Content security
Ecole d’été RESCOM 2006
DIEHL Eric
Technology, Corporate Research, Security Domain Manager
12 June 2006
What is content security about?
Protect content
Identify source of leakage
Mitigate theft
Eight laws to rule
[Figure: the eight laws, numbered I to VIII]
Law 1: Pirates will always find a way
Examples
– DeCSS unprotected DVD since 1999
– Sony Key2Audio and the lethal pen
– Pay TV cards have always been broken
Design with mandatory renewability
– Smart card
Find the hole
– Track illegal activity
– Watermark
Law 2: Know the assets to protect
Examples
– Wrong asset
– Useless protection
Threat analysis
– What to protect
– Who are the attackers
– Identify the attacks, the consequences and the risk
Law 3: No security through obscurity
Example
– Walmart’s cart
– Selection process of AES
Sound cryptography
Kerckhoffs’s law
– Security should rely on the secrecy of keys and not on the secrecy of algorithms
Law 4: Trust no one
Example
– ATT report
2/3 of content leakage done by insiders!
Simplify the trust model
– The less you need to trust, the more secure you are
BYERS S., et al., Analysis of security vulnerabilities in the movie production and distribution process, ATT Labs, September 2003 available at http://lorrie.cranor.org/pubs/drm03.html
Law 5: Si vis pacem, para bellum
Example
– DirecTV counter attacks
Know your enemy
Change the target
Multiple defenses
– Combination of encryption and watermark
– Physical security and encryption
If you want peace, prepare for war
Law 6: You are the weakest link
Examples:
– Password jeopardy
– Phishing
Social Engineering
– MITNICK K., The art of deception, WILEY, 2002
Security must be transparent
A2783E67BFA39C60DF234E79FD45E93F
A2783E67BFA39C60DF234E7BFD45E93F
Law 7: Security is not stronger than the weakest link
Example
– High robustness security locks on a thin wooden door
– Constant failure of Copy Protection for CD-A
– Side Channel Attacks
Design of security from the start
Strengthen the weakest element
Law 8: Security is a process, not a product
Examples
– Day-to-day patching process
– Best firewall with default admin password
Security is global
– Secure system A + secure system B is not a secure system
Security policy is mandatory
Certainty is a weakness
An example: NexGuard™
Encrypt content
Create & encrypt licence
Decrypt licence
Decrypt & watermark content
An example: NexGuard
Si vis pacem, para bellum
– Encryption and watermark
– Possible revocation of every element
You are the weakest link
– Transparent for user
No security through obscurity
– Use of proven cryptography (AES, RSA)
– Keys are stored in secure cards
Trust no one
– A very limited set of assumptions
An example: NexGuard
Pirates will always find a way
– Smart card allows renewability
Know the assets to protect
– Only protect content
Security is not stronger than the weakest link
– Special effort in the design of the product
Security is a process, not a product
– Help the customer to design its security policy
– Best practices, guidelines, …
Conclusions
Piracy is a reality BUT
A toolbox already exists
Many fields open for academic/industrial research
– Cryptography
– Watermark
– Fingerprint
– Smart cards
– Policy enforcement and definition
– Formal proof of security
– …
Thank you for your attention
This document is for background informational purposes only. Some points may, for example, be simplified. No guarantees, implied or otherwise, are intended.