Digital Rights Management

download Digital Rights Management

of 84

  • date post

    04-Jan-2016
  • Category

    Documents

  • view

    25
  • download

    0

Embed Size (px)

description

Digital Rights Management. the Good, the Bad and the Ugly Mark Stamp Department of Computer Science San Jose State University stamp@cs.sjsu.edu DRM resources at http://www.cs.sjsu.edu/faculty/stamp/DRM/. Who Am I?. 1992: PhD, Texas Tech 1992-1993: WPI 1993-2000: NSA - PowerPoint PPT Presentation

Transcript of Digital Rights Management

  • Digital Rights Managementthe Good, the Bad and the Ugly

    Mark StampDepartment of Computer ScienceSan Jose State Universitystamp@cs.sjsu.edu

    DRM resources at http://www.cs.sjsu.edu/faculty/stamp/DRM/

  • Who Am I?1992: PhD, Texas Tech 1992-1993: WPI1993-2000: NSA2000-2002: MediaSnap, Inc.2002-Present: SJSU

  • What was MediaSnap?Silicon Valley startup companyFounded June 2000I joined in December 2000Maximum of 15 employeesNot a dot-comFunded by In-Q-Tel (CIA VC fund)Digital rights management (DRM) product

  • Why MediaSnap?NSA providedJob securityTenure after 1 yearInteresting work, good people, etc., etc.Why leave NSA for startup company?Three reasonsMoney MoneyMoney(salary)(benefits)(worthless stock options)

  • Outline of TalkWhat is DRM?Overview of MediaSnap DRM systemOverview of streaming media DRM modelMediaSnaps competitorsTCG/NGSCBNon-technical issuesEnterprise DRMConclusions

  • DRM Overview

  • What is DRM?Remote control problemDigital book exampleDigital music, video, etc.Enterprise document protectionPrivacy-enhancing technology?

  • Persistent ProtectionRestrictions on use after deliveryFor exampleNo copyingLimited number of reads/playsTime limits: do not open until ChristmasNo forwardingEtc.

  • What to Do?The honor system?Stephen Kings, The PlantGive up?Internet sales? HIPAA? SOA? etc.If you cant beat em, join em...Lame software-based DRM?The standard DRM system todayBetter software-based DRM?MediaSnaps goalTamper-resistant hardware?Closed systems: Game Cube, etc.Open systems: TCG/NGSCB for PCs

  • Is Crypto the Answer?Attackers goal is to recover the keyIn standard crypto scenario, attacker hasCiphertext, some plaintext, side-channel info, etc.In DRM scenario, attacker hasEverything in the box (if not more)Crypto was not designed to solve DRM problem!

  • Current State of DRMAt best, security by obscurityA derogatory term in the security worldSecret designsIn violation of Kerckhoffs PrincipleCrypto is kingWhoever thinks his problem can be solved using cryptography, doesnt understand his problem and doesnt understand cryptography. --- Attributed by Roger Needham and Butler Lampson to each other

  • Rules to the DRM GameThe analog holeWhen content is rendered, it can be captured in analog formDRM cannot prevent attack via the analog holeHuman nature mattersAbsolute DRM security is impossibleWant something that works in practiceWhat works depends on contextDRM lives in no mans landSomewhere between CS and MIS

  • Software-based DRMStrong software-based DRM is impossibleWe cant really hide a secret in softwareTo do so, we would have to prevent software reverse engineering (SRE)User of system with full admin privilege can break anti-SRE protectionBottom line: The killer attack on software-based DRM is software reverse engineering

  • MediaSnap DRM

  • MediaSnap DRM OverviewServer sideSecure Document Server (SDS)Client sidePDF plugin (reader)

  • Protecting a DocumentSDSRecipientSenderencryptpersistentprotection

  • Accessing a Document inTethered ModeSDSRecipientSenderkeyRequest key

  • Accessing a Document inUntethered ModeSDSRecipientSenderkey

  • Tethered vs UntetheredTethered advantagesServer controls accessDocument can be shredded (Authentica)Key is less exposedUntethered advantagesCan access data without network connectionKey is more exposedMediaSnap implemented both modes

  • Security Issues Server side (SDS)Protect keys, authentication data, etc.Apply persistent protection Client side (Reader/PDF plugin)Protect keys, authenticate user, etc.Enforce persistent protection Remaining discussion concerns client

  • Security OverviewObscurityTamper-resistance

  • Tamper-ResistanceAnti-debuggerEncrypted code

  • ObscurityApplied toKey managementAuthenticationCaching (keys, authentication, etc.)Encryption and scramblingKey parts (data and/or code)Multiple keys/key partsObscurity can only slow down attacker --- the persistent attacker wins!

  • Other MediaSnap Features Code tamper checking (hashing)Must know what code is executing Anti-screen capturePrevent most obvious attack on documents WatermarkingIn theory, can trace stolen contentIn practice, watermarking is disappointing Unique-ification (or metamorphism)Break once, break everywhere (BOBE) resistant

  • Other Measures/ConcernsGeneral code obfuscationCollberg and ThomborsonQuestions concerning actual strength Code fragilization (guards)Code hash checks itselfAny change should cause code to breakCan we trust OS?How can we protect ourselves?

