1. Field
Various features pertain to securing content, and more specifically, improving security measures for content protection for recordable media standards.
2. Background
Many security algorithms exist for securing content (e.g., copyrighted music, videos, programming, sensitive data, etc.) on recordable media (e.g., memory circuit, digital storage devices, etc.). For example, a content provider may wish to limit a storage device from transmitting copyrighted content to another unauthorized communication device. As such, the content provider may establish a cryptographic security algorithm onto the storage device that authenticates other communication devices requesting the content from the storage device prior to allowing the storage device to transmit the content to the requesting communication device. Authenticating the requesting communication device prior to content transmission attempts to secure the content from being distributed without permission.
Despite the myriad of security algorithms that help secure against unauthorized data transmission, many have security vulnerabilities that can be discovered and exploited by an astute, rogue party. One such security vulnerability that exists in some security algorithms is explained in FIG. 1.
FIG. 1 illustrates a security algorithm protocol found in the prior art. Specifically, FIG. 1 illustrates a method step flow diagram 100 of a mutual authentication and key exchange (AKE) between an accessing device 102 and a rogue storage device 104. In this example, the accessing device 102 is an authorized recording device that desires to record copyrighted content and/or content subject to restrictions onto another authorized storage device using the AKE. The AKE utilizes a symmetric key cipher algorithm to authenticate authorized communication devices, such as the accessing device 102 and other authorized storage devices. Authorized storage devices include, for example, non-volatile memory circuits (e.g., FLASH, Secure Digital (SD) Cards, etc.) that store secure content. In the illustrated example, the rogue storage device 104 may be any communication device that is posing as an authorized storage device.
Referring to FIG. 1, the accessing device 102 unsuspectingly wishes to record content to the rogue storage device 104. However, before doing so the accessing device 102 must authenticate the storage device 104. As such, the accessing device 102 begins the AKE process by generating (or otherwise being provided with) a symmetric key Kmu 106 (ordinarily an authorized storage device would also have a copy of the symmetric key Kmu). Then, the accessing device 102 generates and transmits a first authentication challenge 108 to the rogue storage device 104. The first authentication value is a random number encrypted using an encryption cipher algorithm and the key Kmu. Instead of generating its own unique second authentication challenge with another random number, the rogue storage device 104 sets its second authentication challenge equal to the first authentication challenge received 110. Note that the rogue storage device 104 is presumed not to have the symmetric key Kmu that other authorized storage devices would ordinarily use to generate unique authentication challenges. The rogue storage device 104 then transmits the second authentication challenge 112 to the accessing device 102. The accessing device 102 generates a response R2 based on and in response to the second authentication challenge 114. For example, the response R2 is given by formula (1):

R2 = Ex(Kmu, AC2) XOR AC2    (1)

where AC2 is the second authentication challenge, XOR is the exclusive OR operation, and Ex is an encryption cipher algorithm. The accessing device 102 then transmits 116 the response R2 to the rogue storage device 104.
Authorized storage devices then ordinarily generate and transmit a unique response to the first authentication challenge received from the accessing device. However, instead of generating the response itself directly using the received first challenge, symmetric key Kmu, and the cipher algorithm Ex, the rogue storage device 104 sets its response R1 equal to the response R2 118, and sends the response R1 120 to the accessing device 102. Since both the first authentication challenge and the second authentication challenge are equal to one another, the expected responses R1 and R2 to the authentication challenges should also be equal to one another. Thus, the accessing device 102 unwittingly verifies the response R1 it receives from the rogue storage device 104 as being the correct response to its issued first authentication challenge and consequently authenticates 122 the storage device 104. After successful authentication the accessing device 102 records the content 124 (which may be encrypted using a title key Kt unknown to the rogue storage device 104) onto the rogue storage device 104. One or more additional steps not shown in FIG. 1 may take place after authentication 122 at the accessing device 102 and the storage device 104 in order to generate additional keys, such as a session key KS that is used to encrypt the title key Kt that may have been used to encrypt the content. The rogue storage device 104 may then distribute the encrypted content to other accessing devices, such as playback devices, that can derive the session and symmetric keys necessary to decrypt and play the content without proper authorization.
One example of a content protection scheme that utilizes a very similar AKE protocol to the one described above, and thus suffers from the same vulnerabilities, is the Content Protection for Recordable Media (CPRM), Content Protection for Pre-recorded Media (CPPM), and the Content Protection for Extended Media (CPXM) standards developed by the 4C Entity, LLC (a Delaware, USA corporation). Documents that describe the aforementioned CPRM/CPPM and CPXM standards (all hereinafter referred to simply as “CPRM”) include, but are not limited to: Content Protection for Recordable Media Specification: Introduction and Common Cryptographic Elements, revision 1.1 (December 2010); Content Protection for Recordable Media Specification: SD Memory Card Book—Common Part, revision 0.97 (December 2010); Content Protection for Recordable Media Specification: SD Memory Card Book—SD-Binding Part, revision 0.92 (December 2005); Content Protection for Recordable Media Specification: SD Memory Card Book—SD-Video Part, revision 0.96 (June 2006); Content Protection for eXtended Media Specification (CPXM): Introduction and Common Cryptographic Elements, revision 0.85 Preliminary Release; Content Protection for eXtended Media Specification (CPXM): SD Memory Card Book, Common Part, revision 0.85 Preliminary Release; and C2 Block Cipher Specification, revision 1.0, (Jan. 1, 2003).
The CPRM standards are especially vulnerable to the attack described above with respect to FIG. 1 where the rogue device 104 sets the first and second authentication challenges equal to one another. According to the CPRM standards, after successful authentication, a session key KS is derived by the accessing device and storage device. The session key KS is given by the formula (2):

KS = EC2(Kmu, AC1 XOR AC2)    (2)

where EC2 is either the Cryptomeria C2 cipher algorithm or Advanced Encryption Standard (AES) algorithm, AC1 is the first authentication challenge, and AC2 is the second authentication challenge (i.e., Kmu and AC1 XOR AC2 are inputs to the EC2 encryption cipher). If AC1=AC2 (e.g., according to the aforementioned attack), then AC1 XOR AC2 will always return a zero (0) value, and thus KS will always equal EC2(Kmu,0) regardless of what specific value AC1 and AC2 are. Such a constant KS value poses a major security vulnerability. According to CPRM, once a rogue storage device obtains the encrypted content (e.g., step 124 of FIG. 1), the rogue device may initiate communications with other playback devices and execute the same AC1=AC2 scheme to derive the constant session key KS and decrypt the encrypted content for unauthorized playback on the playback devices.
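The following added example (not part of the original document or of the CPRM specifications) models the accessing device's side of the FIG. 1 exchange and shows why the echoed challenge passes verification and why formula (2) then yields a constant KS. It assumes a truncated HMAC-SHA256 as a stand-in for the Ex/EC2 cipher, a constructed 8-byte block size and key, and a hypothetical `reject_equal_challenges` check as one possible hardening that this section does not itself specify.

```python
import hashlib
import hmac
import os

BLOCK = 8  # bytes; constructed block size for this sketch


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for the page's Ex/EC2 cipher: HMAC-SHA256 cut to one block."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def response(kmu: bytes, challenge: bytes) -> bytes:
    """Formula (1): R = Ex(Kmu, AC) XOR AC."""
    return xor(E(kmu, challenge), challenge)


def session_key(kmu: bytes, ac1: bytes, ac2: bytes) -> bytes:
    """Formula (2): KS = EC2(Kmu, AC1 XOR AC2)."""
    return E(kmu, xor(ac1, ac2))


def run_ake(kmu: bytes, reject_equal_challenges: bool):
    """Accessing device's view of FIG. 1 when the peer echoes every message.

    Returns (authenticated, session_key_or_None).
    """
    ac1 = E(kmu, os.urandom(BLOCK))   # first authentication challenge (108)
    ac2 = ac1                         # peer sets AC2 equal to AC1 (110, 112)
    if reject_equal_challenges and hmac.compare_digest(ac1, ac2):
        return False, None            # assumed hardening: refuse a reflected challenge
    r2 = response(kmu, ac2)           # device answers AC2 (114, 116)
    r1 = r2                           # peer sets R1 equal to R2 (118, 120)
    if not hmac.compare_digest(r1, response(kmu, ac1)):
        return False, None
    return True, session_key(kmu, ac1, ac2)  # authenticated (122)


if __name__ == "__main__":
    kmu = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    ok_a, ks_a = run_ake(kmu, reject_equal_challenges=False)
    ok_b, ks_b = run_ake(kmu, reject_equal_challenges=False)
    print("unchecked:", ok_a, ks_a == ks_b == E(kmu, bytes(BLOCK)))
    print("checked:  ", run_ake(kmu, reject_equal_challenges=True))
```

The peer in this model never uses Kmu, yet the unchecked run authenticates and derives the same KS on every run, because AC1 XOR AC2 is the all-zero block regardless of the random number chosen.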
Thus, there is a need for security protocols, such as improved AKE protocols, that feature increased security against unauthorized content recording, distribution, and playback. Moreover, there is a need to improve the existing AKE protocol used by the CPRM standards to safeguard against at least the security vulnerability described above with respect to FIG. 1.