Wrong.

I think Bruce Schneier described it best (paraphrased): Cryptography is like having a really strong front door on your house… 2 foot thick steal, blast proof, the whole 9 yards. A thief isn’t going to try and break through your front door… they’ll just climb through a window!

Security is about the whole system; not just the crypto. xkcd summed it up nicely:

—

Okay, THIS is funny because of the glaring security mistakes made by San Francisco’s Department of Technology (or Department of Ignorance, after this one). From the New York Times:

A disgruntled city computer engineer has virtually commandeered San Francisco’s new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail…

Prosecutors say Childs, who works in the Department of Technology… tampered with the city’s new FiberWAN (Wide Area Network), where records such as officials’ e-mails, city payroll files, confidential law enforcement documents and jail inmates’ bookings are stored.

Officials also said they feared that although Childs is in jail, he may have enabled a third party to access the system by telephone or other electronic device and order the destruction of hundreds of thousands of sensitive documents.

This is like security 101… you never give this much power to any single person. On critical systems like this, you always have check-and-balances, outside security code reviews, and strict audits. The S.F. DoT was basically driving around without insurance and got in an accident… I don’t feel sorry for them. It’s really sad how ignorant the world is about security (sigh).

This got me thinking I should write about the complex problem of securing a video stream. There are many aspects to securing a video stream: integrity, authenticity, and privacy being the most important. I’m not going to spend time talking about integrity and authenticity, because those are somewhat simpler problems to solve (integritiy = digital signatures, authenticity = digital certificates). The main focus of this post is about privacy; keeping an eavesdropper from deducing the contents of a video stream.

Terms

Privacy: The goal of privacy is to limit the amount of information that an attacker can deduce from the data stream (ideally, none). This is a much more difficult problem than it first appears to be. If you think all you have to do is encrypt the video, you REALLY need to keep reading.

Entopy: A measure of the minimum number of bits required to communicate a unit of information. Most forms of data (especially video) have a lot of redundant information in them that is not necessary to transmit to the receiver.

Compression: The process of removing redundant data so that the number of bits transmitted is as close as possible to the entropy value.

Encryption: The process of encoding data into a form that is impractical to decode without knowing the key. A good encryption algorithm will cause patterns in the input to have no correlating pattern on the output. The input is called plaintext and the output is called ciphertext.

MPEG-4 and h.264 Video Compression

I’m going to talk specifically about video compressed with MPEG-4/h.264, but these concepts apply to any variable bitrate compression algorithm. Also, to simplify writing, I’m going to refer to MPEG-4 and h.264 collectively as MPEG-4 (since both are part of the same standard and have similar characteristics).

As I mentioned above, raw video has a tremendous amount of redundant data. Except for a few rare cases, the difference between 2 successive video frames is small (many times the background is unchanging or panning in a predictable manner). MPEG-4 takes advantage of this by outputting the difference between frames; complete frames are only produced periodically. Since the difference between frames is usually small, MPEG-4 does a good job of minimizing the video data close to its entropy value.

Below is a graphical representation of an MPEG-4 video stream. I-frames are the complete frames, and P-frames are the ‘difference’ frames. The period between I-frames defines the Group Of Pictures (GOP) length.

As you can see, MPEG-4 greatly reduces the amount of data that needs to be transmitted to the receiver. This is an important feature to have, because it allows more streams (or higher-quality streams.. your choice) to be transmitted over the same network infrastructure.

Securing the Video

Okay, so how do we prevent an attacker from gaining any information about the contents of the video? The naive approach would be to simply encrypt the video using something like AES and call it good. True, this would prevent the attacker from decoding the raw video (assuming the key exchange infrastructure is designed correctly… but that’s another post). However, this may not be good enough to fulfill our requirement of privacy. For example, what if the attacker couldn’t watch the video, but was able to determine if there was movement in the video? Would this be valuable information? It could be, if the attacker is trying to determine the schedule of a security guard making his rounds.

First, let’s look at what an encrypted stream would look like to the attacker:

Assuming the video is transmitted using a common transport protocol like RTP, it is easy for an attacker to determine the frame boundaries (there are bits in the RTP header that specify this). The attacker still can’t decode the video to watch it, but he now has a vital piece of information: the encrypted frame size.

The size of the encrypted frame matters, because there is a strong correlation between the size of the ciphertext and the size of the original plaintext. Most symmetric encryption algorithms (like AES) do nothing to mask the size of the data they encode. Thus, the size of the encrypted output is almost exactly the size of the original input (‘almost’, because symmetric block ciphers will pad the data so it is an exact multiple of the block size). Thus, the attacker can use the frame size to determine the GOP length simply by analyzing the data stream and looking for periodic spikes in the size of the frame data. Since the GOP length rarely (if ever) changes, it’s trivial to find the I-frame… everything else is therefore a P-frame.

