Towards Trust in Digital Rights Management Systems

Size: px

Start display at page:

Download "Towards Trust in Digital Rights Management Systems"

Dustin Harper
7 years ago
Views:

1 Towards Trust in Digital Rights Management Systems 4FriendsOnly.com Internet Technologies AG PD Dr.-Ing. habil. Jürgen Nützel, CEO, 4FriendsOnly.com AG Anja Beyer Technische Universität Ilmenau And Thanks to TRUSTBUS 2006, Kraków, Poland

Jürgen Nützel, CEO, JN@4FO.de 4FriendsOnly.com AG Anja Beyer Anja.

2 History and Motivation Outline Open Mobile Alliance (OMA) DRM Trust and Security Model of OMA DRM Version 2 Reference Model and OMA DRM 2.0 The role of Trust in DRMS Implementation of OMA DRM Agents Secure Key Store Different Options to Install the Device Private Key OMA DRM and Trusted Computing Trusted Platform Module TCG SKAE Certificates to install multiple OMA DRM Device Certificates Conclusions and Further Work 07 September 2006 TRUSTBUS 06 Kraków Poland, Jürgen Nützel, Anja Beyer 2

0 The role of Trust in DRMS Implementation of OMA DRM Agents Secure Key Store Different Options to Install the Device

3 History: Virtual Good Music [1] About 150 years ago (and before): Artist/Producer Consumer Production and consumption at the same time No possibility to store and forward it It is a service! 07 September 2006 TRUSTBUS 06 Kraków Poland, Jürgen Nützel, Anja Beyer 3

time No possibility to store and forward it It is a service!

4 History: Virtual Good Music [2] In the 20th century: Artist Reproduction and distribution of physical media by the music industry Consumer Bound to physical media Consumption anytime possible (only with the physical media) Production and distribution under control of the industry 07 September 2006 TRUSTBUS 06 Kraków Poland, Jürgen Nützel, Anja Beyer 4

Consumption anytime possible (only with the physical media) Production and distribution

5 History: Virtual Good Music [3] Today: Music download (without DRM) Digital distribution via the Internet Content Server Digital Content: User s device: PC / Mobile phone Consumption using a device Illegal distribution by the consumer Digital Content: The consumer is also able to distribute the virtual good The content owners are afraid about their business models (Free-Rider-Problem) 07 September 2006 TRUSTBUS 06 Kraków Poland, Jürgen Nützel, Anja Beyer 5

the consumer Digital Content: 0101101 The consumer is also able to distribute the virtual good The content owners are

6 Now: Digital Rights Management enables the content owners to define specific usage rights for their digital content. enforce these rights on the user s device using cryptography (content is distributed encrypted) restore the old business models (from 20th century) introduce new business models (like subscription services) restrict the user in forwarding plain content (e.g. via the Internet) making unlimited copies the unlimited consumption (by time or counter) allows the providers to trust their customers if the customer trust the providers DRM systems (DRMS) and their implementations (mutual trust) should be based on open standards (like OMA) 07 September 2006 TRUSTBUS 06 Kraków Poland, Jürgen Nützel, Anja Beyer 6

(like subscription services) restrict the user in forwarding

7 Open Mobile Alliance (OMA) DRM The only open and wide-spread DRM standard OMA is the leading industry forum for developing market driven, interoperable mobile service enablers OMA DRM 1.0 Simple format independent DRM standard Supported by many mobile devices Supports: forward lock, combined and separated delivery of the key Nokia N91 OMA DRM 2.0 Standard was approved in March 2006 Is not limited to mobile devices Nokia released its first device (N91) with OMA DRM September 2006 TRUSTBUS 06 Kraków Poland, Jürgen Nützel, Anja Beyer 7

0 Simple format independent DRM standard Supported by many mobile devices Supports: forward lock, combined and separated delivery of the key

