Content protection
Mar 1, 2008 12:00 PM, ERIC DIEHL
In this digital age, protecting your assets is essential.
Digitization of content undoubtedly generates huge benefits for many businesses. Nevertheless, digitization also increases the risk of piracy. In the analog era, stealing premium content prior to distribution typically required either access to a vault or an accomplice on the premises.
In the digital era, there are many easier ways to steal content — for example, penetrating IT networks remotely or intercepting digital transfers to subcontractors.
Liability is another important issue. Content owners may require best-of-class protection for their premium content. In this interconnected world, where illegal content can be distributed at lightning speed, content leakage will negatively affect more stakeholders than just the one experiencing the leak.
This article primarily focuses on content protection within the broadcast environment. It does not tackle the issues related to content during broadcast. However, the concepts discussed here are valid in other contexts.
Four types of protection
In the broadcast industry, any content that will eventually be aired needs to be protected. Protection should extend throughout the whole process from ingest to final transmission.
In a professional environment, there should ideally be four different types of protection, each fulfilling a different goal. All four goals are complementary. Together they ensure strong protection. The goals are:
- Control access to the asset.
- Protect the asset itself.
- Trace the asset.
- Limit illegal use of the asset.
Figure 1 illustrates the positioning of these four types of protection. Together, they constitute a set of overlapping barriers to content loss throughout the lifetime of the content.
Controlling access
The first barrier involves controlling access to the asset. This barrier was already in place during the analog era and only allows authorized users near the asset. This protective measure may take the form of physical controls such as guards at the entrance, gates controlled by badges, biometric sensors and vaults. Video cameras may also be used to monitor entrances and critical areas of the site.
In the digital world, the second type of access control is IT security. Typically, the IT department defines a perimeter, which it defends against intruders through the use of firewalls, demilitarized zones and virtual private networks. Within the perimeter, IT will limit the access to data using tools such as access control lists and role-based policies.
Protecting the asset
The second barrier targets direct attacks on the asset, such as theft, alteration or replacement. The tools deployed are based on encryption and cryptographic signatures. Encryption enforces confidentiality of the asset, whereas a cryptographic signature enforces its integrity.
Encryption is a mathematical function that turns a clear text (using an encryption key) into a cipher text that is unreadable. Using a special decryption key, decryption turns a cipher text back into clear text. Without the decryption key, the attacker cannot retrieve the clear text.
A signature is used to authenticate signed content. If just one bit of signed content is modified, then verification of the associated signature fails. The basic algorithms of encryption (AES, Blowfish, DES and RSA) and signature (DSA, EC-DSA and RSA) are well known and thoroughly analyzed. Thus, choosing these algorithms is simple. The difficulty lies in two aspects: key management and implementation.
Key management defines how to distribute and protect the keys used by cryptographic algorithms. Keys are the most important assets in any security system. If keys leak, then encrypted or signed content is vulnerable. When selecting a system, it is important to verify the algorithms used, but it is even more important to evaluate the robustness of key management.
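The signature and key-management points above, shown as an added example that is not part of the original article: a single flipped bit breaks verification, while a leaked key lets altered content verify. It uses HMAC-SHA256 from the Python standard library as a symmetric stand-in for the DSA, EC-DSA and RSA signatures the article names; the function names and the sample asset are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def sign_asset(data: bytes, key: bytes) -> bytes:
    """Return an HMAC-SHA256 tag over the asset (stand-in for a signature)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_asset(data: bytes, tag: bytes, key: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(sign_asset(data, key), tag)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def demo() -> dict:
    key = secrets.token_bytes(32)                 # the secret that key management must protect
    asset = b"CONSTRUCTED-SAMPLE-ASSET " * 1024   # constructed stand-in for a media file
    tag = sign_asset(asset, key)

    tampered = flip_bit(asset, 12345)             # alter a single bit of the asset
    other_key = secrets.token_bytes(32)           # a party that does not hold the real key

    return {
        # Untouched asset with its original tag: accepted.
        "original_verifies": verify_asset(asset, tag, key),
        # One modified bit with the original tag: rejected.
        "one_bit_flip_verifies": verify_asset(tampered, tag, key),
        # Altered asset re-tagged without the real key: rejected.
        "retag_without_key_verifies": verify_asset(
            tampered, sign_asset(tampered, other_key), key),
        # Altered asset re-tagged with the leaked key: accepted, so the
        # integrity guarantee is only as strong as the key's protection.
        "retag_with_leaked_key_verifies": verify_asset(
            tampered, sign_asset(tampered, key), key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```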
The way cryptographic algorithms and key management are actually implemented is of paramount importance. A weak implementation of a robust algorithm is useless. The recent hack of the Advanced Access Content System (AACS) is a perfect illustration. In this case, the decryption key was not protected.