License Protection with a Tamper-Resistant Token
C.N. Chong (Jordan), B. Ren, J. Doumen, S. Etalle, P. H. Hartel and R. Corin
Faculty of EEMCS, University of Twente, The Netherlands

Overview
• Introduction
• Objectives
• Security Requirements
• LicenseScript
• License Protection Scheme
• Prototype
• Evaluation
• Conclusions and Future Work

Introduction
• Content protection is intended to enforce usage rights, which are specified by a license.
• A license often carries a content key, metadata of the content, and other sensitive information about the user.
• Therefore, it requires adequate protection.

Objectives
• To ensure the confidentiality and integrity of a license or parts thereof, so that usage rights, keys and metadata can be protected.
• To enforce different usage rights on different parts of the content and license.
• To share the content or license (or parts thereof) with other users, and to control their access to it, with flexibility.

Security Requirements
• We assume some of the system components can be trusted.
• We define some requirements for our license protection scheme:
  • License integrity
  • Frequent token interaction
  • Key confidentiality

LicenseScript Language
• LicenseScript is based on multiset rewriting and logic programming.
• Multiset rewriting can capture dynamic license evolution.
• Logic programming can capture the static terms and conditions on the licenses.

LicenseScript License
    license(stock_price,
      [(canreset(S,B1,B2) :- S==provider, set_value(B1,viewed,0,B2)),
       (canupdate(S,B1,B2) :- S==provider, get_curr_time(T), set_value(B1,updated,T,B2)),
       (canview(S,B1,B2) :- get_value(B1,subject,Ss), is_member(S,Ss),
                            get_value(B1,viewed,X), get_value(B1,maxviews,Y),
                            X<=Y, X=X+1, set_value(B1,viewed,X,B2))],
      [maxviews=10, viewed=0, updated=01012004, subjects=[broker]])
Slide callouts: Content Identifier, Clauses (Prolog), Primitive Prolog Programs, Bindings.

License Protection Scheme
• We use a key tree and a hardware token.
• 4 components: application, reference monitor, token and provider.
• 2 protocols: Protocol A and Protocol B.
[Diagram: Application, Reference Monitor, Token and Provider, with links labelled Protocol A and Protocol B]

Protected Storage Mechanism
• Protected storage is a service to the host platform in which the trusted platform module (TPM) helps store confidential data on unprotected storage media.
• We use protected storage in the form of a key tree.

Key Tree
• A child node is encrypted using the parent node.
• The root key is the “master key” for the whole tree.
• Keys are not exposed when the license is in use.
• By using a key tree, we can selectively share the information in the license with other entities.
[Diagram: key tree with key nodes rootkey, skey1, skey2, skey3, skey4 and data nodes data1, data2, data3, data4]

Protected License
    license(stock_price,
      [(canreset(S,B1,B2) :- S==provider, set_value(B1,viewed,0,B2)),
       (canupdate(S,B1,B2) :- S==provider, get_curr_time(T), set_value(B1,updated,T,B2)),
       (canview(S,B1,B2) :- get_value(B1,subject,Ss), is_member(S,Ss),
                            get_value(B1,viewed,X), get_value(B1,maxviews,Y),
                            X<=Y, X=X+1, set_value(B1,viewed,X,B2))],
      [maxviews=10, viewed=0, updated=01012004, subjects=[broker]])
[Diagram: the license shown next to the key tree with key nodes rootkey, skey1, skey2, skey3, skey4 and data nodes data1, data2, data3, data4]

Protected License
    license(stock_price,
      [(canreset(S,B1,B2) :- cipher(“CJ…”,skey1)),
       (canupdate(S,B1,B2) :- cipher(“XY…”,skey3)),
       (canview(S,B1,B2) :- cipher(“AB…”,skey4))],
      [maxviews=cipher(“12…”,skey4), viewed=cipher(“AC…”,skey4), updated=01012004,
       skey1=cipher(“89…”,rootkey), skey2=cipher(“aC…”,rootkey),
       skey3=cipher(“CC…”,skey1), skey4=cipher(“XA…”,skey2),
       mac=cipher(“JK…”,rootkey),
       subjects=[(provider,rootkey), (broker,skey2), (alice,skey4)]])
Slide callouts: cipher(…) is the predicate that stores the encrypted value with the key; skey1 to skey4 are the storage keys; mac is the Message Authentication Code.

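The key-tree layout of the protected license above, as an added example that is not the authors' prototype code: it wraps each storage key under its parent and shows that a subject holding one node can reach only the fields below it. The cipher is a stand-in (HMAC-SHA256 keystream plus integrity tag) because the slides do not name the algorithm, and `protect`, `key_for` and `read_field` are hypothetical names; in the scheme itself this unwrapping would happen inside the token.

```python
import hashlib, hmac, os

# Tree shape and subject entry points copied from the protected license above.
PARENT = {"skey1": "rootkey", "skey2": "rootkey", "skey3": "skey1", "skey4": "skey2"}
FIELD_KEY = {"canreset": "skey1", "canupdate": "skey3", "canview": "skey4",
             "maxviews": "skey4", "viewed": "skey4"}
SUBJECTS = {"provider": "rootkey", "broker": "skey2", "alice": "skey4"}

def _pad(key, nonce, n):  # stand-in keystream: HMAC-SHA256 in counter mode
    blocks = (hmac.new(key, b"enc" + nonce + bytes([i]), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def cipher(plain, key):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _pad(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def decipher(blob, key):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _pad(key, nonce, len(ct))))

def protect(fields, rootkey):
    """Return (protected license, plaintext key table); the table never leaves the issuer."""
    keys = {"rootkey": rootkey, **{k: os.urandom(32) for k in PARENT}}
    lic = {k: cipher(keys[k], keys[p]) for k, p in PARENT.items()}   # child under parent
    lic.update({f: cipher(v, keys[FIELD_KEY[f]]) for f, v in fields.items()})
    return lic, keys

def key_for(lic, target, have_name, have_key):
    """Unwrap downward from the node the caller holds until `target` is reached."""
    path = [target]
    while path[-1] != have_name:
        if path[-1] not in PARENT:   # reached the root without meeting have_name
            raise PermissionError(f"{have_name} is not an ancestor of {target}")
        path.append(PARENT[path[-1]])
    key = have_key
    for name in reversed(path[:-1]):  # decrypt each child with its parent's key
        key = decipher(lic[name], key)
    return key

def read_field(lic, field, subject, subject_key):
    key = key_for(lic, FIELD_KEY[field], SUBJECTS[subject], subject_key)
    return decipher(lic[field], key)
```
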
Protocol A
• To send a protected license to the application.
• To send the public key of the application to the token.
• A->T : {A,P,“name”}
• T->A : {N,MAC(N,K(P,T)),A,P,T,“name”}_K+eP
• A->P : {A,{N,MAC(N,K(P,T)),A,P,T,“name”}_K+eP}
• P->A : {Lic,{N+1,A,K+eA}_K+eT}
• A->T : {N+1,A,K+eA}_K+eT

Protocol B
• To use the protected license.
• A->T : {A,Lic,MAC(Lic,K(P,T))}
• T->A : {Kss1}_K+eA
• A->T : {Key,{D}_Kst,“param”}_Kss1
• T->R : {{D,SIG(D,K-sT)}_Kss2,{Kss1,Kss2}_K+eR}
• R->A : {D}_Kss1
• A->T : {D’}_Kss1
• T->A : {{D’}_Kst}_Kss1
• A->T : {Lic’}_Kss1
• T->A : {MAC(Lic’,K(P,T))}_Kss1

Security Analysis
• CoProVe verification.
• Security requirements are fulfilled:
  • License integrity: using MAC.
  • Frequent token interaction: different parts of the content/license are encrypted using different keys.
  • Key confidentiality: keys stored on the license are encrypted.

Prototype
• The License Interpreter acts as a reference monitor.
  • ECLiPSe.
  • Meta-Interpreter.
  • Rewrite Rules.
[Diagram: Token (Java iButton), Application (Java), Reference Monitor (License Interpreter) and Provider (Java), with connections labelled Serial and Socket]

Performance Evaluation
• Test 1: Level of the key tree
  • It takes approximately 1.22 seconds to decrypt data of ≤128 bytes at level 10 of the key tree.
• Test 2: License Reconstruction
  • It takes approximately 2.25 seconds to reconstruct the license for an arbitrary updated level in the key tree.
• Conclusion: suitable for shallow key trees and small licenses.

Conclusions
• A license is an important element of digital rights management (DRM).
• We propose a license protection scheme based on a tamper-resistant token and a key tree.
• We apply it to the LicenseScript licenses.
• A prototype is built by using the Java iButton.
• Performance assessment and formal verification.
• It is secure (w.r.t. assumptions) and practical (for shallow key trees and small licenses).

Future Work
• To extend our business model of one token per provider to one token and many providers.
• To use a USB connection for performance improvement.
• To extend the protection scheme for protecting fancy media.

Thank you for your attention! Questions? Answers?…