So, why is the original frame size important? Well, let’s look at what P-frame size tells us. When there is no movement in front of a camera, the differences between successive frames will be very small, and thus the P-frames will be small. When something changes in the frame (like a security guard entering the room), the difference between frames will be greater, and thus the P-frame size will increase. An encrypted stream with movement in it may look like:

If an attacker can determine the size of the P-frames, he can determine the amount of change between frames and possibly deduce information about what’s going on. Thus, we have failed to meet the strict definition of privacy.

Conclusion

Security is harder than it looks: much harder. Because of this, most engineers will do it wrong. As Bruce Schneier is fond of saying, no security is better than broken security, because at least you will be more careful with your data if you know your security is broken.

Security is more than simply understanding algorithms; it’s a way of thinking. It’s understanding the flow of information. It’s understanding to think like an attacker. Cryptography is just a tool, not a panacea. Relying only on cryptography for security is like trying to protect your house with a huge, electrified, steel front door covered in barbed wire… the attacker will simply break in through the window. You have to consider ALL the attack vectors.

So how do you really secure compressed video? Well, I can’t reveal that here. Solving these problems is what I’m paid to do… good old trade secrets stuff. I’ll tell you it is possible to do, but it’s not trivial. If you think you’ve solved it, be careful… you may still be revealing more than you think.

Suggested Reading

• Schneier of Security
• Applied Cryptography
• Handbook of Applied Cryptography
• Beyond Fear
• Practical Cryptography

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.

Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more.

Law #5: Weak passwords trump strong security.

Law #6: A computer is only as secure as the administrator is trustworthy.

Law #7: Encrypted data is only as secure as the decryption key.

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all.

Law #9: Absolute anonymity isn’t practical, in real life or on the Web.

Law #10: Technology is not a panacea.

Anyways, a few months ago, Intel made this music video promoting the technology:

(requires Adobe Flash plugin… click HERE to watch it on YouTube)

Here’s a link to the paper (PDF)

Mueller’s book is filled with statistics meant to put terrorism in context. For example, international terrorism annually causes the same number of deaths as drowning in bathtubs or bee stings. It would take a repeat of Sept. 11 every month of the year to make flying as dangerous as driving. Over a lifetime, the chance of being killed by a terrorist is about the same as being struck by a meteor. Mueller’s conclusions: An American’s risk of dying at the hands of a terrorist is microscopic. The likelihood of another Sept. 11-style attack is nearly nil because it would lack the element of surprise. America can easily absorb the damage from most conceivable attacks. And the suggestion that al Qaeda poses an existential threat to the United States is ridiculous. Mueller’s statistics and conclusions are jarring only because they so starkly contradict the widely disseminated and broadly accepted image of terrorism as an urgent and all-encompassing threat.

And here’s an appropriate comic to follow:

I found this to be an interesting summary of how we generally evaluate risk:

People exaggerate risks that are:

• Spectacular
• Rare
• Personified
• Beyond their control, or externally imposed
• Talked about
• Intentional or man-made
• Immediate
• Sudden
• Affecting them personally
• New and unfamiliar
• Uncertain
• Directed against their children
• Morally offensive
• Entirely without redeeming features
• Not like their current situation

People downplay risks that are:

• Pedestrian
• Common
• Anonymous
• More under their control, or taken willingly
• Not discussed
• Natural
• Long-term or diffuse
• Evolving slowly over time
• Affecting others
• Familiar
• Well understood
• Directed towards themselves
• Morally desirable
• Associated with some ancillary benefit
• Like their current situation

From the essay:

The truth is that we’re not hopelessly bad at making security trade-offs. We are very well adapted to dealing with the security environment endemic to hominids living in small family groups on the highland plains of East Africa. It’s just that the environment in New York in 2006 is different from Kenya circa 100,000 BC. And so our feeling of security diverges from the reality of security, and we get things wrong.

…

Why is it that, even if someone knows that automobiles kill 40,000 people each year in the U.S. alone and airplanes kill only hundreds world-wide, they are more afraid of airplanes than automobiles? Why is it that, when food poisoning kills 5,000 people per year and 9/11 terrorists killed 2,973 people in only one year, are we spending tens of billions per year on terrorism defense and almost never think about food poisoning?

And a great quote from psychologist Daniel Gilbert:

The brain is a beautifully engineered get-out-of-the-way machine that constantly scans the environment for things out of whose way it should right now get. That’s what brains did for several hundred million years—and then, just a few million years ago, the mammalian brain learned a new trick: to predict the timing and location of dangers before they actually happened.

Our ability to duck that which is not yet coming is one of the brain’s most stunning innovations, and we wouldn’t have dental floss or 401(k) plans without it. But this innovation is in the early stages of development. The application that allows us to respond to visible baseballs is ancient and reliable, but the add-on utility that allows us to respond to threats that loom in an unseen future is still in beta testing.

Click here to read the PDF version of the essay.