How Embedding Third-Party IP Can Help Prevent Security Attacks
Introduction
The creation and distribution of digital content, such as music and video, is growing rapidly. Consumers want greater flexibility and portability in terms of how and where they play digital content. For example, consumers can now play and distribute digital content using various electronic devices such as: set-top boxes, DVD players, computers and all-in-one handheld devices such as Apple’s recently announced iPhone.
While content producers and distributors embrace the proliferation of digital content, they also want to protect their assets and revenue streams by preventing unauthorized copying or redistribution of their content. According to the Motion Picture Association (MPA), piracy cost the American film industry $6.1B in 2005. The task of protecting digital content is becoming increasingly difficult, as evidenced by the recent breach of Advanced Access Content System (AACS), a content protection scheme used for HD DVD and Blu-Ray Disc (BD) formats.
In this article, we will discuss the content protection requirements required of electronic device manufacturers and the financial liabilities they face if content protection breaches occur. Two of the content protection schemes that will be discussed in this paper are the aforementioned AACS and High-Bandwidth Digital Content Protection (HDCP). HDCP is the scheme used to protect digital data as it travels across a High-Definition Multimedia Interface (HDMI) typically used to connect an HD DVD player with an HDTV monitor. This article will also cover the design requirements that are contractually required by most new content protection licenses such as AACS and HDCP, and how embedding security deeper into silicon during the System-on-Chip (SoC) design phase can be used to help protect against attacks on these protection schemes.
The Penalty for Insufficient Security
Companies that manufacture devices which process media and digital content are increasingly subjected to licensing penalties for poor security control. Industry standards such as HDMI, Blu-Ray and HD-DVD each use content protection standards such as HDCP and AACS. These standards require adopters to subscribe to a technology license with “Liquidated Damages” clauses. The licensees cannot rely on insurance because typical insurance policies do not cover these types of damages. The damage clauses state that a licensee that is building a product to the licensed standard is liable for $1M to $8M dollars in the event that the security of the product is compromised. Examples of such a compromise would be if cryptographic keys are accidentally divulged due to a licensee not properly controlling keys during the manufacturing process; or by releasing an unsecured product design that allows an attacker to retrieve the key from the product itself. In both cases, a compromise to the key results in digital content that can be stolen -- next generation DVDs can be copied and high definition digital media can be intercepted “on the wire”.
Generally, digital content is protected by cryptographic keys that are purchased from a technology licensing authority. Each key is unique and is programmed into each individual chip during manufacturing. If these cryptographic keys are exposed, then the entire security system is compromised because the keys represent the small “manageable secrets” from which content security is derived. It would be similar to a homeowner using a steel door for security but leaving the key in a plastic bag outside the door. To further this analogy, if a device maker builds a product that protects valuable music or movies, and leaves the key on the doorstep in plain view, then the content owners will have their content stolen.
Securing Encryption Keys
Most new content protection schemes specify security “robustness rules” for handling protected data on consumer devices. Generally speaking, these rules imply that security written in software is not robust. To truly secure a system, cryptographic keys should be stored and used in silicon. If the cryptographic keys are embedded in an SoC design, then it requires more time, money and sophistication on the part of an attacker to retrieve those keys. The most secure way to store a key is by programming it into the embedded, non-volatile memory of an SoC design and then using on-chip cryptographic logic so that keys are never transmitted outside the boundary of the chip.
Another critical security measure is to use a secure process technique to program keys into non-volatile memory at manufacture time. Before the days of offshore outsourcing, a security-savvy company would develop specific, in-house security procedures to closely monitor the internal manufacturing process as it relates to cryptographic key injection into SoC design. However, when using offshore manufacturers, it is difficult to distribute, control, and track unique cryptographic keys, especially when most third-party manufacturers are streamlined for low-cost efficient operations that typically do not have security measures in place. The security of that product is still the responsibility of the content protection technology licensee and product designer and a breach could cost a company all of its product revenues. Prudent designers find a way to protect cryptographic key data right up until the time when it is programmed into the chip.
