USC CSci599 Trusted Computing
Lecture Seven – Digital Rights Management
February 23, 2007

Dr. Clifford Neuman
University of Southern California
Information Sciences Institute

Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Applications

• Trusted computing is there to support specific applications with specific policies that might be hard to enforce on machines outside of the control of the entity needing the policies enforced.

• The first of the applications we will discuss is the one most closely tied to trusted computing.
  – Digital rights management (DRM)

TC Applications and Policy

• The issues that are addressed by most applications are issues of policy.

• TC is able to better support many of these policies than can be supported without TC.

• DRM is all about policy
  – Who can access protected content.
  – What they can do with protected content.
  – How long they can do it for.
  – TC is what protects the content from being accessible to applications that will not enforce the policies.
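
The three policy questions above (who, what, how long), written as a license check. This is an added example, not part of the original lecture; the license layout, the shared `PROVIDER_KEY` and the function names are assumptions made for illustration. The check only protects content if the player that runs it is the only software able to reach the content, which is the part TC supplies.

```python
import hashlib
import hmac
import json

# Assumption: a key shared by the provider and the enforcing player (constructed value).
PROVIDER_KEY = b"constructed-demo-provider-key"

def issue_license(user, actions, not_after, key=PROVIDER_KEY):
    """Provider side: bind who / what / how long into one authenticated blob."""
    body = json.dumps({"user": user, "actions": sorted(actions),
                       "not_after": not_after}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def authorize(lic, user, action, now, key=PROVIDER_KEY):
    """Player side: return (allowed, reason); refuse on any doubt."""
    body = str(lic.get("body", "")).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Verify integrity before trusting any field of the license.
    if not hmac.compare_digest(expected.encode(), str(lic.get("tag", "")).encode()):
        return False, "license tampered or not issued by provider"
    terms = json.loads(body)
    if terms["user"] != user:                # who
        return False, "wrong user"
    if action not in terms["actions"]:       # what
        return False, "action not granted"
    if now > terms["not_after"]:             # how long (Unix time)
        return False, "license expired"
    return True, "ok"

if __name__ == "__main__":
    lic = issue_license("alice", ["play"], 1_200_000_000)   # constructed sample
    print(authorize(lic, "alice", "play", 1_100_000_000))
    print(authorize(lic, "alice", "copy", 1_100_000_000))
    # A user who edits the expiry invalidates the tag.
    forged = dict(lic, body=lic["body"].replace("1200000000", "1900000000"))
    print(authorize(forged, "alice", "play", 1_300_000_000))
```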

Protected Interests

• DRM primarily protects the content provider or content owner.
  – That content will not be accessible to applications that do not enforce content provider specified restrictions on access.
• Typical DRM does not consider protection for other interests that SHOULD be protected:
  – That the user’s private data is not disclosed or used for other than purposes agreed to.
  – That added software to which the user does not agree is not installed on their system.
  – That the user should be able to access content to which they have legitimate access even if the provider changes their mind.

Negotiation of Interests

• Users can choose to relinquish some rights in exchange for others:
  – Reduced cost
  – Ability to access needed data.

• Such negotiation should be based on informed acceptance.

• It should be based on balanced interests, though often it will not.

DRM Today

• Software
  – Usually through code obfuscation
  – Licensing keys
  – Hardware dongles
• Media (audio / video)
  – Encryption
    ▪ Embedded keys (obfuscated or hardware)
  – Programs or devices enforce policy
• Problems with approaches
  – Often cracked
  – Special programs embed extra behavior
  – Lack of portability across devices

DRM Problems

• Often cracked
• Special programs embed extra behavior
• Lack of portability across devices
• The Analog hole

DRM Problems

• Cracking of DRM
  – Often just a matter of de-obfuscation
  – Find keys embedded in software
  – Find keys embedded in hardware and distributed among others
  – Inability to distribute new keys means it is hard to revoke the keys that have been stolen
  – Inability to change encryption on existing instances of objects causes a similar problem.

Blu-Ray and HD-DVD Crack

• The keys were discovered
  – Initially, just the keys for individual titles, which allowed decryption of the disks and dissemination of content.
  – More recently, the processing key was discovered, which enables decryption of all the disks made.
  – Determined by recording changes to certain parts of memory during startup.
  – Example of de-obfuscation.
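
A simplified two-level key model showing why the two leaks above differ in scope, and why the revocation problem from the previous slide follows: rotating the shared key protects only discs made afterwards. This is an added example, not part of the original lecture and not the actual disc format's scheme; the toy cipher, the function names and all keys and titles are constructed for illustration.

```python
import hashlib
import hmac
import os

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy cipher (HMAC-SHA256 keystream), a stand-in for a real one."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def press_disc(title: str, content: bytes, processing_key: bytes):
    """Content under a per-title key; title key wrapped under the shared
    processing key. A pressed disc can never be re-encrypted."""
    title_key = os.urandom(32)
    disc = {"title": title,
            "wrapped_key": xor_stream(processing_key, title_key),
            "ciphertext": xor_stream(title_key, content),
            "digest": hashlib.sha256(content).digest()}  # demo-only check value
    return disc, title_key

def exposed(discs, processing_key=None, title_keys=()):
    """Titles decryptable by whoever holds the given keys (blast radius)."""
    hits = []
    for d in discs:
        keys = list(title_keys)
        if processing_key is not None:
            keys.append(xor_stream(processing_key, d["wrapped_key"]))
        if any(hashlib.sha256(xor_stream(k, d["ciphertext"])).digest()
               == d["digest"] for k in keys):
            hits.append(d["title"])
    return hits

def demo():
    old_pk, new_pk = os.urandom(32), os.urandom(32)   # constructed keys
    a, a_key = press_disc("Title A", b"constructed movie A", old_pk)
    b, _ = press_disc("Title B", b"constructed movie B", old_pk)
    # The provider rotates the processing key; only later discs use it.
    c, _ = press_disc("Title C", b"constructed movie C", new_pk)
    discs = [a, b, c]
    return {"title_key_leak": exposed(discs, title_keys=[a_key]),
            "processing_key_leak": exposed(discs, processing_key=old_pk),
            "new_key_only": exposed(discs, processing_key=new_pk)}

if __name__ == "__main__":
    print(demo())
```

Titles A and B stay exposed after the rotation because their ciphertext and wrapped keys are fixed on media already in circulation.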

Bonus Code

• DRM-enabling applications often
  – Collect usage information, sometimes for marketing purposes.
  – Slow down your system.
  – Like to stay resident when not using the protected content.
  – Report back about what else is installed.
  – Enable automatic updates (downloading of new versions).
  – Have been known to open your system to other malicious activities – whether intentionally or through carelessness.

No Portability

• Each content distributor has its own stack that works with its own content.
  – Doesn’t allow integrated management by users.
  – Requires lots of extra software.
• But this is a standards issue, and isn’t necessarily fixed by TC.

The Analog Hole

• Once content is “scanned” outside the protected devices, it can no longer be controlled.
  – Protections are removed.
• Industry wants to make everything DRM enabling.
  – Whether for access to content or not.
  – Imposes costs on others.
  – No longer “negotiated”.

User perceived DRM Problems

• From Wired
  – Region coding – even though fair use, forces one to breach technical measures.
  – Disabling functionality in Verizon phones.
  – Subsequent changes to ability to access that which one has paid for.

How TC can help

• Reduce reliance on obfuscation.

• Base policies can be enforced in common by OTS software, not different policies for each content stack.

• Possibility to raise the point of commonality of policies to provide better portability.

  – But it is a hard human problem and might not be possible.