Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security of Digital Rights Management Systems Hugo Jonker

Published byAnn Gosse Modified over 9 years ago

Similar presentations

Presentation on theme: "Security of Digital Rights Management Systems Hugo Jonker"— Presentation transcript:

1 Security of Digital Rights Management Systems Hugo Jonker http://www.win.tue.nl/~hjonker/

2 Outline Introduction Supporting techniques Modelling DRM systems Security Closing remarks

3 Copyright in the digital era Early content protection systems (e.g. cable tv, CSS): –Either full access or no access, no possibility to update access rights –Content supplier also grants access rights Current situation: –Digital versions of music/films/books (content) are being exchanged in various (digital) manners –Existing copy-protection measures (e.g. CSS) are not sufficient New possibilities: –Desire to offer digitised content (e.g. over the Internet) whilst ensuring copy protections after delivery –Interest in offering tailor-made access to content Legal situation Netherlands (2004): uploading bad, downloading not bad Introduction copyright purpose description constraints state Techniques Model Security Closing remarks

4 Purpose of DRM systems A new content protection mechanism –As desired by those offering content Access control –Not just copy prevention Practical security –In absense of perfect security, settle for practical security (e.g. prevent “break once, run everywhere”, updatable security measures) Introduction copyright purpose description constraints state Techniques Model Security Closing remarks

5 General description of DRM systems Govern the distribution and protective measures of content –video, audio, tekst, graphics, software Content can only be accessed with a license –More precise: in adherence to a valid license, issued by a bona fide license issuer –License specifies the access rights –License is typically bound to a device –Unlicensed access to protected content should be impossible Network oriented technique –Internet, cable television, cellular phone, CD / DVD Introduction copyright purpose description constraints state Techniques Model Security Closing remarks

6 Constraints DRM systems (as we consider them) offer: No protection of analogue content –DRM protection ends when content has been rendered No payment mechanisms –As this can be considered a seperate problem Introduction copyright purpose description constraints state Techniques Model Security Closing remarks

7 State of DRM development Existing systems: –Apple: iTunes (music) –Microsoft: MS Media DRM (music, audio/video), MS Reader (text) –Adobe: eBooks (text) Standards: –XrML, ODRL (right expression languages) – (metadata) –OMA (cellphones) Developments by: –Open Mobile Alliance (cellphones) –MPEG, OpenIPMP, SDMI, SMPTE, ISMA, OeBF, CRF, OASIS (IT industry) Note: there is not one standard DRM system, nor a DRM system which is market leader on all markets Introduction copyright purpose description constraints state Techniques Model Security Closing remarks

8 Supporting techniques

9 General goals: –Updatability –Interoperability Specialised techniques –Content identification: DOI, watermarking, fingerprinting –Stating rights: Right Expression Language, Rights Data Dictionary (REL, RDD) –Cryptography: secure container –Security enabling: hard/software Trusted Computing Base (TCB) –Traitor tracing Introduction Techniques supporting techniques content identification rights expression cryptography TCB Model Security Closing remarks

10 Content identification Digital Object Identifier (DOI) –Lookup system using codes, similar to bar codes –DOI number identifies content, but must be supplied with content Watermarking –Embedding information in content without disturbing perception of content –Embedded information can be used to identify content (e.g. a DOI) Fingerprinting –Identifying content based on perceptual equivalence Introduction Techniques supporting techniques content identification rights expression cryptography TCB Model Security Closing remarks

11 Rights expression Rights Expression Language (REL): syntax of the license Rights Data Dictionary (RDD): semantics of the REL Two main contenders: Open Data Rights Language (ODRL) –open standard, supported by OMA eXtensible rights Markup Language (XrML) –proprietary standard from Contentguard, supported by MPEG, Microsoft Both are XML-based Introduction Techniques supporting techniques content identification rights expression cryptography TCB Model Security Closing remarks

12 Cryptography Various uses of cryptography In communications –Authentication, secure channel For a secure container –(possibly conceptual) container consisting of the encrypted content, metadata describing content, and possibly access rights for the content –Seperate encryption from key management –Secure container can be exchanged unlimited Introduction Techniques supporting techniques content identification rights expression cryptography TCB Model Security Closing remarks