8 Trust and Security Model of OMA DRM 2 Device authentication based on X.509v3 certificates (device certificates) Device certificates issued by a specific OMA CA Device private key is stored hidden/secure in the client device Rights Issuer uses the device public key (in certificate) to encrypt the Content Encryption Key (CEK) in the Rights Objects (RO) RO's only work on the device with the appropriate private key usage rights r cek CEK Device Public Key Device Private Key Rights Object (RO) Device private key has to be kept secure The device public key may become a privacy problem 07 September 2006 TRUSTBUS 06 Kraków Poland, Jürgen Nützel, Anja Beyer 8

Issuer uses the device public key (in certificate) to encrypt the Content Encryption Key (CEK) in the Rights Objects (RO) RO's only work on the device with the

9 Reference Model and OMA DRM 2.0 Consumer s Device with DRM Agent Provides encrypted content Content Server 1st: Download Content (DCF) Device Public Key Device Private Key 2nd 6th Before: CEK exchange 3rd: RO Request DRM Agent 7th Decoder Generates ROs. Encrypts the CEK using user s Device Public Key Rights Issuer (RI) 4th: RO Transfer usage rights r 5th cek CEK 7th usage counter Rights Object (RO) 07 September 2006 TRUSTBUS 06 Kraków Poland, Jürgen Nützel, Anja Beyer 9

Key Device Private Key 2nd 6th Before: CEK exchange 3rd: RO Request DRM Agent 7th Decoder Generates ROs.

10 The role of Trust in DRMS OMA DRM 2.0 trust model is based on a Public Key Infrastructure (PKI) include mutual authentication relies on a central root CA for all certificates A Rights Issuer trusts a DRM Agent to behave correctly if the DRM Agent's certificate is verifiable by the Rights Issuer and not revoked A DRM Agent trusts a Rights Issuer to behave correctly if the RI's certificate is verifiable by the DRM Agent and not revoked Is Trusted Computing needed? Trusted Platform Module may become a security anchor of the DRMS? 07 September 2006 TRUSTBUS 06 Kraków Poland, Jürgen Nützel, Anja Beyer 10

Issuer trusts a DRM Agent to behave correctly if the DRM Agent's certificate is verifiable by the Rights Issuer and not revoked A DRM Agent trusts a

11 We started implementing OMA DRM 2 Two major problems we had to solve: 1st: Secure storage of the device private key No secure storage on a PC platform We use platform specific hardware parameters We do not want to modify the operating system (trust!) 2nd: Installation of the device private key PC platforms have no preinstalled OMA device private key OMA standard has no answer for this problem Today we can not rely on Trusted Computing Not yet supported by operating systems PC boards with TPM not widely spread 07 September 2006 TRUSTBUS 06 Kraków Poland, Jürgen Nützel, Anja Beyer 11

) 2nd: Installation of the device private key PC platforms have no preinstalled OMA device private key OMA standard has no answer for this problem

12 1st: Secure Key Store Implementation for PC based platform Device private key encrypted with hardware parameters Client Device with (n=4) different hardware parameters: p1,p2,p3,p4 HWK1(p2,p3,p4): HWK2(p1,p3,p4): HWK3(p1,p2,p4): HWK4(p1,p2,p3): random key random key random key random key Key Store File dprivk 4 different hardware keys (HWK) are derived from 4 different subsets of the hardware parameters The random key (RK) is encrypted 4 times Device Private Key In the final implementation for Fraunhofer IIS 8 hardware parameters (MAC, graphic card ) have been used Two hardware parameters may fail Random key is encrypted 56 times 07 September 2006 TRUSTBUS 06 Kraków Poland, Jürgen Nützel, Anja Beyer 12

derived from 4 different subsets of the hardware parameters The random key (RK) is encrypted 4 times Device Private Key In the final implementation for Fraunhofer IIS 8 hardware

