fundamentals of ecommerce security

8/6/2019 Fundamentals of eCommerce Security

1/20

ECOM 6031

Fundamentals of e-Commerce

(Dr KP Chow, Dr Lucas Hui)

Lecture 4:

Content and Software Protection

Dr Lucas Hui

1

, , . .

Content

Content Copyright protection

Case of Broadcast encryption technique in CPRM

Case of HDCP

Software Copyright Protection

Method 1 Software Watermarkin

(Method 2) Registration Key

(Method 3) Tamper-proof Hardware Token

(Method 4) Obfuscation

Final Remarks

2

Content IP Protection

Merchants wish: the machine

content in case of access rightviolation

Digital Content +access right (e.g.

reg on co einfo

Customersmachine

Merchant Website

3

DVD copyright protectionCase 1: The CSS story

The encryption system that most commercial

CSS is weak in cryptographic strength:

- ,function (some literature said it contains secret-sharing mechanisms)

Fits the US export restriction for cryptographicproducts

block ciphers Can be cracked in minutes usin modern

4technology


2/20

CSS Stor CSS : Content Scrambling System

Main goal: stop piracy

Apply encryption technology Other goals: region coding, non-skippable FBI

warnings, avoid second generation copying,other artificial restrictions

DVD manufacturers, player manufacturers, haveto sign obtain a license (to use the encryption

technology) Pledged not to produce non-complaint machine

Not to reveal copy protection scheme

5

Two major camps in Linux community

LSDVD: working on a licensed DVD player

: wor ng on crea ng a ree open-

source version of DVD for Linux DeCSS (released on LiViD at 1999):

a software published by Jon Johansen whichdecrypts the CSS

Johansen (a 16-year old youngster in Norway),w o a er ac e a rp ay, e pp eiTunes closed system

not the first one to publish CSS decryption tools

6

Info about security on some published claimed tobehave like CSS scheme is as follows.

2 kinds of keys:

Player key P1, P2, , Pn (n is around 400), each

ran o p ayer as a un que ey Disk key D (each DVD disk has a unique key)

contains

A 40-bit hash H of D looks like not a o ularhash algorithm like SHA-1 or MD5)

D encrypted with P1 (denoted as EnP1(D) )

D encrypted with P2 ( EnP2(D) )

7

D encrypted with Pn ( EnPn(D) )

When Player Brand 99 reads the DVD, it willperform

Decrypting EnP99(D) to retrieve D

Perform a verification D = Decrypt (H, D) (with aproprietary decryption algorithm)

Use D to decrypt title key (a key unique to eachtitle

Use the title key to decrypt the data blocks

8


3/20

Cr to Ob ects in CSS Scheme

EnT (Data) EnP1 (D)

P2

EnP3 (D)

EnP99 (D)

EnD (T) H

9

Potential weakness

being known, exhaustive search on D using the

The decryption algorithm is badly designed,

with a Pentium III (with more elaboratedcr tanal sis techni ues

If one player key is cracked, advanced

cr tanal sis is ossible to crack another la erkey

Actuall if one la er ke is cracked all DVDs

10

can be read

Alternatives to DVD rotection-Watermarking

Addition of watermarks in the DVD content.

e wa ermar s con a n e copyr gnotices.

DVD if

The watermark is supposed to be changed

watermark, which is possible by directly

11

Alternatives to DVD protection a ermar ng

Cannot avoid non-compliant players

integrity control, (2) robustness (error

(Serious Problem) If one player key is,

key, without disabling the old players inplaying new DVDs.

How can we solve this?

