Protection of digital data and content transferred between computers over a network is important for many enterprises. Enterprises attempt to secure this protection by implementing some form of digital rights management (DRM) process. The DRM process often involves encrypting the piece of content (e.g. encrypting the binary form of the content) in order to restrict usage to those who have been granted a right to the content. Content in this situation involves alphanumeric material, audio material such as music, and video material. It also involves, of course, combinations thereof.
Cryptography is the traditional method of protecting data in transit across a computer network. In its typical application, cryptography protects communications (messages) between two mutually trusting parties from theft or from attack by hackers on the data in transit. However, in many digital file transfer applications (e.g. the transfer of audio or video content), the party that receives the content (i.e., the receiving party) might instead try to break the DRM encryption that the party that supplied the content (i.e., the distributing party) applied to it. Thus in this case the receiver is not a trusted party per se, and the point is to protect the distributor who owns the content from its misuse by the receiving party. In addition, with the proliferation of network penetration attacks, a third party may well obtain access to the receiving party's computer and thus to the protected content.
In many DRM systems now in use, the weakest link in security is not the encrypted data (message) but rather cryptographic key management and handling and other aspects of the DRM system. As is well known, modern cryptographic systems typically use keys, which are strings of digital values, for both encryption and decryption purposes. For instance, one of the more successful DRM systems, which distributes music online, requires the receiving party's computer to maintain the unencrypted key for each piece of encrypted music in an encapsulation system called a “key bag” (repository) that is itself encrypted.
This approach also disadvantageously allows different devices to use different formats for their key bags. The use of different key bag formats for different devices further exposes the keys to penetration when the content is transferred between devices. It is also necessary to link a key bag to a device, to avoid unauthorized replication of DRM information.
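As an added illustration (not taken from the original text or from any DRM product it refers to), the following sketch shows one way a key bag can be linked to a device: the bag is encrypted and authenticated under subkeys derived from a per-device secret, so a copy moved to another device fails verification. The device secrets, the content key, the function names and the HMAC-based keystream (a standard-library stand-in for a cipher such as AES) are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import os

# Constructed sample values: two device secrets and one content key.
DEVICE_A = bytes(range(32))
DEVICE_B = bytes(range(32, 64))
SAMPLE_KEYS = {"track-001": "000102030405060708090a0b0c0d0e0f"}

def _subkey(device_secret, salt, label):
    # Per-bag subkey derived from the device secret (an assumed per-device value).
    return hmac.new(device_secret, salt + label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode, a stdlib stand-in for a cipher such as AES-CTR.
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def seal_key_bag(content_keys, device_secret):
    salt, nonce = os.urandom(16), os.urandom(16)
    plain = json.dumps(content_keys, sort_keys=True).encode()
    stream = _keystream(_subkey(device_secret, salt, b"enc"), nonce, len(plain))
    body = salt + nonce + bytes(p ^ s for p, s in zip(plain, stream))
    tag = hmac.new(_subkey(device_secret, salt, b"mac"), body, hashlib.sha256).digest()
    return body + tag

def open_key_bag(blob, device_secret):
    if len(blob) < 64:
        raise ValueError("key bag too short")
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, cipher = body[:16], body[16:32], body[32:]
    expected = hmac.new(_subkey(device_secret, salt, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("key bag was modified or belongs to another device")
    stream = _keystream(_subkey(device_secret, salt, b"enc"), nonce, len(cipher))
    # The content keys are plaintext in memory from here on, and device_secret
    # had to be available to the program as well.
    return json.loads(bytes(c ^ s for c, s in zip(cipher, stream)))

def opens_on(blob, device_secret):
    # True only if the bag verifies and decrypts to the sample keys on this device.
    try:
        return open_key_bag(blob, device_secret) == SAMPLE_KEYS
    except ValueError:
        return False
```

The binding prevents simple replication of the bag, but it does not remove the need to keep the device secret and the unwrapped content keys out of an observer's reach while the program runs.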
The present disclosure is in the context of the so-called “white box” operation model. This relates to the so-called “black box” vs. “white box” approach according to how much a priori information is available to outsiders of the security system. A black box model is a system for which there is no a priori information available to the adversary. A white box model (also called glass box or clear box) is a system where all necessary information is available to outsiders. Most actual systems are somewhere between the black box and white box model, so this concept is intuitive rather than definitive. This means, in the cryptography or security field, that an adversary or hacker can access all of the assets or resources related to a given application (security system) except for the keys. In the white box situation, an adversary or hacker can use what is called static analysis on the executable code (which is a computer program which embodies the encryption system) to understand its behavior. This assumes in the white box model that the actual computer code is available to outsiders, which typically is the case. Further, in the white box situation, so-called dynamic analysis can be performed during execution of the computer code, such as during encryption or decryption, to examine actual runtime values and thereby often extract sensitive data, such as cryptographic keys and proprietary algorithms.
A security system designed to resist dynamic analysis tries to make it difficult for the adversary to obtain significant runtime values. One way to achieve this is to hide the sensitive data relating to the cryptographic system by applying a transformation function to it. One possibility would be to use a traditional cryptographic algorithm, such as AES. However, AES requires, as do most cryptographic algorithms, a secret key to operate it. In the white box model, there is no place to hide a secret key. Therefore, the task typically becomes one of hiding the cryptographic key, which may be difficult in certain types of systems.
In a typical DRM system, the pieces of encrypted digital content are maintained on a central server by the content owner or operator of the service. Users then download to their computer via the Internet particular pieces of content such as a song or a video program. The downloaded material is typically downloaded in encrypted form and the content key is transmitted also, often in a separate transmission. This is done for some form of payment. The user can then play the content by decrypting it on his computer or player. This process is transparent to the user if he has purchased an authorized piece of digital content, since the key accompanies the downloaded file and software installed on the user's computer decrypts the file. It is also possible for the user to download the digital file to a media player. Typically this second download is also performed in the encrypted state and then the decryption occurs upon playback in the player. Again this is transparent for properly purchased content. It has generally been found best if the decryption only occurs upon playback, for security reasons. Of course, if the content key or details of the DRM system have been compromised as described above, that is, published, anyone can access the song, and transfer of the encrypted files to unauthorized users is easily accomplished; they can then apply the decryption key even though not authorized to do so.
Therefore, key management becomes very important, and it is especially difficult to maintain key security in consumer-type electronic devices where there is an intention to use cryptography, such as DRM systems as described above.