Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug License Protection with a Tamper-Resistant Token C.N. Chong (Jordan), B. Ren, J. Doumen, S. Etalle, P. H. Hartel and R. Corin Faculty of EEMCS University of Twente The Netherlands

Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug Overview Introduction Objectives Security Requirements License Script License Protection Scheme Prototype Evaluation Conclusions and Future Work

Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug Introduction Content protection is intended to enforce usage rights, which are specified by a license. A license often carries content key, metadata of the content, and some other sensitive information of the user. Therefore, it requires adequate protection.

Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug Objectives To ensure confidentiality and integrity of a license or parts thereof, so that usage rights, keys, metadata can be protected. To enforce different usage rights on different parts of the content and license. To share and control the access on the content or license (or parts thereof) with other users, with flexibility.

Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug Security Requirements We assume some of the system components can be trusted. We define some requirements for our license protection scheme: 1. License integrity 2. Frequent token interaction 3. Key confidentiality

Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug License Script Language License Script is based on multiset rewriting and logic programming. Multiset rewriting can capture dynamic license evolution. Logic programming can capture the static terms and conditions on the licenses.

Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug License Script License license(stock_price, [(canreset(S,B1,B2) :- S==provider, set_value(B1,viewed,0,B2)), (canupdate(S,B1,B2) :- S==provider, get_curr_time(T), set_value(B1,updated,T,B2)), (canview(S,B1,B2) :- get_value(B1,subject,Ss), is_member(S,Ss), get_value(B1,viewed,X), get_value(B1,maxviews,Y), X<=Y, X=X+1, set_value(B1,viewed,X,B2))], [maxviews=10, viewed=0, updated= , subjects=[broker]]) Content Identifier Clauses (Prolog) Bindings Prolog Programs Primitive

Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug License Protection Scheme We use a key tree and a hardware token. 4 components: application, reference monitor, token and provider. 2 protocols: Protocol A and Protocol B. Application Reference Monitor Token Provider Protocol B Protocol A

Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug Protected Storage Mechanism Protected storage is a service to the host platform in which the trusted platform module (TPM) helps storing confidential data on unprotected storage media. We use protected storage in a form of a key tree.

Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug Key Tree A child node is encrypted using the parent node. The root key is the “master key” for the whole tree. Keys are not exposed when the license is in use. We can selectively deploy the information of the license with other entities by using a key tree. rootkey skey1skey2 skey3skey4 data1 data2data3 data4

Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug Protected License rootkey skey1skey2 skey3skey4 data1 data2data3 data4 license(stock_price, [(canreset(S,B1,B2) :- S==provider, set_value(B1,viewed,0,B2)), (canupdate(S,B1,B2) :- S==provider, get_curr_time(T), set_value(B1,updated,T,B2)), (canview(S,B1,B2) :- get_value(B1,subject,Ss), is_member(S,Ss), get_value(B1,viewed,X), get_value(B1,maxviews,Y), X<=Y, X=X+1, set_value(B1,viewed,X,B2))], [maxviews=10, viewed=0, updated= , subjects=[broker]])

Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug Protected License license(stock_price, [(canreset(S,B1,B2) :- cipher(“CJ…”,skey1)), (canupdate(S,B1,B2) :- cipher(“XY…”,skey3)), (canview(S,B1,B2) :- cipher(“AB…”,skey4))], [maxviews=cipher(“12…”,skey4), viewed=cipher(“AC…”,skey4), updated= , skey1=cipher(“89…”,rootkey), skey2=cipher(“aC…”,rootkey), skey3=cipher(“CC…”,skey1), skey4=cipher(“XA…”,skey2), mac=cipher(“JK…”,rootkey), subjects=[(provider,rootkey), (broker,skey2), (alice,skey4)]]) Predicate that stores the encrypted value with the key Storage keys Message Authentication Code

Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug Protocol A To send a protected license to the application. To send the public key of the application to the token. 1. A->T : {A,P,“name”} 2. T->A : {N,MAC(N,K (P,T) ),A,P,T,“name”}_K + eP 3. A->P : {A,{N,MAC(N,K (P,T) ),A,P,T,“name”}_K + eP } 4. P->A : {Lic,{N+1,A, K + eA }_K + eT } 5. A->T : {N+1,A, K + eA }_K + eT

Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug Protocols: Protocol B To use the protected license. 1. A->T : {A,Lic,MAC(Lic,K (P,T) )} 2. T->A : {K ss1 }_K + eA 3. A->T : {Key,{D}_K st,“param”}_K ss1 } 4. T->R : {{D,SIG(D,K - sT )}_K ss2,{K ss1, K ss2 }_K + eR } 5. R->A : {D}_K ss1 6. A->T : {D’}_K ss1 7. T->A : {{D’}_ K st }_K ss1 8. A->T : {Lic’}_K ss1 9. T->A : {MAC(Lic’,K (P,T) )}_K ss1

Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug Security Analysis CoProVe verification. Security requirements are fulfilled: License integrity: using MAC. Frequent token interaction: different parts of the content/license are encrypted using different keys. Key confidentiality: keys stored on the license are encrypted.

Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug Prototype License Interpreter acts as a reference monitor. ECLiPSe. Meta-Interpreter. Rewrite Rules. Token (Java iButton) Application (Java) Reference Monitor (License Interpreter) Provider (Java) Serial Socket

Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug Performance Evaluation Test 1: Level of the key tree It takes approximately 1.22 seconds to decrypt data of ≤128 bytes at level 10 of the key tree. Test 2: License Reconstruction It takes approximately 2.25 seconds to reconstruct the license for an arbitrary updated level in the key tree. Conclusion: suitable for shallow key trees and small licenses.

Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug Conclusions A license is an important element of digital rights management (DRM). We propose a license protection scheme based on a tamper-resistant token and a key tree. We apply it to the License Script licenses. A prototype is built by using the Java iButton. Performance assessment and formal verification. It is secure (w.r.t. assumptions) and practical (for shallow key trees and small licenses).

Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug Future Work To extend our business model of one token per provider to one token and many providers. To use a USB connection for performance improvement. To extend the protection scheme for protecting fancy media.

Workshop on Information Security Applications (WISA 2004) Jeju Island, Korea 23 Aug – 25 Aug Thank you for your attention! Questions? Answers?…