In present days, content is increasingly made available in digital format to users, for example by means of the Internet, a broadcast medium, or by means of a digital data carrier such as CD or DVD. Consumer electronics (CE) products, such as televisions, settop boxes, and audio equipment, are equipped with digital data processing capabilities to render these digital contents.
The use of the Internet and other digital distribution media for copyrighted content has created the challenge to secure the interests of the content provider. In particular it is desirable to have technological means available to enforce the copyrights and business models of the content providers. Increasingly, CE devices are operated using a processor loaded with suitable software. Such software may include the main part of functionality for rendering (playback) of digital content, such as audio and/or video. Control of the playback software is one way to enforce the interests of the content owner including the terms and conditions under which the content may be used. Where traditionally many CE platforms (with the exception of a PC and PDA) used to be closed, nowadays more and more platforms at least partially are open and allow computer programmers to inspect the software and to make modifications to the software. In such open systems, including personal computers, some users may be assumed to have complete control over the hardware and software that provides access to the content. Also, some users may have a large amount of time and resources to attack and bypass any content protection mechanisms. As a consequence, content providers must deliver content to legitimate users across a hostile network to a community where not all users or devices can be trusted.
Digital rights management systems have been introduced to control the distribution of digital content to legitimate users. Typically, digital rights management systems use an encryption technique which allows only legitimate users to decrypt the content. The implementation of such encryption techniques in the consumer devices may be obfuscated to make it more difficult for an attacker to find out the value of the key. Examples of ciphers commonly in use for many different kinds of applications are DES, AES, RSA, and the method disclosed in WO9967918.
In relation to key handling, for playback a media player has to retrieve a decryption key from a license database. It then has to store this decryption key somewhere in memory for the decryption of the encrypted content. This gives an attacker two options for an attack on the key. Firstly, reverse engineering of the license database access function could allow the attacker to retrieve asset keys from all license databases. Secondly, by observation of the accesses to memory during content decryption, it is possible to retrieve the asset key. In both cases the key is considered to be compromised.
“White-Box Cryptography and an AES Implementation”, by Stanley Chow, Philip Eisen, Harold Johnson, and Paul C. Van Oorschot, in Selected Areas in Cryptography: 9th Annual International Workshop, SAC 2002, St. John's, Newfoundland, Canada, Aug. 15-16, 2002, and “A White-Box DES Implementation for DRM Applications”, by Stanley Chow, Phil Eisen, Harold Johnson, and Paul C. van Oorschot, in Digital Rights Management: ACM CCS-9 Workshop, DRM 2002, Washington, D.C., USA, Nov. 18, 2002 (hereinafter, these two publications will be referred to collectively as “Chow”), disclose methods with the intend to hide the key by a combination of encoding its tables with random bijections representing compositions rather than individual steps, and extending the cryptographic boundary by pushing it out further into the containing application.
The techniques disclosed in Chow make it possible to perform cryptographic operations in software without exposing the cryptographic key to a person who can fully debug the software. In the approach of Chow, the cryptographic key is hidden by using look-up tables rather than mathematical operations, with the result that the operands of the mathematical operations do not have to be stored as such. These tables may be encoded using random bijections to further obfuscate them. The encoding of one table may be undone by the encoding of another table, or may be undone elsewhere in the program. However, not all operations are easily represented by means of a look-up table.