1
Anonymous Trust: Digital Rights Management Using Broadcast Encryption
Proceedings of the IEEE, Vol. 92, No. 6, June 2004
2
Outline
  Introduction
  Broadcast encryption
  Content binding
  Server side binding - the anonymous trust system
  XCP cluster protocol and the home network
  Download to the home network
  Conclusion
3
Introduction
Cryptography in a DRM system
  The attacker has the keys
  Providing a hook to force compliance
Public-key based system
  Both the client and server have public-key certificates
  Using the handshake protocol
  Expensive
  The dependency on an online handshake protocol makes it unsuitable for physical media or broadcast-based distribution
→ Broadcast encryption
4
Broadcast encryption
Fiat & Naor, 1993: find a key management scheme with revocation, but without the handshake protocol
→ called broadcast encryption to emphasize its one-way nature
Size/performance tradeoff
  A much larger amount of data has to be transferred
  Requires less time for calculations
5
Broadcast encryption
Matrix-based schemes
  Content protection for recordable media (CPRM)
  Content protection for prerecorded media (CPPM)
  Media key block
  Device keys
Drawbacks:
  The size of the matrix
  Sensitive to insider attacks
6
Broadcast encryption
The media key block is prerecorded on blank media at manufacturing time
The key matrix is generated by the CPRM licensing agency and is pre-embossed in the lead-in area on the disk
The media key block is the encryption of the media key under the different device keys
8
Broadcast encryption
Tree-based schemes
Wallner, 1997 and Wong, 1997
→ Logical key hierarchy (LKH) trees
IBM, 2001
→ subset-difference approach (NNL trees)
  More concise than LKH trees
  The size of the key management block in an NNL system is literally of the same order as the size of a public-key certificate revocation list
11
Broadcast encryption
Tricks in NNL
  Revoke more than one device
  How does it store the billions of keys?
  → the lower level keys are one-way functions of the higher level keys
NNL trees are the strongest known key management block technology in terms of number of revocations for a given size
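The two tricks above, sketched as an added example (not code from the paper or from IBM): one subset key can exclude a whole subtree of devices, and a device stores only a few labels from which lower-level keys are derived one-way. The names `LicensingAgency`, `provision` and `device_subset_key` are hypothetical, SHA-256 stands in for the one-way function, and the tree is a heap-indexed binary tree with root 1.

```python
import hashlib, secrets

def G(tag: bytes, label: bytes) -> bytes:
    """One-way step; SHA-256 stands in for NNL's generator (an assumption)."""
    return hashlib.sha256(tag + label).digest()[:16]

def walk(label: bytes, top: int, node: int) -> bytes:
    """Push a label from node `top` down to its descendant `node` (must be under `top`)."""
    steps = []
    while node != top:
        steps.append(b"R" if node & 1 else b"L")
        node //= 2
    for tag in reversed(steps):
        label = G(tag, label)
    return label

def covers(top: int, node: int) -> bool:
    """True if `node` lies in the subtree rooted at `top`."""
    while node > top:
        node //= 2
    return node == top

class LicensingAgency:
    def __init__(self, height: int):
        # One random label per internal node; leaves are 2**height .. 2**(height+1)-1.
        self.labels = {i: secrets.token_bytes(16) for i in range(1, 2 ** height)}

    def subset_key(self, i: int, j: int) -> bytes:
        """Key for 'every leaf under i except those under j'."""
        return G(b"M", walk(self.labels[i], i, j))

    def provision(self, leaf: int) -> dict:
        """Labels hanging off the leaf's path, one set per ancestor: O(log^2 n) values."""
        store, anc = {}, leaf // 2
        while anc >= 1:
            node = leaf
            while node != anc:
                store[(anc, node ^ 1)] = walk(self.labels[anc], anc, node ^ 1)
                node //= 2
            anc //= 2
        return store

def device_subset_key(store: dict, i: int, j: int):
    """Derive the (i, j) subset key from stored labels, or None if this device is excluded."""
    for (anc, sib), label in store.items():
        if anc == i and covers(sib, j):
            return G(b"M", walk(label, sib, j))
    return None
```

With a tree of height 3, the subset (1, 6) revokes leaves 12 and 13 with a single key, and every device holds six labels.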
12
Content binding in CPRM
The unique media key calculation: $K_{mu} = H(K_m, ID_m)$
→ the binding step
Encryption: $D_i = e_{K_{mu}}(K_{t_i} H[CCI_i])$
CCI: copy control information
$D_i$ is then stored on the media (the unique media key encrypts the title keys, and the title keys encrypt the content)
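The matrix-based media key block and the binding step above, as an added example (not code from the paper or the CPRM specification): a revoked device cannot recover the media key, and a bit-for-bit copy onto media with a different ID no longer decrypts. SHA-256, the XOR-pad `toy_cipher`, the `verify` check value, the matrix size and the media IDs are assumptions made for illustration, and the CCI term is omitted.

```python
import hashlib, hmac, secrets

def H(*parts: bytes) -> bytes:
    """Stand-in for the slides' one-way function H (SHA-256 is an assumption)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)  # length-prefix each input
    return h.digest()

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a hash-derived pad (max 32 bytes). Toy stand-in for e_K, not CPRM's cipher."""
    return bytes(a ^ b for a, b in zip(data, H(b"pad", key)))  # same call decrypts

def make_mkb(matrix, km, revoked_cells):
    """Media key block: K_m encrypted under every matrix cell key, garbage in revoked cells."""
    cells = {(r, c): secrets.token_bytes(len(km)) if (r, c) in revoked_cells
             else toy_cipher(key, km)
             for r, row in enumerate(matrix) for c, key in enumerate(row)}
    return {"cells": cells, "verify": H(b"verify", km)}  # check value is an assumption

def process_mkb(mkb, device_keys):
    """Device side: try each held cell (one per column) until one yields a valid K_m."""
    for (r, c), key in device_keys.items():
        km = toy_cipher(key, mkb["cells"][(r, c)])
        if hmac.compare_digest(H(b"verify", km), mkb["verify"]):
            return km
    return None  # all of this device's cells were revoked

def bind(km, id_m, kt):
    """K_mu = H(K_m, ID_m), then the title key is encrypted under K_mu (CCI term omitted)."""
    return toy_cipher(H(km, id_m), kt)

unbind = bind  # XOR pad: the same operation recovers the title key

def demo():
    matrix = [[secrets.token_bytes(16) for _ in range(3)] for _ in range(4)]  # 4 rows x 3 cols
    pick = lambda rows: {(r, c): matrix[r][c] for c, r in enumerate(rows)}
    good, leaked = pick([0, 1, 2]), pick([3, 1, 0])   # the two devices share cell (1, 1)
    km, kt = secrets.token_bytes(16), secrets.token_bytes(16)
    mkb = make_mkb(matrix, km, set(leaked))           # revoke every cell of the leaked device
    d = bind(km, b"MEDIA-ID-0001", kt)                # constructed media ID
    km_good = process_mkb(mkb, good)
    return {
        "good_device_plays": unbind(km_good, b"MEDIA-ID-0001", d) == kt,
        "revoked_device_locked_out": process_mkb(mkb, leaked) is None,
        "copy_to_other_media_fails": unbind(km_good, b"MEDIA-ID-0002", d) != kt,
    }
```

The good device shares one cell with the revoked device and still plays, because it holds a key in every other column.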
13
Server side binding
CPRM enables a simple DRM system
  The client software would read the media key block and the media ID on the blank recordable DVD, and upload them to a DRM server
  The server has a set of device keys to process the media key block, perform the binding calculation, and prepare a disk image
  The client software burns the DVD
14
Server side binding
Advantages of this system
  The client software contains no secrets
  The question of when to charge the consumer for the download does not occur (before or after the acknowledgement of the client?)
  → The content has been customized to one particular piece of media, so it can be downloaded over and over again without the extra downloads counting as extra copies
15
Server side binding
Advantages for the consumer
  The content is designed to be consumed in the user's normal electronic devices (e.g. TV, DVD player)
  Supporting the concept of "doctrine of first sale" (only payable on the first sale)
  The content owners are confident that the content will not be misused, even if they do not know who they have given it to
  → the anonymous part of anonymous trust
16
XCP cluster protocol and the home network
Next-generation entertainment devices are increasingly incorporating home networking technologies that allow easier access to content
The approach proposed in this paper is the only system that uses broadcast encryption; all other systems rely on public-key cryptography
17
XCP cluster protocol and the home network
A cluster of devices agree on a common key for content encryption
18
XCP cluster protocol and the home network
The devices in the xCP cluster have agreed upon three things:
  A common key management block
  The binding identifier (the network id)
  The authorization table
Binding key: $K_b = H(K_m, ID_b H[\text{Auth table}])$
All content in the home is protected by the binding key (the binding key encrypts the title keys for each piece of content, and the title keys are used to actually encrypt the content)
19
XCP cluster protocol and the home network
Devices can calculate the binding key without having to have a conversation with any other device on the network
Devices are compliant and will not perform the forbidden action
23
Download to the home network
The xCP cluster protocol supports the DRM download function by having the DRM server actually join the cluster
The DRM server can deliver and bind content to an entire home, not just a single piece of media
The server learns the cluster ID and can calculate the cluster's binding key
Instead of a pay-for-download service, it uses broadcast encryption
24
Conclusion
Many DRM systems use public-key cryptography, but this approach has several drawbacks
  Computationally demanding
  Bidirectional connection
  The end user's privacy can be compromised easily
A new approach: broadcast encryption
  Suited for integration in low-cost consumer devices
  Providing a much higher level of consumer privacy
  Supporting disconnected distribution
DRM systems based on broadcast encryption have high potential