Computer Security Digital Rights Management

Transcription

1 Computer Security Digital Rights Management Version 0.7 Authors Christopher Andrews, Tim Ellis, Dafyd Jenkins, Ajay Sailopal, Eakbal Singh, Jaspreet Singh. I

2 Table of Contents 1 INTRODUCTION OUTLINE COPYRIGHT OVERVIEW AND DIGITAL MILLENNIUM COPYRIGHT ACT WHAT IS A COPYRIGHT? OVERVIEW OF COPYRIGHT PRIVILEGES DMCA DIGITAL MILLENNIUM COPYRIGHT ACT The DMCA consists of five sections General discussion of legislations Conclusions to DMCA DRM CONCEPTUAL MODEL DRM ON OPTICAL MEDIA STARFORCE StarForce Professional implementation Effectiveness Circumvention CACTUS DATA SHIELD Cactus Data Shield Implementation Effectiveness Circumvention INTERNET BASED DRM IMPLEMENTATIONS ITUNES itunes DRM implementation Rjindael & MD5 as encryption techniques Circumvention of FairPlay (PlayFair) E-BOOKS The EBX System Adobe Implementation of EBX Standard DRM THROUGH TRUSTED COMPUTING INTRODUCTION EXISTING SOFTWARE EXISTING HARDWARE TRUSTED COMPUTING ARCHITECTURE Trusted Platform Module (TPM) a.k.a Fritz Chip Attestation Protocol Sealed storage NGSCB Nexus Hardware Interface IMPLICATIONS FOR DRM CIRCUMVENTION Hardware attacks Software attacks DISCUSSION OF THE DRM PARADIGM USER ADVANTAGES PRODUCER ADVANTAGES USER DISADVANTAGES PRODUCER DISADVANTAGES CONCLUSIONS RESOURCES USED...28 II

3 1 Introduction Digital Rights Management (DRM) is a combination of encryption and Internet validation for protecting vendor copyrights to prevent unauthorised copying of digital content (software, music, books, movies, and so on) 1. Commercial organisations have invested heavily in preventing their work from being copied illegally and distributed over file-sharing mechanisms. This has given rise to many DRM technologies which have been put in place, some of them being discussed in the report. The subject of DRM is three fold. It concerns the social implications of the implementations, the technicalities of these implementations and the legislation put in place to support the development of such technologies. Although DRM was first coined in the early 90s, it is still very much in its infancy and is always evolving taking advantage of new technologies. This document will detail previous attempts at enforcing DRM, its current state and which direction it could follow in the future. It is also a subject that is steeped in legislative and ethical issues as well as being technical adding to the breadth as well as depth of the field. 1.1 Outline DRM is a wide field and has vast capabilities and potential, however for this document only a concise and opinionated view is given and much of the copious technical detail has been omitted for the sake of simplicity, whilst retaining the core fundamentals. Considering this approach, this document will be structured in the various stages as follows. Background of legislations Previous forms of DRM through optical media DRM through the Internet The future of DRM through Trusted Computing A general outlook and conclusions 1 highered.mcgraw-hill.com/sites/ /student_view0/glossary.html 1

4 2 Copyright overview and Digital Millennium Copyright Act As mentioned in the introduction, DRM is a field that is not purely technical but has deep roots in legislative and social issues. It is often these issues that dictate to what extent the various technologies concerning DRM can be developed and used. Henceforth, it is necessary to gain a grounding firstly in the legislative aspect of the subject and in particular to provide an overview of copyright issuances and Digital Millennium Copyright Act regulations. 2.1 What is a Copyright? A copyright is symbolised by, it is different from a trademark in that it is enforceable against anyone, where as the latter is usually only enforceable against competitors. A copyright exists as soon as some work is produced that is original and involves some skill. However it exists only for a number of years, after which the work enters the public domain and becomes available for use free of charge. The owner of the rights also has the right to transfer it to a third party giving them all or some of the associated privileges. 2.2 Overview of Copyright privileges The privileges of copyright can be broken into two sub-categories namely those privileges provided to the owner and those to the user Owner s Privileges o All rights are exclusive therefore the owner and only the owner has the right to exercise them o Owner has rights to make copies o Owner has the right to distribute these copies o Owner has the right to perform work in public o Owner has right to display work in public o Owner has right to export and import the work o Owner has rights to sell or assign the rights to others to corporate companies who have the marketing and financial power to distribute the product. User Privileges o User is permitted to carry out some form of copying such as work involving non profit making organisations and various other factors such as marketing implications are also considered o User is able to resell the product that they have legally purchased 2.3 DMCA Digital Millennium Copyright Act This act was brought into action on 28 th October 1998 and was later amended in The act amends the US copyright law and in summary makes it illegal to develop and/or distribute technologies that circumvent copyright protection technologies. There are similar legislations around the world for example the European Union Copyright Directive (EUCD), its Article 6 2 mirrors some of the controversial aspects of the DMCA The DMCA consists of five sections 1. WIPO 3 Copyright and Performances and Phonograms Treaties Implementation Act of 1998 this act requires any country to provide protection and remedies against circumvention technologies. 2. Online Copyright Infringement Liability Limitation Act provides protection to the service provider as long as they satisfy the conditions mentioned in points 2 and 3 of section World Intellectual Property Organisation 2

