1

Florian Pestoni

IBM Research

fpestoni@us.ibm.com

IBM

xCP Cluster Protocol

IBM Presentation to Copy Protection Technical Working GroupJuly 18th, 2002

2

Key points Designed specifically for home networks

Implements notion of “authorized domain” Devices with different capabilities, protocol-

independent, support for intermittent connectivity

Compliant with CPSA Chain of solutions based on licensing, usage rules

Peer-to-peer, based on broadcast encryption More efficient and secure

3

Content Lifecycle

Content Creation

Content Management

BroadbandDistribution

DigitalBroadcast

PhysicalMedia

PlaybackDevice

PlaybackDevice

PlaybackDevice

PlaybackDevice

HomeGateway

Portable/CarMP3 player

Set-Top Box

EntertainmentSystem

4

Key Management

Content Protection Lifecycle

Content Creation

Content Management

BroadbandDistribution

DigitalBroadcast

PhysicalMedia

Forensics

PlaybackDevice

PlaybackDevice

PlaybackDevice

HomeGateway

Encrypted content

Tamper-resistentenvironment

Watermarking

5

Usage scenarios Home entertainment network

Distributed storage, remote playback Portable

Connect, download, disconnect Summer home

Multiple physical clusters Party

Content temporarily available Marriage

6

Flexible model Vision

“Make it easy for a consumer to access all her licensed content from all her devices, but make it hard for her neighbor.”

Virtual device Think of a network of (physical) devices as

making up a single (virtual) device Must limit size

Avoid the “million-device cluster”

7

Broadcast Encryption Algorithmic Lineage

Broadcast encryption - Fiat and Naor, Crypto ’93

Tracing traitors - Chor et al., Crypto ’94 Alternative to Public Key Encryption

2 or 3 orders of magnitude less overhead One-way protocols lead to more robust

implementations Supports key revocation

Unlike global secret schemes in which a single hacking event breaks the whole system

8

Broadcast Encryption Basics Device keys

Each device is assigned a unique combination of keys

Key Management Block Any device with valid device keys can

process KMB to obtain key-encrypting key. Binding Key

Key-encrypting key is combined with binding identifier, (hash of) usage rules, etc.

Skip details

9

Key Management Blocks Scheme is large matrix of random keys Each device assigned one key from each column

EKi,j(Km)

EKi,j(Km)

EKi,j(Km)

EKi,j(Km)

EKi,j(Km)

EKi,j(Km)

EKi,j(Km)

EKi,j(Km)

EKi,j(Km)

EKi,j(Km)

EKi,j(Km)

Device A

Device B

KMB is data structure w/multiple ciphers of same media key under different device keys

10

Tree algorithm

Significantly more efficient 12 bytes per revocation

Single device or group of devices

Internet Research Task Force Subset-Difference based Key Management for Secure

Multicast

11

Binding Media

CPRM/CPPM Physical media playable on any compliant device,

content cannot be copied to other media unless authorized

Device PVR time-shifting/pause live broadcast

Content can only be played on the device that recorded it originally

User xCP

All devices in a cluster can play all content recorded within the cluster

12

xCP Model Initialization

Devices in a household form a “cluster” by agreeing on common KMB, cluster ID (secret)

Binding Content is cryptographically bound to this cluster,

including usage conditions Compliance

Only compliant devices can join the cluster Renewability

As new KMBs are released, they are adopted by the cluster, updating the local revocation list

Skip protocol

13

Cluster modelkmbserver

authorizer

client

KMB

authTable

Content +usage rules

Content +usage rules

KMB

authTable

14

Local Authorization ModelStep 1

Who’s there?RSVP: myURL

15

Local Authorization ModelStep 2

I’m here!

I’m here!

16

Local Authorization ModelStep 3

Authorize me?My Player ID is:0xCAFEBABE and here is a MAC computed with your KMB

17

Local Authorization ModelStep 4

Ok, you’re in.Here’s the cluster ID, encrypted just for you

Must remember cluster

ID

There’s only 2 of us so far, we can have 1 more

I verified the MAC, I know the new

device is compliant

18

Central Authorization ModelStep 1

Who’s there?RSVP: myURL

19

Central Authorization ModelStep 2

I’m here!

