Security design is the most challenging area of endeavor for system designers because it requires an extraordinary effort to build a system that offers robust security and ensures that people will use it effectively as part of their everyday lives. Any IT administrator who oversees an IPsec virtual private network or passwords for sensitive applications fully understands the challenge of ensuring that users maintain a disciplined access methodology. If security design is difficult to administer in a corporate environment, then imagine what is required to migrate good security practice to the consumer world! The industry now has enough good experience (the Apple iPod) as well as extremely bad practice (Sony's rootkit debacle) to get it right. Elliptic has been working with its customers to refine the security use model and to build an architecture that meets the divergent goals of consumers versus content owners. This is explored in more detail in this article.

Security Fundamentals for DRM

Cryptography is divided into two distinct technologies – symmetric and asymmetric. It is important to have some grounding in each of these technologies, so a short introduction is worthwhile. Links to some excellent books on cryptography are given at the end of the article for those that want to know more or need help in implementing their design.

Symmetric encryption is the backbone of security design as it permits high-performance encryption and decryption of data with modest overhead. Symmetric encryption assumes that identical keys are available at each end of the network, often provided by algorithmic methods or out-of-band communications. Cryptographers now equate symmetric algorithms with the Advanced Encryption Standard (AES), as it is the cipher recommended by NIST and the default candidate for any new security design.
There are some venerable ciphers in broad use, including the Data Encryption Standard (DES) and RC4 (used primarily in SSL), both of which are used in Microsoft Windows DRM for Mobile. DES is an odd choice, as NIST has for many years recommended that it be discontinued due to vulnerabilities, but RC4 remains a robust cipher that will remain in use for many years to come. The table below outlines which symmetric ciphers are used in the most popular DRM designs and adds some commentary as to why the specific cipher was chosen.
One theme that will recur throughout this article is the tendency of DRM system designers to optimize for a specific application. This is certainly the case for HDMI, where a proprietary cipher design was developed through the Digital Content Protection, LLC (a subsidiary of Intel) with the goal of implementing a stream cipher capable of achieving up to 5 Gbps of capacity. HDMI transmits uncompressed, high-definition digital video, and the cipher had to fit a compact gate count suitable for consumer electronics such as flat-panel TVs. While the cipher is extremely compact and meets the throughput goals, the design was broken in a matter of months and remains open to exploits despite its widespread use. There are no shortcuts in good security design, and re-inventing the wheel is seldom the right path to follow. Although it has a higher gate count, the Digital Content Protection, LLC should convert to a NIST-approved cipher – and GCM-AES is the right choice.

The next aspect of security used in DRM is asymmetric cryptography, which encompasses three different subcategories – authentication, key exchange and random number generation. The term asymmetric is used because different keys are used at each end of the network, in contrast to symmetric algorithms, which use the same key at both ends. The algorithms in asymmetric cryptography are much heavier than symmetric ones and as such their performance is generally poor. Asymmetric algorithms are therefore used for specific functions that are not executed very frequently, such as authentication of a player.
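To make the GCM-AES recommendation concrete, the following is an added example (not code from this article, from Elliptic, or from the Digital Content Protection, LLC) of a link encryptor built on AES-GCM from Go's standard library. The stream identifier, the frame counter, the 96-bit nonce layout and the choice to authenticate the cleartext frame header as associated data are assumptions made for the example, not HDCP's actual frame format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// LinkCipher is a hypothetical AES-GCM link encryptor for a video interface.
// The 96-bit GCM nonce is streamID (4 bytes) || frame counter (8 bytes), so no
// nonce repeats under one session key as long as the counter never wraps.
type LinkCipher struct {
	aead     cipher.AEAD
	streamID uint32
	next     uint64 // counter of the next frame to be sent
}

func NewLinkCipher(sessionKey []byte, streamID uint32) (*LinkCipher, error) {
	block, err := aes.NewCipher(sessionKey) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &LinkCipher{aead: aead, streamID: streamID}, nil
}

func (l *LinkCipher) nonce(frame uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint32(n[:4], l.streamID)
	binary.BigEndian.PutUint64(n[4:], frame)
	return n
}

// SealFrame encrypts one frame. The header (timing, control bits) is sent in the
// clear but bound into the tag as associated data, so it cannot be swapped between
// frames. Returns the counter the receiver needs to rebuild the nonce, followed by
// ciphertext || 16-byte tag.
func (l *LinkCipher) SealFrame(header, pixels []byte) (uint64, []byte, error) {
	if l.next == math.MaxUint64 {
		return 0, nil, errors.New("frame counter exhausted: session must be rekeyed")
	}
	ctr := l.next
	l.next++
	return ctr, l.aead.Seal(nil, l.nonce(ctr), pixels, header), nil
}

// OpenFrame decrypts and verifies one frame. Any modified bit in the header, the
// ciphertext or the tag, or a counter that does not match, returns an error and
// no plaintext is released.
func (l *LinkCipher) OpenFrame(ctr uint64, header, sealed []byte) ([]byte, error) {
	return l.aead.Open(nil, l.nonce(ctr), sealed, header)
}

func main() {
	key := make([]byte, 16) // constructed session key; a real one comes from key derivation
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	tx, _ := NewLinkCipher(key, 1)
	rx, _ := NewLinkCipher(key, 1)

	header := []byte("1920x1080 frame header")
	pixels := []byte("constructed pixel payload")
	ctr, sealed, _ := tx.SealFrame(header, pixels)
	if plain, err := rx.OpenFrame(ctr, header, sealed); err == nil {
		fmt.Printf("frame %d ok: %q\n", ctr, plain)
	}

	sealed[0] ^= 0x01 // one ciphertext bit altered in transit
	if _, err := rx.OpenFrame(ctr, header, sealed); err != nil {
		fmt.Println("modified frame rejected:", err)
	}
}
```

The point the proprietary stream cipher missed is visible in OpenFrame: decryption and integrity are one operation, so a modified or re-ordered frame is rejected rather than rendered. The counter check in SealFrame matters because reusing a nonce under the same AES-GCM key breaks both confidentiality and the authentication tag; a real link must rekey before the counter wraps.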
Authentication is the central algorithm for DRM as it permits a content server to cryptographically confirm that a client on the other end of the network has the right credentials to receive and decrypt content. DRM designers have leveraged the FIPS 186-2 Digital Signature Standard (DSS) as the cornerstone technology for authentication, using either RSA or Elliptic Curve algorithms. An asymmetric algorithm relies on the concept of a public and private key pair that are mathematically related. It is possible to widely distribute the public key to other users without opening a security vulnerability. The digital signature algorithms are shown in Figures 1 and 2. In digital rights management, the licensing authority will issue the DRM licensee (the manufacturer of the client – i.e., a player, flat-panel TV or gateway) a certificate and a public/private key pair for use in service. The client will sign the certificate with the licensing authority private key and send it to the content server along with the public key when a content request is processed. The content server can then use the key and certificate to verify the certificate and thereby authenticate the client. The server will also check the certificate to determine whether or not it is on the revocation list and, if so, the client will not be able to receive or decrypt content. This is referred to as revocation, and in sophisticated DRM designs revocation lists are propagated throughout the network of clients to ensure that compromised players are quickly removed from service. There are two algorithms used in signing. Windows DRM for Network Devices, HDMI and the Open Mobile Alliance use the RSA algorithm, primarily because it is in the public domain. Windows DRM for Mobile Devices and DTCP use an Elliptic Curve algorithm because it is much lighter (key size of 160 bits versus 1024 bits).
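The certificate, revocation-list and challenge-response flow described above, as an added example that is not part of the article and is not any DRM scheme's actual protocol: the licensing authority signs a minimal certificate at issuance, the content server checks that signature and its revocation list, and the client proves possession of the certified private key by signing a server nonce. The certificate layout, the device identifier, the use of P-256 (instead of the 160-bit curves the article cites) and the Go standard-library ECDSA calls are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Certificate is a hypothetical, minimal licensing-authority certificate: a device
// identifier, the device public key, and the authority's signature over both.
type Certificate struct {
	DeviceID  uint32
	PubKey    *ecdsa.PublicKey
	Signature []byte
}

// tbsDigest hashes the to-be-signed fields: id || X || Y with fixed-width P-256 coordinates.
func tbsDigest(id uint32, pub *ecdsa.PublicKey) []byte {
	buf := make([]byte, 4+32+32)
	binary.BigEndian.PutUint32(buf[:4], id)
	pub.X.FillBytes(buf[4:36])
	pub.Y.FillBytes(buf[36:68])
	d := sha256.Sum256(buf)
	return d[:]
}

// LicensingAuthority holds the root signing key that certifies client devices.
type LicensingAuthority struct{ Key *ecdsa.PrivateKey }

func NewLicensingAuthority() (*LicensingAuthority, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &LicensingAuthority{Key: key}, nil
}

// Issue generates a device key pair and signs a certificate for its public key.
func (la *LicensingAuthority) Issue(deviceID uint32) (*ecdsa.PrivateKey, *Certificate, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, la.Key, tbsDigest(deviceID, &devKey.PublicKey))
	if err != nil {
		return nil, nil, err
	}
	return devKey, &Certificate{DeviceID: deviceID, PubKey: &devKey.PublicKey, Signature: sig}, nil
}

// ContentServer trusts one licensing authority and keeps a revocation list.
type ContentServer struct {
	laPub   *ecdsa.PublicKey
	revoked map[uint32]bool
}

func NewContentServer(laPub *ecdsa.PublicKey) *ContentServer {
	return &ContentServer{laPub: laPub, revoked: map[uint32]bool{}}
}

func (s *ContentServer) Revoke(deviceID uint32) { s.revoked[deviceID] = true }

// Challenge returns a fresh random nonce so a captured response cannot be replayed.
func (s *ContentServer) Challenge() ([]byte, error) {
	nonce := make([]byte, 16)
	_, err := rand.Read(nonce)
	return nonce, err
}

// ClientRespond proves possession of the certified private key by signing the nonce.
func ClientRespond(devKey *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	d := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, devKey, d[:])
}

// Authenticate checks the certificate's issuer, the revocation list and the
// challenge response, in that order; any failure denies the content request.
func (s *ContentServer) Authenticate(cert *Certificate, nonce, response []byte) error {
	if !ecdsa.VerifyASN1(s.laPub, tbsDigest(cert.DeviceID, cert.PubKey), cert.Signature) {
		return errors.New("certificate not signed by the trusted licensing authority")
	}
	if s.revoked[cert.DeviceID] {
		return fmt.Errorf("device %d is on the revocation list", cert.DeviceID)
	}
	d := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(cert.PubKey, d[:], response) {
		return errors.New("challenge response does not verify under the certified key")
	}
	return nil
}

func main() {
	la, _ := NewLicensingAuthority()
	devKey, cert, _ := la.Issue(1001)
	srv := NewContentServer(&la.Key.PublicKey)
	nonce, _ := srv.Challenge()
	resp, _ := ClientRespond(devKey, nonce)
	fmt.Println("genuine device:", srv.Authenticate(cert, nonce, resp))
	srv.Revoke(1001) // e.g. this model's private keys were found published
	fmt.Println("after revocation:", srv.Authenticate(cert, nonce, resp))
}
```

Two details carry the security value: the nonce must come from a good random source (the article returns to this under random numbers), because a predictable nonce lets a recorded response be replayed, and the revocation check has to happen even when the certificate verifies, since a revoked device still holds a perfectly valid signature from the licensing authority.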
There are, however, patents held by a number of companies which cause some concern for adopters and have delayed the introduction of ECC to wider use in DRM. Once a device is authenticated and it is determined that it has a valid license authority certificate, the last step in a DRM design is to derive the key that will be used to decrypt content – the symmetric cipher key. Unlike wireless access points that use the shared secret concept (i.e., all end-points and the access point in the network have the same key, which is generally distributed manually), DRM designs have worked to submerge the key management activity so that users need not worry about it. This is obviously very important, as consumers clearly don't have an appetite to manage a key for every song or video that they have licensed under a DRM scheme, nor would the owner of a brand new flat-panel TV wish to enter 40 hex digits into the new console prior to using it. From a strict security perspective, the most rigorous way to generate keys is through a key exchange algorithm such as Diffie-Hellman. This technology is used in e-commerce sites, for example, to generate an ad-hoc key for a banking session. The DRM industry has been reluctant to follow this path for two reasons. First, an algorithm such as Diffie-Hellman would be a significant processing burden, not only to the consumer electronic devices but also to the servers distributing content. Second, there is the risk/benefit equation, which indicates that a compromise of the key derivation algorithm might put an individual song or movie at risk. Hence the loss from an individual breach is modest, and the expense of implementing the security algorithm must be proportional to the loss. As such, key derivation algorithms have tended to be elegant but comparatively unsophisticated.
For example, the Open Mobile Alliance v2.1 distributes keys by encrypting the key with RSA under the client public key together with AES key wrap technology, which is largely impervious to compromise. HDMI/HDCP uses a unique key derivation algorithm which derives session keys from Device Private Keys, provided to the device manufacturer by the licensing authority, and the Key Selection Vector selected during session negotiation. DTCP has two different algorithms – a full-fledged Elliptic Curve Diffie-Hellman supported in Full Authentication mode, and a pre-shared key selection algorithm supported in Restricted Authentication for low-cost devices that don't have the horsepower to support Diffie-Hellman. In summary, there is little convergence today on key derivation schemes in rights management, and this is expected to remain the norm for several years to come.

There are two security technologies that are often overlooked when discussing rights management design. One extremely important aspect of DRM security design is the method by which secret DRM values are stored. Since these are consumer electronic products open to the world, hackers will snoop the design looking for vulnerabilities. The simplest, brute-force method for key storage is to use on-chip non-volatile memory (NVM). There are three significant problems with this approach: first, NVM is not available in every process, especially at the advanced technology nodes; second, the license fees for NVM are quite high; and lastly, programming the secret values at off-shore ODMs may represent a potential security hole, as the secret values are in plaintext. Elliptic has adapted well-proven key wrap technology used in FIPS-grade security design and implemented a key wrap and decrypt function which allows the secret constants to be stored in off-chip Flash memory.
The technology offers encrypted distribution of the constant in Flash loads that prevent leakage at ODMs and permits simple field upgrades should any of the values need to be updated. Information on this technology is available to licensees under NDA but a general flow diagram is shown below in Figure 3.
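The key wrap mechanism mentioned for OMA v2.1 and for off-chip Flash storage above can be shown concretely. The following is an added implementation of the standard AES Key Wrap algorithm (RFC 3394, also NIST SP 800-38F KW) in Go; it is not Elliptic's product, whose details the article says are available only under NDA, nor OMA's code. The scenario in main is an assumption: a device-unique key-encryption key (KEK) is held in the on-chip root of trust, the content secret is wrapped under it, and the wrapped blob is what goes to Flash or through the ODM.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// kwIV is the RFC 3394 default initial value; on unwrap it doubles as the integrity check.
var kwIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// xorCounter XORs the 64-bit step counter t into the 8-byte block a in place.
func xorCounter(a []byte, t uint64) {
	var tb [8]byte
	binary.BigEndian.PutUint64(tb[:], t)
	for k := range a {
		a[k] ^= tb[k]
	}
}

// Wrap encrypts key material under a key-encryption key (KEK) per RFC 3394.
// keyData must be a multiple of 8 bytes and at least 16 bytes; output is 8 bytes longer.
func Wrap(kek, keyData []byte) ([]byte, error) {
	if len(keyData) < 16 || len(keyData)%8 != 0 {
		return nil, errors.New("key data must be a multiple of 8 bytes, at least 16")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(keyData) / 8
	a := append([]byte(nil), kwIV...)
	r := append([]byte(nil), keyData...)
	b := make([]byte, 16)
	for j := 0; j <= 5; j++ {
		for i := 1; i <= n; i++ {
			copy(b[:8], a)                 // B = AES(K, A || R[i])
			copy(b[8:], r[(i-1)*8:i*8])
			block.Encrypt(b, b)
			copy(a, b[:8])                 // A = MSB64(B) xor t
			xorCounter(a, uint64(n*j+i))
			copy(r[(i-1)*8:i*8], b[8:])    // R[i] = LSB64(B)
		}
	}
	return append(a, r...), nil
}

// Unwrap reverses Wrap and fails closed if the recovered IV does not match, which
// is what catches a corrupted or altered Flash blob, or a KEK from the wrong device.
func Unwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped data must be a multiple of 8 bytes, at least 24")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a := append([]byte(nil), wrapped[:8]...)
	r := append([]byte(nil), wrapped[8:]...)
	b := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			copy(b[:8], a)                 // B = AES^-1(K, (A xor t) || R[i])
			xorCounter(b[:8], uint64(n*j+i))
			copy(b[8:], r[(i-1)*8:i*8])
			block.Decrypt(b, b)
			copy(a, b[:8])
			copy(r[(i-1)*8:i*8], b[8:])
		}
	}
	if !bytes.Equal(a, kwIV) {
		return nil, errors.New("key unwrap integrity check failed")
	}
	return r, nil
}

func main() {
	// Constructed values: the KEK would live in the on-chip root of trust; the
	// content key is the secret constant the Flash blob protects.
	kek, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	contentKey, _ := hex.DecodeString("00112233445566778899aabbccddeeff")

	blob, _ := Wrap(kek, contentKey)
	fmt.Printf("Flash blob: %x\n", blob)

	key, err := Unwrap(kek, blob)
	fmt.Printf("recovered: %x err=%v\n", key, err)

	blob[9] ^= 0x40 // a single flipped bit in Flash
	_, err = Unwrap(kek, blob)
	fmt.Println("altered blob:", err)
}
```

The KEK never leaves the chip and the ODM only ever handles the wrapped blob, which is the plaintext-at-the-ODM problem the text raises. The algorithm deliberately has no separate tag: the 64-bit IV recovered on unwrap is the integrity check, which is why Unwrap must refuse to return any key material when that comparison fails rather than hand back garbage.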
Last but certainly not least is the issue of random numbers. Random numbers are used to create nonces and are part of challenge-response authentication. NIST studies have repeatedly proven that the better the random number generator, the more secure the implementation. Almost all DRM schemes today use pseudo-random numbers implemented in software. With advances in silicon IP, it is now possible to integrate a FIPS-grade true random number generator into hardware in under 5,000 gates, thereby opening the possibility of replacing the software solution with a greatly superior hardware technology. This breakthrough is all the more remarkable as the design is accomplished entirely in the standard logic processes commonly used for consumer electronics products.

The DRM Architecture – Buy Once, Enjoy Everywhere

With this background, it is now important to look ahead to where DRM technologies are driving the industry and what will finally be delivered in mainstream use. To develop that vision, it is important to start with the user and implement a solution that is as close as possible to that which is enjoyed with content that is not encumbered with DRM. In simplest terms, content, once licensed by a user, should be usable anywhere inside the personal network owned by the user. That means that a song or video licensed with the file sitting on a local hard drive in a media center can be streamed to the user's iPod or Zune, cellphone or home entertainment center, or burned to a CD (if that is even necessary going forward). This suggests that the separation of content and rights object as envisioned in the Open Mobile Alliance is the correct model, and that authentication should occur through a license server proxy. Figure 4 illustrates how content might be distributed to the local gateway and how it can be made available on any client device owned by the consumer.
The only challenge from a security perspective found in this model is the reliance on a gateway box housed in a subscriber's home, which now becomes the root of trust for all DRM content. This ups the ante quite significantly, as this device is open to intense scrutiny by hackers, and a lot of content will be housed in these devices, making the cost of a breach very high. As such, this new class of media gateway must implement security worthy of a security appliance, which in reality is exactly what this product becomes. The table below outlines what steps need to be taken to ensure the integrity of the system design found in the gateway device.
By building a highly secure system solution in the gateway, the security model used in DRM can be upgraded to include heavier asymmetric algorithms such as Diffie-Hellman key exchange for content super-distribution and re-distribution. As content is consumed, the content server is no longer a central load for either authentication or key exchange, as these are proxied by the gateway. In this architecture, the security load is distributed throughout the network. All of the tools are available to implement this system architecture for DRM. It will likely take organizations like the RIAA and MPAA to force this architecture into existence, as it transcends individual vendors. It will, however, provide an invisible, highly secure infrastructure for DRM and offer a use model to users that is as close as possible to the way unencrypted content is consumed today. All of the silicon technology and associated middleware is available to make this architecture a reality. It is now a matter of the will to put it in place and to overcome individual commercial objectives to make way for the right solution that will be embraced by consumers.

The Gateway SoC Architecture

It is now time to examine the SoC architecture that can meet these requirements. The most difficult challenge is obviously the gateway SoC, which performs conditional access and proxies authentication. The architecture of this SoC is shown in Figure 5.
The virtualized processor can be implemented using either ARM TrustZone or MIPS SafeSoC, and the processor runs in either open or secure mode. In secure mode, it has access to the Key Administration, Context memory and the ECC core. This ensures that all keying material is confined to secure operations and the system cannot be broken. In addition, the ECC and SHA core combined with the SoC Root of Trust can run a fast secure boot operation and verify that the boot code has not been changed by a hacker, effectively blocking another path to hack the design. IP core design techniques can be used to offer both power analysis and timing analysis attack resistance, making the security design extremely robust. Security JTAG techniques can be employed to prevent access to sensitive material through the JTAG port. More importantly, all of this can be accomplished in a reasonable gate count that effectively addresses the price point targets for consumer electronic products. With this FIPS-grade security module deployed in media gateways, content owners and content distributors can leverage the proxy security model presented in this article without investing in high-performance, security-enabled processors for content servers. Lastly, the consumer has the pleasure of purchasing content once and using it anywhere on their personal network, irrespective of whether that network is at home, at work or traveling.
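The secure boot check the ECC and SHA cores perform with the SoC Root of Trust, written out as an added example (not code from the article, from Elliptic, or from any TrustZone or SafeSoC implementation): the boot ROM hashes the image, verifies the manufacturer's ECDSA signature under a public key that is part of the immutable root of trust, and refuses to jump into code that fails. The image format, the P-256 curve and the minimum-version check against a fused value (an anti-rollback measure the article does not mention, added here because a signed but old, flawed image is the usual way around a pure signature check) are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// BootImage is a hypothetical signed image: a version number, the code itself, and
// the manufacturer's ECDSA signature over SHA-256(version || code).
type BootImage struct {
	Version   uint32
	Code      []byte
	Signature []byte
}

// imageDigest is the value the SHA core computes over the image before verification.
func imageDigest(version uint32, code []byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h := sha256.New()
	h.Write(v[:])
	h.Write(code)
	return h.Sum(nil)
}

// NewVendorKey creates the manufacturer signing key (kept offline, never on the device).
func NewVendorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignImage runs in the manufacturer's release process, not on the SoC.
func SignImage(vendor *ecdsa.PrivateKey, version uint32, code []byte) (*BootImage, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, vendor, imageDigest(version, code))
	if err != nil {
		return nil, err
	}
	return &BootImage{Version: version, Code: code, Signature: sig}, nil
}

// RootOfTrust models the immutable values the boot ROM relies on: the manufacturer
// public key (in ROM) and the lowest version still allowed to run (in one-time fuses).
type RootOfTrust struct {
	VendorPub  *ecdsa.PublicKey
	MinVersion uint32
}

// VerifyBoot is the check performed before control passes to the image. The hash
// must verify under the ROM key, and the version must not be older than the fused
// minimum; on either failure the ROM halts instead of executing the code.
func (r *RootOfTrust) VerifyBoot(img *BootImage) error {
	if !ecdsa.VerifyASN1(r.VendorPub, imageDigest(img.Version, img.Code), img.Signature) {
		return errors.New("boot image signature invalid: halting")
	}
	if img.Version < r.MinVersion {
		return fmt.Errorf("boot image version %d below fused minimum %d: halting", img.Version, r.MinVersion)
	}
	return nil
}

func main() {
	vendor, _ := NewVendorKey()
	rot := &RootOfTrust{VendorPub: &vendor.PublicKey, MinVersion: 2}
	img, _ := SignImage(vendor, 3, []byte("constructed bootloader code"))
	fmt.Println("genuine image:", rot.VerifyBoot(img))

	patched := *img
	patched.Code = append([]byte(nil), img.Code...)
	patched.Code[0] ^= 0xff // one byte of boot code changed in Flash
	fmt.Println("patched image:", rot.VerifyBoot(&patched))
}
```

What makes this a root of trust rather than just a signature check is where the inputs live: the public key and the minimum version must be in ROM or fuses that the open-mode processor cannot write, and the verification must run with the ECC and SHA cores in secure mode before any mutable code executes. Debug access that could patch the image after the check (the JTAG concern the article raises) would undo the guarantee, which is why JTAG lockout belongs in the same design.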
by Al Hawtin, VP, Marketing and Business Development, Elliptic Semiconductor
February 6, 2007

Elliptic Semiconductor develops and licenses security designs for semiconductor intellectual property and middleware for rights management, storage and network applications.