Today’s Show:

Cryptography, DRM and You

We talk about DRM quite often.  Technically it stands for Digital Rights Management, but we did have a listener recommend we try to change that to Digitally Restricted Media.  The point of DRM is to protect digital media files from piracy.  The actual result of DRM is a lot of frustration for those who just want to watch movies and listen to music.

We recently read about a vulnerability discovered in OpenSSL that could have an impact on DRM in consumer electronics.  OpenSSL is a freely available software package used in countless different products to protect sensitive information, which could include movies and songs that the content owners don’t want to have freely available on the Internet.

Before we get into the actual vulnerability, the flaw in the OpenSSL software, we need to provide a little background on Cryptography and how it applies to DRM.  We’ve talked about how plasma TVs and LCD TVs work in the past.  So along those lines, we’re going to get a little geeky on how DRM works.

What is Cryptography?
So in a nutshell, cryptography is a big umbrella that describes many different ways to protect information or keep a secret.  Remember Ralphie’s decoder ring in A Christmas Story?  Yep, that was cryptography.  The secret there was the phrase “Be sure to drink your Ovaltine.”  The secret in DRM is the actual audio or video file that is useless unless you know how to decode it so you can play it back.

Keys
Imagine cryptography as a box.  You have to have a key to lock something inside the box so you can keep it secret.  You also need a key to open the box to reveal the secret.  There are two ways to do this.  With symmetric key cryptography, you use the same key to lock and unlock the box.  With asymmetric cryptography, one key can lock the box, but a different one must be used to unlock it.

Asymmetric key algorithms are more secure.  Everyone keeps their ‘private’ key safe, and provides only their ‘public’ key to the world.  If I want to send you a message, I can lock it with your public key because I know that you’re the only one who can open it, because you’re the one one with your private key.  These algorithms are more secure, but they also require a lot more processing power, making them less than ideal for audio and video playback.

When you’re playing an audio or video file, you have to decode it quickly so that you don’t get any stuttering or delays in the content.  Symmetric key algorithms require less processing horsepower and are easier to implement on-the-fly.  That’s why the DRM scheme chosen for Blu-ray, called Advanced Access Content System (AACS), chose a symmetric encryption algorithm (they use AES, Advanced Encryption Standard).

You can pretty quickly realize that it’s not the encryption or the algorithm or anything else that really matters.  What really matters is protecting your keys.  If a key gets published on the Internet, anyone can use it to decrypt any Blu-ray movie and essentially post DRM-free copies of full quality content.  Without getting into too much detail, AACS has a way to create unique keys for devices that can be turned off if they’re compromised, but that still doesn’t solve the problem.

The Vulnerability
So what exactly was this vulnerability in OpenSSL?  When you hear it, you may get a little chuckle.  Evidently scientists from the University of Michigan found a way to read tiny pieces of a private key by injecting slight fluctuations in a device’s power supply as it was processing encrypted messages. It took a little over 100 hours, but eventually they were able to get the entire 1024-bit key.

This may not really impact you all that much, if you see a bunch of people around your Blu-ray player with lasers and a rack of servers, ask them politely to leave.  And, to be honest, it isn’t even the easiest way to crack Blu-ray.  The tried an true method is to use a software based Blu-ray player on any computer and simply examine what’s in memory while the player is running.  At some point the software player will need to put the key in memory to use it, and you can grab it.

But what it shows is that no matter what you do to protect your digital content, someone with enough determination can find a way to break it.  In this case an $80 Blu-ray player and a little over 4 days of Jolt cola and power fluctuations cracks every Blu-ray disc on the market.  So even if you push Blu-ray decryption to hardware on a PC, it can still be cracked.

Why does it matter?
So the real question is, why does any of this matter to any of us?  Bottom line, those of us who follow the rules don’t spend 4 days shining a laser on our Blu-ray player so we can crack it and distribute pirated movies.  Those who don’t care about the legalities of content protection are going to do it no matter what the rules say.

So piracy still happens, DRM or not, there will always be pirated copies of movies and music available on the Internet.  But for those of us who don’t pirate content, we get the shaft trying to figure out why the movie we just bought won’t play on our laptop or the TV show we just bought won’t stream to our media center extender.

The only people who get punished are the ones who follow the rules.  We think DRM should simply be a thing of the past.  If content owners want to charge for content, provide a service worth charging for.  Make it super easy to find what we want.  Make the downloads or streams incredibly reliable.  Make the service something worth coming back to.  It worked for iTunes.  Despite every song available there being available for free elsewhere on the Internet, people still buy songs from iTunes.

Abolish DRM, free the content, stop punishing everybody for the transgressions of a few.  Besides, you aren’t even stopping those few, so what’s the point?

Download Episode #416

Posted by The HT Guys, March 12, 2010 12:07 AM