
A Signature-like Primitive for Broadcast-encryption-based Systems

Jeffrey Lotspiech, IBM Almaden Research Center


Presentation Transcript


  1. A Signature-like Primitive for Broadcast-encryption-based Systems
     Jeffrey Lotspiech, IBM Almaden Research Center

  2. Overview
     • Motivation
     • Broadcast encryption basics
     • The scheme
     • Attacks/defenses
     • Conclusion

  3. Motivation – “Broadcast Encryption”
     • A term describing a class of key management schemes
     • “One-way” cryptographic flow
     • Essential for protection of physical media (e.g., DVDs)
     • Over one billion CPRM devices licensed so far (e.g., SD cards, DVD RAM/R/RW)
     • Used for AACS (new generation of DVDs)
     • Not based on identity
     • Great for high-privacy applications
     • Not so great for forensics
     • Very friendly to consumer electronic devices

  4. Motivation – “Electronic Sell-through”
     • Download of a movie onto a recordable DVD
     • Richer format compared to broadcast recording, therefore only for server/client download, not recorders
     • Possible attack: “Garage replicator”
     • There would be additional security if there were a “server blessing”
     • E.g., a server-signed token for the individual disc
     • Easily accomplished by a public key infrastructure
     • But, high overhead calculation

  5. How Does Broadcast Encryption Work?
     • Devices organized into overlapping subsets; each subset associated with a key
     • Each device in many different subsets
     • Each device knows the key for every subset it is a member of
     • Licensing agency picks subsets that cover all innocent devices and exclude all compromised devices
     • Encrypts the media key in each selected subset key
     [Figure: devices, some marked x]

  6. Media Key Block
     [Figure: media key block]

  7. EST Binding Table Produced by Server
     [Figure labels: “Type 6” MKB (associated with movie); Binding Table with entries k1, k2, k3, …, kn; Km; Media ID (associated with disc); E and + operations]

  8. Hierarchy of Binding Tables Possible
     [Figure labels: Km; K’s; +,e operations; k1, k2, k3, …, kn; hash1, hash2]

  9. Attacks
     • A set of device keys helps very little
     • Binding table is valid for only one entry (e.g., 1/1000th of the market, under control of content owners)
     • Licensing agency can respond effectively by subdividing new MKBs
     • E.g., doubling size of binding table reduces attack to 1/1,000,000th of the market
     • Makes “Garage Replicator” attack uneconomic
     • Other uses of stolen device keys are more effective

  10. Conclusions
     • Only authorized servers can make widely playable EST downloads
     • By using broadcast encryption instead of public key signatures:
     • Transactions per second at the server greatly increased (for a given server cost)
     • No difference in “disc insertion time” at player for pre-recorded versus EST download.
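
The mechanism on slide 5 (subset keys, a cover that excludes compromised devices, and the resulting media key block) can be worked through in code. This is an added example, not from the presentation: it assumes a complete-subtree layout of subsets over 8 devices, derives subset keys from a single agency secret, and uses an XOR-based `wrap` as a stand-in cipher; all function names are hypothetical.

```python
import hashlib, hmac, os

DEPTH = 3                 # toy tree: 2**3 = 8 devices at the leaves
N = 1 << DEPTH            # nodes use heap numbering: root = 1, leaves = N..2N-1

def subset_key(master, node):
    # Assumption: subset keys derived from one agency secret, for brevity.
    return hmac.new(master, b"subset-%d" % node, hashlib.sha256).digest()

def device_keys(master, device):
    """A device holds the key of every subtree (subset) it belongs to."""
    node, keys = N + device, {}
    while node >= 1:
        keys[node] = subset_key(master, node)
        node //= 2
    return keys

def cover(revoked):
    """Subtree roots containing every innocent device and no revoked one."""
    if not revoked:
        return [1]
    tainted = set()       # every node on a path from a revoked leaf to the root
    for d in revoked:
        node = N + d
        while node >= 1:
            tainted.add(node)
            node //= 2
    return sorted(c for t in tainted if t < N
                  for c in (2 * t, 2 * t + 1) if c not in tainted)

def wrap(key, data):
    # Stand-in cipher (XOR with a hash-derived pad); it is its own inverse.
    pad = hashlib.sha256(b"wrap" + key).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def make_mkb(master, media_key, revoked):
    """Media key block: the media key encrypted under each covering subset key."""
    return {n: wrap(subset_key(master, n), media_key) for n in cover(revoked)}

def process_mkb(mkb, keys):
    """Device side: decrypt the first entry for which a subset key is held."""
    for node, ciphertext in mkb.items():
        if node in keys:
            return wrap(keys[node], ciphertext)
    return None           # revoked: no held key matches any entry

if __name__ == "__main__":
    master, km = os.urandom(32), os.urandom(16)
    mkb = make_mkb(master, km, revoked={2, 5})   # constructed revocation list
    for d in range(N):
        print(d, process_mkb(mkb, device_keys(master, d)) == km)
```

With devices 2 and 5 revoked, the block has four entries; the six remaining devices each recover the media key and the two revoked ones cannot.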
