1

Anonymous Trust: Digital Rights Management Using Broadcast Encryption

Proceedings of the IEEE, Vol. 92, No. 6, June 2004


2

Outline

- Introduction
- Broadcast encryption
- Content binding
- Server side binding - the anonymous trust system
- XCP cluster protocol and the home network
- Download to the home network
- Conclusion

3

Introduction

- Cryptography in DRM system
  - The attacker has the keys
  - Providing a hook to force compliance
- Public-key based system
  - Both the client and server have public-key certificates
  - Using the handshake protocol
  - Expensive
  - The dependency on an online handshake protocol makes it unsuitable for physical media or broadcast-based distribution

→ Broadcast encryption

4

Broadcast encryption

- Fiat & Naor, 1993: find a key management scheme with revocation, but without the handshake protocol
  → called broadcast encryption to emphasize its one-way nature
- Size/performance tradeoff
  - Much larger amount of data should be transferred
  - Require less time for calculations

5

Broadcast encryption

- Matrix-based schemes
  - Content protection for recordable media (CPRM)
  - Content protection for prerecorded media (CPPM)
  - Media key block
  - Device keys
- Drawbacks:
  - The size of the matrix
  - Sensitive to insider attacks

6

Broadcast encryption

The media key block is prerecorded on blank media at manufacturing time

The key matrix is generated by the CPRM licensing agency and is preembossed in the lead-in area on the disk

The media key block is the encryption of the media key using the different device keys
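A simplified model of the matrix scheme described on these slides, added here as an illustration and not taken from the paper or the CPRM specification. The toy matrix size, the SHA-256 XOR pad standing in for the real cipher, the verification tag and all function names are assumptions.

```python
import hashlib
import secrets

COLS, ROWS = 4, 8  # constructed toy size; a real key matrix is far larger

def h(tag, data):
    return hashlib.sha256(tag + data).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_matrix():
    # Licensing agency: one secret key per matrix cell.
    return [[secrets.token_bytes(32) for _ in range(ROWS)] for _ in range(COLS)]

def issue_device(matrix, rows):
    # A device holds one key per column; rows[c] is its row in column c.
    return [(c, r, matrix[c][r]) for c, r in enumerate(rows)]

def make_mkb(matrix, media_key, revoked):
    # Cells owned by revoked devices carry junk; all others wrap the media key.
    dead = {(c, r) for dev in revoked for c, r, _ in dev}
    cells = {(c, r): secrets.token_bytes(32) if (c, r) in dead
             else xor(media_key, h(b"cell", matrix[c][r]))
             for c in range(COLS) for r in range(ROWS)}
    return {"cells": cells, "verify": h(b"verify", media_key)}

def process_mkb(device, mkb):
    # One-way: the device only reads the block, trying each of its columns.
    for c, r, key in device:
        candidate = xor(mkb["cells"][c, r], h(b"cell", key))
        if h(b"verify", candidate) == mkb["verify"]:
            return candidate
    return None

def demo():
    matrix, km = make_matrix(), secrets.token_bytes(32)
    pirate1 = issue_device(matrix, [0, 1, 2, 3])
    pirate2 = issue_device(matrix, [1, 5, 6, 7])
    honest = issue_device(matrix, [0, 5, 6, 7])   # overlaps both pirates
    one = make_mkb(matrix, km, [pirate1])
    two = make_mkb(matrix, km, [pirate1, pirate2])
    return (process_mkb(pirate1, one) is None,    # revoked device locked out
            process_mkb(honest, one) == km,       # honest still has live columns
            process_mkb(honest, two) is None)     # collateral: every cell is dead
```

The third result shows why the matrix has to be large: each revocation kills cells that honest devices share, so a small matrix runs out of usable cells after a few compromised devices.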

7

Broadcast encryption

- CPRM key matrix

8

Broadcast encryption

- Tree-based schemes
  - Wallner, 1997 and Wong, 1997 → Logical key hierarchy (LKH) trees
  - IBM, 2001 → subset-difference approach (NNL trees)
    - More concise than LKH trees
    - The size of the key management block in an NNL system is literally of the same order as the size of a public-key certificate revocation list

9

Broadcast encryption

10

Broadcast encryption

11

Broadcast encryption

- Tricks in NNL
  - Revoke more than one device
  - How does it store the billions of keys? → the lower level keys are one-way functions of the higher level keys
- NNL trees are the strongest known key management block technology in terms of number of revocations for a given size
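The two NNL tricks above, worked through on a 16-device tree as an added example that is not from the paper. HMAC-SHA256 stands in for the one-way function, the heap-style node numbering and every function name are assumptions, and the sketch covers a single subset key only.

```python
import hashlib
import hmac
import secrets

DEPTH = 4  # constructed toy tree: leaves (devices) are nodes 16..31, root is 1

def G(label, tag):
    # Assumed one-way function (HMAC-SHA256); tag picks left, right or key output.
    return hmac.new(label, tag, hashlib.sha256).digest()

def is_anc(a, d):
    # Heap numbering: a is an ancestor-or-self of d iff bin(a) prefixes bin(d).
    return bin(d).startswith(bin(a))

def derive(label, frm, to):
    # Walk down from node frm to its descendant to, one G step per level.
    for bit in bin(to)[len(bin(frm)):]:
        label = G(label, b"L" if bit == "0" else b"R")
    return label

def center_key(base, i, j):
    # Key for subset S(i, j): every leaf under i except those under j.
    return G(derive(base[i], i, j), b"M")

def device_labels(base, u):
    # For each ancestor i, store the labels of the siblings hanging off u's path.
    store, i = {}, u >> 1
    while i >= 1:
        j = u
        while j != i:
            store[i, j ^ 1] = derive(base[i], i, j ^ 1)
            j >>= 1
        i >>= 1
    return store

def device_key(store, i, j):
    # Succeeds only if some stored label sits at or above j inside subtree i.
    for (si, s), label in store.items():
        if si == i and is_anc(s, j):
            return G(derive(label, s, j), b"M")
    return None

def demo():
    base = {i: secrets.token_bytes(32) for i in range(1, 2 ** DEPTH)}
    target = center_key(base, 1, 10)   # S(1, 10) revokes leaves 20 and 21 together
    ok = {u: device_key(device_labels(base, u), 1, 10) == target
          for u in range(16, 32)}
    return len(device_labels(base, 16)), ok
```

Each device stores 10 labels here yet can reach the key of every subset it belongs to, while devices 20 and 21 hold no label at or above node 10 and cannot invert G to get one.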

12

Content binding in CPRM

- The unique media key calculation: $K_{mu} = H(K_m, ID_m)$ → the binding step
- Encryption: $D_i = e_{K_{mu}}(K_{t_i}\,H[CCI_i])$
  - CCI: copy control information
  - $D_i$ is then stored on the media (the unique media key encrypts the title keys, and the title keys encrypt the content)
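What the binding step buys, as an added example that is not code from the paper or the CPRM specification. The operator joining Kti and H[CCIi] did not survive on the slide, so XOR is assumed; the truncated SHA-256 hash, the XOR-pad cipher, the media IDs and the CCI strings are also constructed stand-ins.

```python
import hashlib
import secrets

def H(*parts):
    # Length-prefixed SHA-256, truncated to 16 bytes (stand-in for CPRM's hash).
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()[:16]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def e(key, i, block):
    # Stand-in cipher: XOR with a pad derived from the key and title index i.
    # Applying it twice decrypts. It is not the cipher CPRM uses.
    return xor(block, H(b"pad", key, bytes([i])))

def bind_title(km, id_m, i, kt, cci):
    kmu = H(km, id_m)                    # Kmu = H(Km, IDm): the binding step
    return e(kmu, i, xor(kt, H(cci)))    # Di, assuming XOR joins Kti and H[CCIi]

def recover_title(km, id_m, i, d_i, cci):
    kmu = H(km, id_m)                    # player recomputes Kmu from the disc it reads
    return xor(e(kmu, i, d_i), H(cci))

def demo():
    km = secrets.token_bytes(16)         # media key, obtained from the media key block
    kt = secrets.token_bytes(16)         # title key that encrypts the content
    disc_a, disc_b = b"MEDIA-ID-0001", b"MEDIA-ID-0002"   # constructed media IDs
    cci = b"copy-never"                  # constructed CCI value
    d0 = bind_title(km, disc_a, 0, kt, cci)
    return {
        "original": recover_title(km, disc_a, 0, d0, cci) == kt,
        "bit_copy": recover_title(km, disc_b, 0, d0, cci) == kt,
        "edited_cci": recover_title(km, disc_a, 0, d0, b"copy-freely") == kt,
    }
```

A bit-for-bit copy onto media with a different ID, or a disc whose copy control information has been edited, yields the wrong title key even though the player holds valid device keys.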

13

Server side binding

CPRM enables a simple DRM system

- The client software would read the media key block and the media ID on the blank recordable DVD, and upload them to a DRM server
- The server has a set of device keys to process the media key block, perform the binding calculation, and prepare a disk image
- The client software burns the DVD

14

Server side binding

Advantages of this system

- The client software contains no secrets
- The question of when to charge the consumer for the download does not occur (before or after the acknowledgment of the client?)
  → The content has been customized to one particular piece of media, so it can be downloaded over and over again without the extra downloads counting as extra copies

15

Server side binding

Advantages for the consumer

- The content is designed to be consumed in the user’s normal electronic devices (e.g. TV, DVD player)
- Supporting the concept of “doctrine of first sale” (only payable on the first sale)
- The content owners are confident that the content will not be misused, even if they do not know whom they have given it to
  → the anonymous part of anonymous trust

16

XCP cluster protocol and the home network

Next-generation entertainment devices are increasingly incorporating home networking technologies that allow easier access to content

The approach proposed in this paper is the only system that uses broadcast encryption; all other systems rely on public-key cryptography

17

XCP cluster protocol and the home network

A cluster of devices agree on a common key for content encryption

18

XCP cluster protocol and the home network

The devices in the xCP cluster have agreed upon three things:

- A common key management block
- The binding identifier (the network id)
- The authorization table

Binding key: $K_b = H(K_m, ID_b\,H[\text{Auth table}])$

All content in the home is protected by the binding key (the binding key encrypts the title keys for each piece of content, and the title keys are used to actually encrypt the content)

19

XCP cluster protocol and the home network

Devices can calculate the binding key without having to have a conversation with any other device on the network

Devices are compliant and will not perform the forbidden action

20

XCP cluster protocol and the home network

Device join

21

XCP cluster protocol and the home network

New binding

22

XCP cluster protocol and the home network

Device removal

23

Download to the home network

- The xCP cluster protocol supports the DRM download function by having the DRM server actually join the cluster
- The DRM server can deliver and bind content to an entire home, not just a single piece of media
- The server learns the cluster ID and can calculate the cluster’s binding key
- Instead of a pay-for-download service, it uses the broadcast encryption

24

Conclusion

- Many DRM systems use public-key cryptography, but this approach has several drawbacks
  - Computationally demanding
  - Bidirectional connection
  - The end user’s privacy can be compromised easily
- A new approach: broadcast encryption
  - Suited for integration in low-cost consumer devices
  - Providing a much higher level of consumer privacy
  - Supporting disconnected distribution
- DRM systems based on broadcast encryption have high potential