20

Central Authorization ModelStep 3

Authorize me?My Player ID is:0xCAFEBABE and here is a MAC

21

Central Authorization ModelStep 4

I need to talk to the central

authorization server

Please authorize player 0xCAFEBABE for cluster 0xDEADBEEF

22

Central Authorization ModelStep 5

Ok, you’re in.Here’s the cluster ID, encrypted just for you

Player 0xCAFEBABE authorized

Add a device to cluster ID

0xDEADBEEF

Must remember cluster ID

23

Attack 1 Internet-delivered software clone

Five lines of Perl… Solution: update MKB

Send MKB with content Physical media, broadcast

Require periodic connection Download updated MKB during reprovisioning

Cluster adopts new MKB MKB revokes clone(s)

24

Attack 2 Block MKB update

Disconnect cluster Solution: no more content

Since MKBs are delivered with content, blocking MKBs means blocking content

No more content can be compromised

25

Attack 3 Roll back

(Re-)Introduce MKB that does not revoke clone

Solution: MKB merge When new MKB is proposed, it is merged

with previous MKB Revocation list is union of both MKBs

26

Attack 4 Bridge to “launder” content

Make a compliant device participate in multiple clusters

Keep clusters separated Solution: Authorization table

Peers are added to authTable All share the same authTable Content is bound to hash of authTable

27

A Scenario (I) Movie distribution to a home network

Studio obtains KMB, device keys, chooses usage rules, encrypts content

Content is distributed over existing channels (e.g. cable, satellite, PPV), possibly with different usage rules

Additional protection may be layered, e.g. conditional access

(Alternatively, free-to-air content may be transmitted in the clear, with broadcast flag set)

STB receives content, (re-)encrypts, binding to local cluster

Content downloaded over wireless network to minivan storage for playback on road trip

28

A Scenario (II) Export to legacy media

A device on the cluster supports both xCP and CPRM (similarly DTCP, etc.)

Device checks usage rules, determines export is allowed (e.g. copy once)

Content is re-encrypted, bound to media (i.e using MKB on media, media id) with appropriate usage rules (e.g. copy no more)

Content on media now plays on any CPRM compliant device, not just those in the cluster

The different binding models are complementary This chain of content protection solutions is the

principle behind CPSA.

29

A Scenario (III) Forensics and renewability

A clone is detected (typically, Internet-distributed software)

Device keys used by the clone are determined using forensic examination

A new KMB is released that revokes that set of keys KMB is propagated to the cluster, e.g. new content is

protected by this new KMB Any device on the cluster can propose a new KMB KMB is merged with old one, devices revoked in

either KMB are left out Other techniques (outside the scope of xCP)

Tracing traitors – identify leaks from bootleg content

30

Conclusion

Flexible model for end-to-end protection Independent of transmission mechanism Intermittently connected devices supported No handshakes required Fault tolerant, easy backup Licensing for legal enforcement Compatible with CPSA-compliant technologies Balance between consumers’ and content

owner’s rights and expectations

31

Q & A

32

Thank you

Florian PestoniIBM Almaden Research Center

San Jose, CAfpestoni@us.ibm.com

33

Where can I learn more about this?

IBM Submission to DVB“DVB-CPT Call for Proposals for Content Protection & Copy Management”ftp://dvbftp:dvb2000@ftp.dvb.org/dvb-cpt/DVB-CPT-716.pdf

IETF draft“Subset-Difference based Key Management for Secure Multicast”http://search.ietf.org/internet-drafts/draft-irtf-smug-subsetdifference-00.txt

Crypto 2001“Revocation and Tracing Schemes for Stateless Receivers”Dalit Naor, Moni Naor, Jeff Lotspiechhttp://eprint.iacr.org/curr (Go to paper 2001/059)

Computer Magazine cover feature“Broadcast encryption’s bright future”Jeff Lotspiech, Stefan Nusser, Florian Pestoni(to be published August 2002)