5 3. Computer Maintenance Competition Assurance Act allows those repairing computers to make temporary and limited copies. 4. Miscellaneous Provisions This contains provisions relating to functions of Copyright office distance education, assistance of libraries, allowing the creation of short-term copies for broadcast purposes and for the collective bargaining of movie rights. 5. Vessel Hull Design Protection Act This section of the act is not applicable for this report General discussion of legislations 1. The act makes it a crime to develop technologies that circumvent anti piracy measures that are built into many digital productions. There are however exemptions to this, including development of technologies for encryption or reverse engineering. Non-profit organisations such as universities are also exempt. 2. In general the act limits the liability of service providers from copyright infringement that may occur if users use their services to access copyrighted material in an illegal manner. An example of such a scenario would be a user that subscribes Telewest Broadband as their ISP and then uses the connection to illegally obtain copyrighted material. However in order to be exempt the service providers must a. Provide the users information about the copyright property b. Terminate user accounts if they continuously violate copyright protection c. Not interfere with the copyright measures of the copyright owners. 3. The service providers are also limited in liability if their networks are used to transmit the copyrighted data illegally. Such a scenario could occur in the UK; where BT owns most of the telephone network. If a user on another ISP (e.g. Wanadoo) uses their connection to illegally obtain copyrighted material that is transmitted through BT s network, BT would not be held liable under this condition. Wanadoo would only be exempt if they satisfy the conditions stated in 2. However in order for BT or any other network provider to be exempt the following must be ensured: - a. Transmission was initiated by someone other than the service provider b. Transmission of the data is automatic c. Service provider does not select recipient of the material d. No copy is made and is not held for longer than necessary and is only accessible by the initiator e. Material is transmitted without modification. 4. Limits liability of non-profit higher education institutions - when they serve as online service providers and under other circumstances such as copyright infringement by faculty members or students. 5. Requires that "webcasters" i.e. anyone that streams media over the internet, pay licensing fees to record companies. 6. Requires that the Register of Copyrights, after consultation with relevant parties, submit to Congress recommendations regarding how to promote distance education through digital technologies while "maintaining an appropriate balance between the rights of copyright owners and the needs of users." 7. States explicitly that "[n]othing in this section shall affect rights, remedies, limitations, or defences to copyright infringement, including fair use..." Conclusions to DMCA The act has been introduced as a legislative tool to counter the increasing use of technology to circumvent copyright protection mechanisms. However having researched the subject and having 4 3

6 experienced the restrictions of DRM technology it is believed that current DRM implementations violate the DMCA as they fail to satisfy point 7 of section Certain aspects of copyright legislation such as the first sale doctrine or fair use are prevented. Further, the DMCA is believed to hinder progress in research. Researchers are afraid that if they release their knowledge into the public domain they might enter litigation with companies who hiding behind the DMCA. A classic example of this is the arrest of Dmitri Sklyarov who worked for Elcomsoft and developed a way of avoiding Adobe s weak e-book protection mechanism. 3 DRM conceptual model The first generation of DRM was very crude and modelled a broad view of the full capabilities of the mechanism. It used basic security and encryption to stop unauthorised copying. The general idea was to lock content and allow distribution to individuals that have paid for it. This was largely achieved through obscurity. Second generation DRM technologies, namely Internet-Based DRM are discussed in detail further in this document. These protocols essentially consider a myriad of technologies to protect the usage of content, both tangible and intangible. This type of DRM manages relationships with individuals who have a right to the content. If this were portrayed in a conceptual model one would arrive at the following high-level functional architecture. The following diagram has been adapted from its original version. Figure 1: Conceptual model of a DRM architecture 5 5 Adapted from: 4