Recovering from an Attack
Designers of modern consumer content protection schemes prepare for the worst so that in the event that a particular consumer device’s security is compromised, the content delivery system can recover without having to recall every device in the market or having to scrap the system. This security feature is referred to as “renewability” and could consist simply of a list of revoked keys, as can be found in the HDCP standard. Or it could be the more sophisticated “title key” updates found in the AACS scheme that uses in-band re-keying via “subset-difference trees”, a sophisticated method that allows AACS to publish new Disc titles “for every AACS player in the world, except these ones”. Both of these renewable security features use reprogrammable non-volatile memory embedded in SoC design to securely store the keys and to update the keys and security data throughout the life of the consumer product.
Recent reports have highlighted the attacks against the AACS scheme of software DVD players that allowed high definition title keys to be extracted from HD-DVD and Blu-Ray disks which were then posted on the Internet. Through the use of renewability, AACS could recover by encrypting the new high definition content titles with new title keys that would not be communicated to the broken software product that leaked the old keys. This allows security to be renewed for new disc titles in all of the players in the world that are not broken, because only the broken player will be cut out of the distribution scheme.
This is an example of the importance of renewable security systems, and the need to store renewable keys safely in hardware according to the robustness rules of the licensed content protection technology.
Cost Constraints
Content producers and distributors are the drivers behind the new security schemes as they want to ensure the protection of their assets. However, they are not willing to subsidize the cost of doing so. This puts the device manufacturer in a difficult position because consumers do not want to be burdened with additional costs associated with content protection because they do not have the same level of interest in protecting content as do the content producers. Another challenge faced by a consumer electronics vendor is how to provide a robust security system while minimizing the cost to do so. Storing the encryption keys securely in embedded non-volatile memory is an ideal solution. To minimize costs, the embedded non-volatile memory should require no additional masking, process steps or process modifications; and it should be able to be manufactured on a standard CMOS logic process.
Summary
Consumers are playing and distributing digital content using a variety of electronic devices, making the task of protecting that content increasingly difficult. Recent attacks on software content protection systems highlights the need for stronger security which can be achieved by embedding encryption keys in the SoC design, furthest from the reach of attackers. More specifically, encryption keys can be embedded in multi-time programmable non-volatile memory that can be manufactured on a standard CMOS logic process. Multi-time programming allows for renewability, which provides the system with the ability to recover from an attack. Virage Logic’s NOVeA® memory is an embedded multi-time programmable NVM which can be manufactured on a standard CMOS logic process and requires no additional masking, process steps or process modifications.
Attackers are always seeking the easiest method to steal content and the encryption keys which protect that content. As security is embedded deeper into devices, manufacturing facilities in global locations will increasingly be targeted. In an unsecure global manufacturing environment, a single bribed line worker could put a company’s entire product revenues at risk, due to key secrecy requirements built into the new content protection standards. To minimize risk, encryption keys must be kept confidential during manufacturing and programming of keys on the chips must be tracked and auditable in a way that ensures manufacturing line availability. Many companies embark on long internal development cycles to build such a secure manufacturing logistics system. A faster and less costly alternative is the Certicom KeyInject™ product that can be quickly deployed to global third party contract manufacturers while being remotely controlled from North America. KeyInject™ allows companies to adhere to the strict security requirements of the latest content protection technology licenses using a COTS product designed for global manufacturing operations.
About the Authors
Pat Lasserre, Director of NOVeA Marketing, Virage Logic
As director, NOVeA marketing, Pat Lassere is responsible for the
direction of the non-volatile memory product line including strategic
marketing and product development for the company’s patented memory
system.
Prior to joining Virage Logic, Lasserre held a variety of management,
sales, and engineering positions at several companies including
Integrated Device Technology, Integrated Silicon Solution, and Cypress
Semiconductor.
Lasserre is a certified product manager from the Association of
International Product Marketing & Management and holds a BSEE from the
University of California, Berkeley.
Brian Neill, Certified Information Systems Security Professional (CISSP), Certicom
Brian Neill is a Product Manager at Certicom Corp. Prior to his current role, Neill was a member of Certicom's Professional Services team, helping customers to engineer security into their systems and products. Neill received his B.Math degree from the University of Waterloo (Canada) in 1999.
