1. Field of the Invention
The invention relates to digital rights management, and more specifically to using a derivation function to derive a key for each page of data.
2. Introduction
Protection of digital content transferred between computers over a network is important for many enterprises. Enterprises attempt to secure this protection by implementing some form of digital rights management (DRM) process. The DRM process often involves encrypting the piece of content in order to restrict usage to those who have been granted a right to the content and prevent unauthorized access.
Cryptography is a method to protect digital content by systematically obscuring data so it appears unintelligible to the adversary. The objective of cryptography is to enable users to communicate securely in an insecure environment, while maintaining data integrity, privacy and user authentication. Over time, many cryptography systems have been developed, some requiring a great deal of resources to break. When an adversary recovers the secret key used to protect digital content, the system has been compromised and is no longer secure.
White box cryptography is a cryptographic implementation designed to withstand the white box attack model. In the white box attack model, the adversary has access to the cryptographic software implementation and program execution. In the classical black box model, the attacker has access to only the input and output of the black box. The processes inside the black box are protected from the attacker and considered secure except using side-channel attacks requiring physical manipulation. White box solutions are typically slower and more cumbersome than black box solutions, due to their complexity. However, for some applications, the advantages of using white box solutions outweigh the disadvantages. Software-only white box solutions can be installed and updated remotely, whereas hardware black box solutions cannot without costly approaches. In the white box model, storing the private key in memory is insecure since the adversary has access to the entire system. One approach is to integrate the key into the encryption algorithm so that the key is never made explicit. This approach performs encryption in front of an attacker without ever revealing the secret key.
In the mid 1980s, Ronald Rivest proposed a derivation function called All or Nothing Transform (AONT). The goal was not to derive a key, but to increase complexity with the message length when recovering the key. AONTs can increase the strength of encryption without increasing the key size. FIG. 2 illustrates the prior art AONT algorithm in terms of a system implementing AONT, such as a computing device. The system initializes a value b to zero (202) and fetches a plain text block (204). The system encrypts each plaintext block (206) with a random key (208) to form a pseudomessage and, using a shared master key (210), hashes each block (212). The system applies an exclusive-or (XOR) (214) operation of all the hashes together with the value b to generate an output cipher block (216). The system determines whether the block is the last block (218) and, if yes, the system XOR's the value b (220) with the random key (208) to generate the last block of the pseudomessage (222).
FIG. 3 illustrates a more detailed view of the prior art AONT encryption process, also discussed in terms of a system implementing the AONT algorithm. Here, the system initializes a bn+1 value to zero (302) and splits a message m into sub blocks (304). A variable i is initialized to zero (306) and the system chooses a random value k′ (308). The system starts a loop until i is equal to n+1 (310). If i is not equal to n+1, the system executes the following steps. The system assigns E(i,k) to ai (312). The function represents any encryption algorithm. The system assigns ai XOR mi to bi (314). (The symbol ⊕ means XOR.) The system assigns bi XOR i to gi (316) to prevent duplicate blocks from encrypting identically. The system next assigns li to E(gi, k) where E is any encryption function (318). The system assigns bn+1 XOR li to bn+1 (320). The system increments i as i+1 (322) and returns to step 310. After each loop is processed, and the result of i=n is “Yes” in step 310, the system assigns bn+1 to bn+1 XOR k′ (324), and outputs the set of encrypted blocks {E (bi, k)}0 . . . n+1. (3264). The system applies an XOR of each block with an incrementing counter. Using the counter preserves block order for encryption modes such as Electronic Code Book (ECB). The package created cannot be partially decoded, and can use a cipher in any mode, for example ECB or Cipher Block Chaining (CBC). AONTs are hard to invert unless all of the output is known.
The use of an AONT results in a ciphertext that is one word longer than the plaintext (326). Three encryptions are applied to each block of data, two static and one dynamic. Dynamic encryption refers to using a random key, while static encryption refers to using a non-random key. In this approach, partial messages cannot be decrypted; the entire package must be decrypted at the same time.
FIG. 4 illustrates a prior art AONT decryption process. The system decrypts each block of ciphertext with the master key (402) to obtain a set {bi}0 . . . n+1. The system initializes i to 0 (404) and starts a loop until i is equal to n+1 (406). For each block, the system computes a value g by applying an exclusive or of the corresponding value b with the index (408) and computes a value l as the encryption of the corresponding g and the master key (410). The system increments i by 1 (412) and tests the loop condition again (406). Once all of the g's and l's have been produced, the system initializes both i and k′ (the random key) to 0 (414), and starts a loop until i equals n+1 (416). The system computes a partial random key (418) by XORing the random key with the corresponding 1 (418). The system then increments i by 1 (420) and tests the loop condition again. The completed random key is computed by applying an exclusive or of the partial random key with bn+1 (422). The system initializes i to 0 again (424) and starts another loop until i is equal to n+1 (426). For each block, the value a is generated by encrypting the block index with the random key (428), and the decrypted block is produced by applying the exclusive or of the value a with the corresponding b (430). The system outputs the decrypted block (432). The system increments i by 1 (434) and tests the loop condition again in step 426. Once all of the blocks have been decrypted and output, the process is complete.
Since AONT was developed in the 1980s, it was not considered in the white box environment. Accordingly, what is needed in the art is a more secure method to make key extraction difficult in a white box environment.