November, 2000
Portable Media devices are the
Pandora's box of the music industry. The studios are tempted
to open their content to these devices to boost sales. However,
they are petrified that once these devices are used, they
will unleash a torrent of piracy. Fortunately, the widespread
adoption of the SD Card interface has eased studio concerns
about security. In this article, we'll examine the SD Card
interface, reveal why it has become the preferred portable
memory interface, and uncover how it interoperates with
the Secure Digital Music Initiative (SDMI).
A STATE OF UNCERTAINTY
As discussed in the November 1999 article "Safety in Numbers:
A Look at the Secure Digital Music Initiative," SDMI provides
a device-independent framework for creating a secure digital
music platform. It intentionally avoids defining the hardware
and software interfaces to ensure neutrality. Although SDMI
has a robust architecture and is backed by large conglomerates,
it has struggled to gain widespread adoption because of the
late delivery of its specifications and controversy over the
specification contents. The consortium promised that Phase
I of the specifications would be released early enough so
that compliant devices could be shipped before Christmas 1999.
While Phase I was completed in August 1999, this was too late
for the devices to be shipped by the Christmas consumer entertainment
Most of the early debate over Phase I revolved around
user concerns about the motives of the SDMI consortium.
These doubts have been replaced by far graver concerns by
audio engineers about the audibility of watermarks in SDMI
streams. David Faulkner of Green Room Productions summarizes
these concerns: "Many have worked hard to get high-density
audio off the ground and we need audible watermarking like
we need to be shot in the left leg. The testing in SDMI
Phase I was I believe cursory, too limited in scale, even
more limited in quality. Why would anybody bother to buy
a new DVD-Audio or SACD player and new discs if they cost
more, but do not sound much, if any, better than a current
unwatermarked top-quality CD?"
SDMI is also under siege by retailers. The National Association
of Retail Merchants has issued a white paper titled, NARM's
Baseline Principles for Online Commerce in Music, that suggests
that SDMI is too focused on technology and is ignoring fundamental
consumer rights. They are particularly concerned that SDMI
may trample consumer rights to anonymity, transferability,
privacy, and confidentiality.
LOWEST COMMON DENOMINATOR
While the future of SDMI is uncertain, it is clear that the
industry needs a standardized Digital Rights Management (DRM)
system that protects content holders' rights. Consequently,
most Portable Device manufacturers are concentrating on implementing
SDMI components that are usable in any DRM architecture.
When an industry standard emerges, they will already have
the infrastructure in place to support it.
SDMI consists of five core elements: Licensed Compliance
Modules (LCMs), applications, Portable Media (PM), Audio
Renderers, and Portable Devices (PDs). Portable Devices,
applications, and Audio Renderers are intimately involved
in the detection and usage of audio watermarks, and therefore
remain controversial. By contrast, Portable Media and LCMs
are independent of watermarking solutions and focus on the
secure transfer of multimedia content.
The first responsibility of the LCM and PM is the establishment
of a secure protocol between themselves. The LCM also is
responsible for supervising the media check in/out process
on the PM. Each media stream controls how many times it
can be copied, and the check in/out procedure ensures that
only authorized copies can be transferred to the PM.
Since these procedures are common to all DRMs, they can
be implemented before an industry standard solidifies. Furthermore,
since LCMs are typically either PC- or Mac-based applications,
Portable Device manufacturers are concentrating on the selection
of a Portable Media interface. This selection is critical
because it enables consumers to expand storage capabilities
of their device and transfer content to and from their PCs.
There are two portable memory solutions currently vying for
dominance: Memory Stick, a Sony product, and SD Card, which
was developed by multiple vendors. Both solutions are technically
adequate, highly secure, and both offer reasonable performance.
Therefore, the competition will be decided on non-technical
A significant advantage for the Memory Stick is Sony's
immense marketing muscle. For instance, Sony has unveiled
a campaign promoting the use of Memory Sticks in devices
ranging from PDAs to cameras. Unfortunately, hidden in the
fine print of this promotion is the fact that the Memory
Stick is a proprietary interface.
One ramification of a Portable Device's use of a proprietary
interface is a paucity of publicly-available technical information.
For instance, while Sony has indicated that the Memory Stick
is compliant with SDMI's check in/out procedure and supports
secure communication between the LCM and PD/PM, there is
no public explanation of how this is accomplished. Furthermore,
since it's a proprietary interface, Sony has absolute control
over the evolution of the interface and collects royalties
on any product that uses it.
THE 4C CONNECTION
By contrast, the SD Card architecture was initially designed
by the triumvirate of SanDisk, Matsushita, and Toshiba and
has been embraced by the 4C entity (the same group that designed
the SDMI specification). Because the SD Card Association is
a consortium (à la DVD), any vendor willing to pay membership
fees can obtain the specification (there are currently over
80 vendors in the consortium).
While it's possible that Sony's marketing machine can
make Memory Stick a de facto standard, most vendors are
choosing to implement SD Cards because of the products'
close ties to SDMI and the open nature of the specification.
For instance, Tom Harrah, President of PocketPyro, a leading
vendor of MP3 players for the Palm platform, indicated that
they chose the SD Card in their Pyro for Palm because "SD
is an open standard with a small, but rugged, form factor
and high-speed transfer rates."
A third portable memory alternative is the IBM microdrive.
Although it has a small form factor and several magnitudes
more storage capacity than SD Cards and Memory Sticks, microdrives
currently don't offer comparable security features. Consequently,
they are only viable in scenarios where secure content playback
is not essential. The lack of security makes the microdrives
unlikely to supplant either the Memory Stick or SD Cards
as the preferred portable memory architecture.
SD CARD DETAILS
Unlike Sony, the 4C entity has published two white papers
on their solutions, titled Content Protection for Recordable
Media Specification: Introduction and Common Cryptographic
Elements and Content Protection for Recordable Media
Specification: SD Memory Card Book. While these documents
give you a glimpse into how SD Cards operate, they are not
complete specifications. To implement an SD Card interface,
you'll need to join the SD Card Association to obtain the
critical technical details necessary to design a product.
The Content Protection for Recordable Media (CPRM) standard
is dedicated to protecting content holders' rights for both
video and audio streams and, surprisingly, is not limited
to SD Cards (i.e., it is also useable on optical media like
DVD-Audio). While it makes no assumptions about the media
format, CPRM assumes that content will be encrypted with
a series of keys and divides these keys into three categories:
device, media, and content (or title).
Device keys are issued by the 4C Entity to a specific
manufacturer and a single device key is stored in the internal
memory of each device. When an SD Card is inserted into
the system, the Portable Device analyzes the layout of the
memory card to determine how to use the device key.
Each SD Card is divided into four sections: System, Hidden,
Protected, and User. By default, the PD is locked out of
the Hidden, Protected, and User areas of the card (it does
have read-only access to the System section). To unlock
these four sections, the PD must authenticate itself with
the SD Card. Before it starts the authentication process,
the PD reads an entry in the System section called the Media
Key Block. It then runs an algorithm on the device key/Media
Key Block combination to create a secret Media Key.
The PD submits this secret Media Key to the SD Card. The SD
Card compares the generated key to the Media unique keys
in the Hidden section. If a matching key is found, the PD
is granted preliminary access to the Protected section of
the SD Card.
The DVD industry learned in the DeCSS debacle that hackers
will eventually crack device keys no matter how robust the
algorithm. While DeCSS started off as a harmless open-source
project to enable DVD playback on Linux platforms, its success
required cracking the DVD algorithm and obtaining keys that
were necessary to authenticate Linux with the DVD drive.
Unfortunately, the discovery of these keys had the side-effect
of enabling pirates to steal legitimate content. Consequently,
the Motion Picture Association of America (MPAA) filed a
lawsuit against the DeCSS authors.
The developers of SD Cards have gone to great lengths
to prevent such security breaches. SD Cards are self-healing; that
is, they are equipped to detect and eliminate devices with
compromised device keys. For instance, once hackers break
the device key, the studios can generate new values in the
Hidden section that cause the hacked key to generate a bogus
secret key. When the PD submits this invalid secret key
to the card, the SD Card rejects the request and alerts
the PD that it is using a pirated key. Although the white
paper does not mandate how the PD should react to this error,
most PDs will display a warning or play an error message.
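
The revocation behaviour described above, as an added example that is not taken from the CPRM white papers or any vendor's code. It assumes revocation is expressed as a changed Media Key Block entry on newly issued cards, and it uses an HMAC-derived XOR pad as a stand-in for the real cipher; all function, class and slot names are hypothetical.

```python
import hashlib
import hmac
import secrets

def wrap(key: bytes, data: bytes) -> bytes:
    """Toy XOR wrap (its own inverse), standing in for the real CPRM cipher."""
    pad = hmac.new(key, b"mkb-entry", hashlib.sha256).digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, pad))

def build_mkb(device_keys: dict, media_key: bytes, revoked: set) -> dict:
    """Media Key Block: one entry per device slot. A revoked slot receives
    random bytes, so that device derives a bogus Media Key."""
    return {slot: secrets.token_bytes(len(media_key)) if slot in revoked
            else wrap(key, media_key)
            for slot, key in device_keys.items()}

def derive_media_key(slot: str, device_key: bytes, mkb: dict) -> bytes:
    """PD side: combine the stored device key with the card's MKB entry."""
    return wrap(device_key, mkb[slot])

class Card:
    """System area holds the readable MKB; Hidden area holds the reference key."""
    def __init__(self, mkb: dict, media_key: bytes):
        self.system_mkb = mkb
        self._hidden_key = media_key

    def authenticate(self, candidate: bytes) -> bool:
        # Constant-time comparison of the submitted key with the hidden one.
        return hmac.compare_digest(candidate, self._hidden_key)

def issue_card(device_keys: dict, revoked: set) -> Card:
    media_key = secrets.token_bytes(16)
    return Card(build_mkb(device_keys, media_key, revoked), media_key)

def access_report(device_keys: dict, card: Card) -> dict:
    """Which devices the card admits to the Protected area."""
    return {slot: card.authenticate(derive_media_key(slot, key, card.system_mkb))
            for slot, key in device_keys.items()}

# Constructed sample: three device keys, one of which has leaked.
DEVICE_KEYS = {name: secrets.token_bytes(16)
               for name in ("player_a", "player_b", "leaked_player")}

if __name__ == "__main__":
    print("before revocation:", access_report(DEVICE_KEYS, issue_card(DEVICE_KEYS, set())))
    print("after revocation: ", access_report(DEVICE_KEYS, issue_card(DEVICE_KEYS, {"leaked_player"})))
```

Cards issued before the revocation still admit the leaked key, which is why the scheme protects newly issued media rather than content already in circulation.
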
PocketPyro's Tom Harrah is excited about the potential
of this solution. "The Napster phenomenon illustrates consumers
crave digital music that is easy-to-use, but doesn't have
insane piracy measures," he says. "The self-healing approach
adopted by the SD Consortium allows users to enjoy the benefits
of flexible, high-speed Portable Devices like the Pyro for
Palm, while protecting the interests of the music industry."
The Protected section of the SD Card contains title keys and
Copy Control Information (CCI). A title key is used by the
PD to decrypt a specific audio/visual file in the User Data
area of the SD Card. Copy Control Information describes the
actions that are permissible on a multimedia stream (i.e.,
unlimited copying, single copy, or no copying) and the check
in/check out state of the content.
Since both the title keys and the CCI manipulate extremely
sensitive information, the PD must go through an additional
authentication process. At first glance, an additional authentication
process seems excessive since the PD already had to authenticate
itself with a secret Media Key. However, this initial authentication
process is vulnerable to man-in-the-middle and save-and-restore
attacks. Therefore, to eliminate these vulnerabilities,
an Authentication and Key Exchange (AKE) is required to
read or write information in the Protected section.
AKE is a challenge/response-based technique where the
PD (or LCM) challenges the validity of the SD Card with a challenge
request. If the SD Card survives this challenge, it verifies
the validity of the PD (or LCM) with a response request.
Both the challenge and response are encrypted with the Media
Unique key and a random number to prevent the aforementioned
man-in-the-middle or save-and-restore attacks.
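
A simulation of the challenge/response exchange just described, added here as an illustration and not drawn from the SD Card specification. HMAC-SHA256 stands in for the specification's cipher, and the message layout, role tags, session-key derivation and all names are assumptions.

```python
import hashlib
import hmac
import secrets

def proof(key: bytes, role: bytes, nonce: bytes) -> bytes:
    """Keyed proof bound to one nonce and to the prover's role.
    HMAC-SHA256 stands in for the cipher the specification uses."""
    return hmac.new(key, role + b"|" + nonce, hashlib.sha256).digest()

class Party:
    """One side of the exchange: the PD (or LCM) or the SD Card."""
    def __init__(self, role: bytes, media_unique_key: bytes):
        self.role, self.key = role, media_unique_key
        self.pending = None                      # nonce awaiting an answer

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)   # fresh random number per run
        return self.pending

    def answer(self, nonce: bytes) -> bytes:
        return proof(self.key, self.role, nonce)

    def verify(self, peer_role: bytes, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = proof(self.key, peer_role, self.pending)
        self.pending = None                      # a nonce is accepted once only
        return hmac.compare_digest(expected, response)

def ake(pd: Party, card: Party):
    """Mutual authentication; returns a session key, or None on failure."""
    n1 = pd.challenge()                          # PD challenges the card
    if not pd.verify(card.role, card.answer(n1)):
        return None
    n2 = card.challenge()                        # card then challenges the PD
    if not card.verify(pd.role, pd.answer(n2)):
        return None
    # Assumed derivation: session key bound to both nonces.
    return hmac.new(pd.key, b"session" + n1 + n2, hashlib.sha256).digest()

def replay_rejected(key: bytes) -> bool:
    """A response saved from one run must fail against the next run's nonce."""
    pd, card = Party(b"PD", key), Party(b"CARD", key)
    saved = card.answer(pd.challenge())          # recorded in an earlier session
    pd.challenge()                               # later session, new nonce
    return not pd.verify(b"CARD", saved)
```

Because every proof covers a nonce chosen by the verifier for that run, a response captured or restored from an earlier session cannot satisfy a later challenge.
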
Once the AKE process is complete, the PD finally has access
to the User Data Area. Inside the data area is a file system
(which is likely to be FAT-based) that can be used to retrieve
and play specific content files. Alas, much of the information
in this file system is also encrypted, so the PD must obtain
hints from the Protected section to figure out how to decrypt
These hints are possible because the Protected area contains
a file system that mirrors aspects of the User data area.
For example, both file systems store Audio information in
the SD Audio directory. In order to correlate content between
file systems, both enforce a strict naming convention. Title
keys must have a .KEY extension and reside in the Protected
area file system. By contrast, audio content, MP3 or
Advanced Audio CODEC (AAC), is stored with an .SA1 extension
in the User file system.
PDs and LCMs find the title key files associated with
a content file by taking the first three characters of the
content filename, adding the content filename extension
(i.e. SA1), and appending the .KEY extension. The resultant
filename points to a title key necessary to manipulate the
Once the appropriate title key is located, the PD or LCM
retrieves the appropriate CCI and decryption data structures
from the title key file and uses these structures to process
the audio content in the .SA1 file.
WHICH MEMORY WILL STICK?
A Digital Rights Management architecture must gain widespread
acceptance before content producers will release digital content
playable on Portable Devices. Alas, SDMI remains mired in
controversy, so it's unlikely that an industry standard will
emerge in the near future. Consequently, Portable Device manufacturers
are concentrating on designing core features that are applicable
to any DRM solution.
The primary focus of these manufacturers has been implementing
one of two secure Portable Media interfaces: Sony's Memory
Stick or the SD consortium's SD Card. Since these solutions
are both technically capable, the winning interface will
be decided on non-technical merits.
Sony's Memory Stick is a proprietary solution that is
used throughout Sony's product line. By contrast, SD Card
is an open consortium that is implicitly endorsed by the
4C entity. The combination of open interfaces and SDMI backing
has caused SD Cards to gain wide industry acceptance and
emerge as the likely winner in the secure Portable Media