13 Trusted Computing Base Trusted computing base A component that provides a trusted platform on which computations are performed Computations cannot be inspected nor disturbed Traditionally implemented in hardware (e.g. smartcards) Software TCB conceptually impossible, but practically feasible Requirements: –code tamper resistance –data tamper resistance (secure storage) –key hiding Introduction Techniques supporting techniques content identification rights expression cryptography TCB Model Security Closing remarks

14 Modelling DRM systems

15 Possible components Content packaging Media server License server Content registration server Authentication server Payment gateway DRM tools server User interface Introduction Techniques Model possible components MOSES / OpenSDRM derived model process model Security Closing remarks

16 MOSES / OpenSDRM Content Packaging server Registration server Authentication server License server e-Commerce server Media delivery server DRM Tools server Payment gateway connection storage player video driver audio driver video card display hardware analogue out sound card audio hardware analogue out Server sideUser side Introduction Techniques Model possible components MOSES / OpenSDRM derived model process model Security Closing remarks

17 Derived model (old) packager license secure container network interface storage player video driver audio driver video card video output device sound card audio output device network trusted computing base distributor’s side content provider analogue output user’s side Introduction Techniques Model possible components MOSES / OpenSDRM derived model process model Security Closing remarks

18 Process model Introduction Techniques Model possible components MOSES / OpenSDRM derived model process model Security Closing remarks

19 Security

20 Intruder model –Typical intruder threat for entire DRM systems stronger than Dolev / Yao –Dolev / Yao seems adequate for protocols Security goals –Theory focuses on complete(?) security –Practice: not per se so strict E.g. iTunes allows creating CD’s which could then be “ripped” Security requirements

21 Method 1.Stakeholder analysis Establish core roles and incentives 2.Establish (high level) properties Use concepts of DRM systems (see process model) to translate the incentives into properties 3.Derive (low level) security requirements Use process model Introduction Techniques Model Security method stakeholder analysis high-level properties security requirements Closing remarks

22 Stakeholder analysis Parties: media company, developer, user, reseller,... A party can play more than one role Three core roles: user, license creator, content creator Incentives of the content creator –support new business models (e.g. bundling of content) –Offer revenue-generating alternative to downloading (opens new market) Incentives of the license creator –Offering tailor-made access (new market) –Low overhead compared to physical devices (CD / DVD) Incentives of the user –Legitimate and known-quality content (compared to downloading) –Ease of use –Pricing can be more fine-grained Introduction Techniques Model Security method stakeholder analysis high-level properties security requirements Closing remarks

23 High-level properties Content creator 1.Content is only accessible under the conditions of a valid license issued by a bona fide license creator (includes binding of license to device) License creator 1.The above 2.The impact of breaking the system must be constrained User 1.Ordering licenses / content requires user participation 2.Content nor licenses can be linked to the user Introduction Techniques Model Security method stakeholder analysis high-level properties security requirements Closing remarks

24 Security requirements Content cannot be eavesdropped Secure communications Content will only be rendered –if a valid license for the content and the renderer is available –if all conditions of such a license have been met The manager / renderer ‘s inner workings cannot be influenced Secrets stay secrets –E.g. cryptographic keys used by manager / renderer Prevent “break once, run everywhere” Updatability... Introduction Techniques Model Security method stakeholder analysis high-level properties security requirements Closing remarks

25

26 Further research Application of security requirements Formal verification of the correctness of used protocols –Secrecy, authentication Formal verification of other security properties of protocols –E.g. privacy Formal specifications pertaining to TCB Questions?

Download ppt "Security of Digital Rights Management Systems Hugo Jonker"

Similar presentations

ContentGuard An Intellectual Property Company IPED Conference November 1, 2007 Presented By Eddie Chen CONTENTGUARD.

ContentGuard An Intellectual Property Company IPED Conference November 1, 2007 Presented By Eddie Chen CONTENTGUARD.
CONFIDENTIAL DIGITAL WATERMARKING ALLIANCE. CONFIDENTIAL DIGITAL WATERMARKING ALLIANCE 2 Digital Watermarking Alliance Charter The Digital Watermarking.

