Re: limits of watermarking (Re: First Steganographic Image in theWild)
On Sat, 20 Oct 2001, Ben Laurie wrote: If it were possible, it would indeed raise the bar. The problem is, it would seem, that it is not possible to have a provably strong means of copy protection, publicly known or otherwise. The SDMI charter can say what it wants, but that doesn't mean it can be achieved. The arguments that support the impossibility of the goal have been well rehearsed, so I won't repeat them here. For the sake of the yet-to-be-converted people like myself, could you at least point to the impossiblity arguments that have conviced you and possibly others, that strong open standards copy protection is impossible. Thanks in advance, -- Roop - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: limits of watermarking (Re: First Steganographic Image in theWild)
Roop Mukherjee wrote: On Thu, 18 Oct 2001, Marc Branchaud wrote: This analogy doesn't quite hold. Copy protection need only be broken once for the protection to be disabled for a particular piece of work. Also, once the scheme is known for one piece of work, it is extremely easy to break the scheme for other pieces, and in particular to write an application that will do so. With crypto's bar-raising, OTOH, breaking one instance, like an SSL stream or an AES key, does not break all other uses of SSL or AES. In particular, SSL AES will provide the same degree of protection for any other communication of the same data between the same or other parties. Also, good crypto schemes are already widely known and designed explicitly so that knowledge of the scheme does not break the scheme. M. I am not certain which scheme of copy protection you are refering to. But I agree that any scheme that relies on a secret recipie (ala Coca Cola) would not be effective. The analogy was intended towards publicy know provably strong means of copy protection. Most security measures these days would be foolish to choose otherwise. My impression of the DRM work that was being undertaken is that most of it aiming towards open specifications that are provably secure. For instance the SDMI charter says, ...to develop open technology specifications that protect the playing, storing, and distributing of digital music Measures like this would indeed raise the bar in much the same way as some other security measures like SSL did. If it were possible, it would indeed raise the bar. The problem is, it would seem, that it is not possible to have a provably strong means of copy protection, publicly known or otherwise. The SDMI charter can say what it wants, but that doesn't mean it can be achieved. The arguments that support the impossibility of the goal have been well rehearsed, so I won't repeat them here. Cheers, Ben. -- http://www.apache-ssl.org/ben.html There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: limits of watermarking (Re: First Steganographic Image in theWild)
Marc Branchaud wrote: This analogy doesn't quite hold. Copy protection need only be broken once for the protection to be disabled for a particular piece of work. Also, once the scheme is known for one piece of work, it is extremely easy to break the scheme for other pieces, and in particular to write an application that will do so. With crypto's bar-raising, OTOH, breaking one instance, like an SSL stream or an AES key, does not break all other uses of SSL or AES. In particular, SSL AES will provide the same degree of protection for any other communication of the same data between the same or other parties. Also, good crypto schemes are already widely known and designed explicitly so that knowledge of the scheme does not break the scheme. Although I agree with the general point, I should just mention that if an SSL break is a break of a private key, then future communications between the broken party and others may be compromised. Cheers, Ben. -- http://www.apache-ssl.org/ben.html There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: limits of watermarking (Re: First Steganographic Image in theWild)
On Thu, 18 Oct 2001, Marc Branchaud wrote: This analogy doesn't quite hold. Copy protection need only be broken once for the protection to be disabled for a particular piece of work. Also, once the scheme is known for one piece of work, it is extremely easy to break the scheme for other pieces, and in particular to write an application that will do so. With crypto's bar-raising, OTOH, breaking one instance, like an SSL stream or an AES key, does not break all other uses of SSL or AES. In particular, SSL AES will provide the same degree of protection for any other communication of the same data between the same or other parties. Also, good crypto schemes are already widely known and designed explicitly so that knowledge of the scheme does not break the scheme. M. I am not certain which scheme of copy protection you are refering to. But I agree that any scheme that relies on a secret recipie (ala Coca Cola) would not be effective. The analogy was intended towards publicy know provably strong means of copy protection. Most security measures these days would be foolish to choose otherwise. My impression of the DRM work that was being undertaken is that most of it aiming towards open specifications that are provably secure. For instance the SDMI charter says, ...to develop open technology specifications that protect the playing, storing, and distributing of digital music Measures like this would indeed raise the bar in much the same way as some other security measures like SSL did. -- Roop Roop Mukherjee wrote: The fact that someone can break open his box/software and sucessfully invalidate their verification scheme does not mean that there is no value in copy marks. Initial schemes that verify copymarks may not make it impossible to cheat, but they will raise the barrier. To compare, in theory one can break even strong encryption. We only try to make it sufficiently hard. The copy protection schemes that are being debated may not be as good at raising the bar as some others like SSL but the recording industry will push ahead because evey copyright violator discouraged means savings in the piracy attributed losses that their analysts (somewhat mysteriously) produce. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: limits of watermarking (Re: First Steganographic Image in theWild)
