Nuovo DRM Paradiso Towards a verified, fair DRM protocol Hugo - - PowerPoint PPT Presentation

Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 1/12

Nuovo DRM Paradiso

Towards a verified, fair DRM protocol

Hugo Jonker

h.l.jonker@tue.nl

Srijith Krishnan Nair

srijith@few.vu.nl

Mohammad Torabi Dashti

dashti@cwi.nl

Introduction

• Digital Rights Management

NPGCT Scheme Nuovo DRM Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 2/12

Digital Rights Management

■ Goal: ◆ restrict access to digital contents ◆ access granted only when complying with license

Introduction

• Digital Rights Management

NPGCT Scheme Nuovo DRM Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 2/12

Digital Rights Management

■ Goal: ◆ restrict access to digital contents ◆ access granted only when complying with license ■ Method:

enforce link by bundling license with content

Introduction

• Digital Rights Management

NPGCT Scheme Nuovo DRM Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 2/12

Digital Rights Management

■ Goal: ◆ restrict access to digital contents ◆ access granted only when complying with license ■ Method:

enforce link by bundling license with content

■ Environment: ◆ trusted devices (well...) ◆ trusted content providers

Introduction

• Digital Rights Management

NPGCT Scheme Nuovo DRM Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 2/12

Digital Rights Management

■ Goal: ◆ restrict access to digital contents ◆ access granted only when complying with license ■ Method:

enforce link by bundling license with content

■ Environment: ◆ trusted devices (well...) ◆ trusted content providers ■ Enemy: ◆ untrusted device owners ◆ Untrusted network

Introduction NPGCT Scheme

• Enabling C2C exchange
• Protocols
• Weaknesses

Nuovo DRM Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 3/12

Enabling C2C exchange

■ bottleneck in provider-to-client exchanges: bandwidth

Introduction NPGCT Scheme

• Enabling C2C exchange
• Protocols
• Weaknesses

Nuovo DRM Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 3/12

Enabling C2C exchange

■ bottleneck in provider-to-client exchanges: bandwidth ■ solution: enable client-to-client exchanges...

Introduction NPGCT Scheme

• Enabling C2C exchange
• Protocols
• Weaknesses

Nuovo DRM Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 3/12

Enabling C2C exchange

■ bottleneck in provider-to-client exchanges: bandwidth ■ solution: enable client-to-client exchanges... ■ ... whilst preserving DRM

Introduction NPGCT Scheme

• Enabling C2C exchange
• Protocols
• Weaknesses

Nuovo DRM Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 3/12

Enabling C2C exchange

■ bottleneck in provider-to-client exchanges: bandwidth ■ solution: enable client-to-client exchanges... ■ ... whilst preserving DRM

Adapt intruder model:

Introduction NPGCT Scheme

• Enabling C2C exchange
• Protocols
• Weaknesses

Nuovo DRM Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 3/12

Enabling C2C exchange

■ bottleneck in provider-to-client exchanges: bandwidth ■ solution: enable client-to-client exchanges... ■ ... whilst preserving DRM

Adapt intruder model:

■ complete, lasting protection unrealistic...

Introduction NPGCT Scheme

• Enabling C2C exchange
• Protocols
• Weaknesses

Nuovo DRM Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 3/12

Enabling C2C exchange

■ bottleneck in provider-to-client exchanges: bandwidth ■ solution: enable client-to-client exchanges... ■ ... whilst preserving DRM

Adapt intruder model:

■ complete, lasting protection unrealistic... ■ thus: migitation procedures: ◆ detection ◆ revocation list

Introduction NPGCT Scheme

• Enabling C2C exchange
• Protocols
• Weaknesses

Nuovo DRM Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 4/12

Protocols

Provider-client:

1. C → P : Request content 2. C ↔ P : Mutual authentication, [payment] 3. P → C : {M}K, {K}pk(C), R, metadata(M), Λ

Client-client:

1. D → C : Request content 2. C ↔ D : Mutual authentication 3. C → D : {M}K′, {K′}pk(D), RC(M), R′, metadata(M), Λ, Λ′ 4. D : Verification 5. D → C : ψ, [payment]