7 The conceptual model can be divided into three main areas: Content Initialisation - this is to manage the creation of content so that it can be easily traded and where rights are assigned. Content Management - how to manage and enable the trade of the content in potentially distributed databases. Also assigns licenses to individuals/groups who have agreements for the rights. These can be issued through payment or some other fulfilment operation. This information is stored in the metadata that accompanies the content. Content Usage - how to manage the usage of content once it has been traded. This involves assigning permissions; if a person has the right only to view an e-book, he will not be able to make a printout of it. It also tracks how much the content is being used according to agreed license conditions e.g. if the e-book can only be viewed five times, it can only be downloaded five times. This conceptual model will be used as a basis to evaluate DRM systems. DRM through optical media and the Internet will be discussed through examples and the report will return to the architecture to see where the model is broken. 4 DRM on optical media Although DRM is a relatively new term, optical media is the prevalent form for distributing content. However, DRM has been in use for several decades, under the guise of copy-protection measures. Developers and publishers of electronic content on CDs and other media have been utilised in a number of different techniques to protect their content from unauthorised users. Computer games were one of the first forms of digital content which actively utilised DRM. In the mid- 1980s developers employed a simple method, users were prompted to answer a question based on the procured material. This was achieved by providing the user with a specific sheet of codes or having the answers inside the manual. However, this simple protection could be broken very easily, by simply copying the manual or code sheet. Other more elaborate cracks' were written by skilled programmers to bypass these mechanisms. Throughout the next two decades, the techniques applied became much more sophisticated. The result was that only specialist programmers could attack the protection used. 4.1 StarForce One of the most recent copy-control mechanisms employed on software is called StarForce by StarForce Technologies. StarForce uses a series of hardware and software techniques to stop the copying and distribution of content. 6 There are many different versions of the StarForce. This report will focus solely on StarForce Professional. StarForce Professional is designed to stop both casual pirates and professional pirates alike. This is achieved using a combination of both hardware and software techniques to protect the content StarForce Professional implementation StarForce protection expands on the currently used copy protection (such as SecuROM and SafeDisc) by allowing any number of files in the software to be encrypted (the exact amount is controlled by the software publisher). These files are then only decrypted at run-time, by the use of a 'Protection Library File'. This is typically in the form of an executable and dynamic link library stored on the CD/DVD or 6 See for more information on these technologies. 5

8 a device driver, which is installed when the software is initially set up. See Figure 2 for a high-level overview of this process. Figure 2: Encryption and duplication process of StarForce 7 The protection on the media works on several levels. StarForce can detect if the disk is not genuine. A digital fingerprint is embedded on the disk which can be verified (see Figure 3 for a speculative process). Software is produced in batches and this is utilised as a security measure. o Each copy of the software is supplied with a unique CD-key consisting of fourteen alphanumeric digits, which is specific to a master key of a batch. o Using several physical properties of each batch of disks generates the master key. o The CD-keys are then generated using this master key. The combination of these two keys allows the authenticity of the disc to be confirmed. Encoder Loader Content Scramble Content Scrambled Content Descramble Content (loader) Content Unique Key Loader Unique Key Encode Key Digital Signature Decode Key Figure 3: Encryption, authorisation and decryption of software 8. 7 Adapted from: StarForce Software Protection Solutions Advanced Encryption and Activation Technologies for Disk Based CD/DVD and Online Distribution document 6

9 Therefore a copied disc will not authenticate, as the master key will differ. This also means that the disc cannot be mounted to a virtual drive using software such as DAEMON Tools 9 ; these programs cannot replicate the master key from the disk. The files are encrypted using 'product-specific crypto algorithms'. This implies that even if the content is copied from CD to the user s hard disk or downloaded from the Internet and a valid CD-key obtained (legally or illegally), the software will still be locked and encrypted because the master key is still required. The encryption process is performed on StarForce's secure protection server. However, due to the lack of information supplied from the developer about the encryption algorithms used; it would appear that the developer attempts to provide security through obscurity, possibly indicating that the algorithms are not very strong Effectiveness StarForce is generally considered to be one of the most effective copy-protection systems in use. Several games released using StarForce have taken several months to crack. When this is compared to the time taken to break other systems such as SecuROM and SafeDisc (which is typically within hours of release, in certain cases even before release), it is very efficient at stopping short-term piracy, which can be argued is most important. This technology is primarily used in the gaming industry where the value of games is likely to depreciate rapidly over time after release; thus StarForce effectively succeeds in providing a useful DRM solution. The system does not rely on any specific hardware, and complies with industry standards Circumvention As with any current DRM or copy-protection system, it can be circumvented in several ways: - The encrypted software can be attacked by brute force. This is likely to be extremely time consuming, as many gigabytes of data could potentially be encrypted. Each batch of software has a specific cryptographic algorithm; thus it would need to be cracked for each version of the software. The decryption tools are supplied with the software, the potential cracker has access to the entire decryption process if they reverse-engineer the Protection Library File. The user could use a memory examining program such as Soft-Ice, to examine the value of specific memory locations whilst the decryption process is in progress. This may allow the cracker to obtain the master key. The StarForce protection server could be compromised, possibly allowing access to hidden details of the encryption process. With this information attacks could be created. 4.2 Cactus Data Shield In recent years many record labels have started to produce audio CDs with various kinds of copyprotection. One controversial copy-protection used is Cactus Data Shield by Macrovision. Cactus Data Shield is designed to prevent Internet distribution of copyrighted material and prevent audio files being copied on to the users hard disk. 10 There are three different versions of Cactus Data Shield namely CDS100, CDS200 and CDS300. This report will focus on all 3 versions of CDS. CDS300 is the latest revision. It is an implementation of DRM and it offers, Portability & Controlled Burning. This allows the publisher to choose how many backup copies can be created (from zero to 8 Adapted from 9 For more information please visit 10 See for more information 7