The creation and distribution of digital content, such as music and video, is growing rapidly. Consumers want greater flexibility and portability in terms of how and where they play digital content. For example, consumers can now play and distribute digital content using various electronic devices such as: set-top boxes, DVD players, computers and all-in-one handheld devices such as Apple’s recently announced iPhone.
While content producers and distributors embrace the proliferation of digital content, they also want to protect their assets and revenue streams by preventing unauthorized copying or redistribution of their content. According to the Motion Picture Association (MPA), piracy cost the American film industry $6.1B in 2005. The task of protecting digital content is becoming increasingly difficult, as evidenced by the recent breach of Advanced Access Content System (AACS), a content protection scheme used for HD DVD and Blu-Ray Disc (BD) formats.
In this article, we will discuss the content protection requirements required of electronic device manufacturers and the financial liabilities they face if content protection breaches occur. Two of the content protection schemes that will be discussed in this paper are the aforementioned AACS and High-Bandwidth Digital Content Protection (HDCP). HDCP is the scheme used to protect digital data as it travels across a High-Definition Multimedia Interface (HDMI) typically used to connect an HD DVD player with an HDTV monitor. This article will also cover the design requirements that are contractually required by most new content protection licenses such as AACS and HDCP, and how embedding security deeper into silicon during the System-on-Chip (SoC) design phase can be used to help protect against attacks on these protection schemes.
The Penalty for Insufficient Security
Companies that manufacture devices which process media and digital content are increasingly subjected to licensing penalties for poor security control. Industry standards such as HDMI, Blu-Ray and HD-DVD each use content protection standards such as HDCP and AACS. These standards require adopters to subscribe to a technology license with “Liquidated Damages” clauses. The licensees cannot rely on insurance because typical insurance policies do not cover these types of damages. The damage clauses state that a licensee that is building a product to the licensed standard is liable for $1M to $8M dollars in the event that the security of the product is compromised. Examples of such a compromise would be if cryptographic keys are accidentally divulged due to a licensee not properly controlling keys during the manufacturing process; or by releasing an unsecured product design that allows an attacker to retrieve the key from the product itself. In both cases, a compromise to the key results in digital content that can be stolen -- next generation DVDs can be copied and high definition digital media can be intercepted “on the wire”.
Generally, digital content is protected by cryptographic keys that are purchased from a technology licensing authority. Each key is unique and is programmed into each individual chip during manufacturing. If these cryptographic keys are exposed, then the entire security system is compromised because the keys represent the small “manageable secrets” from which content security is derived. It would be similar to a homeowner using a steel door for security but leaving the key in a plastic bag outside the door. To further this analogy, if a device maker builds a product that protects valuable music or movies, and leaves the key on the doorstep in plain view, then the content owners will have their content stolen.
Securing Encryption Keys
Most new content protection schemes specify security “robustness rules” for handling protected data on consumer devices. Generally speaking, these rules imply that security written in software is not robust. To truly secure a system, cryptographic keys should be stored and used in silicon. If the cryptographic keys are embedded in an SoC design, then it requires more time, money and sophistication on the part of an attacker to retrieve those keys. The most secure way to store a key is by programming it into the embedded, non-volatile memory of an SoC design and then using on-chip cryptographic logic so that keys are never transmitted outside the boundary of the chip.
Another critical security measure is to use a secure process technique to program keys into non-volatile memory at manufacture time. Before the days of offshore outsourcing, a security-savvy company would develop specific, in-house security procedures to closely monitor the internal manufacturing process as it relates to cryptographic key injection into SoC design. However, when using offshore manufacturers, it is difficult to distribute, control, and track unique cryptographic keys, especially when most third-party manufacturers are streamlined for low-cost efficient operations that typically do not have security measures in place. The security of that product is still the responsibility of the content protection technology licensee and product designer and a breach could cost a company all of its product revenues. Prudent designers find a way to protect cryptographic key data right up until the time when it is programmed into the chip.