Introduction NPGCT Scheme

• Enabling C2C exchange
• Protocols
• Weaknesses

Nuovo DRM Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 5/12

Weaknesses

• 1. P2C: no link request — rights

attack: insert rights

Introduction NPGCT Scheme

• Enabling C2C exchange
• Protocols
• Weaknesses

Nuovo DRM Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 5/12

Weaknesses

• 1. P2C: no link request — rights

attack: insert rights

• 2. C2C: No link delivery — payment

attack: abort before payment

Introduction NPGCT Scheme

• Enabling C2C exchange
• Protocols
• Weaknesses

Nuovo DRM Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 5/12

Weaknesses

• 1. P2C: no link request — rights

attack: insert rights

• 2. C2C: No link delivery — payment

attack: abort before payment Fairness (violated in C2C): “Either both parties terminate successfully, or none does”

Introduction NPGCT Scheme

• Enabling C2C exchange
• Protocols
• Weaknesses

Nuovo DRM Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 5/12

Weaknesses

• 1. P2C: no link request — rights

attack: insert rights

• 2. C2C: No link delivery — payment

attack: abort before payment Fairness (violated in C2C): “Either both parties terminate successfully, or none does”

■ Not possible without TTP ■ Optimistic fair exchange: only use TTP if fairness violated

• therwise

■ Two protocols: optimistic exchange and recovery

Introduction NPGCT Scheme Nuovo DRM

• Design
• P2C protocol
• C2C protocols

Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 6/12

Design

Motivation: Goals of Nuovo:

Introduction NPGCT Scheme Nuovo DRM

• Design
• P2C protocol
• C2C protocols

Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 6/12

Design

Motivation:

■ address weaknesses ■ increase assurance of security

Goals of Nuovo:

Introduction NPGCT Scheme Nuovo DRM

• Design
• P2C protocol
• C2C protocols

Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 6/12

Design

Motivation:

■ address weaknesses ■ increase assurance of security

Goals of Nuovo:

■ effectiveness ■ secrecy ■ resist content masquerading ■ fairness

Introduction NPGCT Scheme Nuovo DRM

• Design
• P2C protocol
• C2C protocols

Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 7/12

P2C protocol

Provider — client exchange:

1.

• wner(C) → C :

P, h(M), R 2. C → P : C, nC 3. P → C : {nP , nC, C}sk(P ) 4. C → P : {nC, nP , h(M), R, P}sk(C) 5. P → C : {M}K, {K}pk(C), {R, nC}SK(P )

■ concrete protocol ■ first weakness addressed (validity of R)

Introduction NPGCT Scheme Nuovo DRM

• Design
• P2C protocol
• C2C protocols

Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 8/12

C2C protocols

Client — client optimistic exchange:

1.

• wner(D) → D :

C, h(M), R′ 2. D → C : D, nD 3. C → D : {nC, nD, D}sk(C) 4. D → C : {nD, nC, h(M), R′, C}sk(D) 5. C → D : {M}K, {K}pk(D), {R′, nD}sk(C)

Client — client, recovery:

5r. D : resolves(D) 6r. D → P : D, n′

D

7r. P → D : {nP , n′

D, D}sk(P )

8r. D → P : {n′

D, nP , nD, nC, h(M), R′, C, P}sk(D)

9r. P → D : {M}K, {K}pk(D), {R′, n′

D}SK(P )

Introduction NPGCT Scheme Nuovo DRM Assessment

• Formal analysis
• Analysis results
• Device revocation

Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 9/12

Formal analysis

Modelling in µCRL:

■ Nuovo DRM ■ communication model ■ intruder model – Dolev-Yao, with restrictions

Analysed scenario’s:

• 1. no intruder, synchronous communication

(effectiveness)

• 2. intruder, asynchronous communication

(secrecy, masquerading, fairness)

Introduction NPGCT Scheme Nuovo DRM Assessment

• Formal analysis
• Analysis results
• Device revocation

Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 10/12

Analysis results

Modelled scenario’s checked with CADP: – effectiveness – secrecy – resisting content masquerading – fairness

