2005/9/11 bh@cmlab.csie.ntu.edu.tw 1

Content Protection for Content Protection for PrePre--recorded Media (CPPM) and recorded Media (CPPM) and

Content Protection for Recordable Content Protection for Recordable Media (CPRM)Media (CPRM)

- The “Introduction to Important DRM Standards” Series, NO. 2

Chun-Hsiang HuangCommunication and Multimedia Laboratory

Department of CSIE, National Taiwan University

2005/9/11 bh@cmlab.csie.ntu.edu.tw 2

Outline

♦ Why do we need CPPM / CPRM?♦ The CPPM/CPRM specification proposed by 4C

Entity♦ Broadcast Encryption: the basis of CPPM/CPRM

2005/9/11 bh@cmlab.csie.ntu.edu.tw 3

Current Status of Prerecorded Media Protection

Compliant player

Non-Compliant player

Legal, encrypted copy

Illegal, decrypted copy

Compliant recorder

Non-Compliant recorder

Playback controlby encryption (CSS)

Copy control by watermarking

• Non-compliant devices are more convenient….>___<

Compromised! Not Used!

2005/9/11 bh@cmlab.csie.ntu.edu.tw 4

CPPM Basics

♦ CPPM is a renewable method for protecting content distributed on prerecorded (read-only) media types based on block-cipher.

♦ Currently, CPPM for DVD-audio is defined♦ Key technologies

– Key management– Content encryption– Media based renewability

2005/9/11 bh@cmlab.csie.ntu.edu.tw 5

Overview of CPPM

Source: The CPPM Specification

2005/9/11 bh@cmlab.csie.ntu.edu.tw 6

CPPM Cryptographic Functions

♦ C2 block cipher is used

♦ The C2 Block cipher is based on Feistel network– bit-shuffling – simple non-linear functions (often called S boxes) – linear mixing (in the sense of modular algebra) using XOR– parts of the IBM Lucifer cipher, which are basis of the famous DES – created by Horst Feistel in IBM

Input Block Size

Output Block Size

Input Key Size

Number of Rounds

64 bits

64 bits

56 bits

10

Encryption: C2_E(k, d)Decryption: C2_D(k,d)

Encryption: C2_ECBC(k, d)Decryption: C2_DCBC(k,d)

2005/9/11 bh@cmlab.csie.ntu.edu.tw 7

Key Management in CPPM

Device Keys

MKB ProcessingMedia Key Block (MKB)

Media Key

Device Keys

MKB

Media Key

56bits each, n keys

Variable, multiple of 4 bytes

56 bits

2005/9/11 bh@cmlab.csie.ntu.edu.tw 8

Devices Keys in CPPM

♦ Each CPPM-compliant playback device is given a set of secret device keys,Kd_0,…Kd_n-1, which are provided by 4C Entity and used in processing the MKB to calculate the Media Key

♦ Each device receives n Device Keys. Each Device Key corresponds to an associated Row and Column value, Rd_i and Cd_i(i=0,…,n-1).

♦ For a given device, no two Device Keys will have the same C_d_i , but Rd_i for two devices keys may be the same

2005/9/11 bh@cmlab.csie.ntu.edu.tw 9

Media Key Block (1)

♦ Renewability is enabled by using Media Key Block♦ All compliant devices cane use their set of secret keys to

calculate the same Media Key♦ Revoking

– If a set of device keys is compromised, an updated MKB can be released and used by future contents, so that the devices with the compromised set of Device Keys will calculate a different Media Key from other compliant devices

– A Media Key of 000000000000000016 will be obtained by using a revoked key

2005/9/11 bh@cmlab.csie.ntu.edu.tw 10

Media Key Block (2)

♦ Media Key Blocks are formatted as a sequence of contiguous Records.

♦ Record lengths are always multiple of 4 bytes

♦ Defined Record types– Verify Media Key Record

• Contains output values obtained by encrypting DEADBEEF16 with Media Key

– Calculate Media Key Record• Exactly one such record in each MKB

– Conditionally Calculate Media Key Record– End of Media Key Block Record

16 columns

2500 columns

CPRM MKB

2005/9/11 bh@cmlab.csie.ntu.edu.tw 11

Calculate Media Key RecordRecord Type: 0116

Record Length

Reserved

Revision

Column

Generation: 00000116

Encrypted Key Data for Row 0 (Dke_0)

Encrypted Key Data for Row 1 (Dke_1)

:::

Checking Generation==000000116

Find Kd_i which Cd_I=Column

Km =C2_D(Kd_I, Dke_r)lsb_56 (+) f(c,r),c=Cd_i , r=Rd_i

Media Key=Km

2005/9/11 bh@cmlab.csie.ntu.edu.tw 12

CPRM Basics

♦ Content Protection for Recordable Media ♦ Each recorded title is encrypted with a title-specific

key♦ CPRM also adopts similar renewing scheme♦ CPRM-compliant recorders may accelerate

revoking MKB faster by writing additional MKB Records

2005/9/11 bh@cmlab.csie.ntu.edu.tw 13

Overview of CPRM

Source: The CPPM Specification

2005/9/11 bh@cmlab.csie.ntu.edu.tw 14

Revoking CPRM Media Key Block

Source: Dr. Kuo’s PPT in NTUCSIE ☺

2005/9/11 bh@cmlab.csie.ntu.edu.tw 15

Key Managements in CPRM

Device Keys

MKB ProcessingMedia Key Block (MKB)

Media Key

C2 Hash FunctionMedia ID

Title Key

2005/9/11 bh@cmlab.csie.ntu.edu.tw 16

CPPM/CPRM Protected Scenario

Compliant player

Copy of compliant player

Legal title

Future title

Compliant recorder

Other compliant playerLegal Copy

Satellite or Cable CPPMCPRM

2005/9/11 bh@cmlab.csie.ntu.edu.tw 17

Key Management Problem

♦ The success of CPPM/CPRM is based on different device keys in each device

♦ The amount of DVD is huge, thus causing serious key management problem

♦ Broadcast encryption is adopted – Amos Fiat & Moni Naor, Advances in Cryptography- CRYPTO ’93

Proceeding, LNCS, Vol. 773, 1994, pp. 480-491

2005/9/11 bh@cmlab.csie.ntu.edu.tw 18

Trivial Key Management SolutionsBroadcast center

User 1 User 2 User 3 User N…

Key1 Key2 Key3 KeyN…

Total processing/transmission time is long!

Broadcast center

User 1 User 2 User 3 User N…

Keys for all subsets User 1 belongs to

Keys for all subsets User 2 belongs to

Keys for all subsets User 3 belongs to

Keys for all subsets User N belongs to

…

Every user must store a large number of keys!!

2005/9/11 bh@cmlab.csie.ntu.edu.tw 19

Results of Broadcast Encryption

♦ By obtaining reasonable trade-off between key management related transmissions (size of MKB) and user key storage (device keys), original broadcast encryption scheme requires every user to store only O(k· log k · log n) keys and the center to broadcast O (k2 · log2 k · log n) transmissions