Recovering from an Attack
Designers of modern consumer content protection schemes prepare for the worst so that in the event that a particular consumer device’s security is compromised, the content delivery system can recover without having to recall every device in the market or having to scrap the system. This security feature is referred to as “renewability” and could consist simply of a list of revoked keys, as can be found in the HDCP standard. Or it could be the more sophisticated “title key” updates found in the AACS scheme that uses in-band re-keying via “subset-difference trees”, a sophisticated method that allows AACS to publish new Disc titles “for every AACS player in the world, except these ones”. Both of these renewable security features use reprogrammable non-volatile memory embedded in SoC design to securely store the keys and to update the keys and security data throughout the life of the consumer product.
Recent reports have highlighted the attacks against the AACS scheme of software DVD players that allowed high definition title keys to be extracted from HD-DVD and Blu-Ray disks which were then posted on the Internet. Through the use of renewability, AACS could recover by encrypting the new high definition content titles with new title keys that would not be communicated to the broken software product that leaked the old keys. This allows security to be renewed for new disc titles in all of the players in the world that are not broken, because only the broken player will be cut out of the distribution scheme.
This is an example of the importance of renewable security systems, and the need to store renewable keys safely in hardware according to the robustness rules of the licensed content protection technology.
Cost Constraints
Content producers and distributors are the drivers behind the new security schemes as they want to ensure the protection of their assets. However, they are not willing to subsidize the cost of doing so. This puts the device manufacturer in a difficult position because consumers do not want to be burdened with additional costs associated with content protection because they do not have the same level of interest in protecting content as do the content producers. Another challenge faced by a consumer electronics vendor is how to provide a robust security system while minimizing the cost to do so. Storing the encryption keys securely in embedded non-volatile memory is an ideal solution. To minimize costs, the embedded non-volatile memory should require no additional masking, process steps or process modifications; and it should be able to be manufactured on a standard CMOS logic process.
Summary
Consumers are playing and distributing digital content using a variety of electronic devices, making the task of protecting that content increasingly difficult. Recent attacks on software content protection systems highlights the need for stronger security which can be achieved by embedding encryption keys in the SoC design, furthest from the reach of attackers. More specifically, encryption keys can be embedded in multi-time programmable non-volatile memory that can be manufactured on a standard CMOS logic process. Multi-time programming allows for renewability, which provides the system with the ability to recover from an attack. Virage Logic’s NOVeA® memory is an embedded multi-time programmable NVM which can be manufactured on a standard CMOS logic process and requires no additional masking, process steps or process modifications.
Attackers are always seeking the easiest method to steal content and the encryption keys which protect that content. As security is embedded deeper into devices, manufacturing facilities in global locations will increasingly be targeted. In an unsecure global manufacturing environment, a single bribed line worker could put a company’s entire product revenues at risk, due to key secrecy requirements built into the new content protection standards. To minimize risk, encryption keys must be kept confidential during manufacturing and programming of keys on the chips must be tracked and auditable in a way that ensures manufacturing line availability. Many companies embark on long internal development cycles to build such a secure manufacturing logistics system. A faster and less costly alternative is the Certicom KeyInject™ product that can be quickly deployed to global third party contract manufacturers while being remotely controlled from North America. KeyInject™ allows companies to adhere to the strict security requirements of the latest content protection technology licenses using a COTS product designed for global manufacturing operations.
About the Authors
Pat Lasserre, Director of NOVeA Marketing, Virage Logic
As director, NOVeA marketing, Pat Lassere is responsible for the
direction of the non-volatile memory product line including strategic
marketing and product development for the company’s patented memory
system.
Prior to joining Virage Logic, Lasserre held a variety of management,
sales, and engineering positions at several companies including
Integrated Device Technology, Integrated Silicon Solution, and Cypress
Semiconductor.
Lasserre is a certified product manager from the Association of
International Product Marketing & Management and holds a BSEE from the
University of California, Berkeley.
Brian Neill, Certified Information Systems Security Professional (CISSP), Certicom
Brian Neill is a Product Manager at Certicom Corp. Prior to his current role, Neill was a member of Certicom's Professional Services team, helping customers to engineer security into their systems and products. Neill received his B.Math degree from the University of Waterloo (Canada) in 1999.
Տեքստում սխալ կամ վրիպակ նկատելու դեպքում, ուղարկեք խմբագրին հաղորդագրություն` նշելով տվյալ սխալը, այնուհետև սեղմելով Ctrl-Enter: