Digital Rights Management (DRM) is a set of technologies designed to restrict the use of digital files and media to only actions that the user has licensed from the content owner. The definition sounds most applicable to digital media, and that is where the majority of initial innovation and research money came from, but DRM technologies can be used to secure a variety of digital media. Most of the discussion on DRM has been around movies and music, and it has received a rather bad name because of it. However, DRM can be an incredibly valuable tool for cybersecurity.
DRM currently suffers from significant weaknesses, or vulnerabilities, in its implementation. This presents significant challenges to its use in cybersecurity. Cory Doctorow, science fiction writer, copyright activist, and fellow blogger, wrote back in 2004:
DRM systems are usually broken in minutes, sometimes days. Rarely months. It’s not because the people who think them up are stupid. It’s not because the people who break them are smart. It’s not because there’s a flaw in the algorithms. At the end of the day, all DRM systems share a common vulnerability: they provide their attackers with ciphertext, the cipher and the key. At this point, the secret isn’t a secret anymore.
Doctorow’s argument, which can be found in its entirety here, seems sound at first glance, but the issues he raises are ones that encryption has dealt with for years. If you want to encrypt data, you need the same three things, but the key is what is kept secret. The key is only shared with those who are authorized to decrypt the message. In the case of DRM, the key is shared with those who purchase the media. The problem is not with sharing the key with those “authorized” individuals. The problem is that authorized individuals share the key with others or they use the key to making unencrypted copies of DRM protected content.
Let’s explore some of the potential solutions. The issue is primarily one of trust of the end users who license the content. Since there is a lack of trust of the users, place the trust in the hardware or software and provide controls to prevent misuse by “untrusted” users. What would this look like in practice? Companies could use hardware or software IDs to restrict decryption of content to authorized software or hardware that implements appropriate anti-duplication controls. Content would only be decrypted at the time of viewing, and not all the content would be decrypted, only the portion immediately required for viewing. Next, hardware and software would need controls such as anti-tampering, direct control over data output devices so that the data could not be captured in between processing and display and controls to remove data from memory once it has been viewed.
I think we will see a lot more from DRM. It has great potential to secure sensitive data, and it receives far too much criticism from media pirates and freedom of information pundits than it deserves. DRM, when implemented correctly, like mature encryption technologies, can allow data owners to better control how and when their data is used, but we will need to get past current implementation weaknesses before that can happen.