1
Florian Pestoni
IBM Research
IBM xCP Cluster Protocol
IBM Presentation to Copy Protection Technical Working Group
July 18th, 2002
2
Key points
Designed specifically for home networks
  Implements notion of “authorized domain”
  Devices with different capabilities, protocol-independent, support for intermittent connectivity
Compliant with CPSA
  Chain of solutions based on licensing, usage rules
Peer-to-peer, based on broadcast encryption
  More efficient and secure
3
Content Lifecycle
[Diagram labels: Content Creation; Content Management; Broadband Distribution; Digital Broadcast; Physical Media; Playback Device (×4); Home Gateway; Portable/Car MP3 player; Set-Top Box; Entertainment System]
4
Content Protection Lifecycle
[Diagram labels: Key Management; Content Creation; Content Management; Broadband Distribution; Digital Broadcast; Physical Media; Forensics; Playback Device (×3); Home Gateway; Encrypted content; Tamper-resistant environment; Watermarking]
5
Usage scenarios
Home entertainment network
  Distributed storage, remote playback
Portable
  Connect, download, disconnect
Summer home
  Multiple physical clusters
Party
  Content temporarily available
Marriage
6
Flexible model
Vision
  “Make it easy for a consumer to access all her licensed content from all her devices, but make it hard for her neighbor.”
Virtual device
  Think of a network of (physical) devices as making up a single (virtual) device
  Must limit size
    Avoid the “million-device cluster”
7
Broadcast Encryption
Algorithmic Lineage
  Broadcast encryption - Fiat and Naor, Crypto ’93
  Tracing traitors - Chor et al., Crypto ’94
Alternative to Public Key Encryption
  2 or 3 orders of magnitude less overhead
  One-way protocols lead to more robust implementations
Supports key revocation
  Unlike global secret schemes in which a single hacking event breaks the whole system
8
Broadcast Encryption Basics
Device keys
  Each device is assigned a unique combination of keys
Key Management Block
  Any device with valid device keys can process KMB to obtain key-encrypting key.
Binding Key
  Key-encrypting key is combined with binding identifier, (hash of) usage rules, etc.
9
Key Management Blocks
Scheme is large matrix of random keys
Each device assigned one key from each column
[Diagram: matrix of cells, each containing E_{K_{i,j}}(K_m), the media key K_m encrypted under device key K_{i,j}; labels: Device A, Device B]
KMB is data structure w/ multiple ciphers of same media key under different device keys
10
Tree algorithm
Significantly more efficient
  12 bytes per revocation
  Single device or group of devices
Internet Research Task Force
  Subset-Difference based Key Management for Secure Multicast
11
Binding
Media: CPRM/CPPM
  Physical media playable on any compliant device, content cannot be copied to other media unless authorized
Device: PVR time-shifting/pause live broadcast
  Content can only be played on the device that recorded it originally
User: xCP
  All devices in a cluster can play all content recorded within the cluster
12
xCP Model
Initialization
  Devices in a household form a “cluster” by agreeing on common KMB, cluster ID (secret)
Binding
  Content is cryptographically bound to this cluster, including usage conditions
Compliance
  Only compliant devices can join the cluster
Renewability
  As new KMBs are released, they are adopted by the cluster, updating the local revocation list
13
Cluster model
[Diagram labels: kmbserver; authorizer; client; KMB; authTable; Content + usage rules]
14
Local Authorization Model: Step 1
Who’s there? RSVP: myURL
15
Local Authorization Model: Step 2
I’m here!
I’m here!
16
Local Authorization Model: Step 3
Authorize me? My Player ID is: 0xCAFEBABE and here is a MAC computed with your KMB
17
Local Authorization Model: Step 4
Ok, you’re in. Here’s the cluster ID, encrypted just for you
Must remember cluster ID
There’s only 2 of us so far, we can have 1 more
I verified the MAC, I know the new device is compliant
18
Central Authorization Model: Step 1
Who’s there? RSVP: myURL
19
Central Authorization Model: Step 2
I’m here!
20
Central Authorization Model: Step 3
Authorize me? My Player ID is: 0xCAFEBABE and here is a MAC
21
Central Authorization Model: Step 4
I need to talk to the central authorization server
Please authorize player 0xCAFEBABE for cluster 0xDEADBEEF
22
Central Authorization Model: Step 5
Ok, you’re in. Here’s the cluster ID, encrypted just for you
Player 0xCAFEBABE authorized
Add a device to cluster ID 0xDEADBEEF
Must remember cluster ID
23
Attack 1
Internet-delivered software clone
  Five lines of Perl…
Solution: update MKB
  Send MKB with content
    Physical media, broadcast
  Require periodic connection
    Download updated MKB during reprovisioning
  Cluster adopts new MKB
    MKB revokes clone(s)
24
Attack 2
Block MKB update
  Disconnect cluster
Solution: no more content
  Since MKBs are delivered with content, blocking MKBs means blocking content
  No more content can be compromised
25
Attack 3
Roll back
  (Re-)Introduce MKB that does not revoke clone
Solution: MKB merge
  When new MKB is proposed, it is merged with previous MKB
  Revocation list is union of both MKBs
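The matrix scheme from the Key Management Blocks slide and the MKB merge above, modelled together as an added example (not IBM's xCP code). The XOR-keystream toy cipher, the verification tag, the junk-filled revoked cells, the merge-by-hashing-both-media-keys construction and the three sample devices (a clone that shares cells with devices A and B) are assumptions chosen to reproduce the behaviour the slides state.

```python
import hashlib, hmac, secrets

ROWS, COLS = 4, 3  # toy matrix size, constructed for this example

def toy_cipher(key, data):
    """Stand-in for a real cipher: XOR with a SHA-256 keystream (self-inverse)."""
    stream = hashlib.sha256(b"cell" + key).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def tag(km):
    """Assumed check value that lets a device confirm it recovered the right Km."""
    return hmac.new(km, b"verify", hashlib.sha256).digest()

def device_keys(matrix, rows):
    """A device holds one key from each column; rows[c] is its row in column c."""
    return {(r, c): matrix[r][c] for c, r in enumerate(rows)}

def make_kmb(matrix, km, revoked=()):
    """Encrypt Km under every cell key; cells held by revoked devices get junk."""
    dead = {(r, c) for rows in revoked for c, r in enumerate(rows)}
    cells = {(r, c): secrets.token_bytes(16) if (r, c) in dead
             else toy_cipher(matrix[r][c], km)
             for r in range(ROWS) for c in range(COLS)}
    return {"cells": cells, "verify": tag(km)}

def process_kmb(keys, kmb):
    """Try each of the device's cells; return Km, or None if every cell is revoked."""
    for cell, key in keys.items():
        km = toy_cipher(key, kmb["cells"][cell])
        if hmac.compare_digest(tag(km), kmb["verify"]):
            return km
    return None

def merged_key(keys, kmb_a, kmb_b):
    """Assumed merge: the cluster key needs Km from both KMBs (union of revocations)."""
    kms = [process_kmb(keys, k) for k in (kmb_a, kmb_b)]
    return None if None in kms else hashlib.sha256(kms[0] + kms[1]).digest()

def demo():
    matrix = [[secrets.token_bytes(16) for _ in range(COLS)] for _ in range(ROWS)]
    ka, kb, kc = (device_keys(matrix, d) for d in [(0, 1, 2), (0, 2, 3), (0, 1, 3)])
    current = make_kmb(matrix, secrets.token_bytes(16), revoked=[(0, 1, 3)])  # revokes clone
    rollback = make_kmb(matrix, secrets.token_bytes(16))  # revokes nobody
    merged = [merged_key(k, current, rollback) for k in (ka, kb, kc)]
    return {"a_current": process_kmb(ka, current) is not None,
            "clone_current": process_kmb(kc, current) is not None,
            "clone_rollback": process_kmb(kc, rollback) is not None,
            "merged": [m is not None for m in merged],
            "cluster_agrees": merged[0] == merged[1]}
```

Devices A and B each lose cells to the clone's revocation but still recover Km through a column the clone does not share; the rolled-back MKB alone would readmit the clone, while the merged key does not.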
26
Attack 4
Bridge to “launder” content
  Make a compliant device participate in multiple clusters
  Keep clusters separated
Solution: Authorization table
  Peers are added to authTable
  All share the same authTable
  Content is bound to hash of authTable
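Steps 3 and 4 of the local authorization model and the authTable binding above, as an added example that is not part of the presentation or of xCP itself. The HMAC-based key derivation, the XOR wrapping of the cluster ID, the three-device limit and every sample ID other than 0xCAFEBABE and 0xDEADBEEF are assumptions; `km` stands for the key both sides obtain by processing the same KMB.

```python
import hashlib, hmac, secrets

MAX_DEVICES = 3  # assumed limit, matching "2 of us so far, we can have 1 more"

def kdf(km, label, *parts):
    """Derive a purpose-specific key from Km (HMAC-SHA256; assumed construction)."""
    return hmac.new(km, label + b"|" + b"|".join(parts), hashlib.sha256).digest()

def xor(key, data):
    """Toy wrap/unwrap of a short value under a derived key (self-inverse)."""
    return bytes(a ^ b for a, b in zip(data, key))

class Authorizer:
    def __init__(self, km, cluster_id, auth_table):
        self.km, self.cluster_id, self.auth_table = km, cluster_id, list(auth_table)

    def authorize(self, player_id, mac):
        """Steps 3-4: verify the MAC, enforce the size limit, release the cluster ID."""
        if not hmac.compare_digest(mac, kdf(self.km, b"auth", player_id)):
            return None  # requester could not derive Km from the KMB
        if player_id not in self.auth_table:
            if len(self.auth_table) >= MAX_DEVICES:
                return None  # cluster is full
            self.auth_table.append(player_id)
        # "encrypted just for you": wrapped under a key tied to this player ID
        return xor(kdf(self.km, b"wrap", player_id), self.cluster_id)

def join(km, player_id, authorizer):
    """Client side: send ID + MAC, unwrap the cluster ID from the reply."""
    reply = authorizer.authorize(player_id, kdf(km, b"auth", player_id))
    return None if reply is None else xor(kdf(km, b"wrap", player_id), reply)

def binding_key(km, cluster_id, auth_table, usage_rules):
    """Content key binding: Km + cluster ID + hash(authTable) + hash(usage rules)."""
    table_hash = hashlib.sha256(b"".join(sorted(auth_table))).digest()
    rules_hash = hashlib.sha256(usage_rules).digest()
    return kdf(km, b"bind", cluster_id, table_hash, rules_hash)

def demo():
    km, cid = secrets.token_bytes(16), bytes.fromhex("deadbeef")
    auth = Authorizer(km, cid, [bytes.fromhex("00000001"), bytes.fromhex("00000002")])
    before = binding_key(km, cid, auth.auth_table, b"copy once")
    joined = join(km, bytes.fromhex("cafebabe"), auth)           # compliant device
    clone = join(secrets.token_bytes(16), bytes.fromhex("0badf00d"), auth)  # wrong Km
    fourth = join(km, bytes.fromhex("00000004"), auth)           # cluster already full
    after = binding_key(km, cid, auth.auth_table, b"copy once")
    return joined, clone, fourth, before != after, len(auth.auth_table)
```

Because the binding key covers the hash of the authTable, it changes when a member is added, so content bound in one cluster does not decrypt under another cluster's table even when a device belongs to both.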
27
A Scenario (I)
Movie distribution to a home network
  Studio obtains KMB, device keys, chooses usage rules, encrypts content
  Content is distributed over existing channels (e.g. cable, satellite, PPV), possibly with different usage rules
  Additional protection may be layered, e.g. conditional access
  (Alternatively, free-to-air content may be transmitted in the clear, with broadcast flag set)
  STB receives content, (re-)encrypts, binding to local cluster
  Content downloaded over wireless network to minivan storage for playback on road trip
28
A Scenario (II)
Export to legacy media
  A device on the cluster supports both xCP and CPRM (similarly DTCP, etc.)
  Device checks usage rules, determines export is allowed (e.g. copy once)
  Content is re-encrypted, bound to media (i.e., using MKB on media, media ID) with appropriate usage rules (e.g. copy no more)
  Content on media now plays on any CPRM-compliant device, not just those in the cluster
The different binding models are complementary
  This chain of content protection solutions is the principle behind CPSA.
29
A Scenario (III)
Forensics and renewability
  A clone is detected (typically, Internet-distributed software)
  Device keys used by the clone are determined using forensic examination
  A new KMB is released that revokes that set of keys
  KMB is propagated to the cluster, e.g. new content is protected by this new KMB
  Any device on the cluster can propose a new KMB
  KMB is merged with old one, devices revoked in either KMB are left out
Other techniques (outside the scope of xCP)
  Tracing traitors – identify leaks from bootleg content
30
Conclusion
Flexible model for end-to-end protection
Independent of transmission mechanism
Intermittently connected devices supported
No handshakes required
Fault tolerant, easy backup
Licensing for legal enforcement
Compatible with CPSA-compliant technologies
Balance between consumers’ and content owner’s rights and expectations
31
Q & A
33
Where can I learn more about this?
IBM Submission to DVB: “DVB-CPT Call for Proposals for Content Protection & Copy Management”, ftp://dvbftp:[email protected]/dvb-cpt/DVB-CPT-716.pdf
IETF draft: “Subset-Difference based Key Management for Secure Multicast”, http://search.ietf.org/internet-drafts/draft-irtf-smug-subsetdifference-00.txt
Crypto 2001: “Revocation and Tracing Schemes for Stateless Receivers”, Dalit Naor, Moni Naor, Jeff Lotspiech, http://eprint.iacr.org/curr (Go to paper 2001/059)
Computer Magazine cover feature: “Broadcast encryption’s bright future”, Jeff Lotspiech, Stefan Nusser, Florian Pestoni (to be published August 2002)