12


4/20

Case of Broadcast Encr tion Techni ue in CPRM

Some early potential alternatives to CSS to achieve DVDcopy protection

CGMS

CPPM

CPRM

DTCP AACS

13

CSS (Content Scrambling System) s ra g - orwar so u on

Pre-recorded DVD-Video content is encrypted

Device without the decryption key cannot playback

CGMS (Copy Generation Management System) The Macrovision DVD Copy Protection system

Store two bits in the header of MPEG-2 stream to indicatewhether copying is allowed or not

2 format and 3 states

the equipment making the copy has to recognize andrespect the CGMS

- Replace CSS

Keys are stored in the lead-in (read-only) area of the disc

14

CPRM Content Protection for Recordable Media Proposed by IBM, Intel, Matsushita and Toshiba

supported by all DVD recorders released after 1999

Making use of CGMS Writable DVD drives are prevented from indiscriminately

copying protected content

A general solution to the Broadcast Encryption Problem

DTCP (Digital Transmission Content Protection) ropose y n e , ony, ac , a sus a, an os a

Anti-DVD copying

Making use of CGMS

15

AACS Advanced Access Content S stem Successor of CSS, final specification posted 2010

It is like CSS + a tree-based broadcast encryption structure

Since appearing in devices in 2006, several AACS decryptionkeys have been extracted from weakly protected softwarep ayers an pu s e on e n erne , a ow ng ecryp on yother unlicensed software

16


5/20

DVD Protection Conceptual ScenarioDVD Pla er 1 DVD Pla er 2me

2005

2005 DVD

Ke 1 Ke 2

2007

ey s expose

Old Player 22005 DVD

Player 1 New Player 2 ??? Player

Key 1 Key 2Key 2 Key 2

2007 DVD

17

Q: What key should be contained in a commercial DVD writer machine?

(one solution: use a key which is used in every commercial DVD reader)

Case of Broadcast EncryptionTechnique in CPRM

One potential approach to solve the DVD

co ri ht technical roblem at least artiall

CPRM (Content Protection for Recordable

Using Broadcast encryption technique

Used in DVD, Secure Digital Memory Card orecure ompac as

18

The CPRM scheme Each DVD (or more general, data to be protected) with

contains a ke mana ement block

There is a management key/Master key (k) similar tothe disk key in CSS. That is the information that enable

t e rea ng o t e w o e content There is a CPRM matrix (with 16 columns, and around

Each device (that reads the DVD legally) will have 16different device keys, one key per column

Two devices may have some common device keys

Very unlikely to have 2 or more common device keys

19

The CPRM matrix Each entry contains the encrypted Master Key

y a ev ce ey j Denoted as En(dj, k)

Some entries can be voided (if the device key iscracked)

Note: there are a lot of different device keys !!!

20


6/20

Normal CPRM matrix Assume Ej = En(dj, k), & a device knows E1 E16

E4 E11

E1

E6E3

E10 E14

E12

E8 E16E13

E2

E9

. . .

21

E5

(assume 2500 rows)

Prob of device key in first column the same

Prob of all 16 device keys identical- = -

Prob of all 16 device keys different(1 1/2500) ^ 16 = 0.9936

Prob of exactly 1 device key differentC161 * ( 1/2500 * (1 1/2500)^15 ) =16 * ( 0.004 ) = 0.00636

22

O eration of CPRM Each device knows

The 16 device keys (one in each column)

The position of that 16 device keys in the CPRM

matrix

To extract the mana ement ke ,

read any one of the 16 device key positions inthe matrix

If that position is voided, try another one.

least one device key entry can be read

23

If a device key (say d ) is cracked

Later, produced DVDs will have CPRM matrix

The entries in the device key are voided

keys other than d99

Non-com liant devices usin d can onl read oldDVDs (before the d99 entries are voided)

Will not affect other devices

In the matrix-based scheme (CPRM), if manydevice keys are cracked, the scheme is cracked

More advanced schemes using trees of keys calledLogical Key hierarchy (LKH) can make the scheme

24

stage).


7/20

After some device keys being

Voided entry:Normal entry:

E4 E11

E1

E6E3

E10 E14

E12

E8 E16E13

E2

E9

. . .

25

E5

Content IP Protection Remarks

Steganography is also used in IP right protection

There are techniques to destroy/modify the

Without making some assumptions in the- ,

illegal copying

. .encryption technique) are used to assist the IP

ri ht rotection roblem Against, certain assumptions on client-side

machine are needed

26

Case of Hi h-bandwidth Di italContent Protection (HDCP)

A form of digital copy protection developed by IntelCorporation.

