Digital Rights ManagementOWASP – 09/2007

Session Overview

Digital Right Management (DRM) systems are commonly used for protecting digital assets in the wild.

A form of extended/enterprise RBAC, DRM systems have been in the news a lot lately. Some are being hacked, others are being legislated against. Content distributors are issuing manifestos.

Should you be concerned? This presentation is an overview of the objectives, terminology, and security issues of DRM system.

DRM – What is it?

“Digital Rights" - the right of a user or entity to perform an action with respect to content (an object)

Content - e.g. audio (songs), video (movies), documents (Office files, etc.), online collaborative content (chat sessions)

“Management" - implementation and enforcement of policies

– implies that the policies have to be defined

– user authentication, if any, to be able to participate

– node/system authentication, to participate

– specific policies w.r.t. actions: play/re-play/storage/stream/expiration

– Admin: user and/or node revocation/code refresh

Digital Content Delivery

Flash, MMC, SD Card

DVD, HD-DVD, Blu-Ray, CD

USB

USB

DVI

Analog

TCP/IP

Ethernet

802.11CE Devices

Pre-recorded Media

Personal Computer

Portable Devices

Home Networ

k

Home Networ

k

Internet

Internet

Telco

Terrestrial

HDTVSet-top Box

ContentContent

Cable

SatelliteLegacy

TV

TCP/IP

TCP/IP

TCP/IP

TCP/IP

TCP/IP

Key Drivers

Digital Content explosion in the home– Consumer are now comfortable with digital content

Digital pictures, ripped MP3s, Digital Video Recorders, DVDs, etc DRM market has consolidated

– Windows Media DRM and OMA DRM are two forerunners– Other include SonyMG, Real, SVP, SmartRight

Even Microsoft has acknowledged the need for “open” standards for broad consumer adoption & proliferation– Microsoft DRM running on Linux!

HD content and Digital TV increasing– Hollywood wants all the security right, before releasing it– A motivator for consumers to upgrade

Blurring of Broadcast, streaming and downloaded content– VOD vs. DVR time-shifting vs. Persistent download vs. Subscription

Consolidation to IP networks

Three Influencing Industries

Hollywood (Disney, Sony, Universal, WB)

IT(Microsoft, Intel, IBM)

CE(Matshushita, Toshiba, Sony)

DRM Specification

License

Compliance Rules

Robustness Rules

What are Robustness Rules?

All DRM initiatives are using “robustness rules” similar to those developed by 4C (www.4centity.com) with the Hollywood studios

– Improved by others but essentially the same (e.g. DTCP, HDCP, DFAST, WMDRM, OMA, CPRM/CPPM, AACS)

– Specifies what must be secure, what techniques are required and the level of resistance from attack

Robustness differentiates between software, hardware and hybrid implementations

The application enforcing the copy policies must also meet “Compliance Requirements”

Penalties and/or revocation if the implementation is not robust or non-compliant

Onus on Implementer

Robustness Overview

Construction– Defines the data and functions that must be made robust

Device keys, algorithms, etc

Methods for Robustness– Defines some minimum techniques required for robustness

Obfuscation, code encryption, signing, self-verification– Architecture choices:

Trusted vs. untrusted endpoints Tethered vs. untethered Content: staged vs. streaming Transcription: end-point conversion of content from one DRM scheme to

another

Robustness – Still More

Levels of Robustness

– Different data and functions must be resistant to different tools:

“Widely Available Tools” - general-purpose tools… file editors

“Specialized Tools” - widely available at a reasonable price, such as memory readers and writers, debuggers, decompilers, or similar software development products

“Professional Tools” – logic analyzers, chip disassembly systems, or in circuit emulators

Example Robustness Requirements

Prevent defeat or circumvention by

Widely Available Tools

Specialized Tools

Professional Tools

Device Secrets Yes with difficulty

Content Key Yes with difficulty

Yes with difficulty

Serial Number Yes with difficulty

Yes with difficulty

Secure Clock Yes with difficulty

Yes with difficulty

ConfidentialInformation

Yes with difficulty

Security Functions Yes with difficulty

Robustness – Security Challenges

Key Hiding (BIG issue… White Box Crypto is emerging std). Device Finger-printing, Node-locking Over The Air (OTA) provisioning or Re-establishing of Trust Manufacturing “assembly line” of security components

(Robustness liability rests with Intermediate or Final Licensee)– Chip foundry/IP– ODM (Original Design Mfg.) Reference Implementation– OEM (Original Equipment Mfg.)– Device Manufacturer– Carrier/Operator

The Wild Wild West of Digital Content Delivery

DVI

TCP/IP

Ethernet

802.11

USB

TCP/IP

Flash, MMC, SD Card

DVD, HD-DVD, Blu-Ray, CD

USB

Analog

CE Devices

Pre-recorded Media

Personal Computer

Portable Devices

Home Networ

k

Home Networ

k

Internet

Internet

Telco

Terrestrial

HDTVSet-top Box

ContentContent

Cable

SatelliteLegacy

TV

TCP/IP

TCP/IP

TCP/IP

TCP/IP

CSS (DVD)CPRM (DVD-A, SD)

AACS (HD-DVD)

Conditional AccessBroadcast Flag

Condit

ional

Acces

s, IP

TV

Downloaded Content

Broadcast Content

HDCP

DTCP/IPTiVo

WMDRM

OMA DRM2Real

WMDRMReal, SonyMGFairplay

CGMS-AMacrovision

Alphabet Soup

DTCP – Digital Transmission Licensing Authority

– Digital Transmission Licensing Authority (www.dtcp.com) (Founded by Hitachi, Sony, Toshiba, Intel, Matsushita)

HDCP – High-Bandwidth Digital Content Protection

– Digital Content Protection, LLC (www.digital-cp.com)

DFAST – Dynamic Feedback Arrangement Scrambling Technique

– CableLabs (www.cablelabs.com)

CPRM/CPPM – Content Protection for Recordable/Pre-recorded Media

– 4C Entity LLC (www.4centity.com) (Founded by IBM, Matsushita, Intel, Toshiba)

OMA DRM – Open Mobile Alliance Digital Right Management

– Content Management License Administrator (www.cm-la.com)

WMDRM – Windows Media Digital Rights Management

– Microsoft (www.microsoft.com)

AACS – Advanced Access Content System

– AACS Licensing Authority (www.aacsla.com) (Founded by IBM, Intel, Sony, Microsoft, Matsushita, Toshiba, Disney, Warner Bros.)

James W. Stibbards

Sr. Director – Cloakware Federal

james.stibbards@cloakware.com

(571) 232-7210