10 infinity). Windows Media Audio files protected by DRM restrictions are also provided on the disk. Other software and hardware modifications to the disk have been incorporated in an attempt to prevent any kind of ripping that was possible with CDS Cactus Data Shield Implementation Cactus Data Shield s protection for CDS100 works by breaking industrial standards for CDs. Audio CDs typically conform to the Red Book standard developed by Philips and Sony. The standard defines the physical parameters and properties of the CD. The digital audio is encoded as 16-bit PCM (Pulse- Code Modulation) with error correction 11. Stand-alone audio CD players are created to support this standard. The first extension to this standard was the Yellow Book standard for CD-ROM. Disks could contain up to 650MB of data as well as digital audio. Multi-session discs could be created using Mode 1 12 and Mode Data is written to the disk using Yellow Book Mode 1, ISO 9660 Level 1. Yellow Book Mode 2 allows the combining of the two data modes 14. The full CD and CD-ROM specifications can be found here 15. Figure 4 depicts this more clearly. Figure 4: Model of CD with two sessions Cactus Data Shield works by breaking the Yellow Book standard. The disk is created using two sessions. Mode 2 data is written in the first session and Mode 1 data is written in the second session. A standard audio player can only read the first session of the disk, which is the audio session and will ignore the remainder of the disk. However, a computer optical drive will attempt to read the extra session first, but will fail because it will be detected as corrupt. Several techniques are used to corrupt the data track. The data might be total noise (in the case of CDS100), which prevents any data being retrieved from the disk. Alternatively an illegal table of contents may be provided, with the wrong track numbers, start and stop times; in an attempt to hide the audio session. Due to the compatibility issues with CDS100, CDS200 and CDS300 maintained the CD standard but used drivers to run the audio 11 Information paraphrased from For more information visit the URL. 12 This mode is error intolerant, meaning that it is suitable for data such as programs. 13 This mode is error tolerant, making it suitable for audio and graphics, where minor errors are largely not noticeable. 14 Information paraphrased from For more information visit the URL

11 files in a protected environment thus limiting the access audio session. This mechanism utilises the autorun feature within the Windows operating system Effectiveness Cactus Data Shield is considered to be less than effective in many cases. As manufacturers crate hardware differently, some hardware can read the corrupt disks with no trouble. In these cases the user would be able to access the audio tracks, and rip them using standard audio ripping software. The user would not even notice any form of copy-protection Circumvention The weakness with the implementation which was discovered allowed the entire copy-protection mechanism on the CDS300 media to be circumvented with embarrassing ease. Upon inserting the CD the user could simply hold the 'shift key to prevent the disc from being auto run (this stopped the protection environment drivers from being executed); allowing access to the entire CD. The content could then simply be extracted from the disc. Macrovision claim this flaw has been fixed with the latest version of CDS300 (version 7). 5 Internet Based DRM Implementations Many Internet Based DRM systems are being put in place by commercial corporations try to counter the ever-growing problem of illegal downloading and distribution. The most common format which is downloaded and where the problem exists is audio and document files. This problem is widespread and is affecting both industries greatly, particularly financially. In this section Apple itunes and Adobe E- Books are described. 5.1 itunes Apple s itunes is music jukebox software that provides the ability to organise and play songs as well as purchase music legally from its online store. The software utilises DRM technology to place restrictions on music that is downloaded so that access rights to the content are preserved and maximum royalties are passed on to the creator itunes DRM implementation itunes uses a DRM technology called FairPlay, and this functions as follows: The content, i.e. the music is an MP4 16 Container File with an AAC 17 audio stream. The AAC part is encrypted using a combination of the Rjindael algorithm and MD5 hashing. An encrypted master key that is also stored in the MP4 is used to decrypt the AAC. For the previous to take place the master key needs to be decrypted; a user key is needed for this, which is acquired from a server when the content is purchased. This process is illustrated by Figure Container for MPEG-4, a standard by MPEG primarily to handle low bit-rate content. 17 AAC which stands for Advanced Audio Coding is a data compression method for audio streams. It was initially designed to replace MP3. 9