Prevent copying of digital audio and video content as ittravels across DisplayPort, Digital Visual Interface (DVI),

- ,Video Interface (GVIF), or Unified Display Interface (UDI)connections

ReceiverTransmitter

Mutualauthentication

Encrypted datatransmission

Each HDCP-capable device has a unique setof 40 56-bit keys.

Each set of Device Private Keys is associated with aspecial public key called a KSV (Key Selection Vector).

from all other HDCP Transmitters.

Each HDCP Receiver has assi ned to it a uni ue KSVfrom all other HDCP Receivers.

Each KSV consists of 40 bits (one bit for each HDCPey , w s se o an s se o .


8/20

s ev ce eys - samp e Transmitter (A) Receiver (B)

Public Key (40-bit KSV):

Apub

Public Key (40-bit KSV):

Bpub

r va e ey(40 56-bit key):Apri

(40 56-bit key):Bpri

Transmitter (A) Receiver (B)

Public Key (40-bit KSV):Apub

Public Key (40-bit KSV):Bpub

(40 56-bit key):Apri


ApubBpub

Km = Apri . Bpub

ompu e:Km = Bpri . Apub

Km = Km

Transmitter (A) Receiver (B)

Public Key (40-bit KSV):Apub

Public Key (40-bit KSV):Bpub

(40 56-bit key):Apri


K KmHDCP HDCP

m

Data DataData Encr ted

p er p er

Using HDCP Cipher, with inputKm , data are encrypted & sent

Using HDCP Cipher, with inputKm , data are decrypted


9/20

. u en ca on

Purposes

Before sending data, a transmitting device checksthat the receiver is authorized to receive it.

Stop HDCP-encrypted content from being played-- .

Prevent the HDCP content from being copied bythe modified devices.

Function

Establishes shared values between the twoHDCP Devices if both devices have a validDevice Key Set from the Digital Content

.

. u en ca on con .

KSV (Aksv) and a 64-bit pseudo-random value (An) to the HDCPReceiver (B).

HDCP Receiver responds by sending a response messagecon a n ng e rece ver s sv .

HDCP Transmitter verifies that the HDCP Receivers KSV has notbeen revoked.

. .

If both HDCP Devices have a valid array of secretdevice keys and corresponding KSV from the

,calculate a 56-bit shared secret value, Km (or Km'in the video receiver). Each device calculates Km (or Km) by addinga

selection of its private device keys described by the -, . .

unsigned addition modulo 256). The selection of secret device keys that are added

indexesof all of the 1-bits of the binaryrepresentation of the KSV.

. .

For example: Suppose Bksvequals 0x5A3. For the binary

, , , , , ,10 are ones and all other bit positions are zeros.

Device A will add its own secret device keys at arrayindexes 0 1 5 7 8 and 10 to ether to calculate theshared secret value, Km.

Device B will perform an analogous calculation usingits own rivate ke arra and Device As KSV to etKm'.

keys or corresponding KSV, then Km will not beequalto Km'.


10/20

. u en ca on con .

The HDCP Cipher function hdcpBlkCipheris then used to

calculate three values, Ks, M0, and R0. The ci her initialization values for this calculation are K or K ' ,and the 65-bit concatenation of REPEATERwithAn.

The session keyKs is a 56-bit secret key for the HDCP Cipher. M is a 64-bit secret value used in the second art of the

authentication protocol (for repeater), and as a supplementalHDCP Cipher initialization value.

R0'is a 16-bit response value that the video receiver returns tothe HDCP Transmitter to provide an indication as to the successof the authentication exchange.

If authentication was successful, then R0'will be equal to R0. Ifaut ent cat on was unsuccess u , t en 0 an 0w , n mostcases, differ.

. ncryp on

Purposes If authenticated the transmitter encr ts the data

to prevent eavesdropping as it flows to thereceiver.

Defense against man-in-the-middle attacks.

Function Each pixel is encrypted by applying an XOR

operation with a 24-bit number produced by agenerator. The HDCP specifications ensureconstant updating of keys after each encoded

.

