  • Number of slides: 24

Slide 1: Anonymous Trust: Digital Rights Management Using Broadcast Encryption
Proceedings of the IEEE, Vol. 92, No. 6, June 2004

Slide 2: Outline
• Introduction
• Broadcast encryption
• Content binding
• Server side binding - the anonymous trust system
• XCP cluster protocol and the home network
• Download to the home network
• Conclusion

Slide 3: Introduction
• Cryptography in DRM system
  - The attacker has the keys
  - Providing a hook to force compliance
• Public-key based system
  - Both the client and server have public-key certificates
  - Using the handshake protocol
  - Expensive
  - The dependency on an online handshake protocol makes it unsuitable for physical media or broadcast-based distribution
→ Broadcast encryption

Slide 4: Broadcast encryption
• Fiat & Naor (1993) found a key management scheme with revocation, but without the handshake protocol → called broadcast encryption to emphasize its one-way nature
• Size/performance tradeoff
  - A much larger amount of data has to be transferred
  - Requires less time for calculations

Slide 5: Broadcast encryption
• Matrix-based schemes
  - Content protection for recordable media (CPRM)
  - Content protection for prerecorded media (CPPM)
  - Media key block
  - Device keys
  - Drawbacks:
    - The size of the matrix
    - Sensitive to insider attacks

Slide 6: Broadcast encryption
• The media key block is prerecorded on blank media at manufacturing time
• The key matrix is generated by the CPRM licensing agency and is pre-embossed in the lead-in area on the disk
• The media key block is the media key encrypted under the different device keys

Slide 7: Broadcast encryption
• CPRM key matrix
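
A matrix-based media key block with one revoked device, as an added example that is not from the slides or the CPRM specification. The XOR/SHA-256 cipher `E`, the hash used as the check value, the toy matrix size and all key material are assumptions constructed for the illustration.

```python
import hashlib

ROWS, COLS = 4, 3  # constructed toy size; real matrices are far larger

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in cipher (XOR with SHA-256(key)); self-inverse, not CPRM's cipher."""
    return bytes(a ^ b for a, b in zip(block, hashlib.sha256(key).digest()))

def make_matrix() -> list:
    """Licensing agency's key matrix, derived here from constructed seeds."""
    return [[hashlib.sha256(b"cell-%d-%d" % (r, c)).digest()[:16]
             for c in range(COLS)] for r in range(ROWS)]

def device_keys(matrix: list, rows: list) -> list:
    """A device holds one key per column: (row, column, key)."""
    return [(r, c, matrix[r][c]) for c, r in enumerate(rows)]

def make_mkb(matrix: list, km: bytes, revoked: list) -> dict:
    """Encrypt Km under every cell key, except cells held by revoked devices."""
    dead = {(r, c) for rows in revoked for c, r in enumerate(rows)}
    cells = {(r, c): (b"\x00" * 16 if (r, c) in dead else E(matrix[r][c], km))
             for r in range(ROWS) for c in range(COLS)}
    return {"cells": cells, "verify": hashlib.sha256(km).digest()}

def process_mkb(keys: list, mkb: dict):
    """Try each column until one decrypts to a value matching the check hash."""
    for r, c, key in keys:
        candidate = E(key, mkb["cells"][(r, c)])
        if hashlib.sha256(candidate).digest() == mkb["verify"]:
            return candidate
    return None

def demo() -> dict:
    matrix = make_matrix()
    km = hashlib.sha256(b"constructed media key").digest()[:16]
    # Row choices per column; "neighbour" shares cell (0, 0) with the pirate.
    pirate, neighbour, other = [0, 1, 2], [0, 3, 3], [1, 0, 0]
    mkb = make_mkb(matrix, km, revoked=[pirate])
    return {name: process_mkb(device_keys(matrix, rows), mkb) == km
            for name, rows in [("pirate", pirate), ("neighbour", neighbour),
                               ("other", other)]}
```

The device that shares one cell with the revoked device loses that column but still recovers the media key from another column; no handshake with the issuer is involved.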

Slide 8: Broadcast encryption
• Tree-based schemes
  - Wallner, 1997 and Wong, 1997 → Logical key hierarchy (LKH) trees
  - IBM, 2001 → subset-difference approach (NNL trees)
    - More concise than LKH trees
    - The size of the key management block in an NNL system is literally of the same order as the size of a public-key certificate revocation list

Slide 9: Broadcast encryption

Slide 10: Broadcast encryption

Slide 11: Broadcast encryption
• Tricks in NNL
  - Revoke more than one device
  - How does it store the billions of keys? → the lower level keys are one-way functions of the higher level keys
• NNL trees are the strongest known key management block technology in terms of number of revocations for a given size
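
The one-way key derivation mentioned above, as an added example that is not from the slides. It goes beyond the slide text by sketching the subset-difference label derivation of the NNL scheme; SHA-256 as the one-way function, the 8-leaf tree and the labels are assumptions constructed for the illustration.

```python
import hashlib

def G(label: bytes, tag: bytes) -> bytes:
    """One-way step: b"L"/b"R" gives a child label, b"M" the subset key."""
    return hashlib.sha256(tag + label).digest()

def covers(a: int, b: int) -> bool:
    """True if node a is b or an ancestor of b (heap numbering, root = 1)."""
    while b > a:
        b //= 2
    return a == b

def derive(label: bytes, start: int, target: int) -> bytes:
    """Walk a label down from node start to its descendant target."""
    for shift in range(target.bit_length() - start.bit_length() - 1, -1, -1):
        label = G(label, b"R" if (target >> shift) & 1 else b"L")
    return label

def device_store(labels: dict, leaf: int) -> dict:
    """Per ancestor i, keep the label of every sibling hanging off the path."""
    store, path, node = {}, [], leaf
    while node > 1:
        path.append(node)
        node //= 2
        for v in path:
            store[(node, v ^ 1)] = derive(labels[node], node, v ^ 1)
    return store

def device_key(store: dict, i: int, j: int):
    """Key for subset S(i, j): leaves under i but not under j; None if excluded."""
    for (anc, s), label in store.items():
        if anc == i and covers(s, j):
            return G(derive(label, s, j), b"M")
    return None

def center_key(labels: dict, i: int, j: int) -> bytes:
    """The issuer derives the same key from the subtree root's label."""
    return G(derive(labels[i], i, j), b"M")

# Constructed 8-leaf tree: internal nodes 1..7, devices are leaves 8..15.
LABELS = {n: hashlib.sha256(b"constructed label %d" % n).digest() for n in range(1, 8)}

def demo() -> dict:
    """One subset, S(1, 6), excludes leaves 12 and 13 with a single key."""
    key = center_key(LABELS, 1, 6)
    return {leaf: device_key(device_store(LABELS, leaf), 1, 6) == key
            for leaf in range(8, 16)}
```

Each device stores six labels for this tree and derives any subset key it is entitled to by hashing downward; the two excluded devices hold no label from which the key for S(1, 6) can be reached.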

Slide 12: Content binding in CPRM
• The unique media key calculation $K_{mu} = H(K_m, ID_m)$ → the binding step
• Encryption $D_i = e_{K_{mu}}(K_{ti}\ H[CCI_i])$
  CCI: copy control information
• $D_i$ is then stored on the media (the unique media key encrypts the title keys, and the title keys encrypt the content)

Slide 13: Server side binding
• CPRM enables a simple DRM system
  - The client software would read the media key block and the media ID on the blank recordable DVD, and upload them to a DRM server
  - The server has a set of device keys to process the media key block, performs the binding calculation, and prepares a disk image
  - The client software burns the DVD

Slide 14: Server side binding
• Advantages of this system
  - The client software contains no secrets
  - The question of when to charge the consumer for the download does not arise (before or after the client's acknowledgement?)
→ The content has been customized to one particular piece of media, so it can be downloaded over and over again without the extra downloads counting as extra copies

Slide 15: Server side binding
• Advantages for the consumer
  - The content is designed to be consumed in the user’s normal electronic devices (e.g. TV, DVD player)
  - Supporting the concept of “doctrine of first sale” (only payable on the first sale)
  - The content owners are confident that the content will not be misused, even if they do not know whom they have given it to → the anonymous part of anonymous trust

Slide 16: XCP cluster protocol and the home network
• Next-generation entertainment devices are increasingly incorporating home networking technologies that allow easier access to content
• The approach proposed in this paper is the only system that uses broadcast encryption; all other systems rely on public-key cryptography

Slide 17: XCP cluster protocol and the home network
• A cluster of devices agrees on a common key for content encryption

Slide 18: XCP cluster protocol and the home network
• The devices in the xCP cluster have agreed upon three things:
  - A common key management block
  - The binding identifier (the network id)
  - The authorization table
• Binding key $K_b = H(K_m, ID_b\ H[\text{Auth table}])$
• All content in the home is protected by the binding key (the binding key encrypts the title keys for each piece of content, and the title keys are used to actually encrypt the content)

Slide 19: XCP cluster protocol and the home network
• Devices can calculate the binding key without having to have a conversation with any other device on the network
• Devices are compliant and will not perform the forbidden action
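
The two binding steps described above (the CPRM unique media key and the xCP binding key), as an added example that is not from the slides. SHA-256 as H, the XOR stand-in cipher `wrap`, the identifiers and keys are constructed assumptions; the copy control information is left out, and because the way the slide combines the binding identifier with the table hash is not legible, the two are fed here as separate hash inputs.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    """Hash with length-prefixed inputs so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()[:16]

def wrap(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (XOR with a key-derived pad); self-inverse."""
    return bytes(a ^ b for a, b in zip(data, H(b"pad", key)))

def media_unique_key(km: bytes, media_id: bytes) -> bytes:
    return H(km, media_id)  # Kmu = H(Km, IDm)

def xcp_binding_key(km: bytes, id_b: bytes, auth_table: list) -> bytes:
    # Assumption: IDb and H[auth table] are passed as separate hash inputs.
    return H(km, id_b, H(*sorted(auth_table)))

def demo() -> dict:
    km = H(b"constructed media key")
    kt = H(b"constructed title key")
    # CPRM: title key wrapped for disc A, then the record is copied to disc B.
    record = wrap(media_unique_key(km, b"disc-A"), kt)
    on_a = wrap(media_unique_key(km, b"disc-A"), record)
    on_b = wrap(media_unique_key(km, b"disc-B"), record)
    # xCP: two devices compute Kb independently from the same shared state.
    table = [b"tv", b"recorder"]
    kb_tv = xcp_binding_key(km, b"home-net-1", table)
    kb_rec = xcp_binding_key(km, b"home-net-1", list(reversed(table)))
    # A device joins: the table changes, so Kb changes and title keys are rebound.
    kb_new = xcp_binding_key(km, b"home-net-1", table + [b"player"])
    stored = wrap(kb_tv, kt)
    rebound = wrap(kb_new, wrap(kb_tv, stored))
    return {"disc_a": on_a == kt, "disc_b": on_b == kt,
            "same_kb": kb_tv == kb_rec, "kb_changed": kb_new != kb_tv,
            "rebound_ok": wrap(kb_new, rebound) == kt}
```

A bit-for-bit copy of the encrypted title key onto media with a different ID no longer unwraps, and any change to the authorization table yields a new binding key under which the title keys have to be re-encrypted.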

Slide 20: XCP cluster protocol and the home network
• Device join

Slide 21: XCP cluster protocol and the home network
• New binding

Slide 22: XCP cluster protocol and the home network
• Device removal

Slide 23: Download to the home network
• The xCP cluster protocol supports the DRM download function by having the DRM server actually join the cluster
• The DRM server can deliver and bind content to an entire home, not just a single piece of media
• The server learns the cluster ID and can calculate the cluster’s binding key
• Instead of a pay-for-download service, it uses broadcast encryption

Slide 24: Conclusion
• Many DRM systems use public-key cryptography, but this approach has several drawbacks
  - Computationally demanding
  - Bidirectional connection
  - The end user’s privacy can be compromised easily
• A new approach: broadcast encryption
  - Suited for integration in low-cost consumer devices
  - Providing a much higher level of consumer privacy
  - Supporting disconnected distribution
• DRM systems based on broadcast encryption have high potential