12 MP4 Container File Request to decrypt master key Master Key FairPlay Initialized Application Needed to decrypt and play User Key Server issues a user key to decrypt master key Server AAC Audio Stream Figure 5: The FairPlay process 18 Apple are able to enforce limitations on rights by authorising the computer from which a purchase is made by sending a unique ID to its servers (it is speculated that a hardware hash from the computer creates this unique ID). In doing so, sharing of the file is prevented to access the content requires the combination of the unique ID and user keys for decryption Rjindael & MD5 as encryption techniques For the purpose of this discussion, a brief overview of the two methods used to encrypt the AAC audio stream (and the master key to unlock this content) will now be given. The Rjindael encryption method, also known as the Advanced Encryption Standard (AES), is a symmetric key algorithm, i.e. encryption and decryption is performed using the same key. It has been chosen as encryption for the AAC audio stream because it generally executes much faster than an asymmetric key algorithm. It is assumed that the key size will generally be quite small for performance issues. However it can be prone to many security attacks because the key is shared. A system that relies on a global secret is always going to be a risky solution. This was realised when Jon Johansen, a Norwegian hacker eluded the DVD copyright protection mechanism (CSS), which also relied on a similar idea. It can be concluded from this that symmetric key algorithms like Rjindael are quite unsuitable for distribution mechanisms like FairPlay. MD5 (Message-Digest algorithm 5) is a 128-bit cryptographic hash function that is widely used in the commercial world. It is used by DRM systems such as FairPlay to ensure that downloaded content has not been tampered with in any way. MD5 19 uses a form of redundancy checking whereby the checksum of the downloaded content is compared to a public checksum from a trusted source. This is done verify the integrity of the downloaded content. It was established this year (2004) that the MD5 algorithm is breakable and its attack took approximately one hour on an IBM P690 computer (because the hash is 128 bits in length a brute force attack could be adopted, as it is small enough to do so). It was actually a collision attack that exposed the weaknesses with the algorithm. A collision attack on MD5 is a reverse engineering process in which, given the cryptographic hash as output, the inputs can be found. 18 Formulated using the description given at: 19 Please refer to for pseudocode of the MD5 algorithm 10

13 5.1.3 Circumvention of FairPlay (PlayFair) It was because of the weaknesses within the two encryption methods that spurned a reverse-engineered application named PlayFair which got around the DRM restrictions placed upon tracks by itunes through FairPlay. An overview of the PlayFair 20 process is as follows. The content can be split into a number of sections. A combination of these sections will yield a result that will match a global user key. The MD5 hash of a particular section will result in a byte-pattern, which used in combination with the user key and the Rjindael-128 algorithm will decrypt the file. The raw information of the audio stream can now be perceived and all DRM restrictions are removed. 5.2 E-books E-books are, an electronic edition of a physical book. They are available in various formats 21. This section of the report concentrates on the e-books distributed by Adobe. Adobe E-books differ from standard pdfs as they are protected using Adobe s DRM technology employed within the Adobe Content Server, and can only be viewed through Adobe s freely available Adobe Reader 6.0. The Adobe Content Server and Adobe Reader are based on the Electronic Book Exchange (EBX) system. This system has been developed by the EBX working group and consists of two models The Functional Model Trusted Model The EBX System This system has been developed to ensure that electronically produced content cannot be use in an unauthorised manner throughout its lifetime. The EBX system utilises symmetric and asymmetric encryption and certificates in enforcing the rights and protecting the content copyrights. The content is protected with encryption A more detailed algorithm can be found at 21 Further Details of Formats can be obtained at: 22 Source: (majority of the content within this section has been obtained from this paper) 11

14 The Functional Model Figure 6: EBX Functional Model 23 The above diagram provides an overview of the EBX Functional model. It displays the communication that takes place from the publishing stage through to delivery to the consumer. The communication between different elements is authenticated using The Trusted Model. The functional model consists of three main aspects: Publishing In this phase, the publisher uses a product from an EBX licensed vendor in order to encrypt the pdf. The outcome of this phase will be an encrypted pdf file known as the content file and an accompanying voucher, details of the encryption techniques employed are provided below. Once the files have been encrypted they are uploaded to the publisher s EBX server ready to be downloaded by a certified vendor/distributor. Encrypted Content File: The original pdf file is encrypted using a symmetric cipher that uses a random key which is itself encrypted using the publisher s public key. The key used to encrypt the pdf is used to create a template for the voucher and is included within the voucher. At present the EBX standard recommends the use of 56-bit DES for the encryption of the content, however other algorithms such as 40-bit RC4 or 3DES can be used. The Voucher: The voucher is the digital object which must accompany the e-book in order for it to be read. It contains the decryption key and the permissions for the encrypted content file. The decryption key held within the voucher is encrypted using the public key of the voucher s owner. When it is transferred to an authentic party it is decrypted using the voucher owner s private key and then re-encrypted using the recipient s public key. The EBX standard recommends the use of 1024 bit RSA for encryption of the decryption key. 23 Adapted from: Analysis of ebook Security by Guoyou He 12

