"It is unlawful to manufacture, import, offer to the public, provide or otherwise traffic in any interactive digital device that does not include and utilize certified security technologies." Of course, writing a law is one thing; implementing it is another. Suppose, just suppose, that this were to pass, and that hardware copy protection were actually implemented on all new hardware. This would do nothing about the tens of millions of computers and other digital devices already in circulation, of course, but I think it's worse than that. There isn't any way that this can directly prevent piracy, even with hardware.

We take as our model a portable player for digitally-encoded music. The assumption is that you would purchase music over the internet, download that information into your desktop computer, and then crossload it into your portable device. So let's design as secure a system as we possibly can, shall we?

The portable device contains a unique serial number, which its processor knows. When you purchase music, you have to provide the device's serial number. The server at the other end then creates a file for you specifically coded so that it would only run on the device which has that serial number. It's possible that the encryption on that file uses a one-time throwaway session key, used for that particular file. Further, the device is designed so that it will refuse to play any file which is not properly protected, or files which are protected but not encoded for its own serial number.

But the portable device operates independently. Once you disconnect it from your desktop computer, it no longer has any connection to the Internet or any ability to access a certifying authority. The player has its data file and has the ability to play it, which means that all the information necessary to remove copy protection from the file is present in the player.
And here we have the key observation: No matter what it is that the player is doing, it can be simulated in software on a desktop computer, yielding an unprotected data stream. Also, whatever it was that the server did to create the file in the first place can also be simulated on a desktop computer. Therefore, once sufficient information about the process was known, a program could be written which removed the copy protection from the file. The raw data could be passed around, via Napster clones. The users receiving this data could then run programs which re-encapsulated the data so that it was encoded for their particular players, and would be able to play them for free.

This would also apply to desktop computers themselves. If copy protection for sound files was implemented directly in the sound cards, so that decryption did not take place in the CPU of the computer, it remains the case that the process just described could be done to recode a file purchased for one system to make it play on another. Equally, a video file on a future replacement for DVD which had strong protection could not rely on being decrypted in the display card. Whatever it was that the display card was doing could be simulated by software to yield an unencrypted video stream, which could then be encrypted for some other display card.

It is theoretically impossible to create a perfect content protection mechanism as long as it has to run on any player which is not able to access a certifying authority at the time it plays the file.

(discussion in progress) Actually, this is wrong. It will always be possible to decrypt, but it isn't necessarily possible for the computer to encrypt; to do that it might need to know a secret key. So it wouldn't be possible to recode for a standalone player. However, it would always be possible to play on a desktop computer, because that must necessarily be able to play unencrypted data streams.
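The design sketched above and the correction in the last paragraph, as an added toy model that is not part of the original post: an offline player always holds what it needs to produce the plain stream, while a file recoded for another serial is refused when packaging requires a key only the server has. All names are hypothetical; the tiny RSA key, the SHA-256 keystream and the serial-derived device key are assumptions made for illustration.

```python
import hashlib, os

# Toy RSA key of the licensing server (two Mersenne primes; constructed, far too small for real use).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))   # D never leaves the server

def _stream(key, n):
    """SHA-256 in counter mode as a stand-in keystream (illustrative, not a vetted cipher)."""
    out = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]

def _xor(data, key):
    return bytes(a ^ b for a, b in zip(data, _stream(key, len(data))))

def _digest(*fields):
    # Hash each field separately so field boundaries cannot be shifted.
    h = hashlib.sha256(b"".join(hashlib.sha256(x).digest() for x in fields)).digest()
    return int.from_bytes(h, "big") % N

def device_key(serial):
    # Assumption: the wrapping key is derived from the serial number the player knows.
    return hashlib.sha256(b"device-key:" + serial).digest()

def server_package(track, serial):
    """Server side: one-time session key, wrapped for one serial, signed with D."""
    session = os.urandom(16)
    wrapped, body = _xor(session, device_key(serial)), _xor(track, session)
    return {"serial": serial, "wrapped": wrapped, "body": body,
            "sig": pow(_digest(serial, wrapped, body), D, N)}

def player_play(f, my_serial):
    """Player side, offline: needs only the public (N, E) and its own serial."""
    if f["serial"] != my_serial:
        raise PermissionError("file is coded for another device")
    if pow(f["sig"], E, N) != _digest(f["serial"], f["wrapped"], f["body"]):
        raise PermissionError("file was not packaged by the server")
    session = _xor(f["wrapped"], device_key(my_serial))
    return _xor(f["body"], session)            # the unprotected stream

def repackage_without_server_key(f, new_serial):
    """Re-wrap for another serial without D: the old signature cannot be updated."""
    session = _xor(f["wrapped"], device_key(f["serial"]))
    return {**f, "serial": new_serial, "wrapped": _xor(session, device_key(new_serial))}
```

`player_play` is ordinary software, so running it on a desktop yields the same plain stream the device would produce; only the ability to package for a different serial depends on `D`.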