
Content security Ecole d’été RESCOM 2006

Content security Ecole d’été RESCOM 2006. DIEHL Eric Technology, Corporate Research, Security Domain Manager 12 June 2006. What is content security about?. Identify source of leakage. Mitigate theft. Protect content. Eight laws to rule. I III V VII. II IV VI VIII.


Presentation Transcript


  1. Content security • Ecole d’été RESCOM 2006 • DIEHL Eric • Technology, Corporate Research, Security Domain Manager • 12 June 2006

  2. What is content security about? • Identify source of leakage • Mitigate theft • Protect content

  3. Eight laws to rule • I • II • III • IV • V • VI • VII • VIII

  4. Law 1: Pirates will always find a way • Examples • DeCSS unprotected DVD since 1999 • Sony Key2Audio and the lethal pen • Pay TV cards have always been broken • Design with mandatory renewability • Smart card • Find the hole • Track illegal activity • Watermark CP

  5. Law 2: Know the assets to protect • Examples • Wrong asset • Useless protection • Threat analysis • What to protect • Who are the attackers • Identify the attacks, the consequences and the risk

  6. Law 3: No security through obscurity • Example • Walmart’s cart • Selection process of AES • Sound cryptography • Kerckhoffs’s law • Security should rely on the secrecy of keys and not on secrecy of algorithms

  7. Law 4: Trust no one • Example • ATT report • 2/3 of content leakage done by insiders! • Simplify the trust model • The less you need to trust, the more secure you are • BYERS S., et al., Analysis of security vulnerabilities in the movie production and distribution process, ATT Labs, September 2003, available at http://lorrie.cranor.org/pubs/drm03.html

  8. Law 5: Si vis pacem, para bellum (If you want peace, prepare for war) • Example • DirecTV counter attacks • Know your enemy • Change the target • Multiple defenses • Combination of encryption and watermark • Physical security and encryption

  9. Law 6: You are the weakest link • Examples: • Password jeopardy • Phishing • Social Engineering • MITNICK K., The art of deception, WILEY, 2002 • Security must be transparent • A2783E67BFA39C60DF234E79FD45E93F • A2783E67BFA39C60DF234E7BFD45E93F

  10. Law 7: Security is not stronger than the weakest link • Example • High robustness security locks on a thin wooden door • Constant failure of Copy Protection for CD-A • Side Channel Attacks • Design of security from the start • Strengthen the weakest element

  11. Law 8: Security is a process, not a product • Examples • Day-to-day patching process • Best firewall with default admin password • Security is global • Secure system A + secure system B is not a secure system • Security policy is mandatory • Certainty is a weakness

  12. An example: NexGuard™ • Encrypt content • Decrypt & watermark content • Create & encrypt licence • Decrypt licence

  13. An example: NexGuard • Si vis pacem, para bellum • Encryption, and watermark • Possible revocation of every element • You are the weakest link • Transparent for user • No security through obscurity • Use of proven cryptography (AES, RSA) • Keys are stored in secure cards • Trust no one • A very limited set of assumptions

  14. An example: NexGuard • Pirates will always find a way • Smart card allows renewability • Know the assets to protect • Only protect content • Security is not stronger than the weakest link • Special effort in the design of the product • Security is a process, not a product • Help the customer to design its security policy • Best practices, guidelines, …

  15. Conclusions • Piracy is a reality • BUT • A toolbox already exists • Many fields open for academic/industrial research • Cryptography • Watermark • Fingerprint • Smart cards • Policy enforcement and definition • Formal proof of security • …

  16. Thank you for your attention • This document is for background informational purposes only. Some points may, for example, be simplified. No guarantees, implied or otherwise, are intended.
