Upload
liliana-green
View
213
Download
1
Embed Size (px)
Citation preview
Digital Rights ManagementOWASP – 09/2007
Session Overview
Digital Right Management (DRM) systems are commonly used for protecting digital assets in the wild.
A form of extended/enterprise RBAC, DRM systems have been in the news a lot lately. Some are being hacked, others are being legislated against. Content distributors are issuing manifestos.
Should you be concerned? This presentation is an overview of the objectives, terminology, and security issues of DRM system.
DRM – What is it?
“Digital Rights" - the right of a user or entity to perform an action with respect to content (an object)
Content - e.g. audio (songs), video (movies), documents (Office files, etc.), online collaborative content (chat sessions)
“Management" - implementation and enforcement of policies
– implies that the policies have to be defined
– user authentication, if any, to be able to participate
– node/system authentication, to participate
– specific policies w.r.t. actions: play/re-play/storage/stream/expiration
– Admin: user and/or node revocation/code refresh
Digital Content Delivery
Flash, MMC, SD Card
DVD, HD-DVD, Blu-Ray, CD
USB
USB
DVI
Analog
TCP/IP
Ethernet
802.11CE Devices
Pre-recorded Media
Personal Computer
Portable Devices
Home Networ
k
Home Networ
k
Internet
Internet
Telco
Terrestrial
HDTVSet-top Box
ContentContent
Cable
SatelliteLegacy
TV
TCP/IP
TCP/IP
TCP/IP
TCP/IP
TCP/IP
Key Drivers
Digital Content explosion in the home– Consumer are now comfortable with digital content
Digital pictures, ripped MP3s, Digital Video Recorders, DVDs, etc DRM market has consolidated
– Windows Media DRM and OMA DRM are two forerunners– Other include SonyMG, Real, SVP, SmartRight
Even Microsoft has acknowledged the need for “open” standards for broad consumer adoption & proliferation– Microsoft DRM running on Linux!
HD content and Digital TV increasing– Hollywood wants all the security right, before releasing it– A motivator for consumers to upgrade
Blurring of Broadcast, streaming and downloaded content– VOD vs. DVR time-shifting vs. Persistent download vs. Subscription
Consolidation to IP networks
Three Influencing Industries
Hollywood (Disney, Sony, Universal, WB)
IT(Microsoft, Intel, IBM)
CE(Matshushita, Toshiba, Sony)
DRM Specification
License
Compliance Rules
Robustness Rules
What are Robustness Rules?
All DRM initiatives are using “robustness rules” similar to those developed by 4C (www.4centity.com) with the Hollywood studios
– Improved by others but essentially the same (e.g. DTCP, HDCP, DFAST, WMDRM, OMA, CPRM/CPPM, AACS)
– Specifies what must be secure, what techniques are required and the level of resistance from attack
Robustness differentiates between software, hardware and hybrid implementations
The application enforcing the copy policies must also meet “Compliance Requirements”
Penalties and/or revocation if the implementation is not robust or non-compliant
Onus on Implementer
Robustness Overview
Construction– Defines the data and functions that must be made robust
Device keys, algorithms, etc
Methods for Robustness– Defines some minimum techniques required for robustness
Obfuscation, code encryption, signing, self-verification– Architecture choices:
Trusted vs. untrusted endpoints Tethered vs. untethered Content: staged vs. streaming Transcription: end-point conversion of content from one DRM scheme to
another
Robustness – Still More
Levels of Robustness
– Different data and functions must be resistant to different tools:
“Widely Available Tools” - general-purpose tools… file editors
“Specialized Tools” - widely available at a reasonable price, such as memory readers and writers, debuggers, decompilers, or similar software development products
“Professional Tools” – logic analyzers, chip disassembly systems, or in circuit emulators
Example Robustness Requirements
Prevent defeat or circumvention by
Widely Available Tools
Specialized Tools
Professional Tools
Device Secrets Yes with difficulty
Content Key Yes with difficulty
Yes with difficulty
Serial Number Yes with difficulty
Yes with difficulty
Secure Clock Yes with difficulty
Yes with difficulty
ConfidentialInformation
Yes with difficulty
Security Functions Yes with difficulty
Robustness – Security Challenges
Key Hiding (BIG issue… White Box Crypto is emerging std). Device Finger-printing, Node-locking Over The Air (OTA) provisioning or Re-establishing of Trust Manufacturing “assembly line” of security components
(Robustness liability rests with Intermediate or Final Licensee)– Chip foundry/IP– ODM (Original Design Mfg.) Reference Implementation– OEM (Original Equipment Mfg.)– Device Manufacturer– Carrier/Operator
The Wild Wild West of Digital Content Delivery
DVI
TCP/IP
Ethernet
802.11
USB
TCP/IP
Flash, MMC, SD Card
DVD, HD-DVD, Blu-Ray, CD
USB
Analog
CE Devices
Pre-recorded Media
Personal Computer
Portable Devices
Home Networ
k
Home Networ
k
Internet
Internet
Telco
Terrestrial
HDTVSet-top Box
ContentContent
Cable
SatelliteLegacy
TV
TCP/IP
TCP/IP
TCP/IP
TCP/IP
CSS (DVD)CPRM (DVD-A, SD)
AACS (HD-DVD)
Conditional AccessBroadcast Flag
Condit
ional
Acces
s, IP
TV
Downloaded Content
Broadcast Content
HDCP
DTCP/IPTiVo
WMDRM
OMA DRM2Real
WMDRMReal, SonyMGFairplay
CGMS-AMacrovision
Alphabet Soup
DTCP – Digital Transmission Licensing Authority
– Digital Transmission Licensing Authority (www.dtcp.com) (Founded by Hitachi, Sony, Toshiba, Intel, Matsushita)
HDCP – High-Bandwidth Digital Content Protection
– Digital Content Protection, LLC (www.digital-cp.com)
DFAST – Dynamic Feedback Arrangement Scrambling Technique
– CableLabs (www.cablelabs.com)
CPRM/CPPM – Content Protection for Recordable/Pre-recorded Media
– 4C Entity LLC (www.4centity.com) (Founded by IBM, Matsushita, Intel, Toshiba)
OMA DRM – Open Mobile Alliance Digital Right Management
– Content Management License Administrator (www.cm-la.com)
WMDRM – Windows Media Digital Rights Management
– Microsoft (www.microsoft.com)
AACS – Advanced Access Content System
– AACS Licensing Authority (www.aacsla.com) (Founded by IBM, Intel, Sony, Microsoft, Matsushita, Toshiba, Disney, Warner Bros.)