Rights Locker

The CES period is always an interesting time because many initiatives are disclosed or present their progress. In the field of DRM, there are two interesting pieces of news:

Disney is starting to unveil more about its KeyChest technology. CNBC presented the following spot.

At the same time, DECE issued a press release presenting its latest milestones. In a nutshell, DECE has:

  • defined a common file format (in the FAQ, it seems to be compliant with Microsoft’s PIFF),
  • selected a company that will host the rights locker,
  • and announced that five DRMs will support it (Adobe, Marlin, Microsoft PlayReady, OMA and Widevine).

Both KeyChest and DECE use the new concept of a rights locker. In very simple terms, a rights locker is a database that stores the usage rights a customer has purchased. This database should be shared among content distributors. The promise is that if you purchase one piece of content, it may be played back (if you paid for such rights) on any of your devices (or at least on the devices compliant with this rights locker), independently of the DRM used by the device. In other words, the usage rights are linked to the customer rather than to his/her devices.

This is great progress in electronic content distribution. One of the strongest complaints of customers is the lack of interoperability between DRMs. This is an answer to it.

Without doubt, this blog will return to the topic of rights lockers in the future.

An original way to mark text

Amazon has filed an interesting patent titled System and method for marking content. The idea is rather simple: create a dictionary of synonyms, then, to uniquely mark a piece of textual content, replace a set of defined words with selected synonyms. Of course, the patent explores all the alternatives, but in a nutshell this is the main idea.

For fun, here is the first claim:

1. A system, comprising: a processor; and a memory comprising program instructions, wherein the program instructions are executable by the processor to: receive a request for particular content; extract a copy of the requested particular content from a content collection, wherein the particular content includes textual data; substitute a synonym for each of one or more selected words in the textual data of the copy, wherein to substitute a synonym for each of one or more selected words, the program instructions are further executable by the processor to: access a synonym database comprising a plurality of key words, wherein each key word is associated with one or more synonyms in the synonym database; and select a particular synonym to substitute for a particular selected word in the textual data of the copy from one or more synonyms associated with a key word in the database that matches the particular selected word in the textual data of the copy; and return the copy with the substituted synonyms in response to the request.

Does it work? For a watermark, there are typically three parameters to examine:

  • Transparency: There are some issues. First of all, it probably is not applicable to literature. Synonyms are rarely perfect, and authors may not accept modifications of their text. Nevertheless, for many texts, and for non-purists, it may be rather transparent, although I’m not sure there would not be some readable artifacts.
  • Robustness: It is obvious that it is easy to detect some substitutions. If the content’s integrity is not protected, it is rather easy to wash the mark or forge a newly marked copy. If the purpose is to fight piracy (such as illegal redistribution), it will not work: the hacker will remove the integrity protection and substitute words.
  • Payload: This depends on the text’s length and the variety of the vocabulary used.

It is an interesting approach, although not a robust one. In some specific contexts, it may be of interest.
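As an added illustration (not from the patent, nor Amazon's code), here is a Go sketch of the marking scheme with a constructed four-word synonym table: each occurrence of a key word carries one payload bit, and the extractor makes the robustness point above visible, since a single paraphrase by a third party silently corrupts the recovered identifier.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed synonym table (assumed, not the patent's): two forms per key word.
var synonyms = map[string][2]string{
	"big": {"big", "large"}, "fast": {"fast", "quick"},
	"buy": {"buy", "purchase"}, "start": {"start", "begin"},
}

// lookup returns the key word and bit index a token encodes, if any.
func lookup(tok string) (string, int, bool) {
	for k, alts := range synonyms {
		for b, alt := range alts {
			if tok == alt {
				return k, b, true
			}
		}
	}
	return "", 0, false
}

// Mark embeds the low nbits of id (LSB first) by choosing, for each key word
// met in reading order, the synonym indexed by the next payload bit.
func Mark(text string, id uint, nbits int) string {
	words, n := strings.Fields(text), 0
	for i, w := range words {
		if key, _, ok := lookup(w); ok && n < nbits {
			words[i] = synonyms[key][(id>>uint(n))&1]
			n++
		}
	}
	return strings.Join(words, " ")
}

// Extract reads the choices back. A later substitution by anyone flips bits
// and nothing detects it: the robustness weakness noted above.
func Extract(text string, nbits int) (id uint, n int) {
	for _, w := range strings.Fields(text) {
		if _, b, ok := lookup(w); ok && n < nbits {
			id |= uint(b) << uint(n)
			n++
		}
	}
	return id, n
}

func main() {
	fmt.Println(Mark("buy the big fast car and start the engine", 10, 4))
}
```

The payload is bounded by the number of key-word occurrences in the text, which is exactly the dependency on length and vocabulary listed under Payload.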

Thanks to JJQ for pointing to this patent.

Microsoft’s PIFF

Last month, Microsoft announced an important initiative for DRM interoperability. Within a larger announcement, they disclosed the Protected Interoperable File Format (PIFF). The media focused mainly on Smooth Streaming and Silverlight, but the content protection community should be interested in PIFF.

In a nutshell, PIFF defines a file format with a list of supported codecs but, above all (at least for security-minded people), two mandatory AES-based scrambling modes. The basic idea for interoperability is that the license for PIFF-protected essence can be delivered by any DRM system. Provided they both have the scrambling key used to protect “Rambo 28”, merchant A and merchant B can sell it using different DRMs. PIFF-compliant device A with DRM A can play “Rambo 28” sold by merchant B with DRM B; device A just needs to get a license from merchant A. The essence, i.e. “Rambo 28”, remains the same.
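To make the key-separation idea concrete, here is an added Go example (not PIFF code, and not Microsoft's): the essence is scrambled once with AES-CTR, and two hypothetical DRMs, DRM-A and DRM-B, each wrap the same content key for their own device, so either device plays the same scrambled file with a license from its own DRM. The 16-byte IV, the AES-GCM wrapping and the key values are my assumptions; PIFF itself only fixes the scrambling of the essence, not the license format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func mustBlock(key []byte) cipher.Block { // AES block, panics on bad key length
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// ScrambleEssence applies AES-128-CTR, one of the AES modes the text says PIFF
// mandates (a plain 16-byte IV is assumed). CTR is symmetric: same call undoes it.
func ScrambleEssence(contentKey, iv, essence []byte) []byte {
	out := make([]byte, len(essence))
	cipher.NewCTR(mustBlock(contentKey), iv).XORKeyStream(out, essence)
	return out
}

// IssueLicense stands in for one DRM system (hypothetical): it never touches the
// essence, only wraps contentKey under the device key (AES-GCM, DRM name as AAD).
func IssueLicense(drmName string, deviceKey, contentKey []byte) []byte {
	gcm, _ := cipher.NewGCM(mustBlock(deviceKey))
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, contentKey, []byte(drmName))
}

// Play unwraps the license on the device, then descrambles the shared essence.
func Play(drmName string, deviceKey, license, iv, scrambled []byte) ([]byte, error) {
	gcm, _ := cipher.NewGCM(mustBlock(deviceKey))
	ns := gcm.NonceSize()
	key, err := gcm.Open(nil, license[:ns], license[ns:], []byte(drmName))
	if err != nil {
		return nil, err // wrong device key, or a license issued by another DRM
	}
	return ScrambleEssence(key, iv, scrambled), nil
}

func main() { // constructed key and IV; prints the scrambled essence in hex
	fmt.Printf("%x\n", ScrambleEssence([]byte("0123456789abcdef"), make([]byte, 16), []byte("Rambo 28")))
}
```

The security of the whole scheme then rests on how each DRM protects the content key on its devices; the shared scrambling format only removes the need to re-encrypt the essence per DRM.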

Is it a new, revolutionary approach? No. DVB has embraced this approach for many years with Simulcrypt. In 2004, Thomson proposed to standardize this layer of protection in the IST Medianet project.

Is it a good thing? YES. In my opinion, it is clearly the right approach. That a giant like Microsoft takes this path is huge. Furthermore, it is royalty free, which is wise of Microsoft to facilitate adoption. Now, the condition of success is that there will be ONE unique such format. Were there more than one, it would decrease its impact.

Of course, we may expect that the next generation of Windows DRM and PlayReady will support PIFF. Which DRM technology provider will be the next one?

Will Quantum cryptography become mainstream?

Siemens SIS has teamed up with the Swiss company id Quantique to propose quantum-cryptography-protected key exchange over dark fiber. (See id Quantique and Siemens collaborate to commercialize Quantum Key Distribution in the Netherlands.)

Quantum cryptography has the intrinsic property of being robust against eavesdropping. According to Heisenberg, when observing an electron, you change its spin. This makes (in theory) its interception impossible, and thus extremely secure.

It is one of the first large-scale commercial initiatives. The offer is currently limited to the Netherlands and costs about $80,000 for a pair of boxes. Thus, it is not yet there to protect your personal mails.

But, the future is coming nearer.

Is SSL still secure?

I know that the title is somewhat provocative. Nevertheless, the current system of certificates, and more precisely the way browsers handle them, presents some weaknesses.

In security newsletter N°12, Mohamed Karroumi explained the latest attacks using forged MD5 certificates to mount a man-in-the-middle attack. The designers of the attack were Alexander Sotirov and Mike Zusman. At that time, the countermeasure seemed simple: stop using MD5 certificates.

At the last Black Hat (2009), the same researchers disclosed a new attack that bypassed this protection. The Extended Validation (EV) certificate standard was designed to have a more secure certificate attribution process (no simple online application…) and also banned RSA-1024 and MD5. Thus, we could believe that a site using an EV certificate should be safe against the MD5-based man-in-the-middle. They demonstrated that this was wrong. In fact, most browsers accept starting a session with an EV certificate and continuing with a non-EV certificate. Game over. Sotirov and Zusman showed the actual attack at the conference.

The countermeasure does not seem simple if a smooth deployment is expected, unless it is possible to ban ALL MD5 certificates. Maybe there will be some news in our next newsletter.

Consumer Strategies for Deterring Illegal File-Sharing Using Digital Serial Numbers

The Digital Watermarking Alliance (DWA) released last month the results of a survey it commissioned. The purpose was to evaluate what impact the use of Digital Serial Numbers (DSN) would have on piracy. A Digital Serial Number embeds, through a watermark, a unique identifier of the device that rendered the content. This allows tracing back the origin of an eventual leak.

The answer is obviously that it would have an effect. About half of the respondents admitted that they would stop file sharing. This is probably not a surprise to anybody.

A more interesting output is the reasons why the other half of the respondents would not stop file sharing:

– I don’t download enough to be caught.
– The online community will remove DSNs.
– DSNs will not be enforced strongly enough to make a difference.
– My downloading would remain the same as a statement of principle.
– The BitTorrent community can avoid sharing files with DSNs.
– The risk is worth it.

The document also highlights that DSN is a deterrent only if users are aware of it.

The document is available here.

PS: THOMSON is a member of DWA.

Cheap face recognition

I just read about KeyLemon, a company that offers face-recognition-based login to Windows XP for less than $40. They have a trial version. For fun, I decided to try it.

The installation was straightforward. It used my webcam. When registering for the first time, it became touchy: the software wants you to be in a given, relatively precise position.

Instead of your typical login screen, you have a screen that displays what the webcam sees, and a field to possibly enter your password. Once it recognized me (after a few seconds), it logged me on without any problem. Now, the funny part: let’s push the limit slightly. I registered with my glasses, because I work without them in front of my screen. When I tried with the glasses, it did not recognize me. OK, let’s do it without the glasses.

Of course, you all already thought about it. I took a picture of myself with the webcam and printed it on the color printer. YES!!!! It recognized my picture! That’s really bad! An easy way to impersonate someone.

Then, I decided to comb my hair (those who know me will understand). It did not recognize me. Phew, my picture works.

Then, I decided to train the tool better (after 20 cumulative trainings, with glasses or not, combed or not); it performed worse. Fortunately, there was still the field to type the password in.

KeyLemon is a funny tool but not a secure tool. Don’t trust it. Interestingly, the announced advantages:

Stop wasting time entering your password

I’m not sure who would win the race.

Stop remembering your password

No!!! What if it does not work correctly?

The only funny feature is that it locks the computer once it no longer sees you in front of the screen.