Is secure DRM actually possible?

Rainsford

Given my overall interest in cryptography, and my more recent coursework involving crypto, I've been thinking about whether or not it is actually possible to create a truly secure DRM solution. Having recently seen that the DRM for iTunes has been cracked, I've been leaning more and more towards "No" as the answer to my question.

Think about it. Since you have to be able to decrypt the song/movie/whatever in question to actually view or listen to it, you must already have all the information necessary to actually do the decryption. So the entire security of DRM must rely on hiding the process of actually doing the decryption from you.

As I understand all the current systems, your key plus the encrypted file go into a black box and the song or movie plays as it is decrypted. They make the program unable to actually save the output so you have to decrypt it every time, and since you don't know how the decryption process works you can't write a program that decrypts and saves the output. This seems fine, in theory.

Except of course that one of the fundamental principles of cryptography is that you cannot create a secure cryptosystem that gets its security from the secrecy of the algorithm. If you have the key, an encrypted input and know what the output should look like, eventually you will find out how the key is used to decrypt the input and then you'll know the algorithm (or at least how to emulate it).

Given all of that, I don't think it's possible to create a secure DRM system. No matter what kind of cryptosystem you use, or how secure it is when you don't know the key, it remains fundamentally true that your copy of the software MUST be able to decrypt the content. So every single secret needed to decrypt the content is already on your computer, you just have to find out how to use it.

I'm not an expert in cryptography, but as far as I know every secure cryptosystem in use today relies on the secrecy of the keys, not the algorithm. A lot of companies try to say their proprietary (and secret) cryptosystem is more secure, and they are generally laughed at by cryptographers. But I'm curious, does anyone else have any thoughts on this? I'd be interested to see if anyone disagrees here, so fire away ;)
 

Matthias99

Originally posted by: Rainsford
As I understand all the current systems, your key plus the encrypted file go into a black box and the song or movie plays as it is decrypted. They make the program unable to actually save the output so you have to decrypt it every time, and since you don't know how the decryption process works you can't write a program that decrypts and saves the output. This seems fine, in theory.

Except of course that one of the fundamental principles of cryptography is that you cannot create a secure cryptosystem that gets its security from the secrecy of the algorithm. If you have the key, an encrypted input and know what the output should look like, eventually you will find out how the key is used to decrypt the input and then you'll know the algorithm (or at least how to emulate it).

This is basically correct. Any system where you have the keys (such as symmetric-key compression) can be broken eventually by figuring out what they do to the data to encrypt it -- then you can just reverse the steps. Asymmetric-key encryption would require you to figure out what *their* key is as well, and if they picked a big enough one, that would be essentially impossible (or at least it would take a long time to do). However, they don't like to use these systems (such as RSA) for DRM, since doing the decryption takes a lot of CPU time (and so cannot always be done in real time for high-density media files like movies). Plus, once the key is broken (and it's just a matter of time), the system is useless. They could change keys every few months, but then key management becomes a problem.

What you *could* do is to use asymmetric encryption and provide each customer with their own private key (or set of public/private keys) for the content they download. Thus, even if you crack *your* encryption key(s), that won't let you play anyone else's files. At that point you could then decrypt and distribute anything you had downloaded, though. This would require encrypting files on demand when someone buys them from your service, but is probably the best option. Realistically, the best they can do is to make getting around the DRM enough of a PITA that most people won't bother with it, or so that even if they do get around it, distributed files can be traced back to them. There will always be people getting around the system (look at how many black-market DVDs there are out there), but if a large percentage of the customer base plays by the rules, the content producers still make a profit.
 

f95toli

I think the main problem is that you still need to be able to watch the movie/listen to the song eventually which usually means that you have to convert it into an analog signal, and then it is always possible to record that signal. If you use a good ADC you can make very good "copies" and most people would not notice the difference. "Copy protected CDs" is just nonsense, if you have a good soundcard you can still sample what comes out of your CD-player.

You can of course try to use an encrypted digital signal for as long as possible, I think both HDMI and the Firewire-standard used by for example Pioneer to transfer sound are copy protected. But again I think it is quite easy to crack.

 

cquark

The only hope for secure DRM is to remove the PC or other hardware from the control of the end user. That's what Microsoft attempted to do with the Xbox, but mod chips and software buffer overflows in some games have shown that what's possible in theory may be extremely difficult to achieve in practice. However, they're going to try to do the same for the PC: check the Trusted Computing FAQ for more information about how Microsoft is working with hardware manufacturers to take control of the PC away from the end user to enable DRM. The FAQ is maintained by security expert Ross Anderson, who also wrote the well-known paper "Why Cryptosystems Fail", analyzing failures in the British ATM network.
 

helpme

Originally posted by: Matthias99
What you *could* do is to use asymmetric encryption and provide each customer with their own private key (or set of public/private keys) for the content they download. Thus, even if you crack *your* encryption key(s), that won't let you play anyone else's files. At that point you could then decrypt and distribute anything you had downloaded, though. This would require encrypting files on demand when someone buys them from your service, but is probably the best option. Realistically, the best they can do is to make getting around the DRM enough of a PITA that most people won't bother with it, or so that even if they do get around it, distributed files can be traced back to them. There will always be people getting around the system (look at how many black-market DVDs there are out there), but if a large percentage of the customer base plays by the rules, the content producers still make a profit.

Isn't this the way that Apple's DRM worked and was cracked? I was under the impression that you could only use 'fairplay' to decrypt your own purchased songs.
 

Matthias99

I haven't been following iTunes and decryption efforts thereof real closely, so it's entirely possible.
 

beatle

DVD-Audio's copy protection scheme (CPPM) is still secure, unfortunately. It uses 56-bit keys instead of CSS' 40-bit keys. These are still crackable, but it takes quite a bit longer. It also uses MKBs (media key blocks) on the playback devices. In the case of someone compromising the key out of, say, Creative's DVD-audio player, the key authority could revoke the keys issued and make all playback of future DVD-audio discs incompatible with that player. This could be a real mess if they actually started revoking keys that had been compromised from a popular player. The manufacturer would have to replace the offending device / software. I have a feeling this would make a lot of people angry.
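
The revocation mechanism described in the post above, as an added example that is not part of the original thread: a simplified model in which each disc carries a media key block holding that disc's media key wrapped once per non-revoked device key. The HMAC-based key wrap, the per-device table layout and all device names are assumptions of the example, not CPPM's actual cipher or format.

```python
import hashlib, hmac, secrets

TAG_LEN = 8

def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()

def wrap(device_key: bytes, disc_id: bytes, media_key: bytes) -> bytes:
    # Toy key wrap (assumption, not CPPM's cipher): XOR with an HMAC-derived pad, plus a tag.
    pad = _prf(device_key, b"pad", disc_id)[:len(media_key)]
    ct = bytes(a ^ b for a, b in zip(media_key, pad))
    return ct + _prf(device_key, b"tag", disc_id + ct)[:TAG_LEN]

def unwrap(device_key: bytes, disc_id: bytes, blob: bytes):
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(device_key, b"tag", disc_id + ct)[:TAG_LEN]):
        return None  # wrong device key or tampered entry
    pad = _prf(device_key, b"pad", disc_id)[:len(ct)]
    return bytes(a ^ b for a, b in zip(ct, pad))

def make_mkb(device_keys: dict, revoked: set, disc_id: bytes, media_key: bytes) -> dict:
    # Key authority: one wrapped copy of the media key per non-revoked device.
    return {dev: wrap(k, disc_id, media_key)
            for dev, k in device_keys.items() if dev not in revoked}

def can_play(dev: str, device_key: bytes, disc_id: bytes, mkb: dict, media_key: bytes) -> bool:
    blob = mkb.get(dev)
    return blob is not None and unwrap(device_key, disc_id, blob) == media_key

def run_scenario() -> dict:
    # Constructed device population; names and keys are made up for the example.
    device_keys = {d: secrets.token_bytes(16) for d in ("player-A", "player-B", "player-C")}
    results = {}
    # disc1 is pressed before any compromise; disc2 after player-B's key is revoked.
    for disc, revoked in (("disc1", set()), ("disc2", {"player-B"})):
        media_key = secrets.token_bytes(16)
        mkb = make_mkb(device_keys, revoked, disc.encode(), media_key)
        results[disc] = {d: can_play(d, k, disc.encode(), mkb, media_key)
                         for d, k in device_keys.items()}
    return results

if __name__ == "__main__":
    for disc, outcome in run_scenario().items():
        print(disc, outcome)
```

In the output, player-B still plays disc1 because revocation only takes effect on discs issued afterwards, while every owner of that player model loses disc2.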
 

CTho9305

Originally posted by: beatle
DVD-Audio's copy protection scheme (CPPM) is still secure, unfortunately. It uses 56-bit keys instead of CSS' 40-bit keys. These are still crackable, but it takes quite a bit longer. It also uses MKBs (media key blocks) on the playback devices. In the case of someone compromising the key out of, say, Creative's DVD-audio player, the key authority could revoke the keys issued and make all playback of future DVD-audio discs incompatible with that player. This could be a real mess if they actually started revoking keys that had been compromised from a popular player. The manufacturer would have to replace the offending device / software. I have a feeling this would make a lot of people angry.

Still, you can tap the decrypted data before the DAC if you have to, unless the DAC also does the decoding.
 

Mday

it is very possible. but how long it can remain "secure" is the problem. any encryption that exists can be broken.. some just longer than others. the industry has to consider how long the content is profitable, then apply an appropriate DRM to it since the weaker the crypto, the cheaper it is.

encryption is very much secure as long as no one knows what type of crypto it is. there is so much information about WEP, that its flaws were found immediately. if you make certain key aspects of the DRM implementation secret (choosing the wrong parts to reveal is detrimental), the implementation will last longer. consider CSS which is used on DVDs. a programmer screwed up and allowed the "de" CSS algorithms\steps\codes to be revealed. The programmer worked for a company that Real Networks acquired. This is where DeCSS came from.

this also leads to another point. hardware implementations can be somewhat more secure than software implementations. the Xbox uses a hardware system to do its DRM, although it has already been broken (somewhat).
 

Rainsford

Originally posted by: Mday
...
encryption is very much secure as long as no one knows what type of crypto it is
...

That's what I was saying, that is the approach most modern DRM seems to use, but as far as I know, this goes against prevailing cryptographic wisdom. The best cryptographic systems out there right now (AES, RSA, etc) are good because their inner workings are open and reviewed by anyone who cares to do so.

The idea that security through obscurity can be successful does not have a great track record simply because anything a person can design, another person can reverse-engineer. Open cryptographic standards, on the other hand, are very secure because no matter how well you know how the AES algorithm works, unless you know the key I used to encrypt my data, you can't read it. I could have used any possible keys, and assuming there is no big weakness in AES, there is no way for you to discover what key I used without trying them all, a process that is time consuming enough not to worry me.

Obviously DRM can't use something like AES or RSA if it wants to prevent you from writing another application that can also decrypt, so they use that whole security through obscurity thing. I wanted to know if maybe I was the only one who couldn't come up with a "better" DRM.
 

Rainsford

Originally posted by: helpme
What you *could* do is to use asymmetric encryption and provide each customer with their own private key (or set of public/private keys) for the content they download. Thus, even if you crack *your* encryption key(s), that won't let you play anyone else's files. At that point you could then decrypt and distribute anything you had downloaded, though. This would require encrypting files on demand when someone buys them from your service, but is probably the best option. Realistically, the best they can do is to make getting around the DRM enough of a PITA that most people won't bother with it, or so that even if they do get around it, distributed files can be traced back to them. There will always be people getting around the system (look at how many black-market DVDs there are out there), but if a large percentage of the customer base plays by the rules, the content producers still make a profit.

Isn't this the way that Apple's DRM worked and was cracked? I was under the impression that you could only use 'fairplay' to decrypt your own purchased songs.

Yeah, that's right. You need your key to decrypt your songs, so obviously you must have purchased them at some point.

However, this is really a failure of Apple's DRM because once you buy the song and crack the encryption on it, you can do whatever you want with it. And that is exactly what DRM tries to prevent.
 

beatle

Originally posted by: CTho9305
Originally posted by: beatle
DVD-Audio's copy protection scheme (CPPM) is still secure, unfortunately. It uses 56-bit keys instead of CSS' 40-bit keys. These are still crackable, but it takes quite a bit longer. It also uses MKBs (media key blocks) on the playback devices. In the case of someone compromising the key out of, say, Creative's DVD-audio player, the key authority could revoke the keys issued and make all playback of future DVD-audio discs incompatible with that player. This could be a real mess if they actually started revoking keys that had been compromised from a popular player. The manufacturer would have to replace the offending device / software. I have a feeling this would make a lot of people angry.

Still, you can tap the decrypted data before the DAC if you have to, unless the DAC also does the decoding.

Sadly, that's hardly feasible to do, or I would have re-recorded my DVD-Audio stuff already for convenience and backup's sake.