. .

p er pro uces t e - t w e ey-dependent pseudo-random stream during data

encrypted.

. . HDCP Encryption is applied at the input to the

. . . .output of the T.M.D.S. Decoder.

HDCP Encryption consists of a bit-wise exclusive-or

(XOR) of the HDCP Content with a pseudo-randomdata stream produced by the HDCP Cipher.


11/20

. ey revoca on

Purposes

compromised and cloned from receiving data.

ote t at manu acturers w o want to ma e adevice that supports HDCP must obtain acense rom nte su s ary g ta ontent

Protection, pay an annual fee, and submit tovar ous con t ons.

. ey revoca on con .

Through a process de ined in the HD P Adopters License,the Digital Content Protection LLC may determine that a set ofDevice Private Ke s has been com romised.

If so, it places the corresponding KSV on a revocation listthat the HDCP Transmitter checks during authentication. Thelists are signed with a DSA digital signature, which is meant tokeep malicious users from revoking legitimate devices.

revocation because they have different sets of Device Private

keys. The HDCP Transmitter is required to manage system

renewability messages(SRMs) carrying the KSV revocations .

. . . .

The size of the First-Generation HDCP SRM will belimited to a maximum of 5kB.

e ac ua s ze o e rs - enera on sbytes. For scalabilit of the SRM, the SRM format su orts

next-generation extensions.

By supporting generations of SRMs, an HDCP SRM, ,

accommodate more KSVs.

Next-generation extensions are appended to thecurrent-generation SRM in order to ensure backwardcompatibility with devices that support only previouseneration SRMs.


12/20

aws emons ra e y cryp ana ys s

S. Crosby, etc. A Cryptanalysis of the High-Bandwidth DigitalContent Protection System, Revised Papers from the ACM CCS-8

Workshop on Security and Privacy in Digital Rights Management,' -, , .

HDCP's linear key exchange is a fundamentalwea nesses. Attackers can: Eavesdro on an data Clone any device with only their public key Avoid any blacklist on devices

. In aggregate, can usurp the authority completely.

e aw

HDCP uses a linear system for generating

the shared secret. ApubBpri=Km=Km=BpubApri

The flaw is that any device whose public

of other devices will, when assigned a

rivate ke that's a similar linearcombination of the other devices privatekeys, successfully authenticate.

Idea to break

If we know:

ub ri ub ri ,

then

pub + pub pri+ pri are a so va eys Proof: For any other valid device A, we have

ApubBpri= BpubApri ApubCpri= CpubApri

Therefore Apub(Bpri+ Cpri) = (Bpub + Cpub)Apri

When we have 40 independent valid key pairs,

we can generate ALL valid keys in the scheme!!!

ssume: We have the public and private keys from 40 devices B(i). We have enou h rivate ke s B i, whose ublic ke s

span M (Z/256Z)40, the module generated by all publickeys assigned by the central authority. All of these devices will successfull authenticate with A.

As the subspace is 40 dimensional, a set of at most 40keys will be enough.

ons er any ev ce w t pub , w ose pu c eyand private key are any non-zero linear combination ofB i 's ublic and rivate ke s. C

pub= 40

i=1(a

iB

pub(i))

Cpri= 40

i=1(aiBpri(i))


13/20

u en ca e

Let A and Cauthenticate

When A and Cauthenticate

WeknowKshared(i)=Kshared(i) forallibecauseby', .

Therefore,Kshared=Ksharedandthisauthenticationsucceeds.

ecryp on

Thus, for any device Cwith Cpub

M, we2

rewriting Cpub as a linear combination of

pub .

. , ,

of a possible genuine HDCP master key which can neutralizethe key revocation feature of HDCP.

they discovered it, though the discovery was announced via aTwitterupdate which linked to a Pastebin snippet containingthe ke and instructions on how to use it.

Engadget said the attacker may have used the methodproposed by Crosby in 2001 to retrieve the master key,

. On Sep. 16, Intel confirmed that the code had been cracked.

Intel has threatened legal action against anyone producing, .