13 2nd: Hidden Key Download Client PC DRM Agent, sw_id, mk1, mk2 Device CA mk1, mk2 (master key) Install DRM Agent mk1 mk2 sw_id, session1, time1 (obfuscated in the DRM Agent) mac1=hash(sw_id+session1+time1+mk1) Mutual Authentication Request new Key pair Verify mac2 & adjust clock mac2=hash(sw_id+session1+time2+mk2), time2 sw_id, session2, time3, mac3=hash(sw_id+session2+time3+mk1) encrypt(dprivk,mk2), certificate Verify mac1 & time1 Verify mac3 & time3 Create Device Key Pair and Certificate dprivk Download of Software certificate with dpubk dprivk certificate with dpubk Store dprivk & certificate 07 September 2006 TRUSTBUS 06 Kraków Poland, Jürgen Nützel, Anja Beyer 13

session2, time3, mac3=hash(sw_id+session2+time3+mk1) encrypt(dprivk,mk2), certificate Verify mac1 & time1 Verify mac3 & time3 Create Device Key Pair and Certificate

14 Trusted Computing Trusted Platform Module (TPM) Cryptographic coprocessor on PC motherboard RSA operations and private key storage on chip Each TPM has a unique identity (pre-installed Endorsement Certificates) TPM is able to generate further RSA key pairs. Private key remains bound to the TPM Attestation Identity Keys (AIK) Attestation Identity Keys (RSA key pair) allow to report (attestation) the trustworthiness of the own platform to an external communication partner Because of privacy reasons the TPM generates for different communication partners different AIKs. All AIKs are based on the unique Endorsement Key AIKs represent an anonymous identity (alias) 07 September 2006 TRUSTBUS 06 Kraków Poland, Jürgen Nützel, Anja Beyer 14

Private key remains bound to the TPM Attestation Identity Keys (AIK) Attestation Identity Keys (RSA key pair) allow to report (attestation) the trustworthiness of the own platform to

15 Creation of an OMA Device Certificate Note: SKAE (Subject Key Attestation Evidence): Standard mechanism to represent a Certified Credential in X509 certificates. TPM Client Privacy CA Device CA AIK priv AIK pub Create Attestation Identity Key (AIK) Pair Request AIK credentials, AIK pub Credentials signed by Privacy CA Validates request and provides credentials credentials with AIK pub dprivk dpubk Activate AIK Create Device Key Pair Certify that Device Key uses AIK Create SKAE extension certificate with dpubk and SKAE extension Certificate Request (PKCS#10), dpubk, SKAE extension Device Certificate Create Device Certificate with SKAE extension certificate with dpubk and SKAE extension 07 September 2006 TRUSTBUS 06 Kraków Poland, Jürgen Nützel, Anja Beyer 15

credentials credentials with AIK pub dprivk dpubk Activate AIK Create Device Key Pair Certify that Device Key uses AIK Create SKAE extension certificate with dpubk and SKAE extension

16 Conclusions and Further Work Success of DRM systems depends on mutual trust OMA DRM standard for mobile devices implies a trust model based on PKI Our solution provides an expanded approach adopts the standard to untrustworthy platforms like Windows Trusted Computing provides a root of trust is qualified for enforcing the providers rights Trust as an advantage in competition 07 September 2006 TRUSTBUS 06 Kraków Poland, Jürgen Nützel, Anja Beyer 16

untrustworthy platforms like Windows Trusted Computing provides a root of trust is qualified for enforcing the

17 Many thanks to 4FriendsOnly.com Internet Technologies AG Jürgen Nützel and Anja Beyer 07 September 2006 TRUSTBUS 06 Kraków Poland, Jürgen Nützel, Anja Beyer 17

How to Increase the Security of Digital Rights Management Systems without Affecting Consumer s Security

How to Increase the Security of Digital Rights Management Systems without Affecting Consumer s Security 4FriendsOnly.com Internet Technologies AG PD Dr.-Ing. habil. Jürgen Nützel, CEO, JN@4FO.de 4FriendsOnly.com