Content security (RESCOM 2006 Summer School)
DIEHL Eric, Technology, Corporate Research, Security Domain Manager, 12 June 2006

What is content security about?
– Protect content
– Identify the source of leakage
– Mitigate theft
Eight laws to rule
Law 1: Pirates will always find a way
Examples:
– DeCSS: DVD unprotected since 1999
– Sony Key2Audio and the lethal pen
– Pay TV cards have always been broken
Design with mandatory renewability:
– Smart card
Find the hole:
– Track illegal activity
– Watermark
Law 2: Know the assets to protect
Examples:
– Wrong asset
– Useless protection
Threat analysis:
– What to protect
– Who are the attackers
– Identify the attacks, the consequences and the risk
Law 3: No security through obscurity
Examples:
– Walmart’s cart
– Selection process of AES
Sound cryptography, Kerckhoffs’ law:
– Security should rely on the secrecy of keys and not on the secrecy of algorithms
Law 4: Trust no one
Example:
– AT&T report: 2/3 of content leakage is done by insiders!
Simplify the trust model:
– The less you need to trust, the more secure you are
BYERS S., et al., Analysis of security vulnerabilities in the movie production and distribution process, AT&T Labs, September 2003, available at http://lorrie.cranor.org/pubs/drm03.html
Law 5: Si vis pacem, para bellum (if you want peace, prepare for war)
Example:
– DirecTV counter attacks
Know your enemy. Change the target. Multiple defenses:
– Combination of encryption and watermark
– Physical security and encryption
Law 6: You are the weakest link
Examples:
– Password jeopardy
– Phishing
– Social engineering: MITNICK K., The art of deception, WILEY, 2002
Security must be transparent
Law 7: Security is not stronger than the weakest link
Examples:
– High-robustness security locks on a thin wooden door
– Constant failure of copy protection for CD-A
– Side channel attacks
Design security from the start. Strengthen the weakest element.
Law 8: Security is a process, not a product
Examples:
– Day-to-day patching process
– Best firewall with default admin password
Security is global:
– Secure system A + secure system B is not a secure system
A security policy is mandatory. Certainty is a weakness.
An example: NexGuard™
1. Encrypt content
2. Create & encrypt licence
3. Decrypt licence
4. Decrypt & watermark content
An example: NexGuard (how the laws apply)
– Si vis pacem, para bellum: encryption and watermark; possible revocation of every element
– You are the weakest link: transparent for the user
– No security through obscurity: use of proven cryptography (AES, RSA); keys are stored in secure cards
– Trust no one: a very limited set of assumptions
– Pirates will always find a way: the smart card allows renewability
– Know the assets to protect: only protect content
– Security is not stronger than the weakest link: special effort in the design of the product
– Security is a process, not a product: help the customer to design its security policy (best practices, guidelines, …)
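The four-step flow above (encrypt content, create and encrypt a licence, decrypt the licence, decrypt and watermark), as an added example that is not the slides' or the product's own code. It assumes a stdlib-only toy cipher (HMAC-SHA256 in counter mode) standing in for AES, a 16-bit recipient id, and sample-style content where the low bit of each byte can carry the mark; the final function shows why the watermark is there: identifying the source of a leaked copy.

```python
import hashlib
import hmac
import os

def xor_stream(key, nonce, data):
    """Toy stream cipher: HMAC-SHA256 in counter mode. A stand-in for the
    AES used by the real product, chosen only to keep this example stdlib-only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def encrypt_content(content_key, content):
    """Step 1: the content is encrypted once, under a single content key."""
    nonce = os.urandom(12)
    return nonce + xor_stream(content_key, nonce, content)

def create_licence(recipient_key, recipient_id, content_key):
    """Step 2: a per-recipient licence carries the content key and the
    recipient's id, encrypted and authenticated under that recipient's key."""
    nonce = os.urandom(12)
    body = xor_stream(recipient_key, nonce, recipient_id.to_bytes(2, "big") + content_key)
    tag = hmac.new(recipient_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def open_licence(recipient_key, licence):
    """Step 3: check and decrypt the licence; a forged or foreign licence is rejected."""
    nonce, body, tag = licence[:12], licence[12:-32], licence[-32:]
    if not hmac.compare_digest(tag, hmac.new(recipient_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("licence rejected: authentication tag mismatch")
    plain = xor_stream(recipient_key, nonce, body)
    return int.from_bytes(plain[:2], "big"), plain[2:]

def decrypt_and_watermark(recipient_key, licence, encrypted_content):
    """Step 4: decrypt and, in the same step, mark the copy with the recipient id:
    16 bits in the LSB of the first 16 bytes (assumes PCM-like sample data)."""
    recipient_id, content_key = open_licence(recipient_key, licence)
    data = bytearray(xor_stream(content_key, encrypted_content[:12], encrypted_content[12:]))
    for bit in range(16):
        data[bit] = (data[bit] & 0xFE) | ((recipient_id >> (15 - bit)) & 1)
    return bytes(data)

def identify_source(leaked_copy):
    """Forensic step (Law 1, 'find the hole'): read the mark back from a leaked copy."""
    recipient_id = 0
    for bit in range(16):
        recipient_id = (recipient_id << 1) | (leaked_copy[bit] & 1)
    return recipient_id
```

The LSB mark is the simplest possible marker and would not survive re-encoding; a deployed watermark is designed to survive such transformations, which is what Law 5's "prepare for war" demands of it.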
Conclusions
– Piracy is a reality, BUT
– A toolbox already exists
– Many fields are open for academic/industrial research: cryptography, watermark, fingerprint, smart cards, policy enforcement and definition, formal proof of security, …
Thank you for your attention
This document is for background informational purposes only. Some points may, for example, be simplified. No guarantees, implied or otherwise, are intended.