Technologies for Intellectual Property Protection
Chapter 5 deals in general terms with mechanisms that can be used to protect digital intellectual property (IP), providing an overview that describes what is and is not easily accomplished. This appendix is intended for those interested in understanding more of the technical detail of how the available mechanisms work. The focus here is on technologies that are useful in general-purpose computers; techniques used in specialized hardware (e.g., in consumer electronics) are covered in Chapter 5. Encryption, digital signatures, the infrastructure needed to make public-key encryption widely usable, techniques for marking and monitoring digital information, and mechanisms for secure packaging of information are described in this appendix.
The sophistication and power of some of the mechanisms discussed below are impressive, in some cases providing what are, effectively, unbreakable protections. This power, however, should not blind the reader to some of the simple security principles that, if not followed, can derail any system, whether computational or physical. Modern encryption mechanisms that are well designed are analogous to door locks that are, for all practical purposes, unpickable. Install one on your front door and you feel secure. But the best door lock is rendered useless if you leave a window open, your valuables outside the door, or your key lying around. Each of these mistakes occurs frequently with information security: Open
windows are provided by other routes into the computer, files are left in the clear, and encryption keys are too often easily guessed or left accessible. Even when all these mistakes are avoided, other techniques may be used to gain unauthorized access, such as "social engineering" (i.e., tricking someone into surrendering the information, or the password or key). These examples make clear that advanced encryption alone, although providing important tools, is only a part of the story.
Encryption is an underpinning for many computing and communications security services because it provides the only way to transmit information securely when others can eavesdrop on (or corrupt) communication channels. The goal of encryption is to scramble information so that it is not understandable or usable until unscrambled. The technical terms for scrambling and unscrambling are "encrypting" and "decrypting," respectively. Before an object is encrypted it is called "cleartext." Encryption transforms cleartext into "ciphertext," and decryption transforms ciphertext back into cleartext.1
Encryption and other closely related mechanisms can be used to help achieve a wide variety of security objectives, including:2
• Privacy and confidentiality;
• Data integrity: ensuring that information has not been altered;
• Authentication or identification: corroborating the identity of a person, a computer terminal, a credit card, and so on;
• Message authentication: corroborating the source of information;
• Signature: binding information to an entity;
• Authorization: conveying to another entity official sanction to do or be something;
• Certification: endorsing information by a trusted entity;
• Witnessing: verifying the creation or existence of information;
• Receipt: acknowledging that information has been received;
• Confirmation: acknowledging that services have been provided;
• Ownership: providing an entity with the legal right to use or transfer a resource to others;
• Nonrepudiation: preventing the denial of previous commitments or actions; and
1These terms are used even when the medium involved is not text. For example, one may refer to a "cleartext image."
2Adapted from Menezes et al. (1997), p. 3.
• Revocation: retracting certification or authorization.
The two major categories of encryption systems are "symmetric key" and "public key."
Symmetric-Key (One-Key) Systems
A symmetric-key encryption system consists of three procedures: a key generator, an encryption function, and a decryption function. The user first runs the key generator to obtain a key; in a well-designed system, the key will look random to the user, that is, it will be indistinguishable from a key chosen uniformly at random from the set of all possible keys. The user then runs the encryption function, using as input the cleartext object and the key. The result is the ciphertext object. Subsequently, anyone who possesses both the ciphertext object and the key can feed them as input to the decryption function and obtain the cleartext object as output.
There are a variety of ways to implement the encryption and decryption functions shown in Figure E.1. One of the simplest (and oldest) is the "shift cipher." The cleartext is a text message, the key is a number k between 1 and 25, and encryption is accomplished by shifting each letter of the cleartext k places to the right (wrapping around from the end of the alphabet back to the beginning when necessary). Thus, if the key is 10, the cleartext "OneIfByLandTwoIfBySea" is mapped to the ciphertext "YxoSpLiVkxnDgySpLiCok." To decrypt, each letter is shifted k places back to the left (wrapping around the other way when needed). Cryptologic folklore has it that Julius Caesar used the shift cipher with k equal to 3; this special case is often referred to as the "Caesar cipher." The shift cipher is completely unusable in a modern computing environment because the key space (i.e., the set of all possible keys) is far too small: Anyone who obtained a ciphertext could simply try decrypting it with each of the 25 possible keys and would recognize the right key when the result was a meaningful text.
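The shift cipher can be sketched in a few lines of Python. This is a toy illustration of the encryption/decryption pair described above, not a protection mechanism:

```python
def shift_encrypt(cleartext: str, k: int) -> str:
    """Shift each letter k places to the right, preserving case."""
    out = []
    for ch in cleartext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def shift_decrypt(ciphertext: str, k: int) -> str:
    """Decryption is encryption with the shift reversed."""
    return shift_encrypt(ciphertext, -k)

print(shift_encrypt("OneIfByLandTwoIfBySea", 10))  # YxoSpLiVkxnDgySpLiCok
```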
A far more powerful result can be accomplished by implementing encryption using a "one-time pad." One variety of one-time pad uses as a key a text of the same length as the cleartext; the characters of the key are used one by one to indicate how to transform each character of the cleartext. The characters of the key could, for example, be used to indicate how far to shift each character of the cleartext. For instance, if the cleartext is "OneIfBy" and the key is "CallMeIshmael," the first character of the key ("C") would indicate that the "O" should be shifted right by 3 (to become "R"), the "n" shifted right by 1 (to become "o"), and so on. A key is "one-
time" if it is used exactly once; the phrase "one-time pad" comes from the hard-copy pad of such keys used in the intelligence services.3
When done by computer, a one-time pad is typically implemented by selecting as a key a random sequence of 0s and 1s that is the same length in bits as the cleartext. To compute the ith bit of the ciphertext, the encryption procedure takes the exclusive-or of the ith bit of the cleartext and the ith bit of the key.4 Decryption is done in precisely the same way. For example, encrypting the cleartext string "01100010" with the key "11001100" produces the ciphertext "10101110."
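The exclusive-or construction can be sketched as follows; `os.urandom` stands in here for a source of truly random key bits, and the same function serves as both encryption and decryption:

```python
import os

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Bitwise exclusive-or of data with a key of the same length."""
    assert len(data) == len(key)
    return bytes(d ^ k for d, k in zip(data, key))

cleartext = b"OneIfBySea"
key = os.urandom(len(cleartext))        # fresh random key, used exactly once
ciphertext = xor_bytes(cleartext, key)
assert xor_bytes(ciphertext, key) == cleartext  # decrypting = same operation

# The bit-string example from the text:
print(format(int("01100010", 2) ^ int("11001100", 2), "08b"))  # 10101110
```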
3The most secure keys are truly, uniformly random; hence the example of using readable text as the key is not the best practice.
4The exclusive-or is 0 if both bits are 0 or both are 1, and it is 1 if one of the bits is 1 and the other is 0.
The power of a one-time pad arises from both the length of the key and the fact that it is discarded after one use. There are only 25 keys in a Roman alphabet shift cipher, but a one-time pad has 26^N keys for a cleartext of length N, obviously far too many to search in any reasonable amount of time, and if used only once there will be little ciphertext to analyze. Unfortunately, it is usually impractical to use a one-time pad, because its security depends on a new key being generated and used each time a new message is encrypted; this means that the total number of key bits is too large to be practical. The mathematics underlying one-time pads is, however, useful in designing practical cryptosystems; see Luby (1996) and Menezes et al. (1997) for examples.
If a symmetric-key system is well designed, decryption can be done only by having access to the key. That is, it is infeasible for anyone to infer any information about the cleartext from the ciphertext, even if that person has access to the key generation, encryption, and decryption procedures. An adversary can of course always mount an exhaustive search attack to try to find the right key, decrypting using each possible key and testing each output result to see if it is a comprehensible cleartext object (e.g., readable text, viewable image, or sensible sound). If the key space is sufficiently large, an exhaustive search attack will be infeasible. A large key-space comes at the price of longer keys, however, and these make the encryption and decryption processes slower. Thus an encryption system designer must trade off speed of operation against resistance to exhaustive search attacks.
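Against a key space as small as the shift cipher's, the exhaustive search attack takes only a moment. In this sketch the "comprehensible cleartext" test is a crude substring check, purely for illustration:

```python
def shift_decrypt(ciphertext: str, k: int) -> str:
    """Shift each letter k places back to the left, preserving case."""
    out = []
    for ch in ciphertext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - k) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

ciphertext = "YxoSpLiVkxnDgySpLiCok"
# Try all 25 keys and keep any result that looks like meaningful text
hits = [(k, shift_decrypt(ciphertext, k)) for k in range(1, 26)
        if "and" in shift_decrypt(ciphertext, k).lower()]
print(hits)  # [(10, 'OneIfByLandTwoIfBySea')]
```

A real attacker would use a better plausibility test (dictionary words, letter frequencies), but with only 25 candidates even inspection by eye suffices; this is why a large key space is essential.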
As previously noted, any encryption system must be used very carefully. For a symmetric-key system, in particular, the key generator must be run only in a completely private, reliable computing environment. The person responsible for a cleartext object must also keep the key completely secret, both when using it to encrypt or decrypt and when storing it between uses. The key must be given only to parties with a right to decrypt the ciphertext object, and they must treat the key with the same care. Similarly, everyone who gets the key must keep the cleartext object secure; encryption is useless if the cleartext version is left where it is accessible. Because one user may have many keys, each used in a different application or for a different object in one application, key management can become complex and expensive.5 The issue of key management is discussed below.
Many commercial IP management strategies plan a central role for symmetric-key encryption systems. Details differ from plan to plan, but the plans all have the following structure in common. Each object is
5Consider the problem of remembering all your passwords and PINs.
encrypted by the distributor with a key that is used only for it. Ciphertext objects are widely distributed. An object's key is given only to paying customers and other legitimate users; this activity occurs over a different, more secure, but likely less efficient, distribution channel from the one used for the object itself. The product or service that allows paying customers to decrypt and use the object must take responsibility for handling the key and the cleartext carefully.
Examples of symmetric-key encryption systems, including the widely used Data Encryption Standard, can be found in Menezes et al. (1997), which is also a good starting point for literature on the mathematical and engineering foundations of the design and analysis of cryptosystems. Mathematically sophisticated readers can also refer to Luby (1996).
Anyone using a symmetric-key encryption system must deal with the key exchange problem: If one or more recipients are to be able to decrypt a message, they must get the key, and they must be the only ones to get it. Two distinct problems are evident here: authentication and secrecy. The process must ensure that the person legitimately entitled to receive the key is who he or she claims to be (authentication) and that no one else can get the key while it is being transmitted (secrecy). Key exchange is thus a high-overhead operation.
An interesting circularity exists here: If we can ensure authentication and secrecy in transmitting the key, why not use that machinery to send the original message? One answer was suggested above: The key is often far smaller than the thing being encrypted, so the key distribution mechanism can use a more elaborate, more secure, and slower transmission route.
In the context of mass market IP, key exchange can be a large-scale problem: Online distribution of a best-selling novel may mean a few hundred thousand customers, that is, a few hundred thousand key exchanges. Although the encrypted text of the novel may be distributed via high-bandwidth broadcast channels (neither authentication nor secrecy is required), key transmission must be done in a way that ensures authentication and secrecy.
Public-Key (Two-Key) Systems
One way around this problem is the notion of a public-key encryption system, which eliminates the need for key exchange. As in the symmetric-key case, the system consists of three procedures: a key generator, an encryption function, and a decryption function. Here, when a user runs
the key generator, he or she produces two keys: a public key and a secret key. The public key should then be distributed and made widely available (perhaps by a directory service), but the secret key must be carefully guarded and kept private (just as in a symmetric-key system).
To send an object to the owner of a public-key/secret-key pair, the sender looks up the user's public key and feeds both the public key and the cleartext object into the encryption function, producing a ciphertext object. When the recipient receives it, he or she feeds the ciphertext object and his or her secret key into the decryption function, which recovers the cleartext object. (See Figure E.2.)
To be successful, a public-key cryptosystem must have the property that each public key corresponds to a unique secret key and vice versa: a ciphertext object produced with a given public key must be decryptable only by the owner of the corresponding secret key. However, determining what the secret key is if all one has is the public key must be infeasible. Logically, a secret key is determined by its corresponding public key, but the time required to compute this uniquely determined quantity should
be longer than an adversary could possibly spend (and is believed to be far longer than a human lifetime for the public-key cryptosystems that are now in use, if an appropriately large key is used).
At first glance, it is not obvious that one could devise a key-generation procedure that is itself efficient but still manages to embed the information needed to determine the secret key into the public key in such a way that it cannot be extracted efficiently. The concept of public-key cryptography was first put forth publicly by Diffie and Hellman (1976) and Merkle (1978) and has given rise to some of the most interesting work in the theory of computation. Interested readers should refer to an introductory book such as the Handbook of Applied Cryptography (Menezes et al., 1997) for an overview of cryptographic theory; this handbook also provides examples of public-key cryptosystems that are now in use, including the well-known RSA system (named for its inventors Rivest, Shamir, and Adleman) (Rivest et al., 1978).
Current public-key cryptosystems are considerably slower than current symmetric-key systems, and so they are not used for "bulk encryption," that is, encrypting long documents. In the IP management context, this means that vendors generally do not use public-key systems to encrypt content directly; rather, it is more common to encrypt content using a fast symmetric-key system, then use public-key encryption to solve the key exchange problem. Because the user's key in a symmetric-key encryption system is typically much shorter than the object, the time spent to encrypt and decrypt it using a public-key system is not prohibitive.
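The hybrid pattern can be sketched with deliberately toy components: an RSA key pair built from absurdly small primes, and a hash-based keystream standing in for a real symmetric cipher. Every number and name here is invented for illustration, and nothing about this sketch is secure; it only shows the structure (encrypt the content symmetrically, then encrypt the short symmetric key with the recipient's public key):

```python
import hashlib

def stream_xor(data: bytes, key: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a hash-derived keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))

# Toy RSA key pair: n = 61 * 53; e is the public key, d the secret key
n, e, d = 3233, 17, 2753

message = b"Best-selling novel, chapter one..."
session_key = 42                       # toy symmetric key; must be < n here

# Sender: encrypt content with the symmetric key, the key with the public key
ciphertext = stream_xor(message, session_key.to_bytes(2, "big"))
encrypted_key = pow(session_key, e, n)

# Recipient: recover the symmetric key with the secret key, then the content
recovered_key = pow(encrypted_key, d, n)
cleartext = stream_xor(ciphertext, recovered_key.to_bytes(2, "big"))
assert cleartext == message
```

Only the short `encrypted_key` goes through the slow public-key operation; the bulk of the content is handled by the fast symmetric cipher.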
One potential obstacle to widespread use of public-key cryptography for IP management (or for any mass market product or service) is the current lack of infrastructure. Public-key cryptosystems were first proposed in the mid-1970s, but only now are developers producing the systems needed for creation, distribution, retrieval, and updating of public keys. Considerable disagreement still exists in the technical community about how to create an effective public-key infrastructure (see below and Feigenbaum, 1998). Other potential obstacles to widespread use of public keys are the same ones that make symmetric-key systems hard to deploy effectively in a mass market service: A user's secret keys must be managed extremely carefully, as must all cleartext objects; otherwise, the property that was protected during transmission can be stolen once it reaches its destination. Furthermore, public-key systems are, like symmetric-key systems, subject to U.S. government export restrictions.
Another use of public-key technology, one that is potentially more important for IP management and for electronic commerce in general
than public-key cryptosystems, is digital signature. A digital signature scheme involves three procedures: a key generator (with the same structure as the key generator in a public-key cryptosystem), a signing function, and a verification function (Figure E.3). A user who has generated a key pair can feed his secret key and a digital object as input to the signing function, which produces "a signature" (a set of bits) as output. The crucial property of the signature is that it could have been produced only by someone with access to both the digital object and the secret key.
Subsequently, anyone presented with the object and the signature can look up the signer's public key and feed the object, the signature, and the public key into the verification function. The verification function can use this public key to determine whether the signature was produced by the signing function from the object and the secret key that corresponds to the public key.
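The sign-and-verify round trip can be sketched with the same sort of toy RSA numbers (invented for illustration; real signature schemes use much larger keys and careful hashing and padding). The document is hashed, and the hash is transformed with the secret key to produce the signature:

```python
import hashlib

n, e, d = 3233, 17, 2753          # toy RSA pair: e is public, d is secret

def sign(document: bytes, secret_key: int) -> int:
    """Hash the document and transform the hash with the secret key."""
    digest = int.from_bytes(hashlib.sha256(document).digest(), "big") % n
    return pow(digest, secret_key, n)

def verify(document: bytes, signature: int, public_key: int) -> bool:
    """Undo the transformation with the public key and compare hashes."""
    digest = int.from_bytes(hashlib.sha256(document).digest(), "big") % n
    return pow(signature, public_key, n) == digest

doc = b"I agree to the terms."
sig = sign(doc, d)
assert verify(doc, sig, e)                  # genuine signature verifies
assert not verify(doc, (sig + 1) % n, e)    # a forged signature fails
```

Note that because the signature depends on the document's hash, the same key produces a different signature for every document, which is exactly the property discussed below.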
As before, the success of the scheme depends on the ability to generate public-key/secret-key pairs that cause the signing and verification procedures to work properly and that have the counterintuitive property
that the secret key, although uniquely determined by its corresponding public key, cannot feasibly be computed from this public key.
Note that digital signatures can serve as analogues to paper signatures but are different in interesting ways. In the paper world a person's signature depends only on the person doing the signing. In the digital world, the signature is a function of both the person (represented by his secret key) and the document. Each document signed by a given secret key will have a different signature (i.e., a different set of bits). This is necessary, given the digital nature of the documents being signed: If a person's digital signature were the same for each document, as soon as he or she signed one document, the signature could easily be forged. The bits could be removed from the signed document and attached to a different document. (Note that this is not generally feasible with paper documents: Signatures cannot be torn off (or otherwise copied) and pasted elsewhere without disturbing the visual and tactile qualities of the document.) Because digital signatures depend on both the secret key and the document being signed, no one can claim that a signature produced for one document is the signature for another document.
Digital signatures have the potential to play an important role in IP management (as well as electronic commerce more generally), one that may be more important than public-key encryption. As noted earlier, public-key encryption is currently too slow to use to encrypt significant amounts of content, hence its main role in the foreseeable future is likely to be key distribution. Digital signatures, on the other hand, provide assured provenance (only the person in possession of the secret key could have created the signature) and nonrepudiation (the object must have been signed by the possessor of the key, because the signature could not have been created any other way). Knowing the origin of a digital object can be extremely valuable, for example, to ensure that a program you have downloaded comes from a reliable source.
Note that we have phrased this carefully, saying "the person in possession of the secret key" to emphasize that, as with any form of encryption, all the guarantees depend on security of the secret key. A program can determine whether a particular secret key was used to create a signature ("this was signed with Joe's secret key"), but the connection between that secret key and a particular person ("only Joe could have signed this") is a separate issue, one the owner of the key must ensure.
Management of Encryption Keys: Public-Key Infrastructure
Any product or service that uses public-key cryptography or digital signatures must have a reliable way to determine that it has the right
public key each time it decrypts a message or verifies a signature. For example, a digital library may insist that each article it offers be digitally signed by the author so that readers can verify the article's authenticity. This approach requires that the readers be able to trust that the library has correctly associated the authors' names with their public keys. What is the foundation for that trust, given that the library may deal with tens of thousands of authors, most of whom it has only "met" in cyberspace? This and many similar questions fall under the general heading of public-key infrastructure challenges.
The basic building blocks of the simplest approach to public-key infrastructure are "identity certificates" (ID certificates) and "certifying authorities" (CAs), analogous in some ways to the physical identity cards (e.g., passports) issued by authorities such as national governments. In the digital world, an ID certificate is a signed data record containing a public key and the name of its owner (and perhaps some related data items such as an expiration date). An ID certificate is issued by a CA, which signs it with its signature key SK_CA. If a user (or a service like a digital library) has a trustworthy copy of the CA's public key PK_CA, it can build on its trust in PK_CA to develop trust in the ID certificates (and their keys) that the CA has signed.
For example, someone receives a document signed by Alice, together with an ID certificate associating Alice with her public key PK_A. The recipient uses the CA's public key PK_CA to verify the CA's signature on the ID certificate and, if this succeeds, the recipient can then be confident in using the key in the certificate, PK_A, to verify Alice's signature on the document. The user's trust in the CA consists of trust that his or her copy of PK_CA has not been tampered with and trust that the CA has associated the correct public key with the name Alice.
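This two-step check can be sketched with toy RSA pairs. The names, key values, and certificate format below are all invented for illustration, and the toy signing functions stand in for a real signature scheme:

```python
import hashlib

def toy_sign(data: bytes, sk: int, n: int) -> int:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(h, sk, n)

def toy_verify(data: bytes, sig: int, pk: int, n: int) -> bool:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(sig, pk, n) == h

# Two toy RSA pairs: one for the CA, one for Alice (tiny numbers!)
CA_N, CA_PK, CA_SK = 3233, 17, 2753          # n = 61 * 53
ALICE_N, ALICE_PK, ALICE_SK = 2773, 17, 157  # n = 47 * 59

# The CA issues an ID certificate binding the name "Alice" to her public key
cert_body = b"name=Alice;pk=17;n=2773"
cert_sig = toy_sign(cert_body, CA_SK, CA_N)

# Step 1: a relying party who trusts PK_CA checks the certificate
assert toy_verify(cert_body, cert_sig, CA_PK, CA_N)

# Step 2: having validated the binding, use PK_A to check Alice's signature
doc = b"Article manuscript"
doc_sig = toy_sign(doc, ALICE_SK, ALICE_N)
assert toy_verify(doc, doc_sig, ALICE_PK, ALICE_N)
```

Trust in thousands of author keys thus reduces to trust in one carefully obtained CA key.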
The public-key infrastructure task also requires that there be a means of dealing with keys and certificates that have expired or been revoked. Basic security principles require that both keys and certificates have expiration dates (no password should be good forever) and that both are revocable to deal with secret keys that have been compromised.
One standard version of public-key infrastructure calls for official CAs to issue ID certificates for other official CAs, thus forming "hierarchies of trust." (Having numerous CAs prevents the entire system from being dependent on a single source.) In another approach, anyone can act as a CA (or "introducer") by signing name-key pairs in which he or she has confidence, and "webs of trust" emerge spontaneously as users decide whom to go to for introductions (Zimmerman, 1994). More recently, the research community has developed public-key infrastructures in which certificates do more than just bind public keys to names. See, for example, Ellison (1999) for a discussion of "authorization certificates" (in
which the public key is bound to a capability or privilege to perform a certain action) and Blaze et al. (1996) or Blaze et al. (1998) for a discussion of fully programmable certificates. Direct authorization of verification keys can be a powerful tool in IP management and in e-business generally, enabling individual customers to do business anonymously (as they often can in the physical world) and enabling businesses to derive much more information from digital signature verification than simply the name of the signer. For an in-depth discussion of this work on expressive public-key infrastructure, see Feigenbaum (1998) and the references cited there.
Management of Encryption Keys: User and Middleware Issues
The security of any encryption scheme depends on keys being difficult to guess (i.e., they should be long and effectively gibberish). The analogous lesson about passwords is not widely heeded: Computer systems today are routinely broken into by "dictionary attacks," routines that simply try as a password all the words in a dictionary, along with common names, birthdays, and so on. The more sensitive the resource to be protected, the more difficult its key must be to guess. The problem is that a good key is basically impossible for any human being to remember.
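A dictionary attack is easy to sketch. The password, word list, and storage scheme below are invented for illustration (real systems also salt their password hashes, and real attack word lists run to millions of entries):

```python
import hashlib

# A server stores only a hash of each user's password (salt omitted for brevity)
stored_hash = hashlib.sha256(b"sunshine").hexdigest()

# The attacker hashes every word in a dictionary until one matches
dictionary = ["password", "letmein", "dragon", "sunshine", "qwerty"]
found = next((w for w in dictionary
              if hashlib.sha256(w.encode()).hexdigest() == stored_hash), None)
print(found)  # sunshine
```

A long random key never appears in any such list, which is precisely why good keys are hard for humans to remember.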
As a consequence, keys are themselves stored and managed by computing systems and passed across the network; they are in turn encrypted under key-encrypting keys. A protection infrastructure becomes necessary. Because digital systems can be extremely complex, the engineering and management disciplines needed to accomplish such infrastructures have become areas for specialists. A great deal has been written about both the engineering side of system protection (see, for example, Gray and Reuter, 1992) and about practical service operations (see, for example, Atkins et al., 1996).
Because key management can be extremely cumbersome, IP delivery middleware and the end-user applications to which IP is delivered go to great lengths to keep end users unaware of it. When a user clicks on the "play," "view," or "print" commands for an encrypted object, the appropriate decryption keys should be retrieved automatically by the application, which should then decrypt the content and present it as appropriate. The user should not have to do anything explicit to find the right key or apply it and the decryption tool. Similarly, when the user is finished inspecting the content, he or she should not have to do more than select the "close" operation; as a side effect, the system should ensure continued existence of the ciphertext version and (appropriately protected) decryption key(s), but delete all traces of the cleartext.
Unfortunately, the efforts to achieve such ease of use of encryption tend to work against the effectiveness of encryption in safeguarding content, at least in applications that execute in ordinary PCs. No matter how hard the application developers work to find a place on the PC disk safe enough to store cryptographic keys, many PC experts will be sufficiently knowledgeable and skilled to find them. The problem can be solved to some degree by having users store their keys on removable media (e.g., smart cards), but such cards would impose significant burdens on users and distributors. This challenge illustrates that analysis of trade-offs between ease of use and strength of protection is an important and difficult part of IP management systems development.
In addition to posing some technical challenges to the developer of a product or service, the use of encryption also poses legal and political challenges. Encryption systems and products that use them are subject to U.S. government export restrictions, restrictions that are themselves subject to change, making product development and business planning difficult.6 Although there are currently no restrictions on domestic use of encryption, the U.S. copyright industries clearly would not want to use one set of products and services (with strong encryption capabilities) for the domestic market and another (with weaker, exportable encryption capabilities) for the overseas market. Not only would this arrangement mean higher development and maintenance costs, it is also likely backwards: Serious commercial piracy is more of a problem outside the United States, calling for stronger encryption outside national boundaries. The encryption export issue will thus have to be dealt with if encryption is to play a prominent role in IP management.
Like public-key cryptosystems, digital signature schemes are currently cumbersome to use because of the lack of infrastructure for managing public keys. There is good reason to believe that an appropriate infrastructure will emerge soon, however, because of the enabling role that digital signatures could play in electronic commerce. Unlike encryption, digital signature technology is not encumbered by export restrictions. The freely exportable U.S. government Digital Signature Standard (DSS) uses public-key technology, but it is not a public-key cryptosystem.7
6See Cryptography's Role in Securing the Information Society (CSTB, 1996) for a discussion of the market and public policy aspects concerning encryption and U.S. government export restrictions.
7At least, there is no obvious way to use it to encrypt things. Technically sophisticated readers should refer to Rivest (1998) for a provocative discussion of the possibility that the claim that a signature scheme "cannot be used for encryption" might be intrinsically difficult to prove, and hence that a crucial distinction made by U.S. export policy may be ill-defined.
DSS and many other signature schemes are covered in basic cryptology textbooks, including Menezes et al. (1997).
Marking and Monitoring
A "watermark" is a signal added to digital data (typically audio, video, or still images) that can be detected or extracted later to make an assertion about the data. The watermark signal can serve various purposes, including:8
• Ownership assertion: To establish ownership over some content (such as an image), Alice can use a private key to generate a watermark and embed it into the original image. She then makes the watermarked image publicly available. Later, when Bob claims he owns an image derived from this public image, Alice can produce the unmarked original and demonstrate the presence of her watermark in Bob's image. Because Alice's original image is unavailable to Bob, he cannot do the same. For such a scheme to work, the watermark has to survive common image-processing operations (e.g., filtering or cropping). It also must be a function of the original image to avoid counterfeiting attacks.
• Fingerprinting: To avoid unauthorized duplication and distribution of publicly available content, an author can embed a distinct watermark (or fingerprint) into each copy of the data. If an unauthorized copy is found later, the authorized copy from which it was made can be determined by retrieving the fingerprint. In this application, the watermark should be invisible and invulnerable to attempts at forgery, removal, or invalidation.
• Authentication and integrity verification: Although authentication can be done through cryptographic techniques, the advantage of using a verification watermark is that the authenticator is inseparably bound to the content, simplifying the logistical problem of data handling. When the watermarked data is checked, the watermark is extracted using a unique key associated with the source, and the integrity of the data is verified through the integrity of the extracted watermark.
• Content labeling: The watermark embedded into the data contains further information about the contents. For example, a photographic image could be annotated to describe the time and place the photograph was taken, as well as identification of and contact information for the photographer.
• Usage control: In a closed system in which the multimedia content needs special hardware for copying and viewing, a digital watermark can
8Adapted from Memon and Wong (1998).
be inserted to indicate the number of copies permitted. Every time a copy is made, the watermark can be modified by the hardware, and at some point the hardware would not create any more copies of the data. An example is the digital video disc.
• Content protection: In certain applications, a content owner may want to publicly and freely provide a preview of the multimedia content being sold. To make the preview commercially worthless, the content could be stamped with a visible watermark that is very difficult to remove.
Currently, no universal watermarking technique exists that satisfies all requirements of all applications; instead, the specific requirements of each watermarking application depend on the protection objectives, the kind of object and its digital size, and possibly on the kind of distribution channel. Below, some watermarking techniques are described, using images as a motivating example. Keep in mind that many of these techniques are applicable to other forms of content, including video and audio.
Digital watermarks are embedded in digital objects (images) so that owners and perhaps end users can detect illegitimate copying or alteration. Digital watermarks can be made either "perceptible" (by people) or "imperceptible." A "fragile" watermark is damaged by image distortions and thus serves to detect alterations made after the watermark is applied. A "robust" watermark survives distortions such as trimming away most of the image and thus can serve as evidence of provenance.9 Both kinds can be embedded in most varieties of digital object. Watermarks are currently of most interest for images, audio signals, and video signals.
A watermark is a digital signal, added to or removed from the original object, that does not interfere unduly with the intended use of the altered object and yet carries a small amount of information. "Invisible watermarks" are imperceptible to people but can be detected by appropriate software. A technical protection service (TPS) that uses watermarking can provide a content distributor with a way to mark content before distribution and track what happens to it subsequently.10 Users of works may also benefit, because successful watermark detection can demonstrate the source of the content and that it has not been altered subsequently.

9The embedded marks should be short so that they can be repeated many times throughout the work. Long marks are not robust because small changes to the work can cause the mark to be lost or damaged. Embedded marks survive normal file transfer and copy operations, but, as with other IP protections, watermarks can sometimes be removed by a determined, knowledgeable user.

10Note that many watermark applications require a network infrastructure and possibly also a rights management system to accomplish the monitoring function.
Even when designed to be subtle, watermarks do modify the content that carries them and therefore may be unacceptable for applications that need very high fidelity content. Conversely, that same modification can enable some business models: Some companies allow free distribution of lower-resolution works with watermarks, using those as samples of their work, while charging for higher-resolution works without watermarks.
A fragile watermarking scheme has two procedures, one for watermark insertion and one for watermark extraction. The input to the insertion procedure consists of the unmarked object, the watermark, and a key associated with the creator of the object (or another authorized party in the distribution chain); the output is a watermarked object. The input to the extraction procedure consists of the watermarked object and the key used during insertion. If the object has not been altered since it was marked and the correct key is used, the output of the extraction procedure is the watermark; if the object has been altered or the wrong key is used, the extraction procedure outputs an error message. Some fragile watermarking schemes can identify the unauthorized alteration; others detect only that alteration has occurred.
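The insertion/extraction pairing can be made concrete with a toy fragile watermarking scheme in Python. This is an illustrative sketch, not a production technique, and every name and parameter in it is invented: the watermark plus a keyed integrity tag (an HMAC) is hidden in pixel least-significant bits at key-chosen positions, so that altering the image, or supplying the wrong key, causes extraction to fail with an error rather than return the mark.

```python
import hashlib
import hmac
import random

MAC_LEN = 32  # bytes of SHA-256 tag appended to the mark

def _positions(key, n_pixels, n_bits):
    # A key-seeded PRNG gives the inserter and the extractor
    # the same pseudo-random sequence of pixel positions.
    return random.Random(key).sample(range(n_pixels), n_bits)

def insert(pixels, mark, key):
    # Zero every LSB, MAC the result together with the mark,
    # then hide mark + MAC in the LSBs at key-chosen positions.
    out = bytearray(p & 0xFE for p in pixels)
    mac = hmac.new(key, bytes(out) + mark, hashlib.sha256).digest()
    payload = mark + mac
    bits = [(byte >> i) & 1 for byte in payload for i in range(8)]
    for pos, bit in zip(_positions(key, len(out), len(bits)), bits):
        out[pos] |= bit
    return bytes(out)

def extract(pixels, key, mark_len=8):
    # Recover the hidden payload and verify it; a mismatch means
    # the object was altered or the wrong key was used.
    n_bits = (mark_len + MAC_LEN) * 8
    bits = [pixels[pos] & 1 for pos in _positions(key, len(pixels), n_bits)]
    payload = bytes(sum(b << i for i, b in enumerate(bits[j:j + 8]))
                    for j in range(0, n_bits, 8))
    mark, mac = payload[:mark_len], payload[mark_len:]
    zeroed = bytes(p & 0xFE for p in pixels)
    expected = hmac.new(key, zeroed + mark, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("object was altered or the key is wrong")
    return mark
```

One limitation of the toy illustrates the design space: a change confined to an unused least-significant bit would go unnoticed here, whereas real fragile schemes protect every bit position and, as the text notes, some can even localize the alteration.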
In a robust watermarking scheme, it is assumed that the marked object may be altered in the course of its normal use. For example, robustly watermarked images may undergo compression and decompression, filtering, scaling, and cropping. The inputs to and outputs from a robust watermarking insertion procedure are the same as in the case of fragile watermarking. The inputs to the detection procedure are the watermarked object (which may have been legitimately altered in the course of normal use), the watermark that was inserted into the object, and the key. The detection procedure then indicates whether the object contains a mark that is "close to" the original watermark. The meaning of "close" depends on the type of alterations that a marked object might undergo in the course of normal use.
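A classic way to realize this kind of "close to" detection is spread-spectrum watermarking: a key-seeded, low-amplitude pseudo-random pattern is added across the whole signal, and detection checks whether the correlation with that pattern exceeds a threshold. The sketch below is a simplified illustration with made-up parameter values; in this version the watermark pattern is regenerated from the key rather than supplied separately. It shows why such marks can survive mild alterations: operations such as uniform scaling reduce the correlation only gradually.

```python
import random

def _prn(key, n):
    # Key-seeded pseudo-random +/-1 spreading sequence (the "pattern").
    rng = random.Random(key)
    return [rng.choice((-1.0, 1.0)) for _ in range(n)]

def embed(signal, key, strength=2.0):
    # Add a low-amplitude keyed pattern across the whole signal.
    return [s + strength * w for s, w in zip(signal, _prn(key, len(signal)))]

def detect(signal, key, threshold=1.0):
    # Normalized correlation with the keyed pattern: a marked signal
    # correlates at roughly `strength`, an unmarked one near zero.
    w = _prn(key, len(signal))
    corr = sum(s * wi for s, wi in zip(signal, w)) / len(signal)
    return corr > threshold
```

The threshold encodes the meaning of "close": it is set low enough to tolerate expected processing (compression, filtering, scaling) but high enough that unmarked content almost never correlates above it by chance.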
In a fingerprinting scheme, there is an additional input to the insertion procedure that depends on the recipient of the specific copy. The output is a marked object in which the mark (the fingerprint) identifies the recipient. Two different customers purchasing the same work would receive objects that appeared the same to human perception but contained different watermarks. If unauthorized copies were later found, the fingerprint could be extracted from those copies, indicating whose copy had been replicated.
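The recipient-dependent input can be as simple as a serial number tied to the purchaser. The following toy sketch (hypothetical names, naive least-significant-bit embedding in the first 32 pixels) issues each customer a copy carrying a distinct fingerprint and later traces a found copy back to its recipient:

```python
def embed_fingerprint(pixels, fid):
    # Store a 4-byte fingerprint id in the first 32 pixel LSBs.
    bits = [(b >> i) & 1 for b in fid.to_bytes(4, "big") for i in range(8)]
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def read_fingerprint(pixels):
    # Reassemble the 4-byte id from the first 32 pixel LSBs.
    bits = [p & 1 for p in pixels[:32]]
    data = bytes(sum(b << i for i, b in enumerate(bits[j:j + 8]))
                 for j in range(0, 32, 8))
    return int.from_bytes(data, "big")

registry = {}  # fingerprint id -> customer, kept by the distributor

def issue_copy(pixels, customer):
    fid = len(registry) + 1
    registry[fid] = customer
    return embed_fingerprint(pixels, fid)

def trace(pixels):
    # Given a found copy, identify whose copy was replicated.
    return registry.get(read_fingerprint(pixels))
```

Unlike a real fingerprint, this one is trivially removable; it only illustrates the bookkeeping. Meeting the robustness requirements in the text (resistance to forgery, removal, and invalidation) is the hard part of fingerprinting research.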
Detection as described above does not require the original, unmarked object. Watermarking schemes whose detection portions do not require
the unmarked, or "reference," object are called "oblivious" or "public." Schemes that do require reference objects for detection (called "private" schemes) are less powerful but may be the best that are attainable for certain types of objects and certain applications. Robust schemes may be further classified in many ways that are beyond the scope of this report; interested readers should refer to Memon and Wong (1998) or, for a scientifically rigorous treatment, Matheson et al. (1998). (See Figure E.4.)
Watermarked works posted on the Internet can be tracked through the use of "spiders" that search the Web. For example, Digimarc Corporation's MarcSpider service scans the Web and provides online reports of where and when marked images (or their copies) are found.11 To facilitate copyright compliance by purchasers and licensees, a service for users provides access to up-to-date information about the copyright status of a work. This service is useful in situations in which ownership and terms are dynamic; indeed, it is often the difficulty of obtaining up-to-date terms (rather than the expense of license fees) that causes people to violate licenses.
Watermarking cannot force people to refrain from copying or distributing digitally marked works. Rather, TPSs that use marking and tracking attempt to dissuade violations by making them detectable and traceable to the culprits. Typically, only the rights holder's ownership information is embedded in marked works, but licensing terms or information about users can also be recorded and carried with the object. As noted above, fingerprinting by adding personal information to the object can strengthen the disincentive for infringement, but because it can compromise user privacy and can be done without the knowledge of the licensee, it could also alienate potential customers. Cost-benefit analysis of the trade-off between protecting the vendor's ownership rights and protecting the customer's privacy must be done on a case-by-case basis.
Note that watermarking is only a defense against copying on a large enough scale (e.g., on the scale that would occur in financially viable commercial piracy) to cause the illegitimate copies to be discovered by web crawlers. Realistically, a watermarking scheme will not help an owner detect someone who uses his home PC to make a single copy for private use, because that copy will almost certainly never find its way to the watermark detection process. Digital watermarking is in use today by corporations in the photography, publishing, entertainment, sports, and news industries.
11Information about Digimarc Corporation and its products can be found online at <http://www.digimarc.com>.
Time Stamps and Labels
The purpose of time stamping in a technical protection system is to fix certain properties of a work (e.g., a description of the content, or the identity of the copyright holder) at a particular point in time. TPSs that use time stamping facilitate copyright protection by affixing an authoritative, cryptographically strong time stamp on digital content that can be used to demonstrate the state of the content at a given time. A third-party time-stamping service may be involved to provide, among other things, a trusted source for the time used in the time stamp. Time-stamping technology is not widely deployed as of 1999.12
Web Monitoring

Web monitoring systematically and comprehensively analyzes thousands of Web pages to find targeted works. Unlike simple Web searching or Web crawling, monitoring tends to be ongoing and in depth and includes analysis and attempts to interpret findings in context.
Effective Web monitoring can detect improper uses of logos or trademarks, as well as piracy and other copyright violations and, more generally, can keep track of how targeted works are being used (including the legal uses). This type of monitoring (and indeed even simpler searching and crawling) is considered by some to be a violation of user privacy; for this reason, some people and organizations take pains to keep monitoring software off their Web sites (e.g., by configuring their firewalls to keep monitors out) or even to feed inaccurate and misleading information to the monitors. Although Web monitoring increases the likelihood of detection of copyright violators, monitoring cannot directly stop violations from happening; its effectiveness lies in the threat of legal action against violators.13
13As one example, Online Monitoring Services provides these capabilities through its services WebSentry and MarketIntelligence.
A high level of protection of valuable content in the face of determined adversaries must involve special-purpose hardware, because the content of any digital work must eventually be displayed or somehow made accessible to the user for its value to be realized. If all of the processing necessary for display takes place in an ordinary PC, the bits that are displayed can be captured and copied by anyone with sufficient knowledge of PC hardware and software. If, on the other hand, transmission, processing, and display involve special-purpose hardware (e.g., as in traditional cable television systems), capturing the content is much more difficult. Indeed, some visions of the future suggest widespread use of such special-purpose hardware, sometimes termed "information appliances" (see, for example, Norman, 1998).
Special-purpose hardware also reduces the opportunity to modify the device: Security circumventions that require hardware modification are much less likely to be widespread than those that can be accomplished with software. Software modifications can be made easily installable (witness all the programs and upgrades that can be downloaded and installed by relatively unsophisticated users), while tinkering with hardware is typically more difficult and less likely to be widely practiced. Software modifications can, in addition, be widely distributed by the Internet.
Special-purpose hardware also has its costs. It imposes a burden on the content distributor to manufacture and market (or give away) the hardware, and a burden on the user to obtain, learn about, and maintain it.
The desire to avoid this burden has motivated the search for software-only, end-to-end systems to control digital content. A number of schemes are being actively explored and deployed, including efforts by IBM, based in part on its Cryptolopes®; by Xerox, using its Self Protecting Documents®; and by InterTrust, using its Digiboxes®.14 Several elements are common in these efforts. Each uses some variety of a secured digital container (a cryptographically protected file) holding the content, the vendor's rules for access and use (described in a rights management language), and possibly watermarking or fingerprinting information. Encrypting the information both prevents misuse and ensures authenticity, provenance, and completeness. Not all of the content is necessarily encrypted: Encrypted documents may be accompanied by unencrypted abstracts so that the document can be previewed by anyone (a form of advertising). Most of these schemes call for a rights management server that performs tasks such as authorizing requests to use content and tracking use for billing. In a typical interaction, the customer purchases content (e.g., a consulting company report) via the Web and receives a secured digital container holding the content, an indication of the rights purchased, and possibly additional information that marks the content as having been distributed to this particular customer.

14Information on the IBM effort can be found at <http://www.software.ibm.com/security/cryptolope/>, the Xerox effort at <http://www.contentguard.com>, and the InterTrust effort at <http://www.intertrust.com>. As noted in Chapter 2 on music, a number of Internet music-delivery services, including AT&T's a2b system and Liquid Audio, use encryption, rights management, and several of the other techniques discussed here.
A customer's use of the information must be cleared by software that checks the rights that have been packaged with the content and checks the identity of the local machine. One approach to checking the rights calls for the local machine to issue a request to the rights management server, which must provide clearance before access can occur and at the same time can record billing information.
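The container idea can be illustrated with the following sketch, which does not represent any vendor's actual format: content and rules are sealed together (here with a toy XOR keystream standing in for real encryption), an abstract is left in the clear for previewing, and the packaged rights are checked before the content is released.

```python
import hashlib
import json

def _keystream(key, n):
    # Toy keystream from iterated hashing; real systems use
    # standard ciphers, not this construction.
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])

def seal(content, rules, abstract, key):
    # Encrypt content + rules together; leave the abstract in the
    # clear so anyone can preview the container (a form of advertising).
    body = json.dumps({"content": content, "rules": rules}).encode()
    cipher = bytes(b ^ k for b, k in zip(body, _keystream(key, len(body))))
    return {"abstract": abstract, "body": cipher.hex()}

def open_container(container, key, requested_use):
    # Decrypt, then check the packaged rights before releasing content;
    # in deployed systems this step may also consult a rights
    # management server and record billing information.
    cipher = bytes.fromhex(container["body"])
    body = json.loads(bytes(b ^ k for b, k in
                            zip(cipher, _keystream(key, len(cipher)))))
    if requested_use not in body["rules"]:
        raise PermissionError(f"use '{requested_use}' not licensed")
    return body["content"]
```

The essential property is that the rules travel with the content: the content is never available except through the clearing code that enforces them.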
One of the challenges of these systems is, as noted above, to provide access to content without losing control of it, a task that is not easily accomplished on a general-purpose PC. One approach to this, used by Xerox, is to encapsulate the content as a runnable (Java) program and have that program perform much (or all) of the rendering (for example, display and printing). Having the specialized software do the rendering rather than the underlying operating system can substantially reduce the opportunity to capture the content, making piracy that much more difficult. Rendering is also done in stages, further reducing the chances for capturing content. Although this is not guaranteed to prevent piracy, it does substantially raise the level of technical skill required by a pirate and may suffice for commerce in a wide variety of digital information.
These secure containers are still a relatively new technology and have yet to be used widely. The level of skill and determination that will go into attacking them will depend on the size and structure of the market for the content they are used to protect; whether they will withstand determined attacks is an open question. For a general discussion of the difficulties of building tamper-resistant software, see Aucsmith (1996).
Packaging information in secure containers also enables a concept called "superdistribution," that is, the ability for others to repackage and redistribute content, profiting from their repackaging while respecting the rights of the owners of the original content.15 As one simple example, a customer who buys and reads a wide range of consulting company reports on a subject may determine that six of them are particularly useful and that packaging those six together provides added value (e.g., saving someone else the time and effort of finding them). The customer packages those six reports in his own secure digital container, with his own set of rules (e.g., prices) for access. Importantly, those rules are over and above the rules specified by each of the individual reports, which remain "enclosed" in their own (sub)containers. Someone who buys the collection must obtain (i.e., pay for) all necessary rights, including the rights to the collection and the rights to any of the individual reports. Superdistribution thus enables a chain of value-adding activities, while respecting the rights and restrictions imposed by all the content owners.

15The term "superdistribution" has apparently been used historically in a number of ways. The usage here is consistent with current discussions of e-commerce in information products. Earlier uses of the term referred to the distribution of software that metered its use ("meterware"). See, for example, Cox (1994), which describes the approach of Ryoichi Mori of the Japan Electronics Industry Development Association. This work suggested adding a special (tamper-resistant) processor to computers and special instructions in the software to track and bill for use (a system much like the one envisioned for videos with Divx). The interesting suggestion is that where software is currently sold by the copy (and digital copies are difficult to track or control), copies should instead be given away, and only usage should be billed (based in part on the claim that use is easier to track than copying). Mori's work also suggested the possibility of layers of such pay-per-use as different programs call on one another, an idea similar to the notion of superdistribution used above.
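The pricing arithmetic of the consulting-reports example can be sketched as follows: each (sub)container carries its own price, and buying a collection means paying the collector's price plus the price of every enclosed item (all figures hypothetical).

```python
def total_price(item):
    # Price of a container: its own price plus that of every
    # enclosed sub-container, recursively.
    return item["price"] + sum(total_price(sub)
                               for sub in item.get("contains", []))

# Hypothetical catalog: six $20 reports repackaged in a $15 collection.
reports = [{"name": f"report-{i}", "price": 20} for i in range(1, 7)]
bundle = {"name": "best-of-six", "price": 15, "contains": reports}
```

Buying the bundle here costs 15 + 6 × 20 = 135: the collector is paid for the packaging, while each original owner is still paid for the report enclosed in its own subcontainer.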