Qiong Liu, Reihaneh Safavi Naini and Nicholas Paul Sheppard Australasian Information Security Workshop Presented by An In seok

Transcription

1 Digital Rights Management for Content Distribution Qiong Liu, Reihaneh Safavi Naini and Nicholas Paul Sheppard Australasian Information Security Workshop 2003 Presented by An In seok

2 Contents Introduction System Overview Markets for DRM Security in DRM Legal Issues Consumer Concerns Standards Conclusion 2

3 Introduction Digital contents Music, Image, Video, Books, and Games Motivation of DRM Many digital service providers sell their digital content over computer networks ( internet ) Without protection and management of digital rights, digital content can be easily copied and distributed to a large number of recipients We need a system that prevents unauthorized access to digital content and manages content usage right 3

4 Introduction Flexibility of DRM Manage usage rights for different kinds of digital content across different platforms e.g.) PCs, laptops, PDAs, mobile phones Control access to content delivered on physical media or other distribution method E.g.) g) CD ROMs, DVDs, flash memory 4

5 System Overview Core concepts in DRM The use of digital licenses Purchases a license granting certain rights License : a digital data file that specifies certain usage rules for the digital content Usage rule defined by a range of criteria Frequency of access Expiration date Restriction of transfer to other devices Copy permission 5

6 System Overview Supported business model Rental Subscription Try before buy Pay per use Etc.. Digital content distribution methods Client / server Super distribution Digital audio / video broadcasting CDs 6

7 System Overview Typical DRM Model 7

8 System Overview Plug ins Most DRM providers extend existing viewers without DRM functionalities through the use of plug ins Usually use a special file extension in a specific DRM system The content viewer open & decrypts the digital content based on the usage rules in the license Problem No interoperability Digital content protected by one DRM system cannot be accessed by the client application in another DRM system Consumer has to install different plug ins and vender specific application to access various digital content provided by multiple DRM systems 8

9 Markets for DRM Get a market overview for the current deployment of DRM Existing commercial systems Microsoft WMRM InterTrust Rights System IBM EMMS RealNetworks RMCS Potential DRM markets Protection of patient s privacy in e health Online learning Corporate intranet security 9

10 Markets for DRM Microsoft WMRM Windows Media Right Management ( 2002 ) File format Only supports WMA, WMV Both server and client SDKs are available Supported business models dl Subscription, sales, counted operation, secure transfer Used by PressPlay ( 2001 ) Can burn music CD ( main difference from other music service providers ) The main advantage Widely used on the Internet Windows media player has already incorporated DRM support 10

11 Markets for DRM InterTrust Rights System Offers a solution for content packaging, distribution, right management ( 2002 ) Provides toolkits for independent software vendors and media player developers Supported business models dl Pay per use, rentals, sales and try before buy Used in Nokia mobile phones for the mobile content distribution Intertrust announces patent licensing agreement with Nokia ( 2008 ) System clients are not only for PCs, but also for mobile phones, set top top boxes, and music players 11

12 Markets for DRM IBM EMMS Electronic Media Management System ( 2002 ) Supports Windows Supported business models Pay per use, pay per time, subscription, controlled printing, and transferring to portable devices Madison Player 1.0 EMMS enabled player ( Aug ) SDK is available Mainly used in Japan for online music distribution IBM has strong ties with Sony for mobile content distribution DoCoMo s M stage music service 12

13 Markets for DRM RealNetworks RMCS RealSystems Media Commerce Suite Plug in for RealPlayer Provides Windows and UNIX solutions Supported business models Subscription, video on demand, etc Used by MusicNet ( 2001 ) AOL Time Warner, BMG, EMI, RealNetworks 13

14 Markets for DRM Potential DRM markets Protection of patient s privacy in e health To securely store and transfer personal medical information e.g.) Doctors, pharmacists and nurses are required to have different rights to access and modify information Online learning Education material distribution and exchange Corporate intranet security To guarantee that only authorized people can access certain information 14

15 Security in DRM General Requirement Persistent content protection Protection has to stay with the content For example If the recipient can save and copy the content in an unrestricted form and put the digital copy onto the Internet, Many people p in the world can download the movie without reduction in quality Essential security requirements Data protection to protect against unauthorized interception and modification Unique identification of recipients To enable access control for the digital content Effective tamper resistant resistant mechanism To process protected data and enforce content usage rights 15

