Felten on DRM and Security through Obscurity

by on April 13, 2007 · 14 comments

Ed Felten describes the latest phase of the cat-and-mouse game between the HD-DVD/Blu-Ray cartel and hackers trying to crack their AACS encryption scheme:

To reduce the harm to law-abiding customers, the authority apparently required the affected programs to issue free online updates, where the updates contain new software along with new decryptions keys. This way, customers who download the update will be able to keep playing discs, even though the the software’s old keys won’t work any more.

The attackers’ response is obvious: they’ll try to analyze the new software and extract the new keys. If the software updates changed only the decryption keys, the attackers could just repeat their previous analysis exactly, to get the new keys. To prevent this, the updates will have to restructure the software significantly, in the hope that the attackers will have to start their analysis from scratch.

The need to restructure the software explains why several months expired between the attacks and this response. New keys can be issued quickly, but restructuring software takes time. The studios reportedly postponed some planned disc releases to wait for the software reissue.

It seems inevitable that the attackers will succeed, within a month or so, in extracting keys from the new software. Even if the guts of the new software are totally unlike the old, this time the attackers will be better organized and will know more about how AACS works and how implementations tend to store and manage keys. In short, the attackers’ advantage will be greater than it was last time.

This illustrates a point I’ve made before: “open” DRM is a contradiction in terms. The encryption keys have to be on the user’s computer, which means (at least on general purpose hardware) that they can always be extracted by an attacker, if the attacker knows where to look. To stop that, the programmer has to use obfuscation to make it difficult for the attacker to figure out where it’s located.

This is completely opposite the usual way computer security is done. Normally, computer security is based on public algorithms and a small number of private secrets. This allows security researchers to examine the algorithm and prove (or at least fail to disprove after much effort) that the algorithms are reasonably secure provided that the relevant secrets are kept secret. But because DRM schemes involve storing the secrets on the attacker’s computer, they’re inherently brittle. They’ll always fail to withstand serious scrutiny, which means it’s a waste of time to even try to design algorithms that could be evaluated by serious security researchers. Instead, the goal is to make the algorithm as difficult to evaluate as possible, in the hopes that attackers will find it too tedious to figure out how it works and where the keys are hidden. Obviously, this approach doesn’t scale, because the more high-profile your DRM scheme is, the bigger the payoff (in reputation, media attention, etc) for cracking it. When it’s as prominent as AACS, no amount of obfuscation is likely to stop determined attackers or even slow them down for more than a couple of weeks.

  • http://bjimba.blogspot.com Jim Russell

    Exactly. To boil it down to an aphorism: You cannot encrypt past the intended recipient. I wrote about that here.

  • http://linuxworld.com/community/ Don Marti

    A DRM scheme doesn’t have to be effective against users making copies — it only needs to be good enough to deter investors from funding a company that makes a compatible product or service. The DRM only needs to be effective enough against users that the copyright holders prefer it to competing schemes.

    If you patent a media format, you get 20 years before someone can make a generic player. If you DRM-infect the format, you get unlimited control over the market for players. The original DVD DRM has been cracked for years, but DVD CCA can still prevent the import of unlicensed DVD players.

  • http://bjimba.blogspot.com Jim Russell

    Exactly. To boil it down to an aphorism: You cannot encrypt past the intended recipient. I wrote about that here.

  • http://linuxworld.com/community/ Don Marti

    A DRM scheme doesn’t have to be effective against users making copies — it only needs to be good enough to deter investors from funding a company that makes a compatible product or service. The DRM only needs to be effective enough against users that the copyright holders prefer it to competing schemes.

    If you patent a media format, you get 20 years before someone can make a generic player. If you DRM-infect the format, you get unlimited control over the market for players. The original DVD DRM has been cracked for years, but DVD CCA can still prevent the import of unlicensed DVD players.

  • http://blog.actonline.org Mark Blafkin

    Ah, but it seems you’ve stumbled onto one of the biggest misconceptions about DRM: that is designed to be unbreakable.

    You’re right, it’s inherently unprotectable when it is up against professional researchers and hackers. But, that isn’t the point of DRM.