15 The voucher is itself protected using a Message Authentication Code (MAC). The MAC value is calculated using a keyed hash algorithm (HMAC 24 ) over all elements in the voucher. The document decryption key is used as the key for the HMAC algorithm. The HMAC algorithm is currently only used with SHA-1. User s Private Key: The security of this model relies on the fact that the user is never aware of their own private key. Distribution Once the files are available on the publisher server downloaded from a publisher s server to a distributor s EBX server using an EBX Server Administrator enabled browser. During this process the publisher uses their private key to decrypt the decryption key. A new voucher is then created consisting of the permissions for the distributor including the copy count which determines the number of copies they are allowed to sell. The decryption key is re-encrypted using the public key of the distributor and included within the voucher. The content file remains encrypted in the original manner, both the voucher and content file are transmitted to the distributor server. Delivery to Consumers A registered EBX reading system is required to read the encrypted content. When the file is downloaded the decryption key is decrypted using private key of the distributor. A new voucher is created containing the permissions for the consumer and the decryption key is encrypted using the consumer s public key. The file is then transferred to the consumer. When the user wishes to read the content the private key provided to their registered reader will be used to decrypt the content. This is the fundamental flaw within this system, as private key resides on the user s computer and could be located by a determined attacker. If the private key is compromised the attacker would able to remove all DRM measures employed on the protected content The Trust Model The EBX system consists of several different vendors, distributors and publishers. In order to ensure that they can trust each other and ensure that secret information is not disclosed, an authentication mechanism of trust services known as Public Key Infrastructure (PKI) is used. PKI is a mechanism for vetting and vouching of third parties. It works in the following way Users are issued with public and private key pairs. The private key is used to encrypt the certificate and the public key is used to decrypt the certificate. The above mechanism works on the principle that a reputable organisation issues the public and private key pairs. PKI mechanism uses the X.509 v3 certificates because these certificates are associated with the X.500 standard which provides a strong hierarchical structure. The diagram below depicts the structure of the overall EBX Certificate Authority (CA) Architecture. These certificates contain the maximum level of security of the vendor or unit, discussion of these security levels is out scope of this document. 24 HMAC Has Message Authentication Code A message authentication code calculated using a cryptographic has function 13

16 Figure 7: EBX Trusted Model 25 The EBX root authority will issue a certified vendor such as Adobe with certificates containing their allocated public and private key and certify them as a suitable certification authority. Adobe will then be able to issue certificates containing public and private pairs to the Adobe Content Server and Adobe Reader Adobe Implementation of EBX Standard Adobe Content Server This is a web based system that allows providers to protect their electronic content using various services that control the distribution of the e-books from inception to the procurement. Listed below are the components that facilitate the secure deployment, for this report the Book Preparation Service is of most interest. Book Preparation Service This is used by the content providers to encrypt and specify the rights available for the user. These are then stored the on the Abode Content Server and are made available for distribution. Distribution Service This service is used by the publisher or distributor to vend the e-books to approved clients. Fulfilment Service This facilitates the distribution of the content, only those parties who have entered works into the Adobe Content servers can run this service. Library Service: Allows e-books to be borrowed from online libraries. The diagram below depicts the interactions between the different elements of the Adobe Content Server 25 Adapted from: Analysis of ebook Security by Guoyou He 14

17 Bookstore Customer Book Preparation Fulfilment ODCB Complaint Database Distribution Content Server Procurment Library Library Patron Figure 8: Adobe Content Server Components The Book Preparation Process The process of Book Preparation is the stage where the DRM elements are added to the standard pdf. The process is as follows Create an entry for the e-book and supply some metadata about the book 2. Upload the unencrypted e-book 3. Specify the rights of the consumer to sell, give, lend, copy and print the e-book 4. Package the e-book consisting of a voucher, the actual content, and upload it to the database ready for distribution Viewing the Content The content distributed through the Adobe protection system is only readable through Adobe Reader which must be registered with Adobe (who will issue an X.509 v3 certificate with a public and private key combination), this locks ebooks to the registered software. The reader contains an EBX handler which performs the content decryption internally. This handler provides assurances to the EBX system that the user is authorised to view the content in a specified manner Decrypting Content Key within the Voucher Interim key calculation from hardware IDs Interim key calculation from hidden copy son.dat son.datfile file CPU CPU ID+ ID+ Volume Volume ID ID SHA1 SHA1 Interim Interim key key Fixed Fixed key key RC5 RC5 Decrypt Decrypt Interim Interim key key Document key calculation mor.dat mor.datfile file Voucher Interim Interim key key RC5 RC5 Decrypt Private Private RSA RSA key key RSA RSA Decrypt Document key key Figure 9: Process of Decrypting Content Key Adapted from: Adobe Content Server User Guide 27 The process assumes that the party concerned has already registered with Adobe Content Server 28 Source: Dimitri Skylarov s presentation to DEFCON 9 in

