Digital Rights Management OWASP – 09/2007 Session Overview Digital Right Management (DRM) systems are commonly used for protecting digital assets in the wild. A form of extended/enterprise RBAC, DRM systems have been in the news a lot lately. Some are being hacked, others are being legislated against. Content distributors are issuing manifestos. Should you be concerned? This presentation is an overview of the objectives, terminology, and security issues of DRM system. DRM – What is it? “Digital Rights" - the right of a user or entity to perform an action with respect to content (an object) Content - e.g. audio (songs), video (movies), documents (Office files, etc.), online collaborative content (chat sessions) “Management" - implementation and enforcement of policies – implies that the policies have to be defined – user authentication, if any, to be able to participate – node/system authentication, to participate – specific policies w.r.t. actions: play/re-play/storage/stream/expiration – Admin: user and/or node revocation/code refresh Digital Content Delivery Terrestrial Content Satellite Legacy TV Analog TCP/IP DVI TCP/IP HDTV Cable Interne t Set-top Box 802.11 CE Devices TCP/IP Home Networ k TCP/IP TCP/IP Ethernet Telco TCP/IP USB Pre-recorded Media Personal DVD, HD-DVD, Computer Blu-Ray, CD Flash, MMC, SD Card USB Portable Devices Key Drivers Digital Content explosion in the home – Consumer are now comfortable with digital content DRM market has consolidated – – Hollywood wants all the security right, before releasing it A motivator for consumers to upgrade Blurring of Broadcast, streaming and downloaded content – Microsoft DRM running on Linux! HD content and Digital TV increasing – – Windows Media DRM and OMA DRM are two forerunners Other include SonyMG, Real, SVP, SmartRight Even Microsoft has acknowledged the need for “open” standards for broad consumer adoption & proliferation – Digital pictures, ripped MP3s, Digital Video Recorders, DVDs, etc VOD vs. DVR time-shifting vs. Persistent download vs. Subscription Consolidation to IP networks Three Influencing Industries Hollywood (Disney, Sony, Universal, WB) DRM Specification License Compliance Rules Robustness Rules CE IT (Matshushita, Toshiba, Sony) (Microsoft, Intel, IBM) What are Robustness Rules? All DRM initiatives are using “robustness rules” similar to those developed by 4C (www.4centity.com) with the Hollywood studios – Improved by others but essentially the same (e.g. DTCP, HDCP, DFAST, WMDRM, OMA, CPRM/CPPM, AACS) – Specifies what must be secure, what techniques are required and the level of resistance from attack Robustness differentiates between software, hardware and hybrid implementations The application enforcing the copy policies must also meet “Compliance Requirements” Penalties and/or revocation if the implementation is not robust or non-compliant Onus on Implementer Robustness Overview Construction – Defines the data and functions that must be made robust Device keys, algorithms, etc Methods for Robustness – Defines some minimum techniques required for robustness Obfuscation, code encryption, signing, self-verification – Architecture choices: Trusted vs. untrusted endpoints Tethered vs. untethered Content: staged vs. streaming Transcription: end-point conversion of content from one DRM scheme to another Robustness – Still More Levels of Robustness – Different data and functions must be resistant to different tools: “Widely Available Tools” - general-purpose tools… file editors “Specialized Tools” - widely available at a reasonable price, such as memory readers and writers, debuggers, decompilers, or similar software development products “Professional Tools” – logic analyzers, chip disassembly systems, or in circuit emulators Example Robustness Requirements Prevent defeat or circumvention by Widely Available Tools Specialized Tools Professional Tools Device Secrets Yes with difficulty Content Key Yes with difficulty Yes with difficulty Serial Number Yes with difficulty Yes with difficulty Secure Clock Yes with difficulty Yes with difficulty Confidential Information Security Functions Yes with difficulty Yes with difficulty Robustness – Security Challenges Key Hiding (BIG issue… White Box Crypto is emerging std). Device Finger-printing, Node-locking Over The Air (OTA) provisioning or Re-establishing of Trust Manufacturing “assembly line” of security components (Robustness liability rests with Intermediate or Final Licensee) – – – – – Chip foundry/IP ODM (Original Design Mfg.) Reference Implementation OEM (Original Equipment Mfg.) Device Manufacturer Carrier/Operator The Wild Wild West of Digital Content Delivery Terrestrial Content Satellite Legacy TV Downloaded Content Analog TCP/IP HDCP DVI TCP/IP HDTV Cable Interne t Set-top Box 802.11 CE Devices DTCP/IP Home TiVo Networ k WMDRM TCP/IP TCP/IP TCP/IP Ethernet Telco TCP/IP USB Pre-recorded Media Personal DVD, HD-DVD, Computer Blu-Ray, CD Flash, MMC, SD Card OMA DRM2 Real USB Portable Devices Alphabet Soup DTCP – Digital Transmission Licensing Authority – HDCP – High-Bandwidth Digital Content Protection – Content Management License Administrator (www.cm-la.com) WMDRM – Windows Media Digital Rights Management – 4C Entity LLC (www.4centity.com) (Founded by IBM, Matsushita, Intel, Toshiba) OMA DRM – Open Mobile Alliance Digital Right Management – CableLabs (www.cablelabs.com) CPRM/CPPM – Content Protection for Recordable/Pre-recorded Media – Digital Content Protection, LLC (www.digital-cp.com) DFAST – Dynamic Feedback Arrangement Scrambling Technique – Digital Transmission Licensing Authority (www.dtcp.com) (Founded by Hitachi, Sony, Toshiba, Intel, Matsushita) Microsoft (www.microsoft.com) AACS – Advanced Access Content System – AACS Licensing Authority (www.aacsla.com) (Founded by IBM, Intel, Sony, Microsoft, Matsushita, Toshiba, Disney, Warner Bros.) James W. Stibbards Sr. Director – Cloakware Federal james.stibbards@cloakware.com (571) 232-7210