CS 265
Lecture Summary- Nov 6th
Digital Rights Management
CS 265
Cryptography and Network Security
Submitted To
Dr. Mark Stamp
Submitted By
Lakshmi Vempati
Tuesday, 11th November 2003
“DRM is recognized as a complex and critical aspect of the lifecycle of a digital object.” [2]
Introduction
“DRM represents a fundamental agreement between the content provider and content user.”
[2] Digital Rights Management (DRM) technologies allow owners to control their intellectual
property assets, such as digital documents. They provide remote control over the digital
objects. DRM systems provide persistent protection, which means that protection against
duplication of the object is maintained even after the object has been delivered. [1]
The protection can be summarized into the following four levels.
• Honor System
Charge for the content on a pay-per-view basis: This did not prove to be a good
solution, as the percentage of paid viewers decreased drastically. These systems
rely on people honoring them.
• Minimal Software-based Protection
Restrict the content from people who cannot break the minimal protection:
Though most DRM systems provide this kind of protection, even this did not
prove to be a good solution. Screen capturing could break the security here.
These systems rely on naïve users.
• Maximal Software-based Protection
Achieve controlled execution: This is a higher level of protection, where
breaking the security is very complex. Though this is a better solution, there are
very few such software-based DRM systems available. Implementing such
a system is very complex.
• Tamper-resistant Hardware
Bury the key in hardware: This is the highest level of security, which cannot
be broken easily. Even this approach has a drawback: users lose the ability to
do what they want with their own systems. [1]
Cryptography alone doesn’t solve the problem of DRM. Cryptosystems work well if
the key can be protected. In the case of DRM, the underlying cryptosystem needs to
transmit everything to the intended recipient: the algorithm, the ciphertext, and the
key. The basic problem here is the communication of the key between sender and receiver.
Once the key is compromised, the security is broken. Also, reverse engineering the
software that contains the key could give the attacker access to the key. For persistent
protection, the reverse engineering process should be very difficult to carry out. [1]
Current State of DRM:
Security by Obscurity:
“The strongest security measures currently available for DRM rely on “security by
obscurity” as opposed to any sound theoretical basis.” [1] Some systems depend entirely on
the honor system, giving a false sense of security to those who rely on the system to protect
valuable content. [1]
Secret Design:
“Perhaps due to their reliance on weak or nonexistent security measures, DRM companies
are reluctant to make details of their systems public. In DRM there is, as yet, no such
imperative to make the workings of systems, even in a general form, available for scrutiny.
At the very least, this tends to suggest that the level of security actually provided by current
DRM systems is suspect, since those making the security claims have a financial interest in
boosting their perceived level of security.” [1]
MediaSnap’s DRM System:
This system was designed to protect PDF documents, though the same principles can be
applied to the protection of other digital objects. With an SDS (secure document server) and
a PDF plugin, this system achieves the intended security. It implements
security measures that prevent attack at all levels. The sender sends the document,
encrypted with the session key, to the SDS; the server applies the desired level of persistent
protection and sends the secured document to the intended recipient. The receiver can open
the secured document with the help of the plugin. [1]
At a high level, the DRM system can be viewed as consisting of two layers of
protection, with various other security features built around these layers. At the
outermost layer, the compiled code is encrypted and an anti-debugging technique is
employed. While not invincible, the combination of these two features provides
significant protection against all but dedicated attackers. [1]
The second layer of protection includes a variety of security mechanisms, including
standard encryption, proprietary key management techniques and non-standard
scrambling of the data. These combine to make a challenging reverse-engineering
problem once the outer layer of protection has been penetrated. [1]
MediaSnap’s DRM system also provides the following security features:
• Sophisticated tamper checking of software modules: This ensures that only the
expected code is actually running.
• A low-level anti-screen-capture technique: This is to prevent the most obvious attack
on digital documents.
• Watermarking: This is to give some chance of post-theft prosecution.
• Make each version of the software unique: This is to prevent the breaking of the entire
system if one system has been compromised.
Conclusion:
“DRM represents a fundamental agreement between the content creator and the content
user. Development of a successful DRM model to meet R&E (Research and Education)
requires the active engagement of R&E community - content creators,
publishers/distributors, repositories and content users.” [2]
“If DRM is to be successful in software-based systems, perhaps the best hope lies in the
realm of software uniqueness. If each instance of a particular DRM software product
includes some degree of uniqueness then an attack that succeeds against one will not
necessarily succeed against.” [1]
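The following is an added example, not code from the lecture, the paper, or MediaSnap. It
illustrates one possible form of the uniqueness described above and in the feature list:
per-instance key diversification, so that a key taken from one client instance does not open
what the server packaged for another. The instance names, the label strings, and the
HMAC-based keystream (standing in for a real cipher to keep the example standard-library
only) are assumptions of this sketch; the page does not say how MediaSnap made each version
unique.

```python
import hashlib
import hmac
import os

def derive_instance_key(master: bytes, instance_id: str) -> bytes:
    """Diversify one server-side master secret into a key unique to each client instance."""
    return hmac.new(master, b"drm-instance|" + instance_id.encode(), hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; an assumption standing in for a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(instance_key: bytes, content_key: bytes) -> bytes:
    """Encrypt-then-MAC a content key for one instance: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(content_key, _keystream(instance_key, nonce, len(content_key))))
    tag = hmac.new(instance_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(instance_key: bytes, blob: bytes):
    """Return the content key, or None if the blob was not wrapped for this instance key."""
    if len(blob) < 48:  # shorter than nonce + tag, cannot be valid
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(instance_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(instance_key, nonce, len(ct))))

def demo() -> dict:
    master = os.urandom(32)  # constructed for this demo; never leaves the server
    key_a = derive_instance_key(master, "client-A")  # hypothetical instance names
    key_b = derive_instance_key(master, "client-B")
    doc_a, doc_b = os.urandom(32), os.urandom(32)  # one content key per delivery
    blob_a, blob_b = wrap(key_a, doc_a), wrap(key_b, doc_b)
    return {
        "a_opens_a": unwrap(key_a, blob_a) == doc_a,
        "b_opens_b": unwrap(key_b, blob_b) == doc_b,
        "a_opens_b": unwrap(key_a, blob_b) is not None,  # key from A tried on B's package
    }

if __name__ == "__main__":
    print(demo())
```

Diversification limits what one extracted key unlocks; it does not protect the instance whose
key was extracted, which is why the page pairs uniqueness with tamper checking and the outer
protection layers.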
References:
[1] Digital Rights Management: The Technology Behind The Hype, Mark Stamp,
Journal of Electronic Commerce Research, Vol. 4, No. 3, 2003
http://www.csulb.edu/web/journals/jecr/issues/20033/paper3.pdf
[2] Federated Digital Rights Management - A Proposed DRM Solution for Research and
Education, Mairead Martin, Grace Agnew, David L. Kuhlman,
John H. McNair, William A. Rhodes, Ron Tipton, July/August 2002
http://www.dlib.org/dlib/july02/martin/07martin.html