Felten Talks Through the Paper


SPECIAL REPORT

Scott A. Craver, John P. McGregor, Min Wu, Bede Liu (Department of Electrical Engineering, Princeton University); Adam Stubblefield, Ben Swartzlander, Dan S. Wallach (Department of Computer Science, Rice University); Drew Dean (Computer Science Laboratory, Xerox Palo Alto Research Center); Edward W. Felten (Department of Computer Science, Princeton University)

Abstract

The Secure Digital Music Initiative is a consortium of parties interested in preventing piracy of digital music, and to this end they are developing architectures for content protection on untrusted platforms. SDMI recently held a challenge to test the strength of four watermarking technologies and two other security technologies. No documentation explained the implementations of the technologies, and neither watermark embedding nor detecting software was directly accessible to challenge participants. We nevertheless accepted the challenge, and learned a great deal about the inner workings of the technologies. We report on our results here.

Introduction

SDMI is working to develop and standardize technologies that give music publishers more control over what consumers can do with recorded music that they buy. SDMI has been a somewhat secretive organization, releasing little information to the public about its goals, deliberations, and technology.

Felten: "We were naturally very interested in what SDMI was up to. The Challenge gave us a window into what it was planning to do."

The SDMI Challenge extended over roughly a three-week period, from September 15, 2000, until October 8, 2000. The challenge actually consisted of six sub-challenges, named with the letters A through F, each involving a different technology developed by SDMI. We believe these challenges correspond to submissions to the SDMI's Call for Proposals for Phase II Screening Technology. According to this proposal, the watermark's purpose is to restrict an audio clip that is compressed or has previously been compressed. That is, if the watermark is present, an audio clip may yet be admitted into an SDMI device, but only if it has not been degraded by compression. For each challenge, SDMI provided some information about how a technology worked, and then challenged the public to create an object with a certain property. The exact information provided varied among the challenges. We note, though, that in all six cases SDMI provided less information than a music pirate would have access to in practice.

Felten: "The SDMI Challenge conditions were much more difficult for us than they would be for real pirates. They'd have more time, all the watermarked music they could buy, and access to a watermark detector built into their CD player that they could utilize or reverse-engineer."

The challenge was to produce a file that sounded just like File 3 but did not have a watermark - in other words, to remove the watermark from File 3.

The reader should note one serious flaw with this challenge arrangement. The goal is to remove a robust mark, while these proposals appear to be Phase II watermark screening technologies. As we mentioned earlier, a Phase II screen is intended to reject audio clips if they have been compressed, and presumably compression degrades a fragile component of the watermark. An attacker need not remove the robust watermark to foil the Phase II screen, but could instead repair the modified fragile component in compressed audio. This attack was not possible under the challenge setup.

Attack and Analysis of Technology A

Felten: "Challenge A took about one person-week to break. We didn't invent any new tools. None of the work was really cutting-edge research. A person with a background in signal processing or cryptography could do it - it didn't require world-class skills."

Thus, we had reason to suspect a complex echo-hiding system, involving multiple time-varying echoes. It was at this point that we considered a patent search, knowing enough about the data-hiding method that we could look for specific search terms. We were pleased to discover that this particular scheme appears to be listed as an alternative embodiment in US patent number 5,940,135, awarded to Aris Corporation, now part of Verance. This provided us with little more detail than we had already discovered, but confirmed that we were on the right track, as well as providing the probable identity of the company that developed the scheme. It also spurred no small amount of discussion of the validity of Kerckhoffs' criterion, the driving principle in security that one must not rely upon the obscurity of an algorithm. This is, surely, doubly true when the algorithm is patented.

Felten: "That last comment is what passes for a joke in academic circles. The point is you can't rely on an algorithm staying secret this way - a patent search is a very common approach for attackers."

Of course, knowledge of either the robust or fragile component of the mark is enough for an attacker to circumvent the scheme, because one can either remove the robust mark, or repair or reinstate the fragile mark after compression has damaged it. As mentioned earlier, this possible attack of repairing the fragile component appears to have been ruled out by the nature of the SDMI Challenge oracles. One must wait and see if real-world attackers will attempt such an approach, or resort to more brute methods or oracle attacks to remove the robust component.

Felten: "Real pirates are willing to do things we wouldn't stoop to, like breaking into an office or bribing an employee."

Technology D

The oracle for Technology D allowed several different query types. In the first type, an SDMI-provided TOC-authenticator combination is submitted so that a user can "understand and verify the oracle." According to SDMI, the result of this query should be either "admit" for a correct pair or "reject" for an incorrect pair. When we attempted this test with an SDMI-provided pair, the oracle responded that the submission was "invalid."

Felten: "The oracle software was just broken."

For this reason, our analysis of Technology D is incomplete, and we lack definitive proof that it is correct. That having been said, we think that what we learned about this technology, even without the benefit of a correctly functioning oracle, is interesting.

Conclusion

We have reverse-engineered and defeated all four of their audio watermarking technologies.

Some debate remains on whether our attacks damaged the audio beyond standards measured by "golden ear" human listeners. Given a sufficient body of SDMI-protected content using the watermark schemes presented here, we are confident we could refine our attacks to introduce distortion no worse than the watermarks themselves introduce to the audio. Likewise, debate remains on whether we have truly defeated technologies D and E. Given a functioning implementation of these technologies, we are confident we can defeat them.

Do we believe we can defeat any audio protection scheme? Certainly, the technical details of any scheme will become known publicly through reverse-engineering. Using the techniques we have presented here, we believe no public watermark-based scheme intended to thwart copying will succeed. Other techniques may or may not be strong against attacks. For example, the encryption used to protect consumer DVDs was easily defeated. Ultimately, if it is possible for a consumer to hear or see protected content, then it will be technically possible for the consumer to copy that content.

Felten: "There's no way technology can protect the content all the way from the musician's voice into the listener's ear. Somewhere along that path the information has to be unprotected. It can be captured and recorded there."

The complete text appears on cryptome.org/sdmi-attack.
