The ability to control access to digital content stored on a computer, a local server, or the cloud, among other places, is a critical requirement for most content providers. The content may include music, video, documents, corporate information, or other data which is retrievable using a computerized medium, such as a computer, tablet computer, smart phone, or another device. Often, the content is proprietary and intended to be accessed only by parties who have appropriate authorization. Authorized parties may include those who have obtained a license, e.g., when a user purchases entertainment media through an on-line service, or those who have authorization by virtue of their employment, e.g., an employee who accesses his or her employer's data. Various content protection schemes have been developed to prevent unauthorized parties from accessing the content.
FIG. 1 is a diagrammatical illustration of access authorization steps of a conventional content protection scheme 10, in accordance with the prior art. When authorizing a new user to access protected content or re-authorizing access for an existing user, the user presents one or more credentials 20 identifying the user. The credentials may include passwords, biographical information, hardware information, and other such identifying data or information. These credentials are presented to an authorization algorithm 30 which creates a certificate 40 that indicates what access is to be permitted to the protected content when the same credentials are presented in the future. The certificate 42 is then stored for future access. In some implementations, the protected content may be stored on the end-user system. In other implementations, the protected content may be stored on external media or at a location separate from the end-user system.
FIG. 2 is a diagrammatical illustration of a content access process of a conventional content protection scheme 10, in accordance with the prior art. The content protection scheme 10 of FIG. 2 is utilized by many existing digital content protection algorithms for enabling access to protected content. Credentials 20 can be presented by either the user or some other entity to security software 50, which accesses the previously saved certificate 40 and compares the credentials 20 to the certificate 40 to determine whether access should be allowed. If the credentials 20 are authorized by the certificate 40, the security software 50 authorizes access to the protected content 60. The user 70 can then access the protected content 60 in the manner prescribed by certificate 40.
In some existing implementations, the credentials 20 are simply recorded in the certificate 40 and access is allowed if the presented credentials 20 match exactly. More sophisticated implementations may store only data derived from the credentials 20 in order to prevent the recovery of the original credentials 20 from the certificate 40, which may provide varying levels of access to the protected content 60, and may permit access based only on a partial match.
These protection efforts have enjoyed some success, but they are increasingly susceptible to attacks by unauthorized parties who are able to exploit flaws in the protection schemes and ultimately gain access to the protected content. FIG. 3 is a diagrammatical illustration of a forged certificate attack 12 against a conventional content protection scheme 10 of FIGS. 1-2, in accordance with the prior art. Because the security software 50 is stored on a system under the user's control, an attacker who wishes to access the protected content 60 but lacks the proper credentials may mount a forged certificate attack using a forged certificate 80. In the forged certificate attack, the attacker creates a forged certificate 80, which is a new certificate that appears to authorize access for whatever credentials the attacker actually has. The attacker then replaces the original certificate 40 with this forged certificate 80, so that when the security software 50 examines the forged certificate 80, the attacker's credentials will appear to be authorized. FIG. 4 is a diagrammatical illustration of a bypass attack 14 against a conventional content protection scheme 10 of FIGS. 1-2, in accordance with the prior art. The bypass attack 14 of FIG. 4 may be an alternative to the forged certificate attack 12 of FIG. 3. In the bypass attack 14, the attacker can bypass the security software 50, or suppress its output, and access the protected content 60 directly, as depicted FIG. 4. The bypass attack 14 is the most common method of bypassing conventional content protection schemes 10 seen in the industry.
Thus, a heretofore unaddressed need exists in the industry to address the aforementioned deficiencies and inadequacies.