Devices to view HDCP signals are available in market, thoseIntel threatened to sue any illegal devices

Some of the 376 lines of HDCP master

Internet.


14/20

e erences

HDCP, LLC., High-bandwidth Digital Content Protection

(HDCP) System Revision 1.4, July 8, 2009. , . -Digital Content Protection System, Revised Papers fromthe ACM CCS-8 Workshop on Security and Privacy in

' , , - ,2001.

Wikipedia, http://en.wikipedia.org/wiki/High-bandwidth_Digital_Content_Protection

Discussion Question

Are those content protection solutions-

house digital assets?

Web documents

e c

54

Merchants wish: the software

detecting access right violation

Software + accessright info (e.g.reg s ra on num er

Cus omers

machine

55

Software Intellectual Propertyprotection

Problem: A normal software code (agent) runningon a malicious host

Software has to protect itself

Against copying (almost impossible) Against re-engineering

ga nst mo cat on tamper ng

Use legal framework to protect:

.g eg strat on o so tware, ser a nos., etc

Sending of user information from executionp a orm may or may no e ega

This is just a monitoring process. It has to

56


15/20

Framework A malicious software code running on a normal

< >

The host has to perform monitoring, intrusione ec on, an o er secur y measures o

minimize the damage by the malicious code

A normal software code (agent) running on amalicious host

Software has to protect itself

A ainst co in Against re-engineering

57

Defense against malicious host attacks:1st method - Software watermarking

Puttin watermarks in the software

Mainly used to defense piracy

Static watermarkin (e.g. constant table, diagrams, logos)

D namic watermarkin

Relatively new, not very common

The watermark only appear after the program isexecuted (e.g. appear in the execution trace log)

Mainly to scare off piracy intention of the users

Aims: fast, high data rate, hard to detect (normalsteganography properties)

58

Attacks to Software watermarking

A.k.a. dewatermarking techniques

Additive attack: the hacker adds anotherwatermark into the pirated software copy

Distortive attack: the hacker transforms thepirated copy (something like obfuscation) tomake the watermark unrecognizable

Collusive Attack: the hacker obtains severalcopies of the software, and by comparing them,anal zin and removin the watermark

59

The 2nd method : Registration Key

Requiring a legal user (buyer) to obtain a key

.

2. Type in some information with the software purchased (e.g.the serial number)

3. Get a key (usually a long number) to use the software The software will perform checking of this key (at the

rs me o use e so ware, a s ar me o every use,or continuously)

registration key to others

,

the serial number are known to hackers, and thehackers can generate as many as as they like

60


16/20

An improvement of Registration Keymet o

A hardware token sold together with the software

The software vendor site via Internet (may be

problematic if Internet connection is not very reliable) Main concern in this improvement

The hacker will re-engineer the software to bypassaut ent cat on c ec s

Therefore: we need tamper-proofing technology

machine to inspect its execution)

61

Defense : the 3rd method -Tamper-Proofing Hardware Token

Tamper-proofing

Many approaches, the core idea is to refuseexecution if the host environment seems hostile

Authentication with Hardware tokens

Antidebugging

Code encryption with decryption by software orhardware tokens

Mainly used to defense tampering

Also used to defense dynamic analysis (analysisabout the execution) of the program for reverse

62engineering purposes

Goals of Tamper-Proofing HardwareToken

As a convenient storage: keep the registration key inhardware

s a e ense oo o ac ers Simply copying the software is not enough to create

The hacker needs to either

Change the executable codes to bypass all

engineering work)

63

Tamper proofing hardware tokens

One common approach: perform copyright checkingI.e. authentication of a valid user in various

execution stages, using hardware tokens:

Dongles: small hardware attached to I/O

ser a para e port o a Smartcards

key disks (special disk with bad sector in specificlocations

Attack to this approach: the hacker will change themachine instruction that perform hardware testing, toan unconditional jump to the code execution

The hacker may duplicate the hardware token (not

64


17/20

Token authenticationCode listing of s/w

Code to test for existence of h/wtoken, online connection, etc

65

Attack illustration Machine instruction:

Call hardware authentication test If (result is ok) goto code_execute

Quit the program/* due to fail in h/w authentication */

Change to:

No-op (no operation)

== go o co e_execu e

66

More com licate rotection Some of the machine codes are encrypted, and

e e ar ware o en o per orm ecryp on

More expensive H/W needed

Attack (more complicate) : replacing theencrypted codes with the decrypted codes.