CONFIDENTIAL DIGITAL WATERMARKING ALLIANCE. CONFIDENTIAL DIGITAL WATERMARKING ALLIANCE 2 Digital Watermarking Alliance Charter The Digital Watermarking.
Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.

Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.
FromAudiobook to Multimedia-Book Zhoulan Zhang

FromAudiobook to Multimedia-Book Zhoulan Zhang
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
H.L. Jonker Security aspects of Digital Rights Management Systems H.L. Jonker, TNO ITSEF Co-authors: S. Mauw (TU/e), J.H.S. Verschuren and A.T.S.C. Schoonen.

H.L. Jonker Security aspects of Digital Rights Management Systems H.L. Jonker, TNO ITSEF Co-authors: S. Mauw (TU/e), J.H.S. Verschuren and A.T.S.C. Schoonen.
1 GP Confidential ©2013 1 GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)

1 GP Confidential © GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)
DR. MIGUEL ÁNGEL OROS HERNÁNDEZ 8. Cracking. Cracking Magnitude of piracy  All kinds of digital content (music, software, movies)  Huge economic repercussions.

DR. MIGUEL ÁNGEL OROS HERNÁNDEZ 8. Cracking. Cracking Magnitude of piracy  All kinds of digital content (music, software, movies)  Huge economic repercussions.
A Content Protection Scheme Using MPEG-21 Concepts and Tools Chia-Hsien Lu Feng-Cheng Chang Hsueh-Ming Hang Dept. Electronics Engineering National Chiao.

A Content Protection Scheme Using MPEG-21 Concepts and Tools Chia-Hsien Lu Feng-Cheng Chang Hsueh-Ming Hang Dept. Electronics Engineering National Chiao.
1 Jeremy Wyant W3C DRM Workshop 23 January 2001 Establishing Security Requirements For DRM Enabled Systems.

1 Jeremy Wyant W3C DRM Workshop 23 January 2001 Establishing Security Requirements For DRM Enabled Systems.
UNDERSTANDING JAVA APIS FOR MOBILE DEVICES v0.01.

UNDERSTANDING JAVA APIS FOR MOBILE DEVICES v0.01.
Digital Rights Management in Digital Libraries: an introduction to technology, effects and the available Open source tools Dr. N. S. Harinarayana Reader,

Digital Rights Management in Digital Libraries: an introduction to technology, effects and the available Open source tools Dr. N. S. Harinarayana Reader,
“...creating knowledge.” Enabling Digital Content Protection on Super-Distribution Models - Carlos Serrão ISCTE – Intituto Superior.

“...creating knowledge.” Enabling Digital Content Protection on Super-Distribution Models - Carlos Serrão ISCTE – Intituto Superior.
Project 1 Introduction to HTML.

Project 1 Introduction to HTML.
3. Technical and administrative metadata standards Metadata Standards and Applications.

3. Technical and administrative metadata standards Metadata Standards and Applications.
1 MPEG-21 : Goals and Achievements Ian Burnett, Rik Van de Walle, Keith Hill, Jan Bormans and Fernando Pereira IEEE Multimedia, October-November 2003.

1 MPEG-21 : Goals and Achievements Ian Burnett, Rik Van de Walle, Keith Hill, Jan Bormans and Fernando Pereira IEEE Multimedia, October-November 2003.
In the last part of the course we make a review of selected technical problems in multimedia signal processing First problem: CONTENT SECURITY AND WATERMARKING.

In the last part of the course we make a review of selected technical problems in multimedia signal processing First problem: CONTENT SECURITY AND WATERMARKING.
Jau-Wu Huang1 Digital Rights Management for Visual Content in Mobile Applications Trimeche, M.; Chebil, F.; Nokia Research Center Control, Communications.

Jau-Wu Huang1 Digital Rights Management for Visual Content in Mobile Applications Trimeche, M.; Chebil, F.; Nokia Research Center Control, Communications.
Philips Research France Delivery Context in MPEG-21 Sylvain Devillers Philips Research France Anthony Vetro Mitsubishi Electric Research Laboratories.

Philips Research France Delivery Context in MPEG-21 Sylvain Devillers Philips Research France Anthony Vetro Mitsubishi Electric Research Laboratories.
Applied Cryptography for Network Security

Applied Cryptography for Network Security

Similar presentations

Ads by Google