overview:
  - content protection, DRM
    - example application: DVD (CSS)
  - information hiding, steganography, watermarking
  - next week: computing on untrusted platforms, gaming, tamper-resistance

DVD:
  - Want copyright protection for DVD movies
  - Encrypt movie with CSS
    - Clearly movie is not intended to be secret!  So why encrypt?
    - Answer: Provides a means of access control.  Only those with the
      keys can view the movie.
  - Distribute players, with CSS keys embedded in them
    - Title key: per-movie, used to encrypt the movie
    - Player key: per-player-manufacturer, used to encrypt title key
    - On each DVD, you encrypt the title key under each possible player
      key; players can then decrypt to obtain title key, then decrypt
      the movie.
  - Special rules for player manufacturers
    - Players can't output movie in digital form
    - Analog output has to be protected with Macrovision (prevents you
      from making copies with Macrovision-compliant VCR's)
    - Players have to be reasonably "tamperproof"
    - Crypto is the "hook" with which manufacturers are enticed to play
      by the rules; you only get the keys (and the CSS algorithm) if
      your players are compliant
  - CSS
    - A secret, homebrew algorithm
    - Had to be fast enough to run on both hardware and software players
    - Had to be patented to provide an extra "hook" to ensure
      manufacturers don't build non-compliant players
    - Had to be exportable => 40-bit keys
    - That special sector that is physically set to all-zeros on
      consumer-grade discs
  - Content control
    - Movie carries a watermark saying whether the movie can be copied
      or not (almost always, you're not allowed to copy it)
    - Region coding: producer can set bits saying what regions the disk
      can be played in; if bits don't match, player won't play it
    - All compliant players required to implement these policies
      faithfully

Attacks:
  - Hacking a player to learn a key
    - Countermeasure: If a player gets reverse-engineered, the player
      key gets "revoked", in the sense that it is no longer used for
      encrypting title
      keys on any DVD's produced in the future
  - Exhaustive keysearch for 40-bit CSS keys
    - "Yeah, but CSS is secret, so we don't need to worry about that"
      => malarkey
  - Bit-for-bit copies
    - Made more difficult, because consumer-grade writable DVD disks
      come with their key sector zeroed out
    - Also, cost of a blank consumer-grade disk is greater than the
      cost of pre-recorded DVD movies!  So home copying would not be
      economical today, even if it were possible.  (But bulk copying is
      still probably far cheaper)
    - But still possible, and fundamentally absolutely impossible to
      prevent
  - Hacking software players
    - Can re-direct and re-encode output of a software player
    - Can reverse-engineer algorithms and CSS keys
    - Fundamentally impossible to defend against, and Hollywood was
      crazy to support software players -- they should have known
      better!
  - Breaking the crypto
    - Someone reverse-engineered a player, re-implemented the CSS
      algorithm in a program called DeCSS, and posted the source of
      their re-implementation (so that Linux developers could build a
      DVD player for Linux); within _days_ a cryptographer found
      devastating attacks on the whole scheme.  Made it trivial to
      derive player keys (folks on the list decrypted about 100 player
      keys, then got bored and stopped).  DVD-CCA sued over DeCSS.
  - Result: DVD protection can be easily bypassed with simple software;
    once one person writes the software and distributes it, anyone can
    use it without needing to know anything about crypto.
  - Lesson: Don't use home-brew crypto; more importantly, don't use
    software players; finally, copy prevention is fundamentally
    impossible.

watermarking
  - applications
    - low-grade security: copier escrow
    - high-grade security: how do we prevent ripping MP3's, DVD's?
  - a simple scheme: put a watermark in the LSB's
    - why this is not sufficient for security

information hiding
  - need a way to insert "marks":
    - historically: invisible ink, microdots, burst transmissions,
      spread-spectrum and frequency hopping, meteor scatter radio, CIA
      camera with a keystream generator to select a few pixels in the
      image to overwrite with data
    - harder in the digital domain:
      - e.g., left/right camera in a movie
      - low bits of an image
      - for still images, spread-spectrum techniques
        - use a pseudorandom sequence to select places to modify
          (either in location, or in frequency domain)
        - insert marks into the frequency domain (Fourier transform)

what can you do with "marking"?
  - add a "no copying" bit
    - Q: Is it better to add a "no copying" watermark, or to add a
      "copy-able" watermark?
  - personalize content with identity of customer, so you can trace
    "traitors"
  - prove possession of the image
  - steganography, i.e., communicating covertly

attacks on copyright-prevention schemes (a single "no copying" bit)
  - crop, rotate, shrink, blur, D/A -> A/D conversion,
    print->fax->scan, lossy compression, deletion of a row/column of
    pixels, color adjustment, ...
  - insert more watermarks on top of the existing one
  - split image up into many pieces, have web page show them tiled next
    to each other (looks like one big image, but web spiders won't find
    it)
  - legal attack: if you rely on the presence of the watermark as
    evidence, once they prosecute a single bad guy, they'll probably
    have to reveal the secret key used to generate the watermark (if
    you're using a keyed watermarking scheme) => allows everyone to
    remove watermarks thereafter
  - think of this as a one-bit communication channel (from marker, to
    himself, delayed in time!) that must survive denial of service
    attacks: we have to be sure the one bit gets through, no matter
    what.  it's a hard problem because DoS is hard
  - why is watermarking hard?
    - attacker can apply any perceptually-preserving transformation;
      watermark must survive all of these
    - attacker may know in advance how the watermarking scheme works
    - many attackers might collude

attacks on traitor tracing
  - all the above, plus:
  - "averaging" attacks: many traitors collude, then combine their
    personalized copies of the content in some clever way to erase the
    watermark

attacks on proving possession
  - example: tamperproof camera, when you take a picture, it records
    time, date, and who took the picture (possibly all signed) as a
    watermark
  - security?
    - now attackers need to _add_ watermarks, not _remove_ them
    - this allows you to get very strong security; watermark can be a
      hint, an untrusted communication channel, and all security comes
      from a public-key signature on the message
  - note: security of tamperproof camera relies on tamper-resistance,
    and that in turn depends heavily on whether the person in physical
    possession of the device has an incentive to break the
    tamperproofing.  if the person has an incentive for the system to
    work correctly (e.g., first person to timestamp the picture gets
    copyright protection), it's probably secure.  if person has an
    incentive to break it (e.g., camera inserts identity information
    into camera without consent of the owner), then it's probably very
    insecure.  this is a general principle about tamper-resistance, not
    about marking.

attacks on communicating covertly (stego)
  - statistical attacks: recognize the covert communications
  - much more powerful: active attacks
    - WWII anecdote: Once, a cable from Germany to the USA saying "Aunt
      Matilda is dead" was changed to "Aunt Matilda is deceased", which
      prompted a panicky reply "Say again, is Aunt Matilda dead or
      deceased?"  ...pretty clearly there was some stego here.
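
The LSB scheme and the "any perceptually-preserving transformation" point from the watermarking notes above, as an added robustness check (not part of the original notes). It marks a constructed grayscale pixel list at key-selected positions and measures what survives two edits that change each pixel by at most one grey level; `KEY`, `MARK`, `requantize` and `brighten` are assumptions of this example.

```python
import random

KEY = 0x5EED                         # assumed secret that selects marked pixels
MARK = [1, 0, 1, 1, 0, 0, 1, 0] * 8  # constructed 64-bit watermark

def positions(key, n_pixels, n_bits):
    """Keyed pseudorandom choice of the pixel indices that carry the mark."""
    return random.Random(key).sample(range(n_pixels), n_bits)

def embed(pixels, bits, key):
    """Overwrite the least significant bit of each selected pixel."""
    out = list(pixels)
    for idx, bit in zip(positions(key, len(pixels), len(bits)), bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return out

def extract(pixels, n_bits, key):
    """Read the LSBs back from the same key-selected positions."""
    return [pixels[i] & 1 for i in positions(key, len(pixels), n_bits)]

def requantize(pixels):
    """8-bit -> 7-bit -> 8-bit, a coarse stand-in for lossy re-encoding."""
    return [p & 0xFE for p in pixels]

def brighten(pixels):
    """Raise every pixel by one grey level (a tiny colour adjustment)."""
    return [min(255, p + 1) for p in pixels]

def robustness(transform):
    """Return (largest pixel change, fraction of mark bits still correct)."""
    rng = random.Random(1)
    cover = [rng.randrange(16, 240) for _ in range(4096)]  # constructed image
    marked = embed(cover, MARK, KEY)
    processed = transform(marked)
    max_delta = max(abs(a - b) for a, b in zip(marked, processed))
    got = extract(processed, len(MARK), KEY)
    agree = sum(g == m for g, m in zip(got, MARK)) / len(MARK)
    return max_delta, agree

if __name__ == "__main__":
    for name, fn in [("none", list), ("requantize", requantize),
                     ("brighten", brighten)]:
        print(name, robustness(fn))
```

Requantizing leaves the detector at 0.5 agreement, which is no better than guessing, and brightening makes it read every mark bit inverted, all without the secret key and with no visible change to the image.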

theme: these are all cases where it is difficult to get a very high level of security, so one must closely match the desired level of security to the required level (unlike in crypto, where you can just apply overkill by many orders of magnitude -- e.g., 256-bit keys). the downside is that this creates the most dangerous and delicate of all circumstances, for three reasons: (1) most obviously, if you miscalculate, you can lose a lot; (2) threat models change over time, and especially so if your system is successful (so you are most likely to get broken exactly when you most need it -- your very success can be your own downfall); and (3) most subtly, you risk training and funding your adversaries (like in the pay TV world).
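
The title-key/player-key hierarchy and the revocation countermeasure from the DVD section, as an added sketch (not from the original notes, and not the CSS algorithm). The cipher is a toy SHA-256 keystream, and the per-disc nonce, the key-check tag and the `vendor_*` names are assumptions of this example.

```python
import hashlib, hmac, os

def stream_xor(key, data):
    """Toy stream cipher (SHA-256 in counter mode); a stand-in, NOT CSS."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], pad))
    return bytes(out)

def check_tag(title_key):
    # Assumption of this example: a tag that lets a player detect a bad unwrap.
    return hmac.new(title_key, b"title-key-check", "sha256").digest()

def master_disc(movie, player_keys, revoked=frozenset()):
    """Encrypt the movie under a fresh title key; wrap that key per player."""
    title_key, nonce = os.urandom(16), os.urandom(16)
    slots = {name: stream_xor(pk + nonce, title_key)
             for name, pk in player_keys.items() if name not in revoked}
    return {"nonce": nonce, "slots": slots, "check": check_tag(title_key),
            "movie": stream_xor(title_key, movie)}

def play(disc, name, player_key):
    """Return the plaintext movie, or None if this player cannot unwrap."""
    wrapped = disc["slots"].get(name)
    if wrapped is None:
        return None
    title_key = stream_xor(player_key + disc["nonce"], wrapped)
    if not hmac.compare_digest(check_tag(title_key), disc["check"]):
        return None
    return stream_xor(title_key, disc["movie"])

def demo():
    keys = {m: os.urandom(16) for m in ("vendor_a", "vendor_b", "vendor_c")}
    movie = b"constructed sample movie bytes " * 4
    old = master_disc(movie, keys)                        # pressed before revocation
    new = master_disc(movie, keys, revoked={"vendor_b"})  # pressed after
    return {
        "a_plays_new": play(new, "vendor_a", keys["vendor_a"]) == movie,
        "b_plays_new": play(new, "vendor_b", keys["vendor_b"]) == movie,
        "b_plays_old": play(old, "vendor_b", keys["vendor_b"]) == movie,
        "wrong_key_rejected": play(old, "vendor_a", keys["vendor_b"]) is None,
    }

if __name__ == "__main__":
    print(demo())
```

Revocation only stops the revoked key from opening discs mastered afterwards; every disc pressed before it still decrypts under that key.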