This needs the decrypted codes to bediscovered by tedious monitoring of the softwareexecution

Note: the IP protection scheme is similar to

the operation of polymorphic viruses!!

67

Antidebu in The software search for the execution environment, if

exist, the software will kill itself

Similar to the conce t that the software is a hackin tool

and search for the signature of certain processes (e.g.check for active API calls/memory locations) [So this ishacking!!]

If the software reports this situation by sending Internetmessages, t s more e stea ng t e n ormat on romthe execution environment!!! [may not be legal in some

Another similar setting: the s/w tries to test whether it isrunnin on a virtual machine simulator

68


18/20

The 4th method: Obfuscation

The make the software harder to read, so as tomaximize the time to perform reverse engineering

E.g. Java byte codes, machine instructions Used to maximize the reverse engineering time

only. Cannot completely avoid reverseengineering

E.g: code encryption with software

The hacker has to trace along the program to

discover where the key is stored (takes a longtime, but still possible)

Can be used together with registration key and/or

69hardware token

Obfuscation 2 Normal Practice

Engineering practice (produce easily readable

code Use Obfuscation tools to modify different part

of code s stematicall

Example tool: SandMark (a long list of softwareObfuscation tools & watermarkin tools(www.cs.arizona.edu/sandmark/)

70

Original code

Obfuscated code

Obfuscation Illustration

Source: Fig. 4 in Watermarking, Tamper-Proofing, andObfuscation Tools for Software Protection, Collberg &Thomborson, IEEE Transactions on Software Engineering, 28(8),

p.735-746, August 2002

72


19/20

One Problem of Obfuscation

Obfuscation can be used by illegal companies to copy. .

One potential Solution :

Software D namic Birthmarks

Software Birthmarks

Static birthmark

one that can be extracted solely from the programsource code

Can be destroyed using obfuscation

Dynamic birthmark

t at s extracte w en t e program s execut ng. trelies on the run-time behavior of the program

73

A software birthmark is a unique characteristic of a

program that can be used to identify the program re a ve y new e e ec on approac

Still in research

Existing approahes

Mainly based on sequence of API calls i.e. try to match the API calls of two programs, to

see ow s m ar t ey are

Research in CISC, Dept of CS, HKU

Study the objects in the dynamic heap

i.e. try to match the objects created by twoprograms, o see ow s m ar ey are

Lets see the concrete results some time later

Software IP Protection Remarks

Software Copyright protection technology involves

. .

Hacking & anti-hacking technologies

ac an e ense ec n ques can e use n aw u orunlawful manner

-engineering, try to lengthen the time for the software tobe re-en ineered if the cracked co is available afterone year, the financial loss is acceptable)

A hot on-going research area

76


20/20

References Disappearing Cryptography Information Hiding: Steganography &

Watermarking, 2nd Edition, by P. Wayner, Morgan Kaufmann Publisher,2002.

To DVD or Not to DVD, by B. Simons, Communications of the ACM

42(5), p.31-32, May 1999 Broadcast Encryptions Bright Future, by Lotspiech, Nusser, & Pestoni,

IEEE Computer, p.57-63, August 2002 Protecting Cryptographic Keys: The Trace and Revoke Approach, by

a aor an on aor, ompu er u y : - A set theoretic approach to broadcast encryption, by Thomas Martin,

Technical Report RHULMA20055, Royal Holloway, University of, . . . .

DVD Copy Protection: Take 2, by Tekla S. Perry, IEEE Spectrum, p.38-39, Jan 2005.

- , - , Protection, by Collberg & Thomborson, IEEE Transactions on SoftwareEngineering, 28(8), p.735-746, August 2002

77

fundamentals of ecommerce security

Documents