Florian Pestoni, IBM Research. IBM xCP Cluster Protocol. IBM Presentation to Copy Protection Technical Working Group, July 18th, 2002.

Presentation transcript:

1 Florian Pestoni IBM Research IBM xCP Cluster Protocol IBM Presentation to Copy Protection Technical Working Group July 18th, 2002

2 Key points Designed specifically for home networks Implements notion of “authorized domain” Devices with different capabilities, protocol-independent, support for intermittent connectivity Compliant with CPSA Chain of solutions based on licensing, usage rules Peer-to-peer, based on broadcast encryption More efficient and secure

3 Content Lifecycle Content Creation Content Management Broadband Distribution Digital Broadcast Physical Media Playback Device Playback Device Playback Device Playback Device Home Gateway Portable/Car MP3 player Set-Top Box Entertainment System

4 Key Management Content Protection Lifecycle Content Creation Content Management Broadband Distribution Digital Broadcast Physical Media Forensics Playback Device Playback Device Playback Device Home Gateway Encrypted content Tamper-resistant environment Watermarking

5 Usage scenarios Home entertainment network Distributed storage, remote playback Portable Connect, download, disconnect Summer home Multiple physical clusters Party Content temporarily available Marriage

6 Flexible model Vision “Make it easy for a consumer to access all her licensed content from all her devices, but make it hard for her neighbor.” Virtual device Think of a network of (physical) devices as making up a single (virtual) device Must limit size Avoid the “million-device cluster”

7 Broadcast Encryption Algorithmic Lineage Broadcast encryption - Fiat and Naor, Crypto ’93 Tracing traitors - Chor et al., Crypto ’94 Alternative to Public Key Encryption 2 or 3 orders of magnitude less overhead One-way protocols lead to more robust implementations Supports key revocation Unlike global secret schemes in which a single hacking event breaks the whole system

8 Broadcast Encryption Basics Device keys Each device is assigned a unique combination of keys Key Management Block Any device with valid device keys can process KMB to obtain key-encrypting key. Binding Key Key-encrypting key is combined with binding identifier, (hash of) usage rules, etc. Skip details

9 Key Management Blocks Scheme is large matrix of random keys Each device assigned one key from each column $E_{K_{i,j}}(K_m)$ Device A Device B KMB is data structure w/multiple ciphers of same media key under different device keys

10 Tree algorithm Significantly more efficient 12 bytes per revocation Single device or group of devices Internet Research Task Force Subset-Difference based Key Management for Secure Multicast

11 Binding Media CPRM/CPPM Physical media playable on any compliant device, content cannot be copied to other media unless authorized Device PVR time-shifting/pause live broadcast Content can only be played on the device that recorded it originally User xCP All devices in a cluster can play all content recorded within the cluster

12 xCP Model Initialization Devices in a household form a “cluster” by agreeing on common KMB, cluster ID (secret) Binding Content is cryptographically bound to this cluster, including usage conditions Compliance Only compliant devices can join the cluster Renewability As new KMBs are released, they are adopted by the cluster, updating the local revocation list Skip protocol

13 Cluster model kmbserver authorizer client KMB authTable Content +usage rules KMB authTable

14 Local Authorization Model Step 1 Who’s there? RSVP: myURL

15 Local Authorization Model Step 2 I’m here!

16 Local Authorization Model Step 3 Authorize me? My Player ID is: 0xCAFEBABE and here is a MAC computed with your KMB

17 Local Authorization Model Step 4 Ok, you’re in. Here’s the cluster ID, encrypted just for you Must remember cluster ID There’s only 2 of us so far, we can have 1 more I verified the MAC, I know the new device is compliant

18 Central Authorization Model Step 1 Who’s there? RSVP: myURL

19 Central Authorization Model Step 2 I’m here!

20 Central Authorization Model Step 3 Authorize me? My Player ID is: 0xCAFEBABE and here is a MAC

21 Central Authorization Model Step 4 I need to talk to the central authorization server Please authorize player 0xCAFEBABE for cluster 0xDEADBEEF

22 Central Authorization Model Step 5 Ok, you’re in. Here’s the cluster ID, encrypted just for you Player 0xCAFEBABE authorized Add a device to cluster ID 0xDEADBEEF Must remember cluster ID

23 Attack 1 Internet-delivered software clone Five lines of Perl … Solution: update MKB Send MKB with content Physical media, broadcast Require periodic connection Download updated MKB during reprovisioning Cluster adopts new MKB MKB revokes clone(s)

24 Attack 2 Block MKB update Disconnect cluster Solution: no more content Since MKBs are delivered with content, blocking MKBs means blocking content No more content can be compromised

25 Attack 3 Roll back (Re-)Introduce MKB that does not revoke clone Solution: MKB merge When new MKB is proposed, it is merged with previous MKB Revocation list is union of both MKBs
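
The matrix scheme from slide 9 and the merge defence from slide 25, as an added Python sketch that is not part of the presentation or of IBM's xCP code. The XOR-with-HMAC cell cipher, the verification value, the 4x3 matrix and the way `merged_key` combines the media keys are assumptions chosen for illustration.

```python
import hashlib, hmac, os

ROWS, COLS = 4, 3  # toy size (assumption); a real key matrix is far larger

def wrap(key, data):
    """Stand-in cipher for E_K(Km): XOR with an HMAC-SHA256 pad. XOR is its own inverse."""
    pad = hmac.new(key, b"kmb-cell", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def check(km):
    """Verification value that lets a device recognise a correctly decrypted Km."""
    return hashlib.sha256(b"verify" + km).digest()

def make_kmb(matrix, km, revoked_cells):
    """Encrypt Km under every cell key; revoked cells carry random bytes instead."""
    cells = {(r, c): os.urandom(16) if (r, c) in revoked_cells else wrap(matrix[r][c], km)
             for r in range(ROWS) for c in range(COLS)}
    return {"cells": cells, "check": check(km)}

def process_kmb(kmb, device_keys):
    """device_keys maps column -> (row, key). Returns Km, or None if every cell is revoked."""
    for col, (row, key) in device_keys.items():
        km = wrap(key, kmb["cells"][(row, col)])
        if hmac.compare_digest(check(km), kmb["check"]):
            return km
    return None

def merged_key(kmbs, device_keys):
    """Assumed merge: the cluster key depends on Km from every KMB, so a device
    revoked in any one of them gets nothing (revocation list = union)."""
    kms = [process_kmb(k, device_keys) for k in kmbs]
    return None if None in kms else hashlib.sha256(b"".join(kms)).digest()

def demo():
    matrix = [[os.urandom(16) for _ in range(COLS)] for _ in range(ROWS)]
    device = lambda rows: {c: (r, matrix[r][c]) for c, r in enumerate(rows)}
    good, clone = device([0, 1, 2]), device([3, 1, 0])    # they share cell (1, 1)
    old = make_kmb(matrix, os.urandom(16), set())          # revokes nobody
    new = make_kmb(matrix, os.urandom(16), {(3, 0), (1, 1), (0, 2)})  # revokes the clone
    return {
        "clone_old": process_kmb(old, clone) is not None,
        "clone_new": process_kmb(new, clone) is not None,
        "good_new": process_kmb(new, good) is not None,
        "clone_merged": merged_key([old, new], clone) is not None,
        "good_merged": merged_key([old, new], good) is not None,
    }

if __name__ == "__main__":
    print(demo())
```

The compliant device loses one shared cell to the revocation but still recovers Km from another column, while re-introducing the old KMB does not help the clone because the merged key also needs the new one.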

26 Attack 4 Bridge to “launder” content Make a compliant device participate in multiple clusters Keep clusters separated Solution: Authorization table Peers are added to authTable All share the same authTable Content is bound to hash of authTable
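
The local join exchange (slides 14 to 17) and the authTable binding from slide 26, as an added Python sketch rather than code from the presentation. How the MAC is keyed, the `seal` stand-in cipher, the three-device cap and the exact inputs to `binding_key` are assumptions; Km stands for the key a device obtains by processing the KMB.

```python
import hashlib, hmac, os

MAX_DEVICES = 3  # assumed cap, from the slide's "2 of us so far, we can have 1 more"

def join_mac(km, player_id):
    """MAC keyed with Km: only a device that processed the KMB can produce it."""
    return hmac.new(km, b"join" + player_id, hashlib.sha256).digest()

def seal(km, player_id, data):
    """Stand-in for "encrypted just for you": XOR pad from Km and player ID (self-inverse)."""
    pad = hmac.new(km, b"seal" + player_id, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

class Authorizer:
    def __init__(self, km, cluster_id, own_id):
        self.km, self.cluster_id, self.auth_table = km, cluster_id, [own_id]

    def authorize(self, player_id, tag):
        if not hmac.compare_digest(tag, join_mac(self.km, player_id)):
            return None                       # bad MAC: revoked or non-compliant
        if player_id not in self.auth_table:
            if len(self.auth_table) >= MAX_DEVICES:
                return None                   # cluster is full
            self.auth_table.append(player_id)
        return seal(self.km, player_id, self.cluster_id)

def binding_key(km, cluster_id, auth_table, usage_rules):
    """Km combined with cluster ID, hash of authTable and hash of usage rules."""
    table_hash = hashlib.sha256(b"".join(sorted(auth_table))).digest()  # fixed-size IDs
    rules_hash = hashlib.sha256(usage_rules).digest()
    return hashlib.sha256(km + cluster_id + table_hash + rules_hash).digest()

def demo():
    km, cluster_id = os.urandom(16), bytes.fromhex("deadbeef")
    ids = [bytes.fromhex(h) for h in ("cafebabe", "0badf00d", "00000003", "00000004")]
    auth = Authorizer(km, cluster_id, own_id=bytes.fromhex("00000001"))
    before = binding_key(km, cluster_id, auth.auth_table, b"copy once")
    sealed = auth.authorize(ids[0], join_mac(km, ids[0]))        # compliant joiner
    forged = auth.authorize(ids[1], join_mac(os.urandom(16), ids[1]))  # wrong Km
    after = binding_key(km, cluster_id, auth.auth_table, b"copy once")
    auth.authorize(ids[2], join_mac(km, ids[2]))                 # third and last slot
    full = auth.authorize(ids[3], join_mac(km, ids[3]))          # fourth device
    return {"cluster_id": seal(km, ids[0], sealed), "forged": forged,
            "full": full, "rebound": before != after}

if __name__ == "__main__":
    print(demo())
```

Because the authTable hash feeds the binding key, content bound in one cluster does not decrypt under another cluster's table even when a device holds both cluster IDs.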

27 A Scenario (I) Movie distribution to a home network Studio obtains KMB, device keys, chooses usage rules, encrypts content Content is distributed over existing channels (e.g. cable, satellite, PPV), possibly with different usage rules Additional protection may be layered, e.g. conditional access (Alternatively, free-to-air content may be transmitted in the clear, with broadcast flag set) STB receives content, (re-)encrypts, binding to local cluster Content downloaded over wireless network to minivan storage for playback on road trip

28 A Scenario (II) Export to legacy media A device on the cluster supports both xCP and CPRM (similarly DTCP, etc.) Device checks usage rules, determines export is allowed (e.g. copy once) Content is re-encrypted, bound to media (i.e. using MKB on media, media id) with appropriate usage rules (e.g. copy no more) Content on media now plays on any CPRM compliant device, not just those in the cluster The different binding models are complementary This chain of content protection solutions is the principle behind CPSA.

29 A Scenario (III) Forensics and renewability A clone is detected (typically, Internet-distributed software) Device keys used by the clone are determined using forensic examination A new KMB is released that revokes that set of keys KMB is propagated to the cluster, e.g. new content is protected by this new KMB Any device on the cluster can propose a new KMB KMB is merged with old one, devices revoked in either KMB are left out Other techniques (outside the scope of xCP) Tracing traitors – identify leaks from bootleg content

30 Conclusion Flexible model for end-to-end protection Independent of transmission mechanism Intermittently connected devices supported No handshakes required Fault tolerant, easy backup Licensing for legal enforcement Compatible with CPSA-compliant technologies Balance between consumers’ and content owner’s rights and expectations

31 Q & A

32 Thank you Florian Pestoni IBM Almaden Research Center San Jose, CA

33 Where can I learn more about this? IBM Submission to DVB “DVB-CPT Call for Proposals for Content Protection & Copy Management” IETF draft “Subset-Difference based Key Management for Secure Multicast” Crypto 2001 “Revocation and Tracing Schemes for Stateless Receivers” Dalit Naor, Moni Naor, Jeff Lotspiech to paper 2001/059) Computer Magazine cover feature “Broadcast encryption’s bright future” Jeff Lotspiech, Stefan Nusser, Florian Pestoni (to be published August 2002)