Content security
Ecole d'été RESCOM 2006
DIEHL Eric, Technology, Corporate Research, Security Domain Manager
12 June 2006
What is content security about?
• Identify the source of leakage
• Mitigate theft
• Protect content
Eight laws to rule (I to VIII)
Law 1: Pirates will always find a way
• Examples
  • DeCSS: DVD unprotected since 1999
  • Sony Key2Audio and the lethal pen
  • Pay TV cards have always been broken
• Design with mandatory renewability
  • Smart card
• Find the hole
  • Track illegal activity
  • Watermark CP
Law 2: Know the assets to protect
• Examples
  • Wrong asset
  • Useless protection
• Threat analysis
  • What to protect
  • Who are the attackers
  • Identify the attacks, the consequences and the risk
Law 3: No security through obscurity
• Examples
  • Walmart's cart
  • Selection process of AES
• Sound cryptography
  • Kerckhoffs's law
  • Security should rely on the secrecy of keys and not on the secrecy of algorithms
Law 4: Trust no one
• Example
  • AT&T report: 2/3 of content leakage done by insiders!
• Simplify the trust model
  • The less you need to trust, the more secure you are
Reference: BYERS S., et al., Analysis of security vulnerabilities in the movie production and distribution process, AT&T Labs, September 2003, available at http://lorrie.cranor.org/pubs/drm03.html
Law 5: Si vis pacem, para bellum (If you want peace, prepare for war)
• Example
  • DirecTV counter-attacks
• Know your enemy
• Change the target
• Multiple defenses
  • Combination of encryption and watermark
  • Physical security and encryption
Law 6: You are the weakest link
• Examples
  • Password jeopardy
  • Phishing
  • Social engineering
  • MITNICK K., The Art of Deception, WILEY, 2002
• Security must be transparent
A2783E67BFA39C60DF234E79FD45E93F
A2783E67BFA39C60DF234E7BFD45E93F
Law 7: Security is not stronger than the weakest link
• Examples
  • High-robustness security locks on a thin wooden door
  • Constant failure of copy protection for CD-A
  • Side-channel attacks
• Design security from the start
• Strengthen the weakest element
Law 8: Security is a process, not a product
• Examples
  • Day-to-day patching process
  • Best firewall with default admin password
• Security is global
  • Secure system A + secure system B is not a secure system
• Security policy is mandatory
• Certainty is a weakness
An example: NexGuard™
(Diagram, boxes as labelled: Encrypt content; Decrypt & watermark content; Create & encrypt licence; Decrypt licence)
An example: NexGuard
• Si vis pacem, para bellum
  • Encryption and watermark
  • Possible revocation of every element
• You are the weakest link
  • Transparent for the user
• No security through obscurity
  • Use of proven cryptography (AES, RSA)
  • Keys are stored in secure cards
• Trust no one
  • A very limited set of assumptions
An example: NexGuard
• Pirates will always find a way
  • Smart card allows renewability
• Know the assets to protect
  • Only protect content
• Security is not stronger than the weakest link
  • Special effort in the design of the product
• Security is a process, not a product
  • Help the customer to design its security policy
  • Best practices, guidelines, …
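The licence-and-watermark flow of the NexGuard slides (encrypt the content once, wrap the content key in a per-device licence, decrypt and forensically watermark on the device, then trace a leaked copy back to its source, the "identify source of leakage" goal of the first slide) as an added example written for this page, not NexGuard's own code. Assumptions: an HMAC-SHA256 counter keystream stands in for AES, a per-card shared secret stands in for the RSA key in the secure card, and an LSB mark on 8-bit samples stands in for a real watermark.

```python
import hmac, hashlib, secrets

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher: HMAC-SHA256 counter keystream XORed with data.
    # Stand-in for the AES on the slide; the same call encrypts and decrypts.
    ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def embed_watermark(samples: bytes, device_id: int) -> bytes:
    # Forensic mark: write the 32-bit device id into the LSB of the first 32 samples.
    marked = bytearray(samples)
    for i in range(32):
        marked[i] = (marked[i] & 0xFE) | ((device_id >> (31 - i)) & 1)
    return bytes(marked)

def extract_watermark(samples: bytes) -> int:
    # Read the LSBs back: names the licensed device that produced this copy.
    return int("".join(str(b & 1) for b in samples[:32]), 2)

def encrypt_content(content: bytes) -> tuple[bytes, bytes]:
    # Head end: fresh content key, content encrypted once for every customer.
    ck = secrets.token_bytes(32)
    return ck, keystream_xor(ck, content)

def create_licence(ck: bytes, device_id: int, device_secret: bytes) -> bytes:
    # Licence: content key + device id, wrapped under that device's card secret
    # (assumed stand-in for the RSA key held in the secure card).
    return keystream_xor(device_secret, ck + device_id.to_bytes(4, "big"))

def decrypt_and_watermark(enc: bytes, licence: bytes, device_secret: bytes) -> bytes:
    # Device side: unwrap the licence, decrypt the content, mark the clear copy
    # with the id carried in the licence before it leaves the card's control.
    plain = keystream_xor(device_secret, licence)
    ck, device_id = plain[:32], int.from_bytes(plain[32:], "big")
    return embed_watermark(keystream_xor(ck, enc), device_id)

def trace_leak(leaked_copy: bytes) -> int:
    # Investigation side: a copy found in the wild points back to one licence.
    return extract_watermark(leaked_copy)

def demo() -> tuple[int, bool]:
    content = bytes(range(256)) * 4            # constructed 1 KiB of 8-bit samples
    ck, enc = encrypt_content(content)
    cards = {1: secrets.token_bytes(32), 7: secrets.token_bytes(32)}
    copy7 = decrypt_and_watermark(enc, create_licence(ck, 7, cards[7]), cards[7])
    # The mark only touches LSBs, so the payload is otherwise intact.
    intact = all(a >> 1 == b >> 1 for a, b in zip(copy7, content))
    return trace_leak(copy7), intact
```

Running `demo()` returns `(7, True)`: the leaked copy is attributed to device 7 while the content itself is unchanged above the LSB.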
Conclusions
• Piracy is a reality
• BUT
  • A toolbox already exists
  • Many fields open for academic/industrial research
    • Cryptography
    • Watermark
    • Fingerprint
    • Smart cards
    • Policy enforcement and definition
    • Formal proof of security
    • …
Thank you for your attention
This document is for background informational purposes only. Some points may, for example, be simplified. No guarantees, implied or otherwise, are intended.