On Fri, Oct 19, 2001 at 10:24:55AM -0400, Roop Mukherjee wrote: The analogy was intended towards publicy know provably strong means of copy protection. But no such schemes exist, and as I was arguing earlier, I don't think they will be found either because there are fundamental problems with the framework before one even gets to implementation details. Most security measures these days would be foolish to choose otherwise. My impression of the DRM work that was being undertaken is that most of it aiming towards open specifications that are provably secure. For instance the SDMI charter says, ...to develop open technology specifications that protect the playing, storing, and distributing of digital music Measures like this would indeed raise the bar in much the same way as some other security measures like SSL did. Well Kerchoff's principle (strength lies only in the key, assuming open specifications) is a very good thing, but I don't think in the case of copy protection schemes, abiding by it would raise the bar significantly. It would tend to remove the stupid things like the broken proprietary algorithms, simply because someone would look at the specs and guffaw before they'd shipped it. But schemes meeting the RIAA and MPAA's objectives are not buildable whether one uses good crypto or broken proprietary crypto, and whether one publishes what one designs or not. For example Microsoft's DRM v2 was cracked recently [1], and if you read the technical description, there is some sound crypto (SHA1, DES (small keys, but sound), ECC key exchanges) in the design as well as one proprietary block cipher used to build a MAC, but the attacker didn't even have to try to break the proprietary MAC, because the DRM v2 system, and _all such schemes generically_ are systemically flawed. (In this case the attacker simply read the keys from memory, and in fact with far less effort than anticipated by the implementors simply side-stepped their not that thorough attempts at obfuscation.) You can't hide things in the open in software on a PC. You can't even hide things in hardware if the attackers are determined. And as DeCSS shows a few million linux users and hackers counts as a very determined and incredibly technically able group of people. Adam [1] http://www.theregister.co.uk/content/4/22354.html - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: limits of watermarking (Re: First Steganographic Image in theWild)
This analogy doesn't quite hold. Copy protection need only be broken once for the protection to be disabled for a particular piece of work. Also, once the scheme is known for one piece of work, it is extremely easy to break the scheme for other pieces, and in particular to write an application that will do so. With crypto's bar-raising, OTOH, breaking one instance, like an SSL stream or an AES key, does not break all other uses of SSL or AES. In particular, SSL AES will provide the same degree of protection for any other communication of the same data between the same or other parties. Also, good crypto schemes are already widely known and designed explicitly so that knowledge of the scheme does not break the scheme. M. Roop Mukherjee wrote: The fact that someone can break open his box/software and sucessfully invalidate their verification scheme does not mean that there is no value in copy marks. Initial schemes that verify copymarks may not make it impossible to cheat, but they will raise the barrier. To compare, in theory one can break even strong encryption. We only try to make it sufficiently hard. The copy protection schemes that are being debated may not be as good at raising the bar as some others like SSL but the recording industry will push ahead because evey copyright violator discouraged means savings in the piracy attributed losses that their analysts (somewhat mysteriously) produce. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: limits of watermarking (Re: First Steganographic Image in theWild)
At 2:23 AM -0700 10/17/01, Ben Laurie wrote: The thing that gets me about all this is that exactly the same argument can be made for all existing media - and, although piracy is rife, no-one is attempting to mark videotapes or CDs, AFAIK. So why all the fuss about more modern digital media? Has no-one noticed all the ripped videotapes, CDs and DVDs? Are we really expected to believe the whole media reproduction industry is ever going to switch over to producing each disc individually, expensively watermarked? So what's the real agenda? Probably to maximize profit. Look at the DVD encryption. Encode the media differently for different markets, thereby allowing you to sell at higher prices in rich countries while still being able to make a modest profit at lower prices in poorer countries. I don't see much use for individually watermarked media. It is too easy to collect several copies and find the watermark with a diff operation. Cheers - Bill - Bill Frantz | The principal effect of| Periwinkle -- Consulting (408)356-8506 | DMCA/SDMI is to prevent| 16345 Englewood Ave. [EMAIL PROTECTED] | fair use. | Los Gatos, CA 95032, USA - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]