18 In order to lock down the Adobe Reader to a specific computer an interim key is calculated using one of two mechanisms shown in the top half of the diagram CPU ID and Volume ID of hard disk are combined and hashed to obtain a key which is used as the interim key. Use a fixed key which is allocated at the time of registration to decrypt the contents of the son.dat file (included within the reader) using RC5 decryption in order to obtain the interim key. Once this interim key is obtained it is used to decrypt the contents of the mor.dat 29 file. The outcome of this will be the Private RSA Key. The Private RSA key is then used to decrypt the decryption key of the content file held within the voucher. This decryption key will then decrypt the content Circumvention Adobe s system was beaten by an individual named Dimitri Skylarov who worked for a Russian based company known as Elcomsoft. Adobe s Reader used Rot13, FileOpen and SoftLock security handlers. Dimtri Skylarov identified that these plug-ins contained fundamental flaws that allowed the security of e-books to be compromised; he was put in jail for his efforts. Below is a list of the flaws he found The standard security handler uses RC4 stream cipher encrypting file content with a unique encryption key. The encryption key is encrypted and stored in the PDF file s encryption dictionary. Either the user password or owner password can recover the encryption key and decrypt the file content. The passwords can be found by enumerating all possible combinations. 30 Rot13 security handler is very weak. It encrypts all documents with a fixed key. The key is stored in the plug-in and can be found easily. 31 FileOpen security handler uses variant keys, but all the keying materials are contained in the encrypted document. Attackers can easily reconstruct the keys. 32 E-Book Pro Compiler inserted constant bytes within bytes of the text 33. The Engineering Manager for e-book Development Group at Adobe Systems Incorporated highlighted another recent pitfall. He advised that it is possible to back up a collection of e-books from one computer and restore them to a different machine by making use of a back up feature built into the Adobe e-book Reader 34 This process worked as follows. 1. Make a copy of the 'Data' folder (including 'Vouchers' subfolder) 2. Install Adobe e-book Reader on another machine 3. Restore the 'Data' folder over the corresponding 'Data' folder in your freshly installed Adobe Acrobat e-book Reader 4. Open Adobe Acrobat e-book Reader and attempt to open one of the e-books. You will receive the following message: Update Reader 29 Details of the son.dat and the mor.dat file could not be obtained 30 Source: Analysis of ebook Security by Guoyou He 31 Source: Analysis of ebook Security by Guoyou He 32 Source: Analysis of ebook Security by Guoyou He 33 Source of Information: 34 Process Info and Quote from: 16

19 Voucher Update Required (Version 2.2 Build 203) You will not be able to read your e-books until you update your installation of Acrobat e-book Reader. Please contact Adobe Systems Customer Support at for assistance in completing this update. Challenge: E7P6 4K2D 7MU3 VUDT 5. Ring Adobe, quoting the Challenge code, then receive an Activation code. e-books can now be reopened. The activation code can be easily obtained for any given Challenge without calling Adobe. Here is how Adobe Acrobat e-book Reader verifies the Activation code: 1. The 'Challenge' is being encrypted using popular symmetric block cipher; the encryption key (actually, there are two keys: one in Reader 2.1 and older, and another in Reader 2.2) is constant and stored inside the Adobe e-book Reader executable. 2. Encrypted 'Challenge' is being hashed using another popular algorithm. 3. First 10 bytes of the hash value (converted from binary to text using MIME-like encoding) is the proper Activation code -- the Reader just compares it with the one entered to the Reader. The details (the names of the ciphers, and the encryption keys) are not provided here for security reasons. There are no known fixes for this at present. 6 DRM through Trusted Computing If we refer back to the initial conceptual model that encompassed DRM objectives, it can be agreed that the model architecture is based on sound principles, but it is the implementations of the architecture such as FairPlay and Adobe EBX that have proven to be comprised. These weaknesses are mainly being identified in the Content Management area of the model. If the content is not secure enough, and if weak security mechanisms (encryption methods) are being employed to maintain integrity then it will be possible for individuals to obtain the content and remove any restrictions placed upon it. If the content can be retrieved then it can also be distributed freely to other parties over file-sharing mechanisms. It is felt that true integrity can only be achieved through Trusted Computing. This concept could solve the problems related to current methodologies. 6.1 Introduction This section of the report will focus on the technologies proposed by the TCG (Trusted Computing Group). The TCG is an initiative spearheaded by Microsoft, Intel, AMD, etc. in an attempt to make computers more secure, there are currently two hundred companies involved. This approach utilises both hardware and software technologies. The architecture makes inroads to solve the DRM dilemma. Open source is very different consideration, "Making DRM in Linux secure would be like winning a hand of poker against someone who can change all the playing cards at will," 35 HP are developing a commercial version of Linux that would be trusted computing compliant to the existing Linux platform. This version would however not be strictly Open Source. This section outlines the failures of the existing models before describing the Trusted Computing architecture. Specifically the NGSCB (Next Generation Secure Computing Base) implementation of TC will be outlined

