cover work that is correlated
with the hidden message. By doing
so, we can substantially reduce the
number of bits we need to hide in the
cover (thereby reducing detectability),
while, at the same time, significantly
increasing the amount of information
transmitted to the receiver.
I. COX (University of London)
Interview by J. Bloom
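The two techniques discussed in the interview, side by side, as an added example that is not part of the original newsletter or of Ingemar Cox's own work: a spread-spectrum watermark (a pseudo-random ±1 pattern added at roughly -14 dB below the host and detected by normalized correlation) and a scalar QIM watermark (each sample quantized to one of two interleaved lattices, one per bit value). The constructed host is Gaussian noise standing in for, say, DCT coefficients; the key, step size and gain are arbitrary choices for the demonstration. Applying a plain 10% amplitude change shows the sensitivity mentioned above: the correlation detector is unaffected because it is normalized, whereas QIM's bit error rate jumps from zero to a large fraction of the bits.

```python
import math
import random

# Constructed demo: host signal of N Gaussian samples (stands in for, e.g., DCT coefficients).
N = 2000
HOST_SIGMA = 5.0


def pseudo_random_pattern(key: int, n: int) -> list:
    """Watermark pattern w in {-1,+1}^n, derived from the secret key (PRNG seed)."""
    rng = random.Random(key)
    return [rng.choice((-1.0, 1.0)) for _ in range(n)]


def ss_embed(host: list, key: int, alpha: float) -> list:
    """Spread-spectrum embedding: y = x + alpha * w. With alpha << host sigma the
    watermark sits far below the host power (about -14 dB with the values below)."""
    w = pseudo_random_pattern(key, len(host))
    return [x + alpha * wi for x, wi in zip(host, w)]


def ss_detect(signal: list, key: int) -> float:
    """Normalized correlation between the received signal and the key's pattern.
    Every pattern element is +/-1, so the pattern's norm is sqrt(n)."""
    w = pseudo_random_pattern(key, len(signal))
    dot = sum(s * wi for s, wi in zip(signal, w))
    norm = math.sqrt(sum(s * s for s in signal)) * math.sqrt(len(signal))
    return dot / norm


def qim_embed(host: list, bits: list, delta: float) -> list:
    """Quantization index modulation: bit 0 quantizes the sample to the lattice
    delta*Z, bit 1 to the shifted lattice delta*Z + delta/2."""
    out = []
    for x, b in zip(host, bits):
        offset = b * delta / 2
        out.append(delta * round((x - offset) / delta) + offset)
    return out


def qim_decode(signal: list, delta: float) -> list:
    """Per sample, pick whichever of the two lattices is nearer."""
    bits = []
    for y in signal:
        d0 = abs(y - delta * round(y / delta))
        d1 = abs(y - (delta * round((y - delta / 2) / delta) + delta / 2))
        bits.append(0 if d0 <= d1 else 1)
    return bits


def bit_error_rate(sent: list, received: list) -> float:
    return sum(a != b for a, b in zip(sent, received)) / len(sent)


def compare_under_gain(gain: float, seed: int = 1) -> dict:
    """Apply a plain amplitude change (volume/contrast scaling) to both marked
    signals and report how each scheme copes."""
    rng = random.Random(seed)
    host = [rng.gauss(0.0, HOST_SIGMA) for _ in range(N)]
    bits = [rng.randrange(2) for _ in range(N)]
    key = 0xC0FFEE  # constructed watermark key

    marked_ss = ss_embed(host, key, alpha=1.0)
    marked_qim = qim_embed(host, bits, delta=1.0)
    return {
        "ss_unmarked": ss_detect(host, key),
        "ss_marked": ss_detect(marked_ss, key),
        "ss_marked_scaled": ss_detect([gain * y for y in marked_ss], key),
        "qim_ber": bit_error_rate(bits, qim_decode(marked_qim, 1.0)),
        "qim_ber_scaled": bit_error_rate(bits, qim_decode([gain * y for y in marked_qim], 1.0)),
    }


if __name__ == "__main__":
    for name, value in compare_under_gain(1.1).items():
        print(f"{name:18s} {value:.3f}")
```

The unmarked host correlates with the pattern at roughly ±1/sqrt(N), the marked one at about alpha/sqrt(sigma² + alpha²), so a threshold of 0.1 separates them comfortably even though the watermark carries only 1/25 of the host power. Scaling leaves both numerator and denominator of the normalized correlation multiplied by the same gain; for QIM the same scaling moves samples across the decision boundaries, which is the amplitude sensitivity the interview refers to.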
The News
Update on AACS
Like any copy protection system, AACS relies on the secrecy of keys. A processing key is an intermediate key from which a player computes the media key of every disc sharing the same media key block version; an attacker who learns one can copy any such disc already on the market. AACS was designed to survive such a compromise: once a processing key has leaked, newly pressed discs carry an updated media key block that can no longer be processed with the compromised key.
A few weeks after the first processing key ("09 f9 11 02...") leaked on the Internet, the AACS Licensing Authority (AACS LA) announced security updates. It issued patches for some HD DVD software players (WinDVD, PowerDVD) and revoked the compromised processing key, so that it can no longer be used to access newly issued discs.
However, before the new discs were released, SlySoft claimed that its updated product would still copy them. The claim turned out to be true: SlySoft had apparently extracted another key and kept it secret, waiting for the revocation of the first one before switching to the new one. This second key has since been published on sites such as the doom9 forum and digg.com. AACS LA can revoke it too, but every disc pressed so far remains copyable, because revocation only protects discs produced afterwards. Another round is therefore unavoidable: player software will again have to be updated and the new key revoked, and an attacker who holds several unrevealed keys can repeat the cycle at will.
M. KARROUMI
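A toy model of the revocation mechanism described above, as an added example that is not taken from the AACS specification or from the newsletter: the licensing authority presses each disc with a fresh media key wrapped under every processing key still in good standing (a flat list here; real AACS derives processing keys from device keys through a subset-difference tree and uses AES-128 rather than this SHA-256/HMAC key wrap). The key identifiers, the "leaked" and "hidden" keys and the title keys are all constructed for the demonstration. The scenario replays the SlySoft episode: revocation stops the leaked key on new discs, leaves every earlier disc playable, and does nothing against a second key that was never disclosed.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _wrap(kek: bytes, media_key: bytes) -> tuple:
    """Authenticated key wrap (toy): XOR with a SHA-256 keystream, HMAC tag over it."""
    nonce = secrets.token_bytes(KEY_LEN)
    ct = _xor(media_key, hashlib.sha256(kek + nonce).digest()[:KEY_LEN])
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def _unwrap(kek: bytes, wrapped: tuple):
    nonce, ct, tag = wrapped
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        return None                      # wrong key for this entry
    return _xor(ct, hashlib.sha256(kek + nonce).digest()[:KEY_LEN])


def _title_key_mask(media_key: bytes) -> bytes:
    # Stand-in for the volume-unique-key / title-key layering of real AACS.
    return hashlib.sha256(b"title" + media_key).digest()[:KEY_LEN]


class LicensingAuthority:
    """Issues processing keys to licensees and presses discs with a media key block (MKB)."""

    def __init__(self, n_keys: int):
        self.processing_keys = {kid: secrets.token_bytes(KEY_LEN) for kid in range(n_keys)}
        self.revoked = set()

    def revoke(self, key_id: int) -> None:
        self.revoked.add(key_id)

    def press_disc(self, title_key: bytes) -> dict:
        media_key = secrets.token_bytes(KEY_LEN)   # fresh per disc
        # The MKB holds the media key wrapped under every non-revoked processing key.
        mkb = {kid: _wrap(k, media_key)
               for kid, k in self.processing_keys.items() if kid not in self.revoked}
        return {"mkb": mkb, "title": _xor(title_key, _title_key_mask(media_key))}


def play(disc: dict, key_id: int, processing_key: bytes):
    """A player (or a ripper) holding one processing key: returns the title key or None."""
    entry = disc["mkb"].get(key_id)
    if entry is None:                    # key revoked: no MKB entry left for it
        return None
    media_key = _unwrap(processing_key, entry)
    return None if media_key is None else _xor(disc["title"], _title_key_mask(media_key))


def scenario() -> dict:
    la = LicensingAuthority(n_keys=8)
    leaked, hidden = 3, 7                # constructed: the published key and the one kept secret
    t1, t2 = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)

    disc_v1 = la.press_disc(t1)          # pressed before the leak
    result = {"v1_with_leaked": play(disc_v1, leaked, la.processing_keys[leaked]) == t1}

    la.revoke(leaked)                    # AACS LA reacts to the published key
    disc_v2 = la.press_disc(t2)          # pressed after the revocation
    result["v2_with_leaked"] = play(disc_v2, leaked, la.processing_keys[leaked]) == t2
    result["v1_after_revocation"] = play(disc_v1, leaked, la.processing_keys[leaked]) == t1
    result["v2_with_hidden"] = play(disc_v2, hidden, la.processing_keys[hidden]) == t2
    return result


if __name__ == "__main__":
    for step, ok in scenario().items():
        print(f"{step:20s} {'plays' if ok else 'refused'}")
```

The model makes the asymmetry explicit: revocation is a property of discs pressed after the fact, never of discs already in circulation, and the authority can only revoke keys it knows to be compromised.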
Apple TV hacked
It did not take long for Apple TV to be hacked. In March, two hackers disclosed a method to play unsupported video formats, such as Xvid, on Apple TV. Since then many more hacks have appeared: keyboard and mouse support, running a full Mac OS X, plug-ins for the GUI. A site (http://www.appletvhacks.net/) already documents many of them, and even offers bounties for requested hacks! Apple TV is the new geek playground.
E. DIEHL
Wii modchips are here
Nintendo's Wii is a great success. As for its competitors, the business model is based on the sale of games, so it is paramount that copying of game DVDs be prevented. Hardware protections verify that the DVD is genuine. However, hackers regularly find ways to circumvent these protections. The preferred method is to install an additional hardware component inside the console. These components are called "modchips," for MODification microCHIP.
Many resellers offer these modchips. Anyone can install them, provided they know how to solder five wires. In some countries, pre-modified Wiis are sold. Of course, the modification voids the warranty.
Wii modchips offer features of interest to users, such as playing backups of Wii or GameCube games, or running "homebrew" DVDs. Homebrew is software (games or other) made by publishers not authorized by Nintendo. Modchips can be updated from a DVD for bug fixes or additional functionality.
How do modchips work? Wiikey, the most popular modchip, uses the serial port of the DVD drive and sends it a debug command. On receiving this command, the drive skips the verification of the DVD. The same technique also applies to the Xbox 360. There are fake modchips that may break the Wii; as a countermeasure, Wiikey ships its modchips certified with holograms. There are other modchips: Wiifree is an "open modchip" whose firmware was publicly released; Infectus is multi-platform (PS3 and Xbox 360).
Nintendo knows the flaw and regularly changes some hardware components (the DMS, D2A and D2B drive revisions). Nevertheless, hackers have each time quickly found a new method for bypassing the protection. A new component (the D2C) is now appearing, and no known modchip yet supports it.
Modchips are illegal in some countries (US, United Kingdom, Japan...), but some countries allow users to modify their own devices. Nevertheless, using copied games is illegal everywhere.
O. COURTAY
Figure 1: modchip
Does Microsoft need your credit card
number?
Symantec recently discovered an
interesting Trojan [3]. To collect credit
card information, it uses the simplest
social engineering technique: just ask the
cardholder.
This attack is innovative in that it perfectly mimics genuine Microsoft activation screens. It is launched at the next reboot: the user sees a screen that looks like it came from Microsoft, and the only way to get past it is to enter credit card information. The Microsoft look and feel, and the comforting message ("your credit card will not be charged"), may mislead naive users. Another illustration of one of our laws: "Trust no one."
Y. MAETZ
RSA 1024-bit: Is the writing on the
wall?
On May 22, a research team composed of Aoki (NTT), Franke and Kleinjung (University of Bonn), and Lenstra and Osvik (EPFL) announced the factorization of a 1017-bit number, namely (2^1039 - 1)/5080711. Following this announcement, many articles announced the near death of RSA-1024. This forecast is premature. First, the factored number is not an RSA modulus (i.e., not the product of two randomly selected large primes) but a number of special form (the cofactor of the Mersenne [6] number 2^1039 - 1), which allows the use of a special factorization algorithm, the Special Number Field Sieve (SNFS). The research team estimated the computing effort to be equivalent to that of factoring a 700-bit RSA modulus with the general number field sieve [7]. They considered the factorization of RSA-768 to be within reach in the coming months, and estimated that going from RSA-768 to RSA-1024 would take about five times less time than it took to go from RSA-512 (done in 1999) to RSA-768.
Second, this result is not a surprise. For several years, many publications (e.g., [8]) have advised the use of larger key sizes for post-2010 security.
Finally, selecting a key size should always take into account the required security level: secret government documents do not need the same protection as wedding pictures. When the first 1024-bit RSA modulus is factored, it will have required huge computing resources. As a comparison, the EFF DES Cracker, dedicated hardware built in 1998 to break DES [9], recovered a 56-bit DES key by brute force in about three days on average. Nine years later, the Copacobana project's [10] $10,000 FPGA machine still needs about seven days on average to brute-force DES. This shows the gap between a one-off feat and day-to-day attacks.
In conclusion, the announced death has not yet come. There is no urgency to switch to larger key sizes for day-to-day business, even if it is safer to do so when designing new applications.
A. DURAND
Basing cryptography
on tamper resistance
Most public-key cryptographic schemes
base their security on the hardness of
solving some difficult problems, like
computing discrete logarithms or factoring
large integers. As an alternative, we review below two schemes whose security relies on the tamper resistance of the underlying implementations. More precisely, we require implementations that behave as black boxes: only the inputs and outputs are available to an adversary.
The first scheme is an identity-based
encryption scheme by Desmedt and
Quisquater [5]. The second one is a group
signature scheme by Canard and Girault
[4].
Identity-based encryption
Public-key cryptography uses two
different keys: a public key for encryption
and a private key for decryption. Anyone
with the public key can encrypt messages,
but only the person in possession of the
corresponding private decryption key
can decrypt. The problem is that if an adversary substitutes her own public key for the legitimate receiver's, then the adversary can intercept encrypted messages and decrypt them. Further, if the adversary re-encrypts the messages with the intended receiver's public key, the receiver will notice nothing. To prevent such "man in the middle" attacks, each public key should be digitally signed by a trustworthy entity to form what is called a certificate.
To simplify certificate management, Shamir proposed, in 1984, to replace
public keys with identities for public-key
encryption. So, there is no longer a need
to maintain a certified directory listing the
identity of each user (e.g., unique name,
email address, Social Security number)
and the corresponding public key. In
identity-based systems, the private key
of each user is generated from a master
secret key by an authority called the
“private key generator.” Only the public
key corresponding to this master key needs
to be certified, as opposed to the public
key of each user in a classical public-key
based system.
Figure 2: Identity-based encryption system
An implementation of an identity-based encryption system relying on tamper-resistant hardware is depicted in figure 2. The construction requires a secure cipher that is not an involution (i.e., the decryption algorithm must be different from the encryption algorithm), for example, the AES. The reason becomes clear below: the token only ever runs the encryption direction, so if encryption and decryption were the same function, anyone holding a token could recover a plaintext simply by feeding the ciphertext back in.
The master secret key,
known only to the private key generator,
is denoted by s. When a new user with identity Id_i wants to join the system, she authenticates herself by usual means to the private key generator, and receives her corresponding private key, k_{Id_i} = AES_s(Id_i). The public encryption key of the user is Id_i and her secret decryption key is k_{Id_i}.
Each user is given an authenticated tamper-resistant token with the master key s embedded in it. To encrypt a message m for a user with identity Id_i, it suffices to give (m, Id_i) as input to the token. The token then derives the user's private key k_{Id_i} from the embedded master key s and outputs the corresponding ciphertext C = AES_{k_{Id_i}}(m). The intended receiver can now decrypt C using her private key as m = AES^{-1}_{k_{Id_i}}(C). Note that the whole system stands or falls with the tokens: extracting s from any single token yields every user's private key.
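The construction above, as an added example that is not code from the newsletter or from Desmedt and Quisquater's paper: the private key generator holds s, every user carries a token that exposes only encrypt(Id, m), and the receiver decrypts with her issued k_Id. Since Python's standard library has no AES, the block cipher is a toy 4-round Feistel network with HMAC-SHA256 round functions, assumed here only because it has the property the text requires, namely that encryption and decryption differ; alongside it, a one-block XOR stream cipher plays the involutive cipher the text rules out. The identities, master secret and message are constructed for the demonstration.

```python
import hashlib
import hmac

BLOCK = 16   # bytes; the toy cipher works on one 16-byte block
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_keys(key: bytes) -> list:
    return [hmac.new(key, bytes([r]), hashlib.sha256).digest() for r in range(ROUNDS)]


def _f(round_key: bytes, half: bytes) -> bytes:
    return hmac.new(round_key, half, hashlib.sha256).digest()[:BLOCK // 2]


def _feistel(keys: list, block: bytes) -> bytes:
    if len(block) != BLOCK:
        raise ValueError("one 16-byte block expected")
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rk in keys:
        left, right = right, _xor(left, _f(rk, right))
    return right + left


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy Feistel cipher standing in for AES: NOT an involution, because decryption
    must apply the round keys in reverse order."""
    return _feistel(_round_keys(key), block)


def decrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(list(reversed(_round_keys(key))), block)


def xor_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Counter-example: a one-block stream cipher. It IS an involution (encrypting
    twice returns the plaintext), which is exactly what the construction forbids."""
    return _xor(block, hashlib.sha256(b"stream" + key).digest()[:BLOCK])


def pad_identity(identity: str) -> bytes:
    return identity.encode().ljust(BLOCK, b"\0")[:BLOCK]


class PrivateKeyGenerator:
    """Holds the master secret s; issues k_Id = E_s(Id) after authenticating the user."""

    def __init__(self, s: bytes, cipher):
        self._s, self._cipher = s, cipher

    def issue_private_key(self, identity: str) -> bytes:
        return self._cipher(self._s, pad_identity(identity))

    def issue_token(self) -> "Token":
        return Token(self._s, self._cipher)


class Token:
    """Tamper-resistant token model: it embeds s, but its only interface is
    encrypt(Id, m); k_Id is derived inside and never leaves the token."""

    def __init__(self, s: bytes, cipher):
        self._s, self._cipher = s, cipher

    def encrypt(self, identity: str, m: bytes) -> bytes:
        k_id = self._cipher(self._s, pad_identity(identity))
        return self._cipher(k_id, m)


MASTER = hashlib.sha256(b"master secret held only by the PKG").digest()[:BLOCK]  # constructed
MESSAGE = b"meet at 0900 hrs"                                                     # 16 bytes


def run(cipher, inverse) -> dict:
    """Alice encrypts for Bob with her token; Bob decrypts with his issued key;
    Eve, who also owns a token, feeds Bob's identity and the ciphertext back in."""
    pkg = PrivateKeyGenerator(MASTER, cipher)
    token = pkg.issue_token()
    k_bob = pkg.issue_private_key("bob@example.org")
    c = token.encrypt("bob@example.org", MESSAGE)
    return {
        "bob_reads": inverse(k_bob, c) == MESSAGE,
        # With an involution, E_k(E_k(m)) = m and the token hands Eve the plaintext.
        "eve_reads": token.encrypt("bob@example.org", c) == MESSAGE,
    }


if __name__ == "__main__":
    print("Feistel (not an involution):", run(encrypt_block, decrypt_block))
    print("XOR stream (involution):   ", run(xor_encrypt_block, xor_encrypt_block))
```

With the Feistel pair, Bob reads his message and Eve's attempt fails; with the XOR cipher, Eve's token hands her the plaintext. The same trap appears with a real block cipher used in a mode that reduces to XOR with a keystream (CTR, OFB): it is the mode as deployed in the token, not only the primitive, that must not be an involution.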
Group Signature
A group signature allows any group
member to digitally sign documents on
behalf of the group, so that anyone with
the group verification key can check that
the signature comes from the group, but
does not know the identity of the signer.
However, in the case of a dispute, a group
authority can recover the identity of the
actual signer.
Figure 3 describes an implementation using tamper-resistant tokens. The group authority generates a matching pair (SK_G, PK_G) of signing and verification keys for the group. The private signing key SK_G is embedded in the token of each group member. The token also contains the identity ID_i of the group member as well as the encryption key PK_C of the group authority.
When a group member signs a message m with her token, the token first encrypts the group member's identity under the group authority's encryption key, C = Enc_{PK_C}(ID_i), and then computes the signature S = Sign_{SK_G}(m || C) on the message m concatenated with C, using the embedded group signing key SK_G. The group signature on message m is the pair (C, S). Anyone can now check the validity of this group signature with the public group verification key PK_G.
To recover the identity of a group signer, the group authority uses her private decryption key, say SK_C, and computes ID_i = Dec_{SK_C}(C). Note that to prevent group signatures from being linkable, the encryption algorithm Enc should be probabilistic (i.e., encrypting the same message several times yields different ciphertexts). Note also that every token holds the same SK_G: a single token that leaks SK_G, or that lets its holder choose C, allows signatures that open to an arbitrary member, so traceability rests entirely on the tokens' tamper resistance.
M.JOYE
WGA’s long history of
failure
Windows Genuine Advantage (WGA) is the anti-piracy measure used by Microsoft in Windows XP, Vista, Server 2003, and the upcoming Server 2008 to detect illegal copies. Since its introduction, however, many attacks have succeeded. This article describes the WGA protection and its hacks.
Mandatory in current versions of Windows, the WGA validation tool is used mainly to force users of Microsoft Windows to validate their OS. When it detects a non-genuine copy, WGA nags the user, allows only critical updates (security fixes), and blocks the download of applications that require WGA validation, such as Internet Explorer 7, Windows Media Player 11, Microsoft folder and Windows Defender.
Figure 3: Group signature scheme
Furthermore, WGA keeps track of the status of users' OS installations. Microsoft announced that the purpose was purely statistical. After three months of data collection, Microsoft claimed that 22.1% of the 54 million validations had detected illegal copies. For many users, WGA looks like spyware.
The information WGA collects that can uniquely identify a user's machine includes:
• BIOS checksum
• MAC address
• Hard drive serial number
• Language version of the operating system
• Operating system version
• PC BIOS information (make, version, date)
• PC manufacturer
• User locale setting
• Validation and installation results
• Windows or Office product key
• Windows XP product ID
On April 25, Microsoft launched WGA Notifications, which regularly displays alert screens to users when the installed version is not genuine.
Windows XP piracy concerns about 20% of users worldwide. In China and Russia, an estimated 90% of copies are illegal. Thus, there is a strong incentive to bypass WGA. The most common technique is to use a corporate (volume licence) edition of Windows, whose product keys (shipped with the installation CD) are available on the Internet. WGA has been mandatory since May 2005, and hackers have defeated it ever since. The hacks, although sometimes unstable, mainly allow users to get current updates, download most applications that require WGA validation, and remove the WGA user notifications.
Even though Microsoft has requested the removal of links to WGA cracks from the Internet, hackers continue to publish crack updates with surprising responsiveness. One crack consists in redirecting the "mpa.one.microsoft.com" domain used by WGA to the local host and performing a set of documented operations. Hacker teams offer automated tools that make WGA report a non-genuine installation as genuine. The table on the next page shows the history of WGA cracks provided by the EHTO Hacker Team.
According to this table, the life expectancy of a new, uncracked WGA release is about one week. It seems that new Microsoft releases do not contain major countermeasures, since the procedure used by hackers is almost always the same. This is the main explanation for the hackers' efficiency and reactivity. This lack of security is understandable if we believe that Microsoft's main goal is to collect statistical information and to identify OEMs whose keys leak. As an illustration, a recent network analysis shows how even cancelling the WGA Notifications setup still systematically sends user information back to Microsoft [11]. Interestingly, Microsoft offers discounts on a legitimate copy once it has detected an illegal one. This is a very constructive attitude.
The WGA team acknowledges the regular hacks against XP. Cori Hartje, WGA initiative manager, said: "Customers who use genuine Windows Vista products should expect, and will get, an enhanced set of features that will not work on non-genuine or unlicensed versions." One of Vista's main priorities is to enhance its security protections. Unfortunately, at the beginning of April, four months after Vista's official launch, a new hack defeated the OEM BIOS-based activation protection that complements WGA. Thus, the story continues...
M.MORVAN
Selective encryption
of image and video: a
new trend
A traditional approach to content access control is first to encode the video signal with a standard compression encoder, then to encrypt the bitstream with a standard symmetric cipher (DES, AES, IDEA, DVB-CSA...). In this scheme, called fully layered, compression and encryption are separate processes. The media stream is processed like any other data, on the assumption that all symbols or bits of the plaintext are of equal importance. This scheme is appropriate when the transmission of the content is unconstrained. Matias and Shamir [13] pointed out the specific characteristics of image and video content (high data rate, limited available bandwidth), which make standard cryptographic techniques ill-suited to such content.
More recent work [17] has explored another way of securing the content, called "partial encryption" or "selective encryption" (also "soft encryption" or "perceptual encryption"). It encrypts only a subset of the bitstream, so that the resulting bitstream is useless without decrypting the encrypted subset. The approach splits the content into two parts. The first part is the basic part of the signal: for example, the DC (direct current) coefficients of a DCT (discrete cosine transform) decomposition, or the low-frequency layer of a DWT (discrete wavelet transform) decomposition. This part allows the reconstruction of a low-quality but intelligible version of the original signal.
The second part could be called the "enhancement" part: for example, the AC (alternating current, i.e., time-varying) coefficients of the DCT decomposition of an image, or the high-frequency layers of the DWT; this part allows the recovery of the fine details of the image and the reconstruction of a high-quality version of the original signal. In selective encryption, only the basic part is encrypted; the enhancement part remains in the clear, or is lightly scrambled. Selective encryption thus protects the content, not the binary stream itself. Compression plays an important role in defining both parts.
Selective encryption algorithms have to cooperate with compression algorithms to achieve format compliance without degrading compression performance. In [12], [16], [18] and [19], the close link between selective encryption and information theory has been pointed out. Image and video data are strongly correlated and have strong spatial/temporal redundancy. In contrast to banking information or military communications, for example, where the goal is to totally obscure the content, image and video data have a very high information rate but, from the security point of view, low value per bit. In image and video communication, the security requirements are therefore quite different: content providers and distributors would rather have the visual degradation caused by encryption be just high enough that a viewer can still tell what the content is, but would prefer to pay for access to the unencrypted version.
Shannon [12] highlighted the relationship between source statistics and ciphertext security. A secure encryption scheme removes all redundancy from the plaintext, so that no exploitable correlation is observed in the ciphertext. The same holds for a perfect compressor: its goal is to remove all redundancy. As a result, the outputs of a secure encryption scheme and of a perfect compressor are indistinguishable. The idea behind selective encryption is to combine these two outputs: only part of the perfect compressor's output is encrypted.
The above assumptions are not fully satisfied in the real world. Perfect compressors do not exist: the best-performing compression algorithms are based on orthonormal transforms that do not eliminate all of the signal's redundancy and correlation, which makes it difficult to select which part to encrypt. Nevertheless, very interesting proposals have appeared during the last decade. We can classify the different algorithms into four categories, depending on the domain considered:
Pixel domain
Cheng and Li [14] proposed to selectively encrypt the quadtree representation of images by encrypting only the quadtree structure; the leaf values are left unencrypted. The reduction in encrypted data is very large (only 14% of the data is encrypted) at low bitrates. However, at high bitrates, the encrypted part exceeds 50%, and at low bitrates a brute-force attack on the small encrypted part becomes practically feasible.
Transform domain
In [21], a particular orthonormal transform is used: the discrete prolate spheroidal sequences. This algorithm is very efficient in terms of encryption reduction. As for most orthonormal-transform-based compression algorithms, an error concealment attack exploits the correlations and distributions of the coefficients [22].
Compression domain
The most interesting proposals work in the compression domain. A joint JPEG2000 compression and selective encryption algorithm is proposed in [20]. A quality factor controls the strength of the encryption. To achieve transcodability, data are encrypted from the most detailed information to the least detailed, so that low-resolution images can be retrieved without decrypting all the data, in particular the high-resolution coefficients. This algorithm provides full JPEG2000 compliance together with its error-resilience mechanisms.
Entropy domain
A general selective encryption approach for fixed- and variable-length codes (FLC and VLC) is proposed in [15]. The FLC and VLC codewords corresponding to the fields that carry important information are selected. Then each codeword of the VLC table (and of an FLC table whose codespace is not full, i.e., in which some bit patterns are not valid codewords) is assigned a fixed-length index. To encrypt the concatenation of some VLC codewords, only the indices are encrypted, and the encrypted concatenated indices are mapped back to different, but existing, VLC codewords. This approach is generic. Unfortunately, it may create a significant bandwidth expansion, since swapping VLC codewords works against the entropy coder.
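The entropy-domain approach just described, as an added example that is not code from [15] or from the newsletter: a constructed five-entry prefix code stands in for a real VLC table, each codeword receives a fixed-length index, the index stream is encrypted with a keystream reduced modulo the table size (so every encrypted index maps back to an existing codeword, which is what keeps the output decodable by an unmodified VLC decoder), and the result is re-emitted as a bitstream. The table, key and sample symbol stream are arbitrary choices for the demonstration, and the example encrypts every codeword rather than only the selected fields. expansion_ratio() measures the bandwidth cost the paragraph warns about: the encrypted indices are uniformly distributed, so the short codewords the entropy coder relied on are replaced by longer ones.

```python
import hashlib
import hmac

# Constructed prefix-free VLC table in the style of a coefficient-size table:
# short codes for the frequent small values, one end-of-block symbol.
CODEWORDS = {"0": "0", "1": "10", "2": "110", "3": "1110", "EOB": "1111"}
SYMBOLS = list(CODEWORDS)                       # index -> symbol
INDEX = {s: i for i, s in enumerate(SYMBOLS)}   # symbol -> fixed-length index
DECODE = {bits: s for s, bits in CODEWORDS.items()}


def vlc_encode(symbols: list) -> str:
    return "".join(CODEWORDS[s] for s in symbols)


def vlc_decode(bits: str) -> list:
    """A standard prefix decoder; raises on a bitstream that is not format compliant."""
    out, buf = [], ""
    for b in bits:
        buf += b
        if buf in DECODE:
            out.append(DECODE[buf])
            buf = ""
    if buf:
        raise ValueError("trailing bits do not form a codeword: " + buf)
    return out


def _keystream(key: bytes, n: int):
    """Uniform digits in range(n) from HMAC-SHA256 in counter mode; rejection
    sampling avoids the bias of a plain modulo reduction."""
    limit = 256 - 256 % n
    counter = 0
    while True:
        block = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
        for byte in block:
            if byte < limit:
                yield byte % n


def _shift_indices(symbols: list, key: bytes, sign: int) -> list:
    """Encrypt (sign=+1) or decrypt (sign=-1) the index stream: each index is shifted
    by one keystream digit modulo the table size, so the result is always a valid index."""
    n = len(SYMBOLS)
    ks = _keystream(key, n)
    return [SYMBOLS[(INDEX[s] + sign * next(ks)) % n] for s in symbols]


def encrypt_stream(bits: str, key: bytes) -> str:
    """Format-compliant selective encryption: decode to indices, encrypt the indices,
    map them back to existing codewords and re-emit a decodable bitstream."""
    return vlc_encode(_shift_indices(vlc_decode(bits), key, +1))


def decrypt_stream(bits: str, key: bytes) -> str:
    return vlc_encode(_shift_indices(vlc_decode(bits), key, -1))


def expansion_ratio(bits: str, key: bytes) -> float:
    """Bandwidth cost: encrypted indices are uniform, so short codewords get swapped
    for long ones and the stream grows."""
    return len(encrypt_stream(bits, key)) / len(bits)


# Constructed sample: a heavily skewed symbol stream, as quantized coefficients are.
SAMPLE = vlc_encode((["0"] * 7 + ["1"] * 2 + ["2"]) * 20 + ["EOB"])
KEY = b"sixteen-byte-key"   # constructed key

if __name__ == "__main__":
    enc = encrypt_stream(SAMPLE, KEY)
    print("compliant decode of ciphertext:", vlc_decode(enc)[:10], "...")
    print("round trip ok:", decrypt_stream(enc, KEY) == SAMPLE)
    print("expansion ratio: %.2f" % expansion_ratio(SAMPLE, KEY))
```

The ciphertext still parses with the unmodified decoder and has exactly as many symbols as the plaintext, which is the format-compliance property; the price is that the 1.4 bits per symbol of the skewed input become close to the table's uniform average of 2.8 bits per symbol.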
Conclusion
Many interesting questions remain open in selective encryption. Can we design a selective encryption for any compression algorithm? We believe that some compression algorithms are more cooperative and are better candidates for selective encryption. For example, compared to MPEG, JPEG2000 is a very good candidate, thanks to its flexibility (embedded encoding, block-based coding, many progression orders, local region access...).
Can we build a rule of thumb for designing a good selective encryption algorithm? The state-of-the-art algorithms show some pitfalls to avoid. For example, selective encryption that relies only on random permutations is totally insecure, since it is easily broken by known- or chosen-plaintext attacks. Energy concentration does not mean intelligibility concentration: selectively encrypting the low-frequency coefficients does not necessarily give a sufficient level of security or visual degradation, because the edges and shapes that make an image recognizable live in the higher-frequency coefficients left in the clear. Can we design a selective encryption usable in any kind of application? We believe that it is feasible to design a flexible selective encryption algorithm that is tunable to a large set of applications. The algorithm proposed in [20] is a good example.
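The pitfall in the last paragraph made concrete, as an added example that is not code from the newsletter or from any of the cited papers: an 8x8 block containing a sharp vertical edge is transformed with an orthonormal DCT, the selected coefficients are "encrypted" (replaced by keyed pseudo-random values, which is all that matters for the attack), and an attacker who does not have the key mounts the error-concealment attack mentioned under "Transform domain": she overwrites the encrypted coefficients with a guess of 0 and decodes the rest. The block, the key and the two coefficient selections are constructed for the demonstration. Encrypting the DC coefficient alone, which holds almost all of the block's energy, leaves the edge contrast completely intact; the attacker must also be denied the first AC coefficient before the edge starts to fade.

```python
import math
import random

N = 8  # JPEG/MPEG block size


def _c(u: int) -> float:
    return math.sqrt(1 / N) if u == 0 else math.sqrt(2 / N)


# _COS[u][x] = cos((2x+1) u pi / 16), the DCT-II basis, tabulated once.
_COS = [[math.cos((2 * x + 1) * u * math.pi / (2 * N)) for x in range(N)] for u in range(N)]


def dct2(block: list) -> list:
    """Orthonormal 2-D DCT-II of an 8x8 block; coef[0][0] is the DC coefficient."""
    return [[_c(u) * _c(v) * sum(block[x][y] * _COS[u][x] * _COS[v][y]
                                 for x in range(N) for y in range(N))
             for v in range(N)] for u in range(N)]


def idct2(coef: list) -> list:
    """Inverse of dct2 (pixels are left unclipped so that offsets stay visible)."""
    return [[sum(_c(u) * _c(v) * coef[u][v] * _COS[u][x] * _COS[v][y]
                 for u in range(N) for v in range(N))
             for y in range(N)] for x in range(N)]


def edge_block() -> list:
    """Constructed test image: a sharp vertical edge, black left half, white right half."""
    return [[0.0 if y < N // 2 else 255.0 for y in range(N)] for _ in range(N)]


def edge_contrast(block: list) -> float:
    """Mean of the right half minus mean of the left half: 255 for the original edge,
    0 once the edge has been wiped out."""
    half = N * N // 2
    left = sum(block[x][y] for x in range(N) for y in range(N // 2)) / half
    right = sum(block[x][y] for x in range(N) for y in range(N // 2, N)) / half
    return right - left


def dc_only(u: int, v: int) -> bool:
    return (u, v) == (0, 0)


def low_band(u: int, v: int) -> bool:
    """DC plus the lowest-frequency AC coefficients (u + v <= 2)."""
    return u + v <= 2


def encrypt_coefficients(coef: list, key: int, selected) -> list:
    """Selective-encryption stand-in: every selected coefficient is replaced by a
    keyed pseudo-random value, i.e. it carries no information without the key."""
    rng = random.Random(key)
    return [[rng.uniform(-1024.0, 1024.0) if selected(u, v) else coef[u][v]
             for v in range(N)] for u in range(N)]


def error_concealment_attack(enc_coef: list, selected, guess: float = 0.0) -> list:
    """The attacker has no key, so she overwrites every encrypted coefficient with a
    guess (here 0) and decodes the rest: what the clear coefficients alone reveal."""
    concealed = [[guess if selected(u, v) else enc_coef[u][v]
                  for v in range(N)] for u in range(N)]
    return idct2(concealed)


def contrast_after_attack(selected, key: int = 0xA5) -> float:
    """Edge contrast the attacker recovers for a given coefficient selection."""
    coef = dct2(edge_block())
    enc = encrypt_coefficients(coef, key, selected)   # key is a constructed value
    return edge_contrast(error_concealment_attack(enc, selected))


if __name__ == "__main__":
    print("original edge contrast     :", edge_contrast(edge_block()))
    print("DC encrypted, AC in clear  :", round(contrast_after_attack(dc_only), 2))
    print("DC + low AC encrypted      :", round(contrast_after_attack(low_band), 2))
```

For this block all the energy outside DC sits in the odd horizontal coefficients F(0,1), F(0,3), F(0,5), F(0,7); DC only fixes the brightness, so zeroing it shifts every pixel by the same amount and the 255-level step survives untouched. Encrypting F(0,1) as well removes about four fifths of the step, which is the "intelligibility" the low-frequency band carries here.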
Where will we be?
• 2007 International Conference on Multimedia & Expo (ICME 2007), Beijing, China, July 2-5.
Paper presentation: "False Positive Analysis of Correlation Ratio Watermark Detection Measure" by J. TIAN, J. BLOOM and P. BAUM.
Paper presentation: "Cryptanalysis of a video scrambling technique based on space filling curves" by A. MASSOUDI, F. LEFEBVRE and M. JOYE.
• International Conference on Security and Cryptography (SECRYPT 2007), Barcelona, Spain, July 28-31.
Paper presentation: "Securing OpenSSL against microarchitectural attacks" by M. JOYE and M. TUNSTALL.
• 9th Workshop on Cryptographic Hardware and Embedded Systems (CHES 2007), Vienna, Austria, September 10-13.
Paper presentation: "Highly regular algorithms for scalar multiplication" by M. JOYE.
A. MASSOUDI
References
[1] JOBS S., Thoughts on Music, 6 February 2007, available at http://www.apple.com/hotnews/thoughtsonmusic/
[2] CASSEL J., Apple TV Design Stresses Volume over Profits, According to iSuppli, iSuppli Corp., 11 June 2007, available at http://www.isuppli.com/marketwatch/default.asp?id=399
[3] http://www.symantec.com/enterprise/security_response/weblog/2007/05/ms_needs_your_credit_card_deta.html
[4] CANARD S., GIRAULT M., Implementing group signature schemes with smart cards, in 5th Smart Card Research and Advanced Applications Conference (CARDIS '02), pp. 1-10, USENIX Association, 2002.
[5] DESMEDT Y., QUISQUATER J.-J., Public-key systems based on the difficulty of tampering (Is there a difference between DES and RSA?), in Advances in Cryptology - CRYPTO '86, vol. 263 of Lecture Notes in Computer Science, pp. 111-117, Springer-Verlag, 1987.
[6] KARROUMI M., The largest Mersenne Prime Number, The Security Newsletter 4, Thomson Security Labs, Winter 2006.
[7] AOKI K., et al., A kilobit special number field sieve factorization, May 2007, available at http://eprint.iacr.org/2007/205.pdf
[8] Recommendation for Key Management, Special Publication 800-57 Part 1, NIST, 03/2007.
[9] http://www.eff.org/Privacy/Crypto/Crypto_misc/DESCracker
[10] http://www.copacobana.org/
[11] WGA notification just doesn't stop, March 2007, at http://www.heise-security.co.uk/news/86294
[12] SHANNON C.E., Communication theory of secrecy systems, declassified report, 1946.
[13] MATIAS Y., SHAMIR A., A video scrambling technique based on space filling curves, in Proc. Advances in Cryptology (CRYPTO), pp. 398-417, Springer-Verlag, 1987.
[14] CHENG H., LI X., Partial Encryption of Compressed Images and Video, IEEE Transactions on Signal Processing, 48(8), 2000, pp. 2439-2451.
[15] WEN J., et al., A format-compliant configurable encryption framework for access control of video, IEEE Trans. Circuits Syst. Video Technol., vol. 12, no. 6, pp. 545-557, 2002.
[16] LOOKABAUGH T., et al., Security analysis of selectively encrypted MPEG-2 streams, Multimedia Systems and Applications VI, in Proc. of the SPIE, vol. 5241, pp. 10-21, 2003.
[17] LI X., AHMET E., Selective encryption of multimedia content in distribution networks: challenges and new directions, CIIT 2003.
[18] LOOKABAUGH T., Selective encryption, information theory and compression, Conference Record of the Thirty-Eighth Asilomar Conference on Signals, Systems and Computers, 2004, vol. 1, pp. 373-376.
[19] LOOKABAUGH T., SICKER D.C., Selective encryption for consumer applications, IEEE Communications Magazine, vol. 42, no. 5, May 2004, pp. 124-129.
[20] LIAN S., SUN J., WANG Z., Perceptual Cryptography on JPEG2000 Compressed Images or Videos, Proceedings of the Fourth International Conference on Computer and Information Technology (CIT'04), pp. 78-83, 2004.
[21] VAN DE VILLE D., et al., Image Scrambling without Bandwidth Expansion, IEEE Trans. Circuits Syst. Video Technol., vol. 14, no. 6, pp. 892-897, 2004.
[22] LI S., et al., Cryptanalysis of an Image Scrambling Scheme Without Bandwidth Expansion, Cryptology ePrint Archive, Report 2006/215, available at http://eprint.iacr.org/2006/215, 2006.