Security to Go: A Look at Portable Memory Alternatives

Linden deCarmo

November, 2000 | Portable Media devices are the Pandora's box of the music industry. The studios are tempted to open their content to these devices to boost sales. However, they are petrified that once these devices are used, they will unleash a torrent of piracy. Fortunately, the widespread adoption of the SD Card interface has eased studio concerns about security. In this article, we'll examine the SD Card interface, reveal why it has become the preferred portable memory interface, and uncover how it interoperates with the Secure Digital Music Initiative (SDMI).

A STATE OF UNCERTAINTY

As discussed in the November 1999 article "Safety in Numbers: A Look at the Secure Digital Music Initiative," SDMI provides a device-independent framework for creating a secure digital music platform. It intentionally avoids defining the hardware and software interfaces to ensure neutrality. Although SDMI has a robust architecture and is backed by large conglomerates, it has struggled to gain widespread adoption because of the late delivery of its specifications and controversy over the specification contents. The consortium promised that Phase I of the specifications would be released early enough so that compliant devices could be shipped before Christmas 1999. While Phase I was completed in August 1999, this was too late for the devices to be shipped by the Christmas consumer entertainment selling season.

Most of the early debate over Phase I revolved around user concerns about the motives of the SDMI consortium. These doubts have been replaced by far graver concerns by audio engineers about the audibility of watermarks in SDMI streams. David Faulkner of Green Room Productions summarizes these concerns: "Many have worked hard to get high-density audio off the ground and we need audible watermarking like we need to be shot in the left leg. The testing in SDMI Phase I was I believe cursory, too limited in scale, even more limited in quality. Why would anybody bother to buy a new DVD-Audio or SACD player and new discs if they cost more, but do not sound much, if any, better than a current unwatermarked top-quality CD?"

SDMI is also under siege by retailers. The National Association of Retail Merchants has issued a white paper titled, NARM's Baseline Principles for Online Commerce in Music, that suggests that SDMI is too focused on technology and is ignoring fundamental consumer rights. They are particularly concerned that SDMI may trample consumer rights to anonymity, transferability, privacy, and confidentiality.

LOWEST COMMON DENOMINATOR

While the future of SDMI is uncertain, it is clear that the industry needs a standardized Digital Rights Management (DRM) system that protects content holders' rights. Consequently, most Portable Device manufacturers are concentrating on implementing SDMI components that are usable in any DRM architecture. When an industry standard emerges, they will already have the infrastructure in place to support it.

SDMI consists of five core elements: Licensed Compliance Modules (LCMs), applications, Portable Media (PM), Audio Renderers, and Portable Devices (PDs). Portable Devices, applications, and Audio Renderers are intimately involved in the detection and usage of audio watermarks, and therefore remain controversial. By contrast, Portable Media and LCMs are independent of watermarking solutions and focus on the secure transfer of multimedia content.

The first responsibility of the LCM and PM is the establishment of a secure protocol between themselves. The LCM also is responsible for supervising the media check in/out process on the PM. Each media stream controls how many times it can be copied, and the check in/out procedure ensures that only authorized copies can be transferred to the PM.

Since these procedures are common to all DRMs, they can be implemented before an industry standard solidifies. Furthermore, since LCMs are typically either PC- or Mac-based applications, Portable Device manufacturers are concentrating on the selection of a Portable Media interface. This selection is critical because it enables consumers to expand storage capabilities of their device and transfer content to and from their PCs.

STICKING POINT

There are two Portable memory solutions currently vying for dominance: Memory Stick, a Sony product, and SD Card, which was developed by multiple vendors. Both solutions are technically adequate, highly secure, and both offer reasonable performance. Therefore, the competition will be decided on non-technical merits.

A significant advantage for the Memory Stick is Sony's immense marketing muscle. For instance, Sony has unveiled a campaign promoting the use of Memory Sticks in devices ranging from PDAs to cameras. Unfortunately, hidden in the fine print of this promotion is the fact that the Memory Stick is a proprietary interface.

One ramification of a Portable Device's use of a proprietary interface is a paucity of publicly-available technical information. For instance, while Sony has indicated that the Memory Stick is compliant with SDMI's check in/out procedure and supports secure communication between the LCM and PD/PM, there is no public explanation of how this is accomplished. Furthermore, since it's a proprietary interface, Sony has absolute control over the evolution of the interface and collects royalties on any product that uses it.

THE 4C CONNECTION

By contrast, the SD Card architecture was initially designed by the triumvirate of SanDisk, Matsushita, and Toshiba and has been embraced by the 4C entity (the same group that designed the SDMI specification). Because the SD Card Association is a consortium (à la DVD), any vendor willing to pay membership fees can obtain the specification (there are currently over 80 vendors in the consortium).

While it's possible that Sony's marketing machine can make Memory Stick a de facto standard, most vendors are choosing to implement SD Cards because of the products' close ties to SDMI and the open nature of the specification. For instance, Tom Harrah, President of PocketPyro, a leading vendor of MP3 players for the Palm platform, indicated that they chose the SD Card in their Pyro for Palm because "SD is an open standard with a small, but rugged, form factor and high-speed transfer rates."

A third portable memory alternative is the IBM microdrive. Although it has a small form factor and several orders of magnitude more storage capacity than SD Cards and Memory Sticks, microdrives currently don't offer comparable security features. Consequently, they are only viable in scenarios where secure content playback is not essential. The lack of security makes microdrives unlikely to supplant either the Memory Stick or SD Cards as the preferred portable memory architecture.

SD CARD DETAILS

Unlike Sony, the 4C entity has published two white papers on its solutions, titled Content Protection for Recordable Media Specification: Introduction and Common Cryptographic Elements and Content Protection for Recordable Media Specification: SD Memory Card Book. While these documents give you a glimpse into how SD Cards operate, they are not complete specifications. To implement an SD Card interface, you'll need to join the SD Card Association to obtain the critical technical details necessary to design a product.

The Content Protection for Recordable Media (CPRM) standard is dedicated to protecting content holders' rights for both video and audio streams and, surprisingly, is not limited to SD Cards (i.e., it is also useable on optical media like DVD-Audio). While it makes no assumptions about the media format, CPRM assumes that content will be encrypted with a series of keys and divides these keys into three categories: device, media, and content (or title).

Device keys are issued by the 4C Entity to a specific manufacturer and a single device key is stored in the internal memory of each device. When an SD Card is inserted into the system, the Portable Device analyzes the layout of the memory card to determine how to use the device key.

Each SD Card is divided into four sections: System, Hidden, Protected, and User. By default, the PD is locked out of the Hidden, Protected, and User areas of the card (it does have read-only access to the System section). To unlock these four sections, the PD must authenticate itself with the SD Card. Before it starts the authentication process, the PD reads an entry in the System section called the Media Key Block. It then runs an algorithm on the device key/Media Key Block combination to create a secret Media Key.

The PD submits this secret Media Key to the SD Card. The SD Card compares the generated key to the Media unique keys in the Hidden section. If a matching key is found, the PD is granted preliminary access to the Protected section of the SD Card.

The DVD industry learned in the DeCSS debacle that hackers will eventually crack device keys no matter how robust the algorithm. While DeCSS started off as a harmless open-source project to enable DVD playback on Linux platforms, its success required cracking the DVD algorithm and obtaining the keys that were necessary to authenticate Linux with the DVD drive. Unfortunately, the discovery of these keys had the side effect of enabling pirates to steal legitimate content. Consequently, the Motion Picture Association of America (MPAA) filed a lawsuit against the DeCSS authors.

The developers of SD Cards have gone to great lengths to prevent such security breaches. SD Cards are self-healing–that is, they are equipped to detect and eliminate devices with compromised device keys. For instance, once hackers break the device key, the studios can generate new values in the Hidden section that cause the hacked key to generate a bogus secret key. When the PD submits this invalid secret key to the card, the SD Card rejects the request and alerts the PD that it is using a pirated key. Although the white paper does not mandate how the PD should react to this error, most PDs will display a warning or play an error message.
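The revocation behavior described above can be modeled in a few lines. This is an added example, not code from the article or from the 4C Entity: the `Card` class, the device names, and the per-device entry layout are hypothetical, and HMAC-SHA-256 with XOR stands in for CPRM's actual Media Key Block algorithm, which the white papers define and this sketch does not reproduce.

```python
import hashlib
import hmac
import os

def _pad(device_key: bytes, version: int) -> bytes:
    """Per-device mask bound to one MKB version (HMAC is a stand-in cipher)."""
    return hmac.new(device_key, b"mkb-v%d" % version, hashlib.sha256).digest()[:16]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Card:
    """Constructed card model: readable System area, key held in the Hidden area."""

    def __init__(self, device_keys: dict, revoked: set, version: int):
        self._hidden_key = os.urandom(16)  # Hidden area: never exposed to the PD
        entries = {}
        for dev_id, dev_key in device_keys.items():
            # A revoked device's entry wraps random bytes, so it derives a bogus key.
            secret = os.urandom(16) if dev_id in revoked else self._hidden_key
            entries[dev_id] = _xor(secret, _pad(dev_key, version))
        self.system_area = {"version": version, "mkb": entries}  # read-only to the PD

    def authenticate(self, candidate: bytes) -> bool:
        """Grant preliminary access only if the submitted key matches the hidden one."""
        return hmac.compare_digest(candidate, self._hidden_key)

def derive_media_key(dev_id: str, dev_key: bytes, system_area: dict) -> bytes:
    """Portable Device side: combine the device key with the Media Key Block."""
    entry = system_area["mkb"][dev_id]
    return _xor(entry, _pad(dev_key, system_area["version"]))

def insert_card(dev_id: str, dev_key: bytes, card: Card) -> str:
    key = derive_media_key(dev_id, dev_key, card.system_area)
    return "access granted" if card.authenticate(key) else "rejected: revoked device key"

# Constructed device keys; "player-b" is the one assumed to have leaked.
DEVICE_KEYS = {"player-a": b"A" * 16, "player-b": b"B" * 16}
old_card = Card(DEVICE_KEYS, revoked=set(), version=1)
new_card = Card(DEVICE_KEYS, revoked={"player-b"}, version=2)

if __name__ == "__main__":
    for name, card in (("old card", old_card), ("new card", new_card)):
        for dev_id, dev_key in DEVICE_KEYS.items():
            print(name, dev_id, insert_card(dev_id, dev_key, card))
```

In this model the card issued before the revocation still accepts the leaked key, so revocation only protects media produced with the updated block.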

Pocket Pyro's Tom Harrah is excited about the potential of this solution. "The Napster phenomenon illustrates consumers crave digital music that is easy-to-use, but doesn't have insane piracy measures," he says. "The self-healing approach adopted by the SD Consortium allows users to enjoy the benefits of flexible, high-speed Portable Devices like the Pyro for Palm, while protecting the interests of the music industry."

EXCESSIVE PROTECTION?

The Protected section of the SD Card contains title keys and Copy Control Information (CCI). A title key is used by the PD to decrypt a specific audio/visual file in the User Data area of the SD Card. Copy Control Information describes the actions that are permissible on a multimedia stream (i.e., unlimited copying, single copy, or no copying) and the check in/check out state of the content.

Since both the title keys and the CCI manipulate extremely sensitive information, the PD must go through an additional authentication process. At first glance, an additional authentication process seems excessive since the PD already had to authenticate itself with a secret Media Key. However, this initial authentication process is vulnerable to man-in-the-middle and save-and-restore attacks. Therefore, to eliminate these vulnerabilities, an Authentication and Key Exchange (AKE) is required to read or write information in the Protected section.

AKE is a challenge/response-based technique where the PD (or LCM) challenges the validity of the SD Card with a challenge request. If the SD Card survives this challenge, it verifies the validity of the PD (or LCM) with a response request. Both the challenge and response are encrypted with the Media Unique key and a random number to prevent the aforementioned man-in-the-middle or save-and-restore attacks.
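The two-way exchange described above, sketched as an added example that is not taken from the article or the CPRM specification. The `Party` class, role labels, and key value are hypothetical, and HMAC-SHA-256 replaces the encryption CPRM actually uses; the point shown is why a fresh random number per session defeats a recorded response.

```python
import hashlib
import hmac
import os

def _mac(key: bytes, role: bytes, nonce: bytes) -> bytes:
    # The role label keeps one side's answer from being reflected back as the other's.
    return hmac.new(key, role + b"|" + nonce, hashlib.sha256).digest()

class Party:
    """One end of the exchange (b"pd" or b"card"), holding the Media Unique Key."""

    def __init__(self, role: bytes, media_unique_key: bytes):
        self.role, self._key, self._nonce = role, media_unique_key, None

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)  # fresh random number for every session
        return self._nonce

    def respond(self, peer_nonce: bytes) -> bytes:
        return _mac(self._key, self.role, peer_nonce)

    def verify(self, peer_role: bytes, response: bytes) -> bool:
        if self._nonce is None:
            return False              # no outstanding challenge
        expected = _mac(self._key, peer_role, self._nonce)
        self._nonce = None            # each challenge is single-use
        return hmac.compare_digest(expected, response)

def run_ake(pd: Party, card: Party) -> bool:
    """Mutual authentication: the PD checks the card, then the card checks the PD."""
    n_pd = pd.challenge()
    if not pd.verify(b"card", card.respond(n_pd)):
        return False
    n_card = card.challenge()
    return card.verify(b"pd", pd.respond(n_card))

def replay_is_rejected(pd: Party, card: Party) -> bool:
    """A response recorded in one session must fail against the next challenge."""
    recorded = card.respond(pd.challenge())
    pd.challenge()                    # new session, new random number
    return not pd.verify(b"card", recorded)

KMU = b"constructed-kmu!"             # constructed 16-byte Media Unique Key

if __name__ == "__main__":
    pd, card = Party(b"pd", KMU), Party(b"card", KMU)
    print("mutual AKE:", run_ake(pd, card))
    print("replay rejected:", replay_is_rejected(pd, card))
```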

Once the AKE process is complete, the PD finally has access to the User Data Area. Inside the data area is a file system (which is likely to be FAT-based) that can be used to retrieve and play specific content files. Alas, much of the information in this file system is also encrypted, so the PD must obtain hints from the Protected section to figure out how to decrypt it.

These hints are possible because the Protected area contains a file system that mirrors aspects of the User data area. For example, both file systems store Audio information in the SD Audio directory. In order to correlate content between file systems, both enforce a strict naming convention. Title keys must have a .KEY extension and reside in the Protected area file system. By contrast, audio content–MP3 or Advanced Audio CODEC (AAC)–is stored with an .SA1 extension in the User file system.

PDs and LCMs find the title key files associated with a content file by taking the first three characters of the content filename, adding the content filename extension (i.e. SA1), and appending the .KEY extension. The resultant filename points to a title key necessary to manipulate the audio content.

Once the appropriate title key is located, the PD or LCM retrieves the appropriate CCI and decryption data structures from the title key file and uses these structures to process the audio content in the .SA1 file.

WHICH MEMORY WILL STICK?

A Digital Rights Management architecture must gain widespread acceptance before content producers will release digital content playable on Portable Devices. Alas, SDMI remains mired in controversy, so it's unlikely that an industry standard will emerge in the near future. Consequently, Portable Device manufacturers are concentrating on designing core features that are applicable to any DRM solution.

The primary focus of these manufacturers has been implementing one of two secure Portable Media interfaces: Sony's Memory Stick or the SD consortium's SD Card. Since these solutions are both technically capable, the winning interface will be decided on non-technical merits.

Sony's Memory Stick is a proprietary solution that is used throughout Sony's product line. By contrast, SD Card is an open consortium that is implicitly endorsed by the 4C entity. The combination of open interfaces and SDMI backing has caused SD Cards to gain wide industry acceptance and emerge as the likely winner in the secure Portable Media race.


Companies Mentioned in this Article

4C Entity, LLC
225 B Cochrane Circle, Morgan Hill, CA 95037; info@1micp.com; http://www.4centity.com

Palm, Inc.
5470 Great America Parkway, Santa Clara, CA 95052; 800/881-7256, 408/326-9000; Fax 408/326-5009; info@palm.com; http://www.palm.com

PocketPyro
638 SW 34th Street, Ft. Lauderdale, FL 33315; 954/359-9530; Fax 954/359-8260; info@pocketpyro.com; http://www.pocketpyro.com

SanDisk
140 Caspian Court, Sunnyvale, CA 94089; 408/542-0500; Fax 408/542-0503; sales@sandisk.com; http://www.sandisk.com

SD Card Association
53 Muckelemi Street, P.O. Box 189, San Juan Bautista, CA 95045-0189; 831/623-2107; Fax 831/623.2248; rcreech@sdcard.org; http://www/sdcard.org

Sony Electronics, Inc.
1 Sony Drive, Park Ridge, NJ 07656; 201/930-6136; Fax 201/358-4058; http://www.sel.sony.com

Toshiba America Electronic Components Storage Device Division (SDD)
35 Hammond, Irvine, CA 92618-1697; 949/457-0777; http://www.toshiba.com/taecdpd

Linden deCarmo (lindend@ibm.net) is a Senior Software Engineer at NetSpeak Corporation and is the author of Prentice-Hall's Core Java Media Framework.

Comments? Email us at letters@onlineinc.com.


Copyright 2000-2001 Online, Inc.
213 Danbury Road, Wilton, Connecticut 06897-4007
203/761-1466, 800/248-8466
Fax 203/761-1444
info@onlineinc.com