Introduction NPGCT Scheme Nuovo DRM Assessment

• Formal analysis
• Analysis results
• Device revocation

Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 10/12

Analysis results

Modelled scenario’s checked with CADP: √ effectiveness – secrecy – resisting content masquerading – fairness

Introduction NPGCT Scheme Nuovo DRM Assessment

• Formal analysis
• Analysis results
• Device revocation

Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 10/12

Analysis results

Modelled scenario’s checked with CADP: √ effectiveness √ secrecy – resisting content masquerading – fairness

Introduction NPGCT Scheme Nuovo DRM Assessment

• Formal analysis
• Analysis results
• Device revocation

Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 10/12

Analysis results

Modelled scenario’s checked with CADP: √ effectiveness √ secrecy √ resisting content masquerading – fairness

Introduction NPGCT Scheme Nuovo DRM Assessment

• Formal analysis
• Analysis results
• Device revocation

Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 10/12

Analysis results

Modelled scenario’s checked with CADP: √ effectiveness √ secrecy √ resisting content masquerading √ fairness

Introduction NPGCT Scheme Nuovo DRM Assessment

• Formal analysis
• Analysis results
• Device revocation

Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 11/12

Device revocation

■ goal: limit interaction with compromised devices ■ method: Device Revocation List (DRL) ■ trade off: size vs. security

Nuovo’s approach:

Introduction NPGCT Scheme Nuovo DRM Assessment

• Formal analysis
• Analysis results
• Device revocation

Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 11/12

Device revocation

■ goal: limit interaction with compromised devices ■ method: Device Revocation List (DRL) ■ trade off: size vs. security

Nuovo’s approach:

■ P maintains DRL

Introduction NPGCT Scheme Nuovo DRM Assessment

• Formal analysis
• Analysis results
• Device revocation

Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 11/12

Device revocation

■ goal: limit interaction with compromised devices ■ method: Device Revocation List (DRL) ■ trade off: size vs. security

Nuovo’s approach:

■ P maintains DRL ■ C maintains DRLc and list of friends fc,

DRLc = Lc(s) ∪ Lc(o)

Introduction NPGCT Scheme Nuovo DRM Assessment

• Formal analysis
• Analysis results
• Device revocation

Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 11/12

Device revocation

■ goal: limit interaction with compromised devices ■ method: Device Revocation List (DRL) ■ trade off: size vs. security

Nuovo’s approach:

■ P maintains DRL ■ C maintains DRLc and list of friends fc,

DRLc = Lc(s) ∪ Lc(o)

■ on contact with P:

Lc(s) := fc ∩ DRL; DRLc := Lc(s) ∪ Lc(o)

Introduction NPGCT Scheme Nuovo DRM Assessment

• Formal analysis
• Analysis results
• Device revocation

Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 11/12

Device revocation

■ goal: limit interaction with compromised devices ■ method: Device Revocation List (DRL) ■ trade off: size vs. security

Nuovo’s approach:

■ P maintains DRL ■ C maintains DRLc and list of friends fc,

DRLc = Lc(s) ∪ Lc(o)

■ on contact with P:

Lc(s) := fc ∩ DRL; DRLc := Lc(s) ∪ Lc(o)

■ on contact with D:

Lc(o) := Lc(o) ∪ Ld(s); DRLc := Lc(s) ∪ Lc(o)

Introduction NPGCT Scheme Nuovo DRM Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 12/12

Concluding

■ Identified weaknesses in NPGCT ■ Designed improvement: Nuovo DRM Paradiso ■ Formally verified design goals ■ Provide a reworked revocation method

Introduction NPGCT Scheme Nuovo DRM Assessment Conclusions Hugo Jonker, WISSEC2006, November 8, 2006, Antwerpen Formalising Receipt-freeness - p. 12/12

Concluding

■ Identified weaknesses in NPGCT ■ Designed improvement: Nuovo DRM Paradiso ■ Formally verified design goals ■ Provide a reworked revocation method

Thank you for your attention!