20 6.2 Existing software There are a number of key flaws in the current state of security when attempting to enforce DRM. These flaws can essentially be narrowed down to the existing operating systems. Mandatory Access Control (MAC) is not enforced. This is a mechanism that restricts the access of user programs to some predetermined policies, which cannot be altered. These policies are issued by an entity known as a reference monitor. At present hackers are able to execute malicious device drivers at the kernel level, which allows them can access all resources, such as memory locations of other processes. Signed codes and cryptographic solutions based on this current architecture will not work, this has been portrayed in the previous examples. Current OS do not enforce the least privilege security principle, which is essentially where a minimal amount of access rights are required to complete a task. Windows currently issues access rights based on ID of which there are two types of users; super-users and normal-users. Processes that are executed in memory at present are not isolated from others. Hackers currently exploit this flaw, to compromise cryptographic keys and program data. 6.3 Existing hardware Currently hardware devices in PCs do not place any restrictions, as regards to restricting access to resources. Hackers exploit this flaw, using methods such as bus mastering 36 and buffer overflow attacks 37. Applications OS Device Kernel Drivers Extensions Figure 10: The Ring architecture employed by the Intel 0x86 processor 38 From the CPU perspective Intel had designed and implemented their CPU with security in mind. This architecture is MAC enabled, however the previous Windows OS have not utilised this. They only utilise ring 0 and ring 3. As mentioned before this gives rise to two types of user, one which can work on the kernel level and the other on the applications level. As a result Intel is extending their architecture in line with the trusted computing model, which is known as the Lagrande project. 36 Attackers exploit the bus architecture in which controllers can communicate with devices without using the CPU. 37 This is where an attacker exploits program code space in memory to overwrite the memory with arbitrary code. 38 Adapted from: eprints.qut.edu.au/archive/ / 01/Reid2005-AISW-DRM-TrustedComputing.pdf 18

21 6.4 Trusted Computing Architecture A brief outline of the key elements within this architecture is described. The protocols specifically implemented by the NGSCB are then illustrated, to show how the infrastructure works Trusted Platform Module (TPM) a.k.a Fritz Chip Figure 11: A component level diagram of the TPM 39 The TPM is hardware that will be attached to each PC, PDA, etc. The TPM is the end point of communication and thus will be designed with security in mind. The TPM will be made tamperresistant. The primary function of the TPM is to provide cryptographic operations. The TPM holds a unique Endorsement Key which is installed at the time of manufacturing. This key provides a mechanism to identify a particular TPM. There are a number of components within the TPM which will be discussed in this report. These will ensure that DRM will be viable. The Platform Configuration Register (PCR) generates, a chain of trust for any platform. It has been designed to use the secure SHA-1 hashing algorithm. Its workings are as follows: PCR[i] = PCR[i] + SHA1(measured data) It takes some arbitrary data measure regarding the systems state, such as program code and extends the hash of its registers. This information is stored in the Stored Measurement Log (SML) and used when the system is challenged for integrity. This will guarantee the integrity of state information for a system. The RSA Engine is used for signing and performing encryption/decryption. It utilises the Endorsement Key (private key) for decryption. The proposed key size is 2048-bit, this falls in line with current recommendations, rendering brute force attacks with current technology intractable. The TPM will support both symmetric and asymmetric communication. There are many keys, which are used in this model, (Endorsement Key, Attestation Identity Key, Storage Root Key and more) these are generated using a hardware-based method, conforming to the FIP 186 standard 40. This protocol ensures that keys that are generated are pseudo-random and relies on the intractability of the underlying number theory problem. 39 Adapted from: downloads/tcg_1_0_architecture_overview.pdf

22 6.4.2 Attestation Protocol The attestation protocol is a multi-tier process, which involves both hardware and software. The OS, applications etc. are all attested to create a platform of trust. Figure 12: Sequence Diagram which shows the attestation process 41 For the purposes of this report and how the TC model relates to DRM, the high level diagram in Figure 12 will suffice. Essentially the process provides the information which reside in the PCR, the SML and platform credentials to a remote challenger. This information is signed by the TPM to ensure only that particular platform can use it. A private Certificate Authority is used to certify communicating parties as authentic. The remote server can then analyse the information to verify system integrity to allow for any subsequent communications Sealed storage The concept of sealed or protected storage is to provide data confidentiality. This mechanism makes use of the Storage Root Key, which is stored in the TPM. This key is non-migratable and locked to each TPM. This key will primarily bind other cryptographic keys (session, signature) to given system state configurations and only releases the keys if configurations remain intact. BLOBs 42 are used to ensure keys are bound to a particular TPM. This mechanism is to be used to protect keys which are used by TPM, but not necessarily stored locally. This mechanism is to be used only to seal keys, due to the slowness and low cost considerations of the TPM. These keys can then be used to protect large files. This would alleviate the TPM from becoming a bottleneck. Also this mechanism can enforce the TPM s cooperation to access data. This could be utilised to only allow access to data if the system in a certain state as mentioned. Objects stored using Protected Storage can have authorisation information. Objects can be used and/or migrated. The details of this mechanism were not available at the time of writing. It is the functionality itself, which is of interest to the authors because it has implications for DRM. Application vendors could set data to be usable only effectively stopping content distribution. 41 Adpated from: downloads/tcg_1_0_architecture_overview.pdf 42 Binary Large OBject, the keys will be stored in an encrypted database using the TPM private key. 20