Digital Rights Management and Trusted Computing

1. Digital Rights Management and Trusted Computing Kari Kostiainen T-110.7200 Special Course in Operating System Security April 13th 2007

2. First paper: Enabling fair use with trusted computing(unpublished draft)

3. Motivation • Good DRM system should enable various use cases • Listening a song three times before purchase • Renting a movie so that it can be watched only once • Moving a purchased song from one device to another • Enforcing this kind of stateful licensesis difficult in open platforms • Reverting the system to a previous state is easy  the movie can be watched again • Existing solutions are not satisfactory • Obfuscation and rootkits • Online solutions • Dongles and smardcards • This paper presents an architecture that enables enforcement of stateful licenses on open platforms using trusted computing

4. Security objectives • License integrity and enforcement • All parties must enforce licenses and unauthorized alteration must be infeasible • Freshness • Replay-attacks must be infeasible • License availability • Usage without online connectivity must be possible • Privacy • The system should preserve users’ privacy

5. System model • Strong isolation between compartments • Trusted channels bound to configurations of compartments • In principle all compartments could be located on different machines

6. Implementation • Hardware layer: normal PC hardware with TPM • Virtualization layer: based on L4-family microkernels (Xen could be used as well) • Trusted software layer: based on PERSEUS security architecture • Application layer: legacy operating system (para-virtualized Linux) and security critical applications

7. System startup • Normal TPM-based boot sequence • BIOS measures master boot record (MBR) before giving control to it • MBR measures kernel before giving control to it • and so on… • Uses modified GRUB boot loader • The Compartment Manager (CM) measures other compartments, legacy operating systems and applications before executing them

8. Establishing trusted channels TPM creates PKBIND and SKBIND Verify signature using AIK RC compares to known comp_confLC and TCB_conf TPM creates certBIND using AIK RC creates a secret key sk TM verifies that comp_confLC is same TPM verifies that TCB_conf is same

9. Secure storage overview • Storage Manager maintains metadata indexthat logs usage of securely stored items • To maintain freshness the index also manages a software counter that is incremented synchronously with TPM 1.2 monotonic hardware counter  Provides protection against attacks that try to revert into previous state

10. Using secure storage Sealed against TCB configuration Same TCB configuration TPM counter check missing?

11. Second paper:Enabling advanced mobile DRM scenarios N. Asokan and Jan-Erik Ekberg

12. Example use case • Timo has purchased a song using his mobile device • Anna would like to listen the song as well • Timo transfers the song to Anna’s device for limited free listening • If Anna wants to continue listening she must commit to purchasing the song for herself • Constant online connectivity should not be needed • How to implement a system like this that provides flexible and fair use of purchased content without allowing unauthorized use?

13. Conceptual architecture • DRM device is a tamper-resistant module • Protocol engine contains the actual DRM enforcement logic • Different payment methods can be plugged into this architecture

14. Types of rights and transfers • Each piece of content has two types of rights • Usage rights that govern local use • Transfer rights that specify how new rights can be created for different devices • Different kind of transfers are possible: • Give: once the right is transferred the original device cannot use the content anymore • Copy: a new right is created for the new device

15. Vouchers determine rights • Each piece of content is encrypted with a content key • Rights for a piece are embodied in a voucher that contains • Description of content • Description of rights • Content key encrypted using public key of target device • Sequence number for freshness • MAC for integrity • When rights are transferred the sending device creates a new voucher for the target device • Sending device must check that target device is compliant

16. Metering and reporting new rights • Creation of new rights must be metered and reported • Otherwise, unauthorized copying could take place • New created right can be either sender-reported or receiver-reported • Preview vouchers are special case of receiver-reported voucher • Unreported voucher is marked as report-pending • When a proof of reporting is inserted into device, the report-pending voucher is converted into an unconstrained one • If the number of report-pending vouchers exceeds a certain limit, the device could be disabled in some fashion

17. Lifecycle of vouchers

18. Rights transfer protocol

19. Requirements from platform • The user cannot make modifications in the OS kernel • OS processes cannot access each other’s memory areas • Small tamper-resistant secure storage for kernel which can be used to bootstrap larger secure storage • Process claiming to be DRM engine must be authenticated • Integrity checks could be used

20. Implementation

21. Own thoughts about these paper and DRM in general:

22. Own thoughts • The DRM system should be flexible, so that users can consume legally purchased content on all of their devices • This means that all devices should be compliant  all devices should have TPM or something similar • Will device manufacturers put TPM to 20 € MP3 player? • I don’t think so • Thus, these schemes do not seem promising for music • If TPMs get very popular in PCs use cases like enforcement of software license or video rental might work • But even then it would be difficult to get all audio and video device drivers accepted

23. Thank you!