Outline
• Trends in technology of copying
• Goals of DRM
• Security basics
• Three DRM technologies
• Questions
Goals of DRM
• Problem: Anything that can be done to bits, can be done by a general-purpose computer
• Some people want to give you bits, but want to prevent you from doing certain things with them:– Redistribution– Public performance– Derivative works– Permanent storage– …(Call these restrictions the policy.)
• The DRM Dream: make it “hard enough” for users to violate policy without permission
Security basics
• DRM is a security measure (it protects the confidentiality and integrity of certain data)
• “Security” is not a binary property; it can only be measured in terms of tradeoffs and costs in a particular context:
Q1. What is the the resource being protected, and how much is it worth?
Q2. What are the expected attacks?Q3. How well do the available security measures stand up against
these attacks?Q4. What is the cost of these measures?
EncryptionSymmetric:
Public-key:
+ )
encryption decryption
+
+
encryption decryption
+Public key Private key
)
)
)
DRM as a security problem
Q2: What are the expected attacks?
• Brute-force decryption• Analog capture• Software:
– Key recovery– Plaintext memory read
• Hardware:– Key recovery or plaintext capture
Attacks in detail
• Brute-force decryption– Attack cryptographic algorithm directly to recover
plaintext– Infeasible for well-designed cryptosystems
• Analog capture– Render into human-consumable form using provided
mechanisms, and capture using other equipment– Always feasible– May be inconvenient, and result in minor loss of
quality, metadata, or features
Attacks in detail (2)
• Software: key recovery or plaintext memory read– Systems usually require that unencrypted keys and/or
plaintext be transmitted and/or reside in memory• Cory Doctorow: “Alice has to provide Bob --- the attacker ---
with the key, the cipher, and the ciphertext. Hilarity ensues.”
– In most computers, always possible to inspect any location in memory
– Hence, user can, in principle, always circumvent software-only DRM solutions by this attack
Attacks in detail (3)
• Hardware attacks:– To defeat software attacks, some functions
can be “locked up” in hardware– Hardware is harder for user to inspect/modify
than software– If hardware is designed naively, user can
probe hardware to extract keys or plaintext, or “trick” hardware into doing things it should not
Constructing DRM systems
Q3. How well do the available security measures stand up against these attacks?
Consider 3 example systems:• FairPlay• Content Scrambling System• Self-Protecting Digital Content
FairPlay (Apple iTunes)Policy: user may
– Copy tracks to any iPod or burn to any CD
– Play tracks on 5 computers
– Burn playlist to CD up to 7 times without changing the playlist
+ )Track
master key Encrypted
track
Plaintext music
file
+User key
iTunes server
user
Track master
key
)
Encrypted master key
+ )+ )
iTunes client software
Client machine
OS sound driver
Sound card
Speakers
Content Scrambling System (DVDs)
Policy: user may decrypt content on licensed device
Architecture:• DVD data divided into “titles”• Each title encrypted with a
title key• Each title key encrypted with a
disc key, and placed on disc• Disc key copied 409 times,
each encrypted with a different one of the 409 player keys, and all encrypted copies placed on disc
• One or more player keys distributed to each licensed device manufacturer
+ ) …
+ )
…
+++
+…)
DVD
DVD drive
DVD producer
Title keys Titles
Disc key Title keys
Player keys
Disc key copies
Attacks on CSS
Key recovery attack:– Can compromise one player, get the key, and decrypt all DVDs– “Break Once, Break Everywhere” (BOBE)
Memory attack:– DVD-ROMs are attached to general-purpose computers; can
read video out of memory buffer during playback
Analog attack– With appropriate adapters, can plug video out into VCR.
Note: CSS doesn’t really prevent copying anyway; DVD ciphertext can be copied without ever decrypting contents.
SPDC: Attacks
• Safe from software key recovery and memory read attacks:– key and plaintext never leave secure environment on chip, and
so never appear in memory accessible to general-purpose computer
• Hardware attacks:– Can build (imperfectly) tamper-resistant hardware– Even if attack succeeds, may compromise existing content only;
future content uses different encryption schemes– Can add more features for extra security
• e.g., require content to “phone home” over net to authenticate that hardware/software environment has not been compromised
• Analog attack: can put a camcorder in front of the monitor
Aside: a note on watermarks
• Watermarking can be applied to content independently of other DRM schemes
• Watermarks can usually be erased by clever users or clever software
• Still, some users are too dumb to use clever software, so watermarks may yield some forensic benefits
DRM as a security problem
Q4: What are the costs of these security measures?…for content producers?
…for device manufacturers?
…for technical innovators?
…for honest consumers?
Questions
• Given the prerequisites for a SPDC system, is there a path to probable market acceptance of strong DRM?
• What is the real effect/value of weak DRM?• Are there restriction policies that users of e-
books might consider “reasonable”?– Consumers?– Scholarly users?– Public libraries?– Users with accessibility needs?– Hackers?