The present invention relates to content protection, and more specifically, to recording keys in broadcast encryption systems.
The rapid rise in illegal copying of digital entertainment content has necessitated increasingly sophisticated content protection systems. Broadcast encryption cryptography is one content protection approach that has become very popular in recent years because it is especially well suited for content protection systems. Broadcast encryption is essential to provide secure key management on physical media. For example, the Content Protection for Recordable Media (CPRM) system has been developed to protect content on DVD recordable discs and on Secure Digital (SD) flash memory cards. More recently, the Advanced Access Content System (AACS) has been developed to protect content on high-definition blue-laser DVDs. Both CPRM and AACS are fundamentally based on broadcast encryption.
There is a certain type of attack that broadcast-encryption-based systems are susceptible to. This attack is called the anonymous attack. In this attack, the attackers steal one or more sets of device keys. With these sets of device keys, the attackers are able to make unauthorized copies of the content. Rather than putting those device keys into a circumvention device and selling it as a copying device, however, the attackers may put the keys in a server and offer a copying service instead of a copying device. Whether the attackers are selling a copying device, or offering a copying service, it is the goal of the licensing agency to determine precisely which sets of keys the attackers are using, so that they can be revoked on new content.
However, this determination is substantially harder in the case of an anonymous attack than it is in the case of a circumvention device. In the case of the circumvention device, the licensing agency can bring the device into the lab and test it by giving it a series of special forensic media key blocks (MKBs), which are designed so that only a fraction of the devices in the world can calculate the right key. In the anonymous attack, forensic MKBs cannot be used; the MKBs must be production MKBs: all devices can use them.
To combat anonymous attacks, the AACS system has a special forensic feature: in addition to the media key, which fundamentally protects the DVD, and which all devices can calculate, there are 1024 media key variants. The idea is that the content (such as a digital movie) is authored so that at certain points in the movie, there are logically identical but differently encrypted variations. A given device can calculate only one media key variant, and therefore play only one of the variations. Likewise, the anonymous attack server must reveal at least one media key variant when it decrypts the content. (Of course, the server, unlike a licensed device, could have more than one variant, because it might be comprised of keys from more than one device). Nonetheless, by carefully observing the sequence of variations the server picks, the licensing agency can determine which sets of device keys the server must have. This process is commonly called tracing traitors.