16 Security in DRM Simple cryptographic model Two trusted parties who own a shared secret key are exchanging gencrypted information and an attacker sitting in between tries to intercept and recover the data In DRM One communication party ( consumer ) can not be trusted with a shared secret key or even unencrypted data Internet provides an open distribution channel for consumers who wish to share their digital content with their friends. It is not possible to separate honest and dishonest user Malicious user Cracker may break the security system to make a profit through selling cracked software and digital assets An attacker has a chance to break the system with unlimited time and resource 16

17 Security in DRM Cryptographic p mechanisms Symmetric key encryption Use same key in encrypting/decrypting messages Security through obscurity Keep encryption process and algorithm details confidential Kerckhoffs s Principle A cryptosystem should be secure even if everything about the system, except the key, is public knowledge A number of companies employ well known cryptographic algorithms Asymmetric key encryption Use a pair of keys public / private Mathematically related One key can only be decrypted with the other key 17

18 Security in DRM Digital Signature and Certificate Digital signature The clearinghouse digitally signs licenses then the player can verify the correctness of the usage right and keep the signature as a proof of right purchase Used to identify one s identity Usually combined with one way has function One way has function : a function whose reverse function actually does not exist For integrity checking Digital certificate To ensure that the packaged digital content is from the genuine authorized content distributor 18

19 Security in DRM Individualization Unique identification for user devices The license stored in one device cannot be transferred or used by another device Example WMRM Generates a unique DLL containing its hardware ID ( client computer ) A public / private key pair is generated Private key is stored in the DLL Public key is used as the player s identifier Clearinghouse will encrypt the license using this key Problem The portability of rights When the user wants to watch the movie at his friend s place Solution Allow users to move licenses a fixed number of times 19

20 Security in DRM Digital Watermarking Imperceptible signal that can be inserted into digital content For captioning, copyright control Content owner, buyer, and payment information Robustness to common signal transformations ( filtering, compression, tampering ) Can be used to Trace digital pirates ( web spider ) Annotation watermark and access control ( the allowable number of secondary copies and playbacks ) Try before buy business model Problem No standard Vulnerable to attacks Applying watermarking to the DRM may not be secure enough to meet the commercial requirement 20

21 Security in DRM Tamper resistance Software based technologies Code obfuscation Software is transformed into a functionally equivalent form which is difficult to understand and analyze e.g.) cloakware OS level protection To disable unauthorized attempts e.g.) screen capture ( capturing unencrypted data on the screen ) Hardware based d technologies To provide the execution space protected from external software attacks eg) e.g.) MS Palladium architecture Every machine has a unique embedded private key in hardware 21

22 Legal Issues The US Digital Millennium Copyright Act ( DMCA ) ( 1998 ) Any attempt for the creation and distribution of DRM circumvention tools even for legal reasons may violate federal law under DMCA Claim that DMCA stifles innovation and academic freedom and is a threat to open source software development The US Security Systems Standards and Certification Act ( SSSCA ) (2001) Must use built in in DRM No modification, no capture European Union Copyright Directive ( EUCD ) Break or attempt to break DRM is a criminal Prohibit academic research Prevent teachers copying materials for their students Australian Copyright Amendment ( Digital Agenda ) Act The intentional removal and alteration of electronic rights management information is criminal 22

23 Consumer Concerns Privacy and anonymity User identity, profiling user s s preferences Fair use rights Some exceptional usages should be approved Researching, teaching, learning, criticism, review, news, reporting etc Usability Platform restrictions on usage and plug in requirements for users Caused by the deployment of non standardized protection mechanisms 23

24 Standards Some organizations for standardization Open Digital Right Language Initiative : World Wide Consortium : Secure Digital Music Initiative : Moving Picture Expert Group : Proposals for a Rights Expression Language ( REL ) and Rights Data Dictionary ( RDD ) XML ( extensible Markup Language ) from Content Guard was selected 24

25 Conclusion DRM Describe the architectures, underlying security technologies and implementations, laws and standards Will the consumer be willing to play by the rules? Should solve DRM s inconveniences, incompatible platforms Need to invent an attractive business model Changing law 25