13.07.2015 Views

WWW/Internet - Portal do Software Público Brasileiro


IADIS International Conference WWW/Internet 2010

Tki: transport key for session i, a symmetric key randomly generated by MG, used to transport the media key for the ith trust interval session.
Hash: one-way hash function.
Ks: public key for S.
VS: the instructions of the viewer software along with MG's instructions, see Figure 5.
|: concatenation.

2- S -> MG: {Nm|Ns|S}_Km
Where Km: public key for MG.
3- MG -> S: {Ns|MG}_Ks
4- S -> MG: {Mki|S}_Tki
Where Mki: media key for the ith trust interval session.

Figure 4 depicts the protocol exchanged between the two roles.

Figure 4. Protocol Simulation.
Figure 5. Input of hash function calculation [Grimen-DRM2].
Figure 6. Attack trace for key exchange protocol proposed by Grimen et al.

We translated the previous message exchanges into HLPSL and simulated the attack. Figure 6 shows the attack simulation. "i" represents the intruder entity who is trying to gain access to the media key for all sessions. An intruder is a forwarded MG, i.e., an illegal copy of MG, who knows MG's public key.

The first message shows that the intruder generates a transport key and a new nonce, and encrypts them with SS's public key. Then the intruder generates a checksum by applying a hash function to the following inputs: fixed parts of the binary code of the VS and MG, the transport key and the nonce. The intruder then sends the result to SS. SS extracts the transport key and nonce, calculates the checksum itself, since the VS has all inputs for the hash function, and compares the result with the received information. Upon successful verification, the SS creates a nonce and sends it along with MG's nonce, all encrypted with MG's public key. The intruder, who has the MG's public key, can extract the SS's nonce, encrypt it with SS's public key and send it to SS. The SS believes that it is talking to a legal MG, and then encrypts the media key for the ith session with the transport key. This leads to an attack since the intruder can extract that media key. We assume that forwarding the Mobile Guard to an illegal user is a DRM attack, which means that the illegal user indirectly uses the MG public key, or at least the pirated MG can decrypt any messages that have been encrypted with MG's public key.

The problem with the Grimen et al. solution is that generating a new transport key from any MG instance does not correspond to the validity of any MG instance, thus any message from a pirated MG is accepted. A
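The exchange analysed above can be replayed as a small symbolic model. This is an added example, not code from the paper or from Grimen et al.: encryption is symbolic (a tagged tuple, as in an HLPSL model), SHA-256 stands in for the unspecified Hash, message 1 is reconstructed from the narrative because its listing is not in this excerpt, and all class and function names are hypothetical. Following the page's assumption, a copied MG can open messages encrypted under Km.

```python
import copy, hashlib, secrets

# Symbolic crypto: a ciphertext is a tagged tuple that only the named key opens.
def enc(key, payload): return ("enc", key, payload)
def dec(key, ct):
    if ct[0] != "enc" or ct[1] != key: raise ValueError("wrong key")
    return ct[2]
def H(*parts): return hashlib.sha256("|".join(parts).encode()).hexdigest()

VS_CODE = "fixed-binary-parts-of-VS-and-MG"   # constructed placeholder for the hashed code

class Server:                                  # role S (SS in the narrative)
    def __init__(self, vs_code, media_keys):
        self.vs_code, self.media_keys = vs_code, media_keys
    def on_msg1(self, ct, checksum):           # assumed msg 1: {Tki|Nm}_Ks, Hash(VS|Tki|Nm)
        self.tki, nm = dec("Ks", ct)
        if checksum != H(self.vs_code, self.tki, nm):
            return None                        # detects modified code, nothing else
        self.ns = secrets.token_hex(8)
        return enc("Km", (nm, self.ns, "S"))   # msg 2: {Nm|Ns|S}_Km
    def on_msg3(self, ct, i):
        ns, _sender = dec("Ks", ct)
        if ns != self.ns:
            return None
        return enc(self.tki, (self.media_keys[i], "S"))   # msg 4: {Mki|S}_Tki

class MobileGuard:                             # role MG; a copy behaves identically
    def __init__(self, vs_code): self.vs_code = vs_code
    def msg1(self):
        self.tki, self.nm = secrets.token_hex(16), secrets.token_hex(8)
        return enc("Ks", (self.tki, self.nm)), H(self.vs_code, self.tki, self.nm)
    def msg3(self, ct):
        nm, ns, _sender = dec("Km", ct)        # every copy of MG has this capability
        if nm != self.nm: raise ValueError("stale nonce")
        return enc("Ks", (ns, "MG"))           # msg 3: {Ns|MG}_Ks
    def open_msg4(self, ct): return dec(self.tki, ct)[0]

def run_session(mg, server, i):
    m2 = server.on_msg1(*mg.msg1())
    if m2 is None: return None
    m4 = server.on_msg3(mg.msg3(m2), i)
    return None if m4 is None else mg.open_msg4(m4)

def demo():
    server = Server(VS_CODE, {1: "MK-1"})      # constructed media key for session 1
    legal = MobileGuard(VS_CODE)
    pirated = copy.deepcopy(legal)             # forwarded, byte-identical copy
    patched = MobileGuard(VS_CODE + "-patched")
    return tuple(run_session(m, server, 1) for m in (legal, pirated, patched))

if __name__ == "__main__":
    print(demo())
```

The server rejects only the instance whose code differs; the legal MG and its copy both obtain the media key, because a fresh Tki and a matching checksum say nothing about which instance produced them.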
