In this paper we investigate the image authentication system SARI, proposed by C.Y. Lin and S.F. Chang [1], that distinguishes JPEG compression from malicious manipulations. In particular, we look at the image digest component of this system. We show that if multiple images have been authenticated with the same secret key and the digests of these images are known to an attacker, Oscar, then he can cause arbitrary images to be authenticated with that same key, even though the key itself remains unknown to him. We show that the number of such images needed by Oscar to launch a successful attack is quite small, making the attack very practical. We then suggest possible solutions to enhance the security of this authentication system.
Regunathan Radhakrishnan, Nasir D. Memon