Establishing Security Requirements For DRM Enabled Systems Jeremy Wyant W3C DRM Workshop 23 January 2001
Download ReportTranscript Establishing Security Requirements For DRM Enabled Systems Jeremy Wyant W3C DRM Workshop 23 January 2001
Establishing Security Requirements For DRM Enabled Systems Jeremy Wyant W3C DRM Workshop 23 January 2001 1 W3C DRM WORKSHOP NTRU Background • NTRU provides next generation public key technology with all the same basic security capabilities as RSA or ECC • Public key authentication, digital signature and encryption capabilities are critical technologies for complete DRM solutions • NTRU provides the fastest and smallest public key technology – Enables the only practical technology for the widest range of wired and wireless content capable devices and client solutions – Meets server side performance requirements for normal and peak security transaction loading – Facilitates establishing trusted devices and enhancing the user experience without sacrificing performance NTRU delivers the fastest and most efficient security solutions which are especially well suited to complement DRM technologies and provide end-to-end content protection. 2 W3C DRM WORKSHOP Business Requirements • Content Owner: Strong protection of content and strong authentication of end user • End User: Ease of use, portability, transparency • Leverage Internet economies and paradigms (e.g. Napster) • Support all media types: text, video, audio • Support all platform types, PC, PDA, Mobile, CE • Support wired and wireless, tethered and untethered players • Support streaming and download models • Standards: interoperability for broader adoption, competition and economies of scale 3 W3C DRM WORKSHOP System Security Practices • Security at the system level • Security needs to be designed into the system; only as good as its weakest link • Public scrutiny of algorithms • Renewability of security • Protection of key material in storage and use • Management and distribution of key material 4 W3C DRM WORKSHOP Available Technologies • • • • • • Digital Rights Languages Digitals Rights Management Systems and components Public Key based technology Symmetric key cryptographic components Watermarking Fingerprinting 5 W3C DRM WORKSHOP Public Key Technology Three fundamental Public Key based services apply in this space: • Authentication – – – – • Digital Signature – – – – – • Users Devices Servers Trusted components Data authenticity Data integrity Binding of content, metadata and rights Non-repudiation, e.g. of payment authorization Proof of purchase, e.g. for the user Key exchange (symmetric key typically used for bulk content encryption) – Content encryption 6 W3C DRM WORKSHOP Public Key Related Requirements Analysis • What components in the system need to be authenticated? And for what purposes? • What is the value of the content being protected and the damage that might result from disclosure? • What type of transactions and/or data are being signed? • Who relies on the signature? • Who are the potential trusted third parties? • Who will assume liability if content or other sensitive information is disclosed? 7 W3C DRM WORKSHOP End User Example End User System Distribution Server Authenticate Server/Client Payment Establish Secure Session Content Request Rights Management Content/Rights Description, Payment Options Signed Purchase Authorization Content Packaging Transaction Log Signed Content Protection Public Key Packaged Content w/key(s) and signed receipt ID “Token” Media Client Rights Filters Content Player Key Management Purchase Log Green, bold text indicates transactions involving the use of Public Key 8 W3C DRM WORKSHOP End User Example with Trusted Device End User System Distribution Server Authenticate Server/Client Payment Establish Secure Session Content Request Rights Management Content Packaging ID “Token” Content/Rights Description, Payment Options Media Locker Signed Purchase Authorization Rights Filters Signed Content Protection Public Key Trusted Media Device Packaged Content w/key(s) and signed receipt Transaction Log Purchase Log Green, bold text indicates transactions involving the use of Public Key 9 W3C DRM WORKSHOP Key Lessons Learned • Learn from other PKI projects - SET, Identrus, US NACHA Pilot • End User Experience – Performance – affected by local and server components – Portability of content between devices and users – Trust • Scalability – Communications – Operational – Server Performance – e.g. cryptographic operations 10 For more information, please contact: Jeremy Wyant [email protected] www.ntru.com 11