Microsoft Research DRM talk
By Cory Doctorow
Public Domain Books
1. DRM systems don’t work
This bit breaks down into two parts:
1. A quick refresher course in crypto theory
2. Applying that to DRM
Cryptography – secret writing – is the practice of keeping secrets. It involves three parties: a sender, a receiver and an attacker (actually, there can be more attackers, senders and recipients, but let’s keep this simple). We usually call these people Alice, Bob and Carol.
Let’s say we’re in the days of the Caesar, the Gallic War. You need to send messages back and forth to your generals, and you’d prefer that the enemy doesn’t get hold of them. You can rely on the idea that anyone who intercepts your message is probably illiterate, but that’s a tough bet to stake your empire on. You can put your messages into the hands of reliable messengers who’ll chew them up and swallow them if captured – but that doesn’t help you if Brad Pitt and his men in skirts skewer him with an arrow before he knows what’s hit him.
So you encipher your message with something like ROT-13, where every character is rotated halfway through the alphabet. They used to do this with non-worksafe material on Usenet, back when anyone on Usenet cared about work-safe-ness – A would become N, B is O, C is P, and so forth. To decipher, you just add 13 more, so N goes to A, O to B yadda yadda.
Well, this is pretty lame: as soon as anyone figures out your algorithm, your secret is g0nez0red.
So if you’re Caesar, you spend a lot of time worrying about keeping the existence of your messengers and their payloads secret. Get that? You’re Augustus and you need to send a message to Brad without Caceous (a word I’m reliably informed means “cheese-like, or pertaining to cheese”) getting his hands on it. You give the message to Diatomaceous, the fleetest runner in the empire, and you encipher it with ROT-13 and send him out of the garrison in the pitchest hour of the night, making sure no one knows that you’ve sent it out. Caceous has spies everywhere, in the garrison and staked out on the road, and if one of them puts an arrow through Diatomaceous, they’ll have their hands on the message, and then if they figure out the cipher, you’re b0rked. So the existence of the message is a secret. The cipher is a secret. The ciphertext is a secret. That’s a lot of secrets, and the more secrets you’ve got, the less secure you are, especially if any of those secrets are shared. Shared secrets aren’t really all that secret any longer.
Time passes, stuff happens, and then Tesla invents the radio and Marconi takes credit for it. This is both good news and bad news for crypto: on the one hand, your messages can get to anywhere with a receiver and an antenna, which is great for the brave fifth columnists working behind the enemy lines. On the other hand, anyone with an antenna can listen in on the message, which means that it’s no longer practical to keep the existence of the message a secret. Any time Adolf sends a message to Berlin, he can assume Churchill overhears it.
Which is OK, because now we have computers – big, bulky primitive mechanical computers, but computers still. Computers are machines for rearranging numbers, and so scientists on both sides engage in a fiendish competition to invent the most cleverest method they can for rearranging numerically represented text so that the other side can’t unscramble it. The existence of the message isn’t a secret anymore, but the cipher is.
But this is still too many secrets. If Bobby intercepts one of Adolf’s Enigma machines, he can give Churchill all kinds of intelligence. I mean, this was good news for Churchill and us, but bad news for Adolf. And at the end of the day, it’s bad news for anyone who wants to keep a secret.
Enter keys: a cipher that uses a key is still more secure. Even if the cipher is disclosed, even if the ciphertext is intercepted, without the key (or a break), the message is secret. Post-war, this is doubly important as we begin to realize what I think of as Schneier’s Law: “any person can invent a security system so clever that she or he can’t think of how to break it." This means that the only experimental methodology for discovering if you’ve made mistakes in your cipher is to tell all the smart people you can about it and ask them to think of ways to break it. Without this critical step, you’ll eventually end up living in a fool’s paradise, where your attacker has broken your cipher ages ago and is quietly decrypting all her intercepts of your messages, snickering at you.
Best of all, there’s only one secret: the key. And with dual-key crypto it becomes a lot easier for Alice and Bob to keep their keys secret from Carol, even if they’ve never met. So long as Alice and Bob can keep their keys secret, they can assume that Carol won’t gain access to their cleartext messages, even though she has access to the cipher and the ciphertext. Conveniently enough, the keys are the shortest and simplest of the secrets, too: hence even easier to keep away from Carol. Hooray for Bob and Alice.
Now, let’s apply this to DRM.
In DRM, the attacker is also the recipient. It’s not Alice and Bob and Carol, it’s just Alice and Bob. Alice sells Bob a DVD. She sells Bob a DVD player. The DVD has a movie on it – say, Pirates of the Caribbean – and it’s enciphered with an algorithm called CSS – Content Scrambling System. The DVD player has a CSS un-scrambler.
Now, let’s take stock of what’s a secret here: the cipher is well-known. The ciphertext is most assuredly in enemy hands, arrr. So what? As long as the key is secret from the attacker, we’re golden.
But there’s the rub. Alice wants Bob to buy Pirates of the Caribbean from her. Bob will only buy Pirates of the Caribbean if he can descramble the CSS-encrypted VOB – video object – on his DVD player. Otherwise, the disc is only useful to Bob as a drinks-coaster. So Alice has to provide Bob – the attacker – with the key, the cipher and the ciphertext.
DRM systems are broken in minutes, sometimes days. Rarely, months. It’s not because the people who think them up are stupid. It’s not because the people who break them are smart. It’s not because there’s a flaw in the algorithms. At the end of the day, all DRM systems share a common vulnerability: they provide their attackers with ciphertext, the cipher and the key. At this point, the secret isn’t a secret anymore.