Todays Show:

Cryptography, DRM and You

We talk about DRM quite often. Technically it stands for Digital Rights Management, but we did have a listener recommend we try to change that to Digitally Restricted Media. The point of DRM is to protect digital media files from piracy. The actual result of DRM is a lot of frustration for those who just want to watch movies and listen to music.

We recently read about a vulnerability discovered in OpenSSL that could have an impact on DRM in consumer electronics. OpenSSL is a freely available software package used in countless different products to protect sensitive information, which could include movies and songs that the content owners dont want to have freely available on the Internet.

Before we get into the actual vulnerability, the flaw in the OpenSSL software, we need to provide a little background on Cryptography and how it applies to DRM. Weve talked about how plasma TVs and LCD TVs work in the past. So along those lines, were going to get a little geeky on how DRM works.

What is Cryptography?
So in a nutshell, cryptography is a big umbrella that describes many different ways to protect information or keep a secret. Remember Ralphies decoder ring in A Christmas Story? Yep, that was cryptography. The secret there was the phrase Be sure to drink your Ovaltine. The secret in DRM is the actual audio or video file that is useless unless you know how to decode it so you can play it back.

Keys
Imagine cryptography as a box. You have to have a key to lock something inside the box so you can keep it secret. You also need a key to open the box to reveal the secret. There are two ways to do this. With symmetric key cryptography, you use the same key to lock and unlock the box. With asymmetric cryptography, one key can lock the box, but a different one must be used to unlock it.

Asymmetric key algorithms are more secure. Everyone keeps their private key safe, and provides only their public key to the world. If I want to send you a message, I can lock it with your public key because I know that youre the only one who can open it, because youre the one one with your private key. These algorithms are more secure, but they also require a lot more processing power, making them less than ideal for audio and video playback.

When youre playing an audio or video file, you have to decode it quickly so that you dont get any stuttering or delays in the content. Symmetric key algorithms require less processing horsepower and are easier to implement on-the-fly. Thats why the DRM scheme chosen for Blu-ray, called Advanced Access Content System (AACS), chose a symmetric encryption algorithm (they use AES, Advanced Encryption Standard).

You can pretty quickly realize that its not the encryption or the algorithm or anything else that really matters. What really matters is protecting your keys. If a key gets published on the Internet, anyone can use it to decrypt any Blu-ray movie and essentially post DRM-free copies of full quality content. Without getting into too much detail, AACS has a way to create unique keys for devices that can be turned off if theyre compromised, but that still doesnt solve the problem.

The Vulnerability
So what exactly was this vulnerability in OpenSSL? When you hear it, you may get a little chuckle. Evidently scientists from the University of Michigan found a way to read tiny pieces of a private key by injecting slight fluctuations in a devices power supply as it was processing encrypted messages. It took a little over 100 hours, but eventually they were able to get the entire 1024-bit key.

This may not really impact you all that much, if you see a bunch of people around your Blu-ray player with lasers and a rack of servers, ask them politely to leave. And, to be honest, it isnt even the easiest way to crack Blu-ray. The tried an true method is to use a software based Blu-ray player on any computer and simply examine whats in memory while the player is running. At some point the software player will need to put the key in memory to use it, and you can grab it.

But what it shows is that no matter what you do to protect your digital content, someone with enough determination can find a way to break it. In this case an $80 Blu-ray player and a little over 4 days of Jolt cola and power fluctuations cracks every Blu-ray disc on the market. So even if you push Blu-ray decryption to hardware on a PC, it can still be cracked.

Why does it matter?
So the real question is, why does any of this matter to any of us? Bottom line, those of us who follow the rules dont spend 4 days shining a laser on our Blu-ray player so we can crack it and distribute pirated movies. Those who dont care about the legalities of content protection are going to do it no matter what the rules say.

So piracy still happens, DRM or not, there will always be pirated copies of movies and music available on the Internet. But for those of us who dont pirate content, we get the shaft trying to figure out why the movie we just bought wont play on our laptop or the TV show we just bought wont stream to our media center extender.

The only people who get punished are the ones who follow the rules. We think DRM should simply be a thing of the past. If content owners want to charge for content, provide a service worth charging for. Make it super easy to find what we want. Make the downloads or streams incredibly reliable. Make the service something worth coming back to. It worked for iTunes. Despite every song available there being available for free elsewhere on the Internet, people still buy songs from iTunes.

Abolish DRM, free the content, stop punishing everybody for the transgressions of a few. Besides, you arent even stopping those few, so whats the point?

Download Episode #416