    As even the AA’s admit, DRM is about keeping honest people honest. It doesn’t have to be perfect, it just has to create a speedbump that will limit the amount of copying and distribution done by everyday consumers. It won’t stop professional hackers or criminals, because it isn’t designed to stop them.

  • http://www.techliberation.com/ Tim Lee

    If DRM is only designed to be a speedbump, then why are the DMCA’s draconian criminal penalties against the creators of circumvention tools necessary? Most users won’t go out of their way to download a circumvention tool even if it’s legal. And most reputable companies won’t distribute piracy software even if doing so is legal (both because it will damage their relationships with content creators and because of possible liability under Grokster). So why not allow the creation of circumvention tools, some of which have legitimate uses that have nothing to do with piracy? If DRM is strictly a matter of making copying inconvenient, won’t the inconvenience of having to download a cracking program be enough of a deterrent to keep honest users honest?

  • http://blog.actonline.org Mark Blafkin

    Ah, but it seems you’ve stumbled onto one of the biggest misconceptions about DRM: that is designed to be unbreakable.

    You’re right, it’s inherently unprotectable when it is up against professional researchers and hackers. But, that isn’t the point of DRM.

    As even the AA’s admit, DRM is about keeping honest people honest. It doesn’t have to be perfect, it just has to create a speedbump that will limit the amount of copying and distribution done by everyday consumers. It won’t stop professional hackers or criminals, because it isn’t designed to stop them.

  • http://www.techliberation.com/ Tim Lee

    If DRM is only designed to be a speedbump, then why are the DMCA’s draconian criminal penalties against the creators of circumvention tools necessary? Most users won’t go out of their way to download a circumvention tool even if it’s legal. And most reputable companies won’t distribute piracy software even if doing so is legal (both because it will damage their relationships with content creators and because of possible liability under Grokster). So why not allow the creation of circumvention tools, some of which have legitimate uses that have nothing to do with piracy? If DRM is strictly a matter of making copying inconvenient, won’t the inconvenience of having to download a cracking program be enough of a deterrent to keep honest users honest?

  • http://bjimba.blogspot.com Jim Russell

    If DRM cannot be made unbreakable, then it will never be a speedbump to the casual copier. The casual copier does not break the DRM, but instead waits for the experts at Doom9 or elsewhere to do so, and then picks up the cleartext media at the Pirate Bay.

  • http://bjimba.blogspot.com Jim Russell

    If DRM cannot be made unbreakable, then it will never be a speedbump to the casual copier. The casual copier does not break the DRM, but instead waits for the experts at Doom9 or elsewhere to do so, and then picks up the cleartext media at the Pirate Bay.

  • http://linuxworld.com/community/ Don Marti

    Anticircumvention actually makes honest users dishonest. If a user has to break the law to do something that he or she believes is a legitimate use (switching brands of media player, snipping a line of movie dialog for the answering machine) then the user loses respect for legitimate copyright law too.

    The DMCA is like the 55mph speed limit of the 21st century.

  • http://enigmafoundry.wordpress.com/ enigma_foundry

    “If DRM is only designed to be a speedbump, then why are the DMCA’s draconian criminal penalties against the creators of circumvention tools necessary?”

    Because the more important goal was to subvert the First amendment. Establish the precedent through cases such as Skylarov that corporate profits matter more than our freedoms.

    What’s wrong with you anyway Tim, are you anti-jobs?

  • http://linuxworld.com/community/ Don Marti

    Anticircumvention actually makes honest users dishonest. If a user has to break the law to do something that he or she believes is a legitimate use (switching brands of media player, snipping a line of movie dialog for the answering machine) then the user loses respect for legitimate copyright law too.

    The DMCA is like the 55mph speed limit of the 21st century.

  • http://enigmafoundry.wordpress.com eee_eff

    “If DRM is only designed to be a speedbump, then why are the DMCA’s draconian criminal penalties against the creators of circumvention tools necessary?”

    Because the more important goal was to subvert the First amendment. Establish the precedent through cases such as Skylarov that corporate profits matter more than our freedoms.

    What’s wrong with you anyway Tim, are you anti-jobs?

Previous post:

Next post: