DRM: Technology overview Keunwoo Lee CSE 590 SO 19 April 2005

Outline Trends in technology of copying Goals of DRM Security basics Three DRM technologies Questions

Trends in technology of copying Kucher et al., Self-Protecting Digital Content

Goals of DRM Problem: Anything that can be done to bits, can be done by a general-purpose computer Some people want to give you bits, but want to prevent you from doing certain things with them: –Redistribution –Public performance –Derivative works –Permanent storage –… (Call these restrictions the policy.) The DRM Dream: make it “hard enough” for users to violate policy without permission

Security basics DRM is a security measure (it protects the confidentiality and integrity of certain data) “Security” is not a binary property; it can only be measured in terms of tradeoffs and costs in a particular context: Q1. What is the the resource being protected, and how much is it worth? Q2. What are the expected attacks? Q3. How well do the available security measures stand up against these attacks? Q4. What is the cost of these measures?

A short detour into cryptography Encryption Digital signatures Watermarks

Encryption Symmetric: Public-key: +) encryption decryption + + encryptiondecryption + Public key Private key ) ) )

Digital signatures + signing Private key Public key + X OK verification +) ) ) + X ) a a a a b

Watermarks +ID ) watermarking detection ) ) ) )

DRM as a security problem Q1: What is the resource being protected, and how much is it worth?

DRM as a security problem Q2: What are the expected attacks? Brute-force decryption Analog capture Software: –Key recovery –Plaintext memory read Hardware: –Key recovery or plaintext capture

Attacks in detail Brute-force decryption –Attack cryptographic algorithm directly to recover plaintext –Infeasible for well-designed cryptosystems Analog capture –Render into human-consumable form using provided mechanisms, and capture using other equipment –Always feasible –May be inconvenient, and result in minor loss of quality, metadata, or features

Attacks in detail (2) Software: key recovery or plaintext memory read –Systems usually require that unencrypted keys and/or plaintext be transmitted and/or reside in memory Cory Doctorow: “Alice has to provide Bob --- the attacker --- with the key, the cipher, and the ciphertext. Hilarity ensues.” –In most computers, always possible to inspect any location in memory –Hence, user can, in principle, always circumvent software-only DRM solutions by this attack

Attacks in detail (3) Hardware attacks: –To defeat software attacks, some functions can be “locked up” in hardware –Hardware is harder for user to inspect/modify than software –If hardware is designed naively, user can probe hardware to extract keys or plaintext, or “trick” hardware into doing things it should not

Constructing DRM systems Q3. How well do the available security measures stand up against these attacks? Consider 3 example systems: FairPlay Content Scrambling System Self-Protecting Digital Content

FairPlay (Apple iTunes) Policy: user may –Copy tracks to any iPod or burn to any CD –Play tracks on 5 computers –Burn playlist to CD up to 7 times without changing the playlist + ) Track master key Encrypted track Plaintext music file + User key iTunes server user Track master key ) Encrypted master key +) + ) iTunes client software Client machine OS sound driver Sound card Speakers

Content Scrambling System (DVDs) Policy: user may decrypt content on licensed device Architecture: DVD data divided into “titles” Each title encrypted with a title key Each title key encrypted with a disc key, and placed on disc Disc key copied 409 times, each encrypted with a different one of the 409 player keys, and all encrypted copies placed on disc One or more player keys distributed to each licensed device manufacturer +) … +) … … ) DVD DVD drive DVD producer Title keysTitles Disc keyTitle keys Player keys Disc key copies

Attacks on CSS Key recovery attack: –Can compromise one player, get the key, and decrypt all DVDs –“Break Once, Break Everywhere” (BOBE) Memory attack: –DVD-ROMs are attached to general-purpose computers; can read video out of memory buffer during playback Analog attack –With appropriate adapters, can plug video out into VCR. Note: CSS doesn’t really prevent copying anyway; DVD ciphertext can be copied without ever decrypting contents.

Self-Protecting Digital Content [Kucher et al.]

SPDC: End-to-end security

SPDC: Attacks Safe from software key recovery and memory read attacks: –key and plaintext never leave secure environment on chip, and so never appear in memory accessible to general-purpose computer Hardware attacks: –Can build (imperfectly) tamper-resistant hardware –Even if attack succeeds, may compromise existing content only; future content uses different encryption schemes –Can add more features for extra security e.g., require content to “phone home” over net to authenticate that hardware/software environment has not been compromised Analog attack: can put a camcorder in front of the monitor

Aside: a note on watermarks Watermarking can be applied to content independently of other DRM schemes Watermarks can usually be erased by clever users or clever software Still, some users are too dumb to use clever software, so watermarks may yield some forensic benefits

DRM as a security problem Q4: What are the costs of these security measures? …for content producers? …for device manufacturers? …for technical innovators? …for honest consumers?

Questions Given the prerequisites for a SPDC system, is there a path to probable market acceptance of strong DRM? What is the real effect/value of weak DRM? Are there restriction policies that users of e- books might consider “reasonable”? –Consumers? –Scholarly users? –Public libraries? –Users with accessibility needs? –Hackers?