techtrends By Brian Dipert, Technical Editor

Media security thwarts temptation, permits prosecution

RAMPANT PIRACY OF UNPROTECTED DIGITAL MEDIA HAS CONTENT DEVELOPERS AND DISTRIBUTORS SCRAMBLING TO CONSTRAIN, REDEFINE, AND EXPLOIT THIS “NEW WORLD ORDER.” IN DEVELOPING YOUR MEDIA-RECORDING AND -PLAYBACK DEVICES, BEWARE OF CREEPING SECURITY ELEGANCE THAT, LEFT UNCHECKED, WILL GIVE RISE TO GADGETS NOBODY WANTS—OR CAN FIGURE OUT HOW—TO USE.

Illustration by Daniel Guidera

Numerous lawsuits, some of which have already returned verdicts against the defendants, attempt to curtail the illegal distribution of copyright-protected digital media, such as electronic books, still images, audio files, and video movies. Rock band Metallica and rap artist Dr Dre have even taken the unusual step of pursuing legal action not only against a software company whose product supposedly promotes such content-sharing, but also against

several universities whose students swap files using the school-supplied computer networks. Consortiums such as the Recording Industry Association of America (RIAA) and Motion Picture Association (MPA) are frantically developing security standards to protect their traditional revenue streams as e-stores replace brick-and-mortar and as electrons replace paper, plastic, magnetic tape, and silver-halide film. What’s all the fuss about?

Sidebars: At a glance; Back to basics; Belatedly closing Pandora’s box; Securing—and circumventing—at high speed; For more information

, which lets -connected users view and download MP3 files stored on other computers, boasts millions of registered users and claims that because its servers don’t host the files, it’s not responsible for illegal use of its software. is a similar program developed by Justin Frankel, the originator of the popular MP3 player. Gnutella extends access and exchange to any type of file (including, unfortunately, pornography); uses a direct peer-to-peer network connection instead of a central director server; was released in open source this spring (to the consternation of Nullsoft’s purchaser, America Online); and has spread throughout the Internet in dozens of mutations. Scour.net’s Scour Exchange and programs such as CuteMX, FreeNet, iMesh,

and VBGnutella offer similar features. College students, who historically purchase a significant percentage of audio CDs and videotapes, have enjoyed speedy broadband Internet access for years, thanks to their university accounts. With ADSL (asymmetrical-digital-subscriber-line) and cable modems now entering homes in a big way, even more traditional music and video consumers can quickly download and stream multimegabyte files.

Where are these files coming from? Today’s high-powered PCs can achieve bit-accurate extraction of CD audio content and compress it to one-twelfth (MP3) or even one-twenty-fourth (MS Audio) its original size with little-to-no discernible quality loss (Reference 1). Both extraction and compression occur several times faster than ordinary playback speeds, and digital copies retain much higher quality than bootlegs made in the analog past. Multigigabyte hard drives are now pervasive, as are fast-writing CD-recordable drives. Rapid encoding and transcoding of video streams are now within the reach of computer users. Courtesy of programs such as DeCSS, a transcoded DVD, albeit with some audio- and video-quality loss, can fit onto a CD. Large-screen, high-resolution computer monitors can easily display high-definition images, portable MP3 and MiniDisc players are obsoleting analog tape, and digital speakers and high-definition-TV displays are establishing footholds in homes.

www.ednmag.com June 22, 2000 | edn 101 techtrends Digital-media security

AT A GLANCE

• Burgeoning digital text, audio, and video media combine with high-speed Internet access, high-performance computers, and cheaper and denser storage to create a piracy potential that gives Hollywood nightmares.

• When evaluating security algorithms for incorporation within your systems, be sure to balance robustness with ease of use and performance.

• Don’t let the content developers’ and distributors’ fear and greed lead you to implement features that circumvent privacy or restrictions that violate consumers’ duplication and transfer rights for their legally obtained media.

• An ideal security system combines the concepts of authentication, encryption, and renewability.

In attempting to stem the flood of illegal media sharing, the content creators and distributors and you, their equipment-manufacturer partners, must walk a thin line. On the one hand, you’re enforcing the valid copyright claims of those who developed the material. However, you can’t excessively constrain customers who are exercising their legal rights to make copies for their own use of media they own and to transfer ownership of that purchased media to others. Media-security, or DRM (digital-rights-management) systems should be invisible to honest users (this invisibility is called “eliminating false positives”), while acting as strong deterrents to pirates. And, to simplify your implementation, one or only a few DRM systems are desirable, though recent trends point to an explosion of alternatives. The IEC (International Electrotechnical Commission) is attempting to standardize a means of coping with this diversity of op-

Figure 1: High-speed digital interconnections both to and within homes transform into reality The Jetsons creators’ cartoon vision of the future, but they also raise serious security concerns. (Diagram labels: ADSL, cable modem, satellite; DVI; S/PDIF, USB; Bluetooth, Ethernet, HomePNA, HomeRF, IEEE 1394, IEEE 802.11, powerline, S/PDIF, USB.)


BACK TO BASICS

People often use the terms “encryption” and “watermarking” interchangeably. In truth, the terms refer to different technologies, although both are important aspects of a comprehensive digital-rights-management system, and you can sometimes use watermarking to implement encryption.

Two main types of encryption exist. Symmetrical, or synchronous, encryption uses the same security key to “lock” and scramble an outgoing file and to recover a bit-exact copy of the original content at the destination. Examples of symmetrical encryption include the now-broken DES (Data Encryption Standard); its interim replacement, triple-DES, which, as the name implies, runs each data packet through DES encryption three times; next-generation AES (Advanced Encryption Standard); and RC (Rivest’s Cipher). The primary advantage of symmetrical encryption is its high-speed encoding and decoding, which occurs because the algorithms employ relatively simple transposition and substitution steps. The Achilles’ heel of the approach, though, is the common key, which the source must transmit to the destination via a secure channel or a trusted third party. If something intercepts the bit stream and the unintended recipient figures out the key, the media is vulnerable. On the other hand, clever encryption can result in the delivery of a legitimate-appearing but incorrect piece of media, such as a bogus memo, to a recipient using an invalid key.

Asymmetric, or asynchronous, encryption employs dual keys (Figure A). The sender encrypts the media with the recipient’s public key, and the recipient decrypts it with his or her private key. Exchange of public keys requires no secure channel, and the recipient can ensure authentication of a valid sender. However, the key-generation, encryption, and decryption algorithms, commonly based on prime-number techniques, require multiplication operations that are time-consuming and performance-intensive. Asymmetric encryption examples include the RSA (Rivest, Shamir, and Adleman) and Diffie-Hellman algorithms.

Figure A: Symmetrical encryption’s key benefit is its speed (a), whereas asymmetrical encryption is more robust and offers a full set of capabilities (b).

Hybrid schemes that combine asymmetric and symmetric encryption, such as a combination of RSA and DES, are also possible. Consider, for example, the approach that HDCP (High-bandwidth Digital Copy Protection) takes. Asymmetric encryption establishes the initial authorization between host and display, as well as the periodic reauthorization. Faster symmetric compression handles the content transfer. Any performance-critical application can incorporate a similar approach. DTCP (Digital Transmission Copy Protection) comprehends support for both asymmetric and symmetric protocols. It supports symmetric protocols for their supposed lower value, single- and free-copy material.

Streaming delivery is the key target of RPK SecureMedia, a New Zealand (therefore not subject to US export restrictions) cryptography company funded by, among others, streaming-media pioneer RealNetworks. RPK claims that its proprietary approach combines the benefits of public/private-key systems, such as authentication, digital signatures, certificates, and key management, with the speed of symmetric systems in one encryption and decryption engine. The Encryptonite Toolkit offers a choice of 80 levels of security using 127- to 2281-bit-long keys. Detractors point to the fact that no one knows how robust RPK’s proprietary encryption algorithms are, because they haven’t been subjected to the same intense scrutiny as standards-based alternatives, such as those from Intel spin-off PassEdge.

RPK supports a variety of platforms, including C and C++ libraries for Windows 9x and NT; HP/UX, Solaris, Linux, Java, and Delphi; DLLs (dynamically linked libraries) and ActiveX controls; and an ANSI-standard C library for embedded systems. Tested compilers include Visual C++, Borland C++, and Gnu/g++. One other unique attribute of the Encryptonite approach is RPK’s assertion that, aside from greater initial latency analogous to a FIFO-buffer fill, increased key length does not degrade performance. The company is developing hardware-based encryption and decryption accelerators to supplement its software offerings.

PassEdge’s StreamAccess encryption algorithms take advantage of any hardware-accelerated integer arithmetic logic within a microprocessor, such as Intel’s MMX (multimedia-extensions) instruction set. The company targeted a 166-MHz Pentium CPU for its client-side security software and estimates that with a less-than-1-Mbyte memory footprint, including a graphical user interface, the device will consume no more than 3% of a 450-MHz Pentium II CPU while decrypting an incoming 1.5-Mbps stream. Note, though, that these performance claims are only for access security. Should you also want to incorporate the company’s BeyondAccess copy-protection algorithms, they’ll take up more system resources. Although most of PassEdge’s work has centered on Wintel-based systems, the company’s products don’t have operating-system-specific links, such as Windows COM calls, improving portability. Client-side software is free; PassEdge makes its money from server-side sales.

Now for watermarking, or steganography (from the Greek words for “covered writing”) (Reference A). Your first exposure to this technique may have been when you held a piece of paper up to a strong light and saw a faint, normally invisible, manufacturer or publisher logo. Digital “fingerprinting” applies the same concept to electronic media. Watermarking might find use as a means of hiding the secure key in symmetrical encryption. More commonly, however, content distributors use watermarking to encode copyright and other media

source information, and to document usage regulations. These rules include duration of access, the number of times a user can access the media under certain purchase conditions, duplication capability (or lack thereof), and geography-based access rights (such as a movie that you can play in the United States but not in Europe). Internet search “spiders” can then use all of this embedded data to detect illegal media distribution and to subsequently prosecute the perpetrators.

Think about it for a minute, and you’ll realize how challenging watermarking is to implement. The watermark must be durable enough to withstand repeated media degradation due to transcoding (such as WAV conversion to MP3, TIFF translation to JPEG or DV encoding to MPEG). However, the watermarking must be invisible or inaudible under normal usage conditions. It can’t inject so much additional randomness into the source media that it increases the compressed file size necessary for a given quality level (or degrade the quality level at an application-defined greater file size or bit rate). It also must tolerate transmission errors; a watermark can’t be voided by dropped packets during a streaming transmission or circumvented by selective deletion of portions of a picture or sound clip.

Digimarc is perhaps the best-known image-watermarking company. Photo steganography works by slightly shifting the color values of random pixels to whose wavelengths the human eye is insensitive and therefore from which the alteration is comparatively unnoticeable. Beginning with Version 4.0 of PhotoShop, Adobe began distributing a plug-in that detects Digimarc watermarks, such as photographer copyright information, in images.

Digimarc has recently partnered with a number of PC-tethered videocamera manufacturers to distribute software, which, if you hold a magazine advertisement up to the camera, detects its watermark and sends notification to the advertiser indicating that you’d like additional information. You could extend Digimarc’s techniques to the video domain, but frame-by-frame watermarking would probably be overkill as well as too time-consuming and expensive.

One common technique available to those wishing to watermark digital audio involves injection of low-level broadband and time-independent noise. As with still images, you need to balance transparency—the inability to hear the watermark, particularly at critical “sweet-spot” frequencies—with robustness—the ability for the watermark to withstand multiple generations of compression and transcoding. Another more sophisticated audio-watermarking approach, echo hiding, exploits the fact that, although reverberation itself is perceptually important, some reverberation details are perceptually irrelevant. Watermarking information hides in echo timing and amplitude data, including using physically “impossible” echoes that the human auditory system ignores.

The Fraunhofer Institute, which developed much of the technology behind the MPEG audio (most notably MP3) and newer AAC (advanced audio codec) algorithms, has also spent much time and effort on audio encryption and watermarking. The company’s watermarking approach is high-performance, which is important when companies must generate license-specific versions of media. The approach also can operate on already-compressed audio files (references B and C). It either slightly increases the bit rate to hold quality constant or partially decodes, then more aggressively quantizes and adds watermarking bits to, perceptually irrelevant frequency bands.

Fraunhofer’s encryption technique is equally interesting (references D and E). The company encrypts each group of audio samples within the encoding processes of spectral decomposition, temporal and frequency masking, and quantization and then descrambles before inverse quantization and filter-bank resynthesis (Figure B). Embedding encryption within encoding allows the encryption algorithm to selectively place its manipulations in certain frequency bands. This flexibility means that you can create an encrypted file that an audio decoder without access to the proper key can still play, albeit with an adjustable amount of distortion. Applying this concept to e-commerce means that a customer could preview entire songs versus today’s short clips and then purchase a key to enable access to them at their full quality.

Figure B: By embedding the encryption process within the encoding algorithm (a), you can create an audio file that’s playable (at degraded quality) using any decoder and easily unlocked (b) for full fidelity reproduction (courtesy Fraunhofer Institute).

For more information on encryption, check out references F and G. Good Web sites to continue your media-security research include Cryptography Research (www.cryptography.com), Counterpane Labs (www.counterpane.com/labs.html), and Francis Litterio’s cryptography page (world.std.com/~franl/crypto.html).

References

A. Jajodia, Sushil, and Neil F Johnson, “Exploring steganography: seeing the unseen,” IEEE Computer, February 1998, pg 26.

B. Herre, Jurgen, and Christian Neubauer, “Digital watermarking and its influence on audio quality,” 105th Audio Engineering Society Convention, Sept 26 to 29, 1998, San Francisco, CA.

C. Herre, Jurgen, and Christian Neubauer, “Audio watermarking of MPEG-2 AAC bit streams,” 108th Audio Engineering Society Convention, Feb 19 to 22, 2000, Paris.

D. Allamanche, Eric, and Jurgen Herre, “Compatible scrambling of compressed audio,” Proceedings of the 1999 IEEE Workshop on Applications of Signal Processing to Audio and Acoustics, Oct 17 to 20, 1999, New Paltz, NY.

E. Allamanche, Eric, and Jurgen Herre, “Secure delivery of compressed audio by compatible bit-stream scrambling,” 108th Audio Engineering Society Convention, Feb 19 to 22, 2000, Paris.

F. Cravotta, Nicholas, “Encryption: more than just complex algorithms,” EDN, March 18, 1999, pg 105.

G. Schneier, Bruce, Applied Cryptography: Protocols, Algorithms and Source Code in C, Second Edition, ISBN # 0471117099, John Wiley & Sons, 1995.

tions via the Commission’s OPIMA (Open Platform Initiative for Multimedia Access).

Ideally, the content should be decoupled from its access rights, so that if a consumer upgrades or replaces equipment, to which the access rights frequently link, he or she need not obsolete an existing media-library collection. If the security system benefits only the content creators and distributors, consumers’ lukewarm response shouldn’t be surprising. If, however, security safeguards pacify content developers’ concerns and therefore enable consumers to access a broader and richer set of media than they’ve been able to enjoy in the past, the consumers’ acceptance will be more enthusiastic. Examples of richer media include higher resolution images; high-fidelity, multichannel surround sound; smaller files for a given quality level; and otherwise-unavailable clips, such as concerts, music videos, and interviews.

Ultimately, the content developers are free to put whatever restrictions they choose on their media. They can prohibit decoded audio from passing over a digital connection to speakers or digital-video streams from passing to a monitor. They can restrict the playback rate over these digital channels to prevent high-speed duplication. They can embed “watermarks”—copyright and usage-rights information—that obstruct playback or otherwise restrict usage with noncompliant systems (see sidebar “Back to basics”). They can even attempt to retrofit media to prohibit copying and use creative differentiation between the terms “can duplicate” and “are able to duplicate” to tiptoe around legal issues (see sidebar “Belatedly closing Pandora’s box”). But the more restrictions they and, therefore, you place on usage, the more complicated the systems become, increasing the potential for end users’ frustration. And, because compliance with industry consortiums such as the SDMI (Secure Digital Music Initiative) is voluntary, not mandatory, the first major content developer or distributor that loosens its restrictions in response to predicted or actual consumer confusion lowers the bar for everyone.

ONLY AS STRONG AS ITS WEAKEST LINK

Figure 1 shows one possible digital-media-distribution system of today for technologically savvy users or of the near future for everyone else. The first point of digital-media downloading will probably be a PC using a cable modem or an ADSL connection. However, it could also be a cable, terrestrial or satellite digital set-top box, a media server, an Internet-enabled digital audio or video player, or even an advanced cellular phone or personal digital assistant.
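The noise-injection audio watermark from the “Back to basics” sidebar, and its trade-off between transparency and robustness, shown as an added example that is not part of the original article. The host tones, key, payload, block size, amplitude, and the coarse requantization standing in for lossy transcoding are all constructed assumptions; the least-significant-bit mark is added only for comparison.

```python
# Added example (not from the article). Host signal, key, payload and all
# parameter values are constructed for illustration.
import math
import random

PAYLOAD = [1, 0, 1, 1, 0, 0, 1, 0]   # constructed 8-bit usage-rights code
BLOCK = 20000                        # samples that carry one payload bit
AMPLITUDE = 48                       # watermark level, in sample units
KEY = 2000                           # shared secret that seeds the noise


def host_signal(n, rate=44100):
    """Constructed integer 'audio': two sine tones, roughly 790 units RMS."""
    return [int(1000 * math.sin(2 * math.pi * 440 * t / rate)
                + 500 * math.sin(2 * math.pi * 1000 * t / rate))
            for t in range(n)]


def noise_chips(key, n):
    """Keyed broadband noise: a pseudo-random sequence of +1/-1 values."""
    rng = random.Random(key)
    return [1 if rng.random() < 0.5 else -1 for _ in range(n)]


def embed_noise(samples, key, bits, amplitude=AMPLITUDE, block=BLOCK):
    """Add low-level noise; each payload bit sets the sign of one block."""
    chips = noise_chips(key, len(samples))
    out = list(samples)
    for i, bit in enumerate(bits):
        sign = 1 if bit else -1
        for j in range(i * block, (i + 1) * block):
            out[j] += sign * amplitude * chips[j]
    return out


def detect_noise(samples, key, nbits, block=BLOCK):
    """Blind detection: correlate each block with the keyed noise."""
    chips = noise_chips(key, len(samples))
    bits = []
    for i in range(nbits):
        corr = sum(samples[j] * chips[j]
                   for j in range(i * block, (i + 1) * block))
        bits.append(1 if corr > 0 else 0)
    return bits


def embed_lsb(samples, bits, block=BLOCK):
    """Naive mark for comparison: overwrite each sample's lowest bit."""
    out = list(samples)
    for i, bit in enumerate(bits):
        for j in range(i * block, (i + 1) * block):
            out[j] = (out[j] & ~1) | bit
    return out


def detect_lsb(samples, nbits, block=BLOCK):
    """Majority vote over the lowest bits of each block."""
    return [1 if 2 * sum(s & 1 for s in samples[i * block:(i + 1) * block]) > block
            else 0 for i in range(nbits)]


def requantize(samples, step=64):
    """Stand-in for lossy transcoding: round every sample to a coarser grid."""
    return [round(s / step) * step for s in samples]


def level_db(host, marked):
    """Watermark level relative to the host in dB (lower is more transparent)."""
    wm = math.sqrt(sum((m - h) ** 2 for h, m in zip(host, marked)) / len(host))
    sig = math.sqrt(sum(h * h for h in host) / len(host))
    return 20 * math.log10(wm / sig)


def demo():
    host = host_signal(BLOCK * len(PAYLOAD))
    noisy = embed_noise(host, KEY, PAYLOAD)
    lsb = embed_lsb(host, PAYLOAD)
    n = len(PAYLOAD)
    return {
        "noise_clean": detect_noise(noisy, KEY, n),
        "noise_transcoded": detect_noise(requantize(noisy), KEY, n),
        "lsb_clean": detect_lsb(lsb, n),
        "lsb_transcoded": detect_lsb(requantize(lsb), n),
        "noise_level_db": round(level_db(host, noisy), 1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Lowering AMPLITUDE makes the mark quieter but requires a longer BLOCK for the correlation to rise above the host signal, which is the transparency-versus-robustness balance the sidebar describes.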

BELATEDLY CLOSING PANDORA’S BOX

As Hollywood and the consumer-electronics companies drag their feet in finalizing the Secure Digital Music Initiative specification, they ironically exacerbate the copyright-infringement problem by continuing to churn out audio CDs without any security whatsoever and DVD videos with already-compromised illegal-access safeguards. Efforts under way by a number of vendors strive to retrofit digital media with encryption and watermarking capabilities, but legal restrictions and potential hardware and software incompatibilities limit their success.

The Copyright Act of 1976 allows consumers to make as many copies of media for their own use as they want and to transfer all of these copies to another person. (Sharing with others, however, is not allowed, except in academic settings.) The act’s 1992 amendment (commonly known as the Audio Home Recording Act) somewhat restricted this consumer freedom for digital-audio media, prohibiting subsequent duplication of first-generation digital copies in conjunction with the Serial Copy Management System (SCMS).

Production of any system that circumvents SCMS is illegal, but so too is any approach that doesn’t allow consumers to make first-generation copies of their legally obtained digital music. Some of the copy-restricting products now under development, although perhaps acceptable outside the United States, come close to violating or blatantly violate consumer rights under the Home Audio Recording Act. And this discussion concerns only audio. The Macrovision copy protection embedded within the analog output of DVD video players, as well as encoded in some videocassettes and videodisks, reflects the fact that even analog duplication of video content is illegal. The 1998 Digital Millennium Copyright Act, whose legality the US Supreme Court has yet to determine, goes one step further in outlawing attempts to circumvent any copyright-protection scheme.

Both C-Dilla Labs with AudioLok and Midbar Tech with Cactus Data Shield have developed copy-protection schemes that, by inserting small amounts of error data, block playback and, therefore, “ripping” of audio CDs on computer CD-ROM drives. According to the manufacturers, dedicated audio-CD players, because of their greater tolerance of media errors, can still play altered audio CDs (Reference A). However, consumer feedback suggests that reality falls short of this goal. Both systems can optionally disable a CD player’s digital output, an infringement of consumer rights under the Home Audio Recording Act and of the Red Book CD standard. Undeterred, TTR Technologies, whose MusicGuard technology also blocks duplication of audio content on CDs, is working on extending its technology to DVDs.

Divx may be dead, but companies are still trying to figure out how to render CDs and DVDs unplayable after a certain time span or number of viewings. Spectra Science, one of the leading restricted-playback proponents, claims to have figured out how to ensure that, once a consumer opens any optical media’s packaging, the disk will play only for a content-distributor-specified period of time. A touted environmentally friendly chemical that the company applies to the disk is the secret, and the last step in the production process sets the decay duration. Unlike Divx, Spectra Science’s approach requires neither an expensive, custom DVD player, nor that the player connect via phone line to a server for authentication and, some feared, Big Brother snooping of consumer viewing habits.

References

A. Starrett, Robert A, “Recording at the speed of sound,” eMedia, May 2000, pg 28.


Once consumers access a copy of the content, they might want to stream, copy, or move it to other media peripherals in their home or office. A variety of distribution mechanisms is possible, including Ethernet cable, IEEE 1394, and USB 2.0, home-phone-line networking, power-line-network connections, or even wireless. And, to play the file, why bother with the multiple analog-to-digital and digital-to-analog conversions, resolution limitations, and noise coupling, all of which degrade quality, of traditional audio and video cable? Instead, your customers will probably want to run a pure-digital connection to their speakers over S/PDIF (Sony/Philips Digital Interface) or USB and to a display over a DVI (Digital Visual Interface). At no point in this process, however, can unprotected digital data be “in the clear” (also called “plaintext”) so that people can copy it.

Regarding downloading versus streaming, the content distributors would probably prefer to transmit only a temporary, quickly discarded bit stream to each customer. Imagine, for example, paying a monthly subscription fee to a record label and, in exchange, being able to access any song from any album in that label’s catalog 24 hours a day, seven days a week. This scenario maintains maximum distributor control over the content, but it doesn’t let a user listen to the music on a non-Internet-tethered device. Consumers are also familiar and comfortable with going to record stores and purchasing tapes and CDs; the e-commerce analogy is a digital music file. So, a DMX (Digital Music Express)-like distribution system for music will probably supplement but not replace downloading and archiving, though streaming within the home, such as from a PC to an audio receiver via a Turtle Beach AudioTron or an equivalent, is feasible.

Streaming-only delivery of video material is a more likely scenario, replicating today’s pay-per-view and cable-channel subscriptions and partially driven by the huge sizes of video files even after MPEG-2 and other lossy-compression schemes. However, some consumers will undoubtedly be willing to pay an additional fee for archiving capability. In general, you should anticipate some resistance if you provide no ability to record digital broadcasts, given that analog-broadcast archiving is possible. And, just as individuals rent or even buy DVDs and video tapes so that they can start, pause, and finish viewing the content at their leisure, there’ll most likely be a demand for similar capabilities in the digital age. Digital-video-capture capability at degraded quality levels is one possible compromise.

In differentiating between streaming and downloading-and-playing usage models, it’s also important to distinguish between the ability to view material and the ability to capture or copy it. This distinction is key to resolving the misconception regarding the infamous DeCSS (content-scrambling system) utility, which circumvented the encryption for DVDs. Duplication of DVD media has always been technically possible, though the high cost of writable DVDs and drives currently makes it economically unfeasible. DeCSS simply lets you view

SECURING—AND CIRCUMVENTING—AT HIGH SPEED

A key part of the reason that your chosen encryption system should be upgradable, aside from the potential for cracking due to inadvertent disclosure of keys, is the ever-increasing performance of stand-alone and multiple networked computers. Moore’s Law dictates that today’s computer hardware, using brute-force techniques, takes much longer than next-generation hardware will to calculate a key of given bit length. This acceleration is especially true when dedicated logic gates rather than a general-purpose CPU executing software runs the key-exposing algorithms.

For example, at this February’s ACM/SIGDA International Symposium on Field Programmable Gate Arrays (FPGA 2000), representatives from the University of California—Los Angeles disclosed the results of work they’d done with several-year-old FPGA technology, specifically Xilinx 4085XLA devices (Reference A). In a four-FPGA design running at 16 MHz, they ran sieve-factoring operations 28 times faster than similar calculations in software on an UltraSPARC workstation. By moving from 70- to 8-nsec SRAMs, they estimate, they can boost the FPGA design to 100-MHz operation and achieve a 160-times speed increase over the UltraSPARC alternative. With this level of performance, the presenters estimated, they would require only two months to break RSA (Rivest, Shamir, and Adleman)-129.

To combat fast hardware-based cracking, you might want to embrace your enemy and consider using FPGAs. They combine the in-system upgradability of software-based approaches with the high performance of a hard-wired ASIC, and the logic block structures are ideal for implementing the types of arithmetic functions common in encryption and decryption. At FPGA 2000, representatives from the Worcester Polytechnic Institute (Worcester, MA) used Xilinx XCV1000s to implement the Serpent block cipher (one of the Advanced Encryption Standard candidates) at encryption rates beyond 4 Gbps (Reference B). The researchers evaluated four design approaches with varying gate counts and speeds.

The 2.44- to 37.97-MHz, FPGA-resident alternatives were 30 to 952 times more efficient in number of clock cycles than a software-based implementation of the same algorithm running on a 200-MHz Pentium Pro workstation. The FPGA approach also outperformed the software implementation by two to 180 times. Xilinx reported the results of a similar study at April’s IEEE Symposium on Field-programmable Custom Computing Machines (FCCM 2000) (Reference C). Using the company’s XCV150 FPGAs with Java-based dynamic partial-reconfiguration techniques, Xilinx engineers achieved 10.7-Gbps encryption performance using the DES (Data Encryption Standard) algorithm.

References

A. Kim, Hea Joung, and William H Mangione-Smith, “Factoring large numbers with programmable hardware,” ACM/SIGDA International Symposium on Field Programmable Gate Arrays, Feb 10 to 11, 2000, Monterey, CA.

B. Elbirt, AJ and C Paar, “An FPGA implementation and performance evaluation of the Serpent block cipher,” ACM/SIGDA International Symposium on Field Programmable Gate Arrays, Feb 10 to 11, 2000, Monterey, CA.

C. Patterson, Cameron, “High performance DES encryption in Virtex FPGAs using JBits,” IEEE Symposium on Field-Programmable Custom Computing Machines, April 17 to 19, 2000, Napa, CA.
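The sidebar’s argument that key length has to be sized against hardware that keeps getting faster, worked through as an added example that is not part of the original article. The attacker’s starting trial rate, the 18-month doubling period, and the use of a constant multiplier for dedicated logic are assumptions made for illustration.

```python
# Added example (not from the article). The starting trial rate and the
# 18-month doubling period are assumptions, not figures from the sidebar.
import math

SECONDS_PER_YEAR = 365.25 * 86400


def years_to_search_static(key_bits, rate0=1e9, speedup=1.0):
    """Expected years for exhaustive search if hardware never improves.

    On average half the key space, 2**(key_bits - 1) keys, must be tried.
    """
    return 2 ** (key_bits - 1) / (rate0 * speedup * SECONDS_PER_YEAR)


def years_to_search(key_bits, rate0=1e9, doubling_years=1.5, speedup=1.0):
    """Expected years for exhaustive search when the trial rate keeps doubling.

    rate0          keys tested per second today (assumed)
    doubling_years period over which that rate doubles (assumed)
    speedup        constant multiplier for dedicated logic such as FPGAs

    Keys tested by time T (years), with r = rate0 * speedup * seconds/year:
        K(T) = r * d / ln 2 * (2**(T / d) - 1)
    Setting K(T) = 2**(key_bits - 1) and solving for T gives the return value.
    """
    keys_needed = 2 ** (key_bits - 1)
    per_year = rate0 * speedup * SECONDS_PER_YEAR
    x = keys_needed * math.log(2) / (per_year * doubling_years)
    return doubling_years * math.log2(1 + x)


def min_key_bits(lifetime_years, **attacker):
    """Smallest key length whose expected search time covers the period
    during which the protected media still has value."""
    bits = 1
    while years_to_search(bits, **attacker) < lifetime_years:
        bits += 1
    return bits


if __name__ == "__main__":
    seconds_40 = years_to_search(40) * SECONDS_PER_YEAR
    print("40-bit key, expected search: %.0f seconds" % seconds_40)
    print("64-bit key, frozen hardware: %.0f years" % years_to_search_static(64))
    print("64-bit key, doubling hardware: %.1f years" % years_to_search(64))
    print("bits needed for 10 years:", min_key_bits(10))
    print("bits needed for 10 years, 160x dedicated logic:",
          min_key_bits(10, speedup=160))
```

Under these assumptions a key that looks safe for centuries on frozen hardware covers only about a decade once the doubling is included, which is why the sidebar asks for an upgradable key length.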


DVD content as well as defeat region coding. It’s also important to note that the developers of DeCSS didn’t break the CSS algorithm itself. In attempting to create a Linux-based DVD player program, they stumbled across an unprotected access key in the Xing Technology DVD player they were reverse-engineering and, from that 40-bit key, deduced more than 100 other valid keys. “Cracking an algorithm is far less common than cracking an implementation of that algorithm,” says Mark Ashida, president and CEO of media-security-software company and Intel spin-off PassEdge.

, in light of its impermanent nature, can tolerate a less robust encryption scheme than downloading-and-playing media, which is fortunate because the near-immediate-response expectations of streaming viewers don’t allow for complex encryption and decryption calculations. However, the encryption must be distributed throughout the media, not just in the file header, so that illegal tapping into the bit stream partway through the broadcast is impossible. Typically, you want to reauthorize the connection using a new key pattern every fraction of a second to few seconds. Any evaluation of encryption-algorithm alternatives must also consider that the low cost expectations of consumer-electronics equipment are at odds with the high processing power, memory, and gate-count requirements of robust security protocols.

Given enough time and processing horsepower, a power can use brute force to crack any encrypted data set (see sidebar “Securing—and circumventing—at high speed”). Repeatedly tossing data patterns at an encrypted packet until you stumble across a key that works, though, is not the same thing as finding a hole in the algorithm itself. Your job is to come up with an approach that takes at least as long to circumvent as the time beyond which media’s worth becomes negligible. Particularly for downloading-and-playing scenarios, an upgradable algorithm is valuable so that, when someone does crack it, you can reinforce it via a longer key set or other techniques. An ideal algorithm also encompasses renewability: the ability to detect and block access by a compromised platform, such as a player attempting to use a key that the content developer has voided.

Lack of renewability is a key limitation of many of today’s security systems, such as the smart-card-based techniques that satellite receivers, CSS for DVDs, and the analog-video-based Macrovision system use. Macrovision modifies the video signal to overwhelm the fast-reacting AGC (automatic-gain-control) circuits of VCRs but not the slower reacting AGCs in TVs. An Internet search using the word “Macrovision,” however, will uncover a number of “video stabilizers” and software programs that can disable Macrovision or otherwise restore the original video signal.

Also, secure delivery of media to customers is only half the task. Content distributors would like to track their customers’ usage patterns, both for planning future products and for targeting consumers for advertising on related products. You need to balance these suppliers’ desires with your customers’ rights to privacy. Not everyone would like others to know what types of books they read, pictures or movies they look at, or music they listen to.

IDENTIFYING THE RECIPIENT

Even if a user can download a file, the media it contains is often an altered version of the original. It’s not only encrypted but also watermarked. The platform containing the downloaded file then becomes in effect a security server of its own, distributing further media variants.

To better understand this concept, consider the SDMI scheme (Figure 2). SDMI requires that any device storing digital audio contain a 32-bit predefined manufacturer ID or 128-bit random number to generate security keys. Where does this identifier come from? One possible source is a data pattern embedded within a smart card, parallel-port “dongle,” or flash-memory card (Reference 2). Because the decryption key is tied to a removable device, not the player itself, a user can move that media among multiple players. (For example, you can take your songs over to your friend’s house to listen to them.) However, this approach has downsides, too. If the media is lost or irreparably damaged, the rights to the media disappear. Media portability also raises the specter of illegal duplication, a scenario that can only be detected if, for example, two people attempt to listen to the same music file at the same time using the same key.

Figure 2: The SDMI protocol contains multiple software levels that both isolate application software from low-level hardware details and ensure secure decryption, decoding, and transcoding of digital media (courtesy Creative Technology).

The other alternative is to generate security keys from an embedded ID located within the playback system itself. This identifier could be a code inside the microprocessor, such as in Cirrus Logic’s Maverick products or Intel’s Pentium III CPU. You might also tie the security keys to the volume ID of a hard drive or to the MAC (media-access-control) address of a network card, or to a dedicated security chip as IBM has done with its 300PL PC. The downside here, aside from the lack of media portability, is that should the user replace the ID-sourced component in the future, the previously generated keys will become invalid. Regardless of the key generation “seed” source, the process of generating keys must be as random as possible. For example, the firmware hub of Intel’s i810, i815, i820,


and i840 core logic chip sets creates random numbers through sensing and amplifying thermal noise patterns across undriven resistors, and a secure communication channel links the firmware hub to the I/O hub.

From an encryption standpoint, SDMI doesn’t care which of a multitude of possible encryption and decryption and compression algorithms you choose. As Matt Perry, vice president and general manager of the Embedded Processor Division at Cirrus Logic, describes it, the encryption portion of the SDMI protocol is only a functional specification and, therefore, is open to numerous encryption and audio-codec implementations. However, SDMI’s Version 1.0 specification defines a specific watermark technique that Verance developed and DVD Audio also plans to incorporate. It lets you make, by default, four copies—adjustable from zero to an infinite number of copies—of the downloaded media for distribution to and movement among devices such as other PCs or portable audio players. You must check a copy back in before you can make another. SDMI also specifies multiple access levels. SDMI 1.0-compliant devices must search for the Verance watermark at least every 15 seconds. SDMI-compliant hardware will carry the DMAT (Digital Music Access Technology) stamp of approval.

The not-yet-finalized SDMI 2.0 specification defines another set of watermarks. They include a “do-not-import-if-previously-compressed” flag that would prevent playback of, for example, MP3 files that users obtained by some means other than from their private audio-CD collections using an SDMI-compliant “ripping” (extracting-to-hard-drive) program (Reference 3). SDMI 1.0-compliant players must search for the 2.0-indicating “trigger” and then cannot play SDMI-compliant media until the user upgrades the player firmware. These additional proposed watermarks may inhibit users’ abilities to play their MP3 libraries. If implemented in the final specification, these additional security measures will likely trigger a consumer uproar like the one that the “millennium trigger” caused during the early drafts of the SDMI 1.0 specification.

SDMI 2.0-compliant firmware isn’t the only means by which the consortium members hope to control consumers’ usage patterns. If the media that stores the files can interrogate the player and block playback if it detects the presence of a compromised unit, additional access rights become available. This concept is central to the definition of the SD (Secure Digital) card, defined by the so-called 3C (three-company) Entity: Matsushita, Sandisk, and Toshiba. SD cards contain a protected media-key block describing all valid players (Figure 3). Each time a player containing an SD card connects directly or indirectly to the Internet, the connection causes an update of the media-key block contents, if necessary, to reflect players whose keys have been revoked. Vendors should also keep media-key-block information up to date in the SD-card manufacturing line.

Figure 3: Secure Digital cards store not only encrypted digital media files, but also a card-specific identifier and a table of IDs for trusted playback devices (courtesy Sandisk). Secure Digital memory partitions shown: protected partition (copy-control information), read-only partition (media-key block), open partition (encrypted data).

SD cards incorporate the CPRM (Content Protection for Recordable Media) Protocol, which, along with the CPPM (Content Production for Prerecorded Media) Protocol, the 4C (four-company) Entity—IBM, Intel, Matsushita, and Toshiba—developed. CPRM and CPPM derive from the same CSS encryption scheme that the 4C Entity developed for DVD video and DVD audio disks. DVD Video’s circumvented security, which DeCSS exemplifies, has compelled DVD-audio advocates to delay mass production until they can come up with a more robust alternative encryption approach. However, the revocation capability of CPRM has enabled SD deployment to proceed.

Current encryption technologies as well as those now under development promise to enable high-speed and easy interchange of digital media within homes and offices. Standards bodies have yet to endorse an official approach for IEEE 1394, but the emerging de facto standard appears to be the Digital Transmission Copy Protection algorithm that the 5C (five-company) Entity—Hitachi, Intel, Matsushita, Sony, and Toshiba—developed. Encryption over TCP/IP (Transmission Control Protocol/Internet Protocol) has existed in numerous forms for some time and applies to traditional Ethernet as well as to HomePNA (Home Phone Networking Alliance) and HomePlug Powerline Appliance network connections. Encryption, authentication, and frequency-hopping are integral to the Bluetooth, HomeRF, and IEEE 802.11 specifications. Both powerline and wireless networking techniques must comprehend sufficient safeguards to ensure that your neighbors can’t illegally access the media. You can also apply the DTCP (Digital Transmission Content Protection) Protocol for IEEE 1394 to USB.

SHUFFLING THE BITS

What if your customer wants to connect a set of digital-interface speakers to his or her audio playback device or hook up a video-playback unit to a digital flat-panel display or CRT? These links also must be secure. Most of today’s digital speakers employ S/PDIF connections, whose limited SCMS (Serial Copy Management System) encryption hasn’t stood up to the test of time. Until encryption support becomes pervasive in USB-equipped devices, content developers will have muted enthusiasm for the concept of audio-playback systems with “live” digital outputs.

IEEE 1394 currently provides insufficient bandwidth to enable the transmission of uncompressed high-resolution video streams. For this purpose, you must turn to the DVI protocol, which Silicon


Image developed under the name PanelLink technology and which is also called TMDS (transition-minimized differential signaling). DVI’s secure variant, which Intel announced and Silicon Image demonstrated in February at its Developer Forum, is HDCP (High-bandwidth Digital Copy Protection) (Figure 4). Silicon Image is currently shipping samples of first-generation HDCP-aware DVI Sil 168 transmitter and Sil 861 receiver chips and slates production of both for the third quarter of 2000.

Figure 4: High-speed stream encryption of the display information, plus periodic block encryption for authentication, come together to form the HDCP scheme for digital displays (courtesy Silicon Image).

Like SDMI for audio, HDCP supports the concepts of authentication to verify that a display device is licensed to receive protected content, encryption of the transmitted video to prevent “eavesdropping” on the protected content, and renewability to enable the revocation of compromised devices. HDCP’s hybrid-block/stream-cipher approach encrypts data at the transmission end of each 1.65-Gbps channel and decrypts it at the other side. The approach uses the more robust block cipher during authentication. Both the authorized host and display device have access to a set of secret keys that the HDCP license administrator supplies. The secret keys consist of an array of 40 56-bit secret device keys and a corresponding 40-bit binary key-selection vector (KSV). The host initiates authentication by sending an initiation message containing its KSV and a 64-bit value. The display device responds by sending a response message containing its KSV. The host confirms that the received KSV has not been revoked.

At this point, the two devices can calculate a shared value, which, if both devices have a valid set of keys, is equal. The devices use this shared value in the encryption and decryption of the protected content. Authentication has now been established, and reauthentication occurs every 2 sec, or each time the connection is lost for any reason. A faster, bitwise-exclusive-OR-based stream cipher handles content delivery. If the HDCP license administrator discovers that the security of a certain display device has been compromised and the secret device keys are exposed, the administrator places the KSV that matches the compromised device key on a revocation list. System-renewability messages (SRMs), which the host manages, contain this list. The host must update its revocation list when it receives a valid, newer SRM than that currently held in memory. SRMs can be presented to the host in prerecorded or broadcast content, or received from another compliant device with a newer SRM. Encryption and decryption logic add approximately 10,000 logic gates to the transmitter- and receiver-chip designs.

UNDER THE HOOD

So much for media that passes between systems. What about security within a system? The degree of vulnerability caused by an “in-the-clear” digital bit stream passing between chips inside a system depends on how “open” the system is. A proprietary, nonupgradable set-top box, for example, realistically isn’t a point of vulnerability for any but the most hard-core hackers, who would think nothing of tapping into a board trace or probing a packaged IC’s leads to siphon off a digital bit stream.

On the opposite end of the spectrum, however, consider PCs. A number of available third-party software packages disable Macrovision protection for DVD movies, enabling dubbing to video recorders through a graphics card’s video output. High Criteria’s Total Recorder software intercepts a digital-audio bit stream on the way to the PC’s sound card. Streambox VCR performs a similar function for video. And the sound cards in some PCs digitally output any audio bit stream routed to them and ignore SCMS copy-protection bits at their digital inputs.

The emergence of digital-TV receivers and decoder hardware and software for PCs exposes another potential source of duplication. In an approach such as the one that Ravisent Technologies advocates with its CinePlayer DTV, a low-cost add-in card handles the digital-TV reception and demodulation tasks and then sends the combined audio, data, and video bit stream across the PCI bus to software running on the host CPU for demultiplexing, decoding, and output. A rogue PCI add-in card could easily intercept this (albeit perhaps encrypted) bit stream. Even a more hardware-intensive approach, such as one that TeraLogic advocates, isn’t immune to piracy. The company’s Janus chip relies on external software to handle audio decoding and passes decoded video data to a graphics card over an easily tapped VIP 2.0-compatible port.

The PC is perhaps the most extreme—but not the only—example of an open architecture. Should the OpenCable initiative turn into real systems, for example, those products will also be, by virtue of their openness, susceptible to hacking. Fortunately, semiconductor-integration trends are helping to solve the problem. Advanced audio-playback chips, such as Cirrus Logic’s Maverick line and Micronas’ MAS3509F, both decrypt and decode an incoming secure bit stream within the same device, never revealing the system-specific key. The Micronas device even integrates the D/A converter, so that neither the decrypted nor the decoded digital-audio information is ever exposed.

Future operating-system enhancements, placing system-specific encryption at their core instead of as add-ons, will also help boost security while maintaining platform openness. Microsoft spent a lot of time at April’s Windows Hardware Engineering Conference (WinHEC) talking about this subject,


which is a key feature of the company’s follow-on to Windows 2000, code-named Whistler, and its successor to Windows 98, code-named Millennium Edition. These enhancements are by no means straightforward to implement. They require changes not only to the operating system but also to the BIOS, and they must incorporate a means of uniquely identifying the system. A unique ID embedded in the processor, which is the least likely hardware subsystem to get replaced, is the most obvious means of achieving this goal.

Intel received much backlash after its public disclosure of the Pentium III processor’s serial number, however, and the company subsequently developed a utility that disables the serial number and announced removal of the serial number in the follow-on Willamette CPU. Competitor AMD was therefore reluctant to follow in Intel’s stumbling footsteps. In a similar vein, Microsoft pointed out at WinHEC that any user concerned with privacy can disable any identification scheme the company comes up with, even though such a step might prohibit access to certain content. Third-party hardware and software developers will also need to add security hooks to their drivers so that they won’t lose access if a certain media type insists on operating only with secure programs.

References
1. Dipert, Brian, “Now hear this,” EDN, Feb 3, 2000, pg 50.
2. Dipert, Brian, “Memory cards: designing with a full deck,” EDN, May 25, 2000, pg 69.
3. Starrett, Robert A, “Ripping off recordings; extraction do’s, don’ts and do’ers,” eMedia, July 1999, pg 34.
4. DeCarmo, Linden, “Pirates of the airwaves; new technologies for audio copy protection,” eMedia, September 1999, pg 50.
5. DeCarmo, Linden, “Safety in numbers; a look at the Secure Digital Music Initiative,” eMedia, November 1999, pg 48.
6. Lawton, George, “Intellectual property protection opens path for e-commerce,” IEEE Computer, February 2000, pg 14.
7. Bell, Alan E, “The dynamic digital disk,” IEEE Spectrum, October 1999, pg 28.
8. Caloyannides, Michael A, “Encryption wars: early battles,” IEEE Spectrum, April 2000, pg 37.
9. Drummond, Mike, “The Madison project,” Stereo Review’s Sound & Vision, November 1999, pg 119.
10. Takiff, Jonathan, “Judgement day,” Stereo Review’s Sound & Vision, May 2000, pg 90.

Acknowledgments
In researching this article, I appreciated the information and insights I received from Wes Brewer and Farshid Sabet of Sandisk regarding SDMI and the SD card, from numerous employees of the Fraunhofer Institute via their Audio Engineering Society conference papers and other documentation, and from Dave Rossum, chief scientist at Creative Technology, via his excellent presentation at this year’s WinHEC.

FOR MORE INFORMATION...
For more information on products such as those discussed in this article, enter the appropriate numbers at www.ednmag.com/infoaccess.asp. When you contact any of the following manufacturers directly, please let them know you read about their products in EDN.

COMPANIES
AT&T’s a2bmusic subsidiary, 1-212-583-6800, www.a2bmusic.com, Enter No. 319
Baltimore Technologies (and GTE CyberTrust subsidiary), 1-781-455 3333, www.baltimore.com, Enter No. 320
Cirrus Logic, 1-512-445-7222, www.cirrus.com, Enter No. 321
Cognicity, 1-952-841-7100, www.cognicity.com, Enter No. 322
Destiny Media Technologies, 1-604-609-7736, www.destiny-software.com, Enter No. 323
Digimarc, 1-503-885-9699, www.digimarc.com, Enter No. 324
Excalibur Technologies, 1-703-761-3700, www.excalib.com, Enter No. 325
Fraunhofer Institute for Integrated Circuits, +49 (0) 9131 / 776 0, www.iis.fhg.de, Enter No. 326
IBM, 1-914-765-1900, www.ibm.com, Enter No. 327
Intel, 1-503-696-8080, www.intel.com, http://developer.intel.com/ial/security, http://developer.intel.com/software/security, Enter No. 328
InterTrust Technologies, 1-408-855-0100, www.intertrust.com, Enter No. 329
Liquid Audio, 1-650-549-2000, www.liquidaudio.com, Enter No. 330
Macrovision and C-Dilla Labs subsidiary, 1-408-743-8600, www.macrovision.com, www.c-dilla.com, Enter No. 331
Micronas Semiconductors, 1-408-526-2080, www.micronas.com, Enter No. 332
Microsoft, 1-425-882-8080, www.microsoft.com, Enter No. 333
Midbar Tech, 972-3-5186666, www.midbartech.com, Enter No. 334
PassEdge, 1-503-466-8400, www.passedge.com, Enter No. 335
RPK SecureMedia USA, 1-415-563-1800, www.rpk.com, Enter No. 336
Silicon Image, 1-408-616-4000, www.siimage.com, Enter No. 337
Sony, 1-201-930-1000, www.sony.com, Enter No. 338
Spectra Science, 1-401-274-4700, www.spectra-science.com, Enter No. 339
TTR Technologies, 972-9-7662394, www.ttrtech.com, Enter No. 340
Verance, 1-858-677-6522, www.verance.com, Enter No. 341
ViaTech, 1-508-647-0464, www.elicense.com, Enter No. 342
Wave Systems, 1-413-243-1600, www.wave.com, Enter No. 343
Xilinx, 1-408-559-7778, www.xilinx.com, Enter No. 344

STANDARDS BODIES AND CONSORTIA
1394 Trade Association, 1-408-748-9416, www.1394ta.org, Enter No. 345
4C Entity, www.4centity.com, Enter No. 346
Bluetooth Special Interest Group, www.bluetooth.com, Enter No. 347
Digital Display Working Group (DVI), www.ddwg.org, Enter No. 348
Digital Transmission Copy Protection Licensing Administrator (5C Entity), www.dtcp.com, Enter No. 349
Electronic Frontier Foundation, 1-415-436-9333, www.eff.com, Enter No. 350
Home Phoneline Networking Alliance, www.homepna.org, Enter No. 351
HomePlug Powerline Alliance, www.homeplug.org, Enter No. 352
Home Recording Rights Coalition, 1-800-282-8273, www.iec.ch/opima, Enter No. 353
HomeRF Working Group, 1-503-291-2563, www.homerf.org, Enter No. 354
International Electrotechnical Commission, +41 22 919 02 50, www.iec.ch/opima, Enter No. 355
Motion Picture Association, 1-818-995-6600, www.mpaa.org, Enter No. 356
Music Publishers Association, 1-212-327-4044, www.mpa.org, Enter No. 357
Recording Industry Association of America, 1-202-775-0101, www.riaa.org, Enter No. 358
Secure Digital Association, 1-831-623-2107, www.sdcard.org, Enter No. 359
Secure Digital Music Initiative, 1-858-826-2655, www.sdmi.org, Enter No. 360
USB Implementers Forum, 1-503-296-9892, www.usb.org, Enter No. 361

OTHER COMPANIES MENTIONED IN THIS ARTICLE
Adobe Systems, www.adobe.com
AMD, www.amd.com
America Online, www.aol.com
Creative Technology, www.creative.com
DMX, www.dmxmusic.com
Gnutella, gnutella.wego.com
High Criteria, www.highcriteria.com
Hitachi, www.hitachi.com
Matsushita, www.matsushita.co.jp
Napster, www.napster.com
Nullsoft, www.nullsoft.com
Ravisent Technologies, www.ravisent.com
RealNetworks, www.realnetworks.com
Sandisk, www.sandisk.com
Scour.net, www.scour.com
Streambox.com, www.streambox.com
TeraLogic, www.teralogic-inc.com
Toshiba, www.toshiba.com
Voyetra Turtle Beach, www.voyetra-turtle-beach.com
Xing Technology, www.xingtech.com

SUPER CIRCLE NUMBER
For more information on the products available from all of the vendors listed in this box, enter No. 362 at www.ednmag.com/infoaccess.asp.
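The HDCP sequence the article describes (KSV exchange with a 64-bit value, revocation check, shared-value calculation, SRM update) is modelled below as an added example; it is not code from the article, from Silicon Image, or from the HDCP specification. The sum-of-selected-keys shared value, the symmetric master matrix, SHA-256 as a stand-in cipher, the `signature_ok` flag, and every class and function name are assumptions for illustration, and all keys are constructed.

```python
import hashlib
import random

KEY_COUNT, KEY_BITS = 40, 56      # 40 secret device keys of 56 bits each (from the article)
MOD = 1 << KEY_BITS


class Device:
    """One licensed device: a public 40-bit KSV plus its secret device keys."""

    def __init__(self, name, ksv, keys):
        self.name, self.ksv, self._keys = name, tuple(ksv), list(keys)

    def shared_value(self, peer_ksv):
        # Assumed construction: add up the own keys that the peer's KSV selects.
        return sum(k for k, bit in zip(self._keys, peer_ksv) if bit) % MOD

    def session_key(self, peer_ksv, nonce64):
        # SHA-256 is a stand-in for HDCP's own cipher; it only mixes in the 64-bit value.
        shared = self.shared_value(peer_ksv).to_bytes(7, "big")
        return hashlib.sha256(shared + nonce64.to_bytes(8, "big")).hexdigest()


class LicenseAdministrator:
    """Hypothetical stand-in for the HDCP license administrator (constructed keys)."""

    def __init__(self, seed):
        self._rng = random.Random(seed)          # seeded only so the demo is repeatable
        self._master = [[0] * KEY_COUNT for _ in range(KEY_COUNT)]
        for i in range(KEY_COUNT):
            for j in range(i, KEY_COUNT):        # symmetric: master[i][j] == master[j][i]
                self._master[i][j] = self._master[j][i] = self._rng.getrandbits(KEY_BITS)

    def issue(self, name):
        ones = set(self._rng.sample(range(KEY_COUNT), KEY_COUNT // 2))
        ksv = [int(i in ones) for i in range(KEY_COUNT)]
        keys = [sum(m for m, bit in zip(row, ksv) if bit) % MOD for row in self._master]
        return Device(name, ksv, keys)


class Host:
    """Transmitter side: keeps the revocation list carried by the newest SRM."""

    def __init__(self, device):
        self.device, self.srm_version, self.revoked = device, 0, set()

    def accept_srm(self, version, revoked_ksvs, signature_ok):
        # signature_ok stands in for verifying the administrator's signature on the SRM.
        if not signature_ok or version <= self.srm_version:
            return False                         # invalid or not newer: keep current list
        self.srm_version, self.revoked = version, {tuple(k) for k in revoked_ksvs}
        return True

    def authenticate(self, display, nonce64):
        # Host -> display: host KSV + 64-bit value.  Display -> host: display KSV.
        if display.ksv in self.revoked:
            return "revoked"
        host_key = self.device.session_key(display.ksv, nonce64)
        display_key = display.session_key(self.device.ksv, nonce64)
        # The two sides never exchange keys; comparing them here models the link check.
        return "authenticated" if host_key == display_key else "key-mismatch"


def demo():
    an = 0x0123456789ABCDEF                      # constructed 64-bit value
    admin = LicenseAdministrator(seed=2000)
    host = Host(admin.issue("graphics-controller"))
    good, leaked = admin.issue("flat-panel"), admin.issue("compromised-panel")
    # Constructed device that presents a valid KSV without administrator-issued keys.
    forged = Device("unlicensed", good.ksv, [0x1234567] * KEY_COUNT)
    results = {"good": host.authenticate(good, an),
               "forged": host.authenticate(forged, an),
               "before_srm": host.authenticate(leaked, an)}
    results["stale_srm"] = host.accept_srm(0, [leaked.ksv], signature_ok=True)
    results["bad_sig_srm"] = host.accept_srm(5, [leaked.ksv], signature_ok=False)
    results["new_srm"] = host.accept_srm(1, [leaked.ksv], signature_ok=True)
    results["after_srm"] = host.authenticate(leaked, an)
    results["good_after_srm"] = host.authenticate(good, an)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:15} {outcome}")
```

The run shows the point of renewability: the leaked device authenticates until a valid, newer SRM arrives, while a stale or unverifiable SRM leaves the host's list unchanged.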
