Digital Rights Management
OWASP – 09/2007
Session Overview

Digital Right Management (DRM) systems are
commonly used for protecting digital assets in the
wild.

A form of extended/enterprise RBAC, DRM systems
have been in the news a lot lately. Some are being
hacked, others are being legislated against.
Content distributors are issuing manifestos.

Should you be concerned? This presentation is an
overview of the objectives, terminology, and
security issues of DRM system.
DRM – What is it?

“Digital Rights" - the right of a user or entity to perform an
action with respect to content (an object)

Content - e.g. audio (songs), video (movies), documents
(Office files, etc.), online collaborative content (chat sessions)

“Management" - implementation and enforcement of policies
–
implies that the policies have to be defined
–
user authentication, if any, to be able to participate
–
node/system authentication, to participate
–
specific policies w.r.t. actions: play/re-play/storage/stream/expiration
–
Admin: user and/or node revocation/code refresh
Digital Content Delivery
Terrestrial
Content
Satellite
Legacy
TV
Analog
TCP/IP
DVI
TCP/IP
HDTV
Cable
Interne
t
Set-top Box
802.11
CE Devices
TCP/IP
Home
Networ
k
TCP/IP
TCP/IP
Ethernet
Telco
TCP/IP
USB
Pre-recorded
Media
Personal
DVD, HD-DVD, Computer
Blu-Ray, CD
Flash, MMC, SD Card
USB
Portable
Devices
Key Drivers

Digital Content explosion in the home
–
Consumer are now comfortable with digital content


DRM market has consolidated
–
–

Hollywood wants all the security right, before releasing it
A motivator for consumers to upgrade
Blurring of Broadcast, streaming and downloaded content
–

Microsoft DRM running on Linux!
HD content and Digital TV increasing
–
–

Windows Media DRM and OMA DRM are two forerunners
Other include SonyMG, Real, SVP, SmartRight
Even Microsoft has acknowledged the need for “open” standards for
broad consumer adoption & proliferation
–

Digital pictures, ripped MP3s, Digital Video Recorders, DVDs, etc
VOD vs. DVR time-shifting vs. Persistent download vs. Subscription
Consolidation to IP networks
Three Influencing Industries
Hollywood
(Disney, Sony, Universal, WB)
DRM Specification
License
Compliance Rules
Robustness Rules
CE
IT
(Matshushita, Toshiba, Sony)
(Microsoft, Intel, IBM)
What are Robustness Rules?




All DRM initiatives are using “robustness rules” similar to those
developed by 4C (www.4centity.com) with the Hollywood studios
–
Improved by others but essentially the same (e.g. DTCP, HDCP, DFAST,
WMDRM, OMA, CPRM/CPPM, AACS)
–
Specifies what must be secure, what techniques are required and the level of
resistance from attack
Robustness differentiates between software, hardware and
hybrid implementations
The application enforcing the copy policies must also meet
“Compliance Requirements”
Penalties and/or revocation if the implementation is not robust or
non-compliant
Onus on Implementer
Robustness Overview

Construction
–

Defines the data and functions that must be made robust
 Device keys, algorithms, etc
Methods for Robustness
–
Defines some minimum techniques required for robustness
 Obfuscation, code encryption, signing, self-verification
– Architecture choices:




Trusted vs. untrusted endpoints
Tethered vs. untethered
Content: staged vs. streaming
Transcription: end-point conversion of content from one DRM scheme to
another
Robustness – Still More

Levels of Robustness
–
Different data and functions must be resistant to different tools:

“Widely Available Tools” - general-purpose tools…
file editors

“Specialized Tools” - widely available at a reasonable price,
such as memory readers and writers, debuggers, decompilers,
or similar software development products

“Professional Tools” – logic analyzers, chip disassembly
systems, or in circuit emulators
Example Robustness Requirements
Prevent defeat or circumvention by
Widely Available
Tools
Specialized
Tools
Professional Tools
Device Secrets


Yes with difficulty
Content Key

Yes with
difficulty
Yes with difficulty
Serial Number

Yes with
difficulty
Yes with difficulty
Secure Clock

Yes with
difficulty
Yes with difficulty
Confidential
Information
Security Functions
Yes with difficulty


Yes with difficulty
Robustness – Security Challenges

Key Hiding (BIG issue… White Box Crypto is emerging std).

Device Finger-printing, Node-locking

Over The Air (OTA) provisioning or Re-establishing of Trust

Manufacturing “assembly line” of security components
(Robustness liability rests with Intermediate or Final Licensee)
–
–
–
–
–
Chip foundry/IP
ODM (Original Design Mfg.) Reference Implementation
OEM (Original Equipment Mfg.)
Device Manufacturer
Carrier/Operator
The Wild Wild West of
Digital Content Delivery
Terrestrial
Content
Satellite
Legacy
TV
Downloaded
Content
Analog
TCP/IP
HDCP
DVI
TCP/IP
HDTV
Cable
Interne
t
Set-top Box
802.11
CE Devices
DTCP/IP
Home
TiVo
Networ
k
WMDRM
TCP/IP
TCP/IP
TCP/IP
Ethernet
Telco
TCP/IP
USB
Pre-recorded
Media
Personal
DVD, HD-DVD, Computer
Blu-Ray, CD
Flash, MMC, SD Card
OMA DRM2
Real
USB
Portable
Devices
Alphabet Soup

DTCP – Digital Transmission Licensing Authority
–

HDCP – High-Bandwidth Digital Content Protection
–

Content Management License Administrator (www.cm-la.com)
WMDRM – Windows Media Digital Rights Management
–

4C Entity LLC (www.4centity.com) (Founded by IBM, Matsushita, Intel, Toshiba)
OMA DRM – Open Mobile Alliance Digital Right Management
–

CableLabs (www.cablelabs.com)
CPRM/CPPM – Content Protection for Recordable/Pre-recorded Media
–

Digital Content Protection, LLC (www.digital-cp.com)
DFAST – Dynamic Feedback Arrangement Scrambling Technique
–

Digital Transmission Licensing Authority (www.dtcp.com) (Founded by Hitachi, Sony, Toshiba, Intel,
Matsushita)
Microsoft (www.microsoft.com)
AACS – Advanced Access Content System
–
AACS Licensing Authority (www.aacsla.com) (Founded by IBM, Intel, Sony, Microsoft, Matsushita,
Toshiba, Disney, Warner Bros.)
James W. Stibbards
Sr. Director – Cloakware Federal
james.stibbards@cloakware.com
(571) 232-7210