  • DRM for Streaming Media

  • Attacks on Streaming MediaSpoof stream between endpointsMan in the middleCapture streamMalicious software stealing stream at client endReplay/redistribute data

  • DesignScrambling algorithmsEncryption-like algorithmsMany such algorithms avaliableNegotiation of random algorithmServer and client must share algorithm Decryption at receiver endRemove strong encryptionDe-scrambling in device driverRemove scrambling just prior to rendering

  • Scrambling AlgorithmsServer has a large set of scrambling algorithms: M = {1,2,3,4,,N}A client has a subset of algorithms, LIST = {12,45,2,37,23,31}The LIST is stored on client, encrypted with servers key: E(LIST,Kserver)

  • Server-side ScramblingOn server sidedatascrambleddataencryptedscrambled dataServer must scramble data with an algorithm the client supportsServer must securely communicate algorithm choice to client

  • Scrambling SelectionScrambling algorithm database distributed to clientsList is random subset of algorithmsAlice(client)Bob(server)E(LIST, K)E(m,Ks)scrambled (encrypted) datausing Alices m-th algorithm

  • Client-side De-scramblingOn client sidedatascrambleddataencryptedscrambled dataKeep plaintext away from attackerProprietary device driverScrambling algorithms baked inAble to de-scramble at last moment

  • Why Scrambling?Uniqueness or metamorphismIf a scrambling algorithm is known to be broken, server does not choose itIf client has too many broken algorithms, server can force upgradeProprietary algorithm harder to reverse engineerWe cannot trust crypto strength of proprietary algorithms, so we also encrypt

  • Why Uniqueness?The threat is reverse engineering (SRE)Reverse engineering a standard crypto algorithm is easy (unnecessary)Reverse engineering a scrambling algorithm is potentially much more difficultWe also encrypt so not violating Kerchoffs Principle (at least not too much)This is clearly security by obscurity and Im not ashamed to admit it!

  • Exploit Systems and DRM

  • Exploit SystemsExploit Systems (ES) management consists entirely of musiciansNot all of them are on drugsThey offered me a job with huge salaryPayable as soon as the get fundingExploit Systems international office?A coffee shop in Palo AltoOnly in Silicon Valley

  • Exploit SystemsExploit Systems is a peer offering service Their web site is (purposely?) vague on the definition of peer offering serviceBut I happen to know what they are doing...ES tries to gently coerce people into paying for content obtained from a peer-to-peer (P2P) network

  • P2P File Sharing: QuerySuppose Alice requests Hey JudeBlack arrow: queryRed arrow: positive responseFrankTedCarolPatMarilynBobAliceDeanFredAlice can select from: Carol, PatCarolPat

  • P2P File Sharing with ESSuppose Alice requests Hey JudeBlack arrow: queryRed arrow: positive responseExploitSystemsTedCarolPatMarilynBobAliceDeanFredAlice selects from: Bill, Ben, Carol, Joe, PatBill, Ben, and Joe have legal content!BillBenJoeCarolPat

  • Exploit SystemsBill, Ben and Joe look legitimateGoal is to have at least half of top 10 be Exploit Systems (ES) responsesIf victim clicks on ES responseDRM protected (legal) content downloadedThen small payment required to playVictim can choose not to payBut then must download againIs it worth the hassle to avoid paying $0.25?ES content also offers extras

  • Exploit SystemsA very clever ideaPiggybacking on P2P networkWeak DRM works well herePirated content already existsDRM only needs to be more hassle to break than hassle of clicking and waiting (a few times)Current state of Exploit Systems?Very little interest from the music industryLots of interest from the adult industry

  • Enterprise DRM

  • Why Enterprise DRM?Health Insurance Portability and Accountability Act (HIPAA)Medical records must be protectedFines of up to $10,000 per incidentSarbanes-Oxley Act (SOA)Protect documents of interest to SECAlso Draconian penaltiesDRM required for regulatory compliance

  • Whats Different in Enterprise DRM?Technically, it is similar to e-commerce But motivation for DRM is differentRegulatory complianceNot to make money, but to not lose money!Human dimension is also much differentLegal threats are far more plausibleLegally, corporation is probably off the hook provided active attack is necessary

  • Enterprise DRMModerate DRM security is sufficientPolicy management issuesEasy to set policies for groups, roles, etc.Yet policies must be flexibleAuthentication issuesMust interface with existing systemMust prevent network authentication spoofing (authenticate the authentication server)Enterprise DRM is a solvable problem

  • Case Study ISarbanes-Oxley Act (SOA) Requires retention/tagging of all documents related to SEC disclosureDRM softwareTag new documents created by SOA authorsAllow any SOA author to modify tagged docsRead-only access for non-SOA authorsTransparent to users --- comply by default!

  • Case Study IIAccess control without authenticationExample: