Free Subscription
Click Here

Public Key Encryption

The encryption process may be private or public. Public key encryption is an asymmetric authentication and encryption process that uses two keys, a public key and a private key, to setup and perform encryption between communication devices. The public key and private keys can be combined to increase the key length provider and more secure encryption system. The public key is a cryptographic key that is used to decode information that was encrypted with its associated private key. The public key can be made available to other people and the private key is only used by the owner of the key pair.

The encryption process may be continuous or it may be based on specific sections or blocks of data. A media block is a portion of a media file or stream that has specific rules or processes (e.g. encryption) applied to it. The use of blocked encryption may make re-synchronization easier which may occur if there are transmission errors.

There are several types of encryption processes used in DRM systems including PGP, RSA, DES, AES, RC5 and ISMACrypt.

Pretty Good Privacy (PGP)

Pretty good privacy is an open source public-key encryption and certificate program that is used to provide enhanced security for data communication. It was originally written by Phil Zimmermann and it uses Diffie-Hellman public-key algorithms.

Rivest, Shamir and Aldeman (RSA)

Rivest, Shamir and Adleman is a public key encryption algorithm named after its three inventors. The RSA algorithm is an encryption process that is owned by RSA Security, Inc. The RSA algorithm was patented in 1983 (patent number 4,405,829). 

The RSA encryption process encodes the data by raising the number to a predetermined power that is associated with the receiver, divided the number by predetermined prime numbers that are also associated with the receiver and transferring the remainder (residue) as the ciphertext. 

Data Encryption Standard (DES)

The data encryption standard is an encryption algorithm that is available in the public domain and was accepted as a federal standard in 

Triple data encryption standard (3DES) is a variation of the data encryption standard that adds complexity to the encryption process by increasing the difficulty to break the encryption process.

Advanced Encryption Standard (AES)

Advanced encryption standard (AES) is a block data encryption standard promoted by the United States government and based on the Rijndael encryption algorithm. The AES system uses a fixed block size of 128 bits and can have key sizes of; 128, 192 or 256 bits. The AES standard is supposed to replace the Data Encryption Standard (DES).

Rivest Cipher (RC5)

RC5 is a symmetric block encryption algorithm that was developed by the expert cryptographer Ronald L. Rivast. RC5 is a relatively simple, efficient encryption process that can use variable block sizes and key lengths. The RC5 encryption process has block sizes of 32, 64 or 128 bits and can use a key size that can range from 0 to 2040 bits.

International Streaming Media Association (ISMACrypt)

International streaming media association encryption is a privacy coding process that was developed by the ISMA for streaming applications. 

Digital Watermarks

A digital watermark is a signal or code that is hidden (typically is imperceptible to the user) in a digital signal (such as in the digital audio or a digital image portion) that contains identifying information. Ideally a digital watermark would not be destroyed (that is, the signal altered so that the hidden information could no longer be determined) 

A digital watermark is extracted by a software program or assembly that can separate the watermark from a media file. This watermark may be used to provide the key that is able to decode and play the media file. The process of watermarking is called steganography.

Watermarks can be encrypted to increase the resistance of the DRM system to hackers. Encrypted watermarks are tamper resistant information that is added (data embedding) or changed information in a file or other form of media that can be used to identify that the media is authentic or to provide other information about the media such as its creator or authorized usage. While it may be possible to identify the watermark in the media file, a decryption code is needed to decipher the contents of the watermark message.

Digital watermarks can be added to any type of media files such as digital video and audio. Video watermarking may be performed by adding or slightly modifying the colors and/or light intensities in the video in such a way that the viewer does not notice the watermarking information. Audio watermarking may be performed by adding audio tones above the normal frequency or by modifying the frequencies and volume level of the audio in such a way that the listener does not 

Figure 1.17 shows how watermarks can be added to a variety of media types to provide identification information. This example shows that digital watermarks can be added to digital audio or video media by making minor changes to the media content. The digital watermark is added as a code that is typically not perceivable to the listener or viewer of the media. This example shows that digital watermarks can be added to audio signals in the form of audio components (e.g. high frequency sound) or video components (color shift) that cannot be perceived by the listener or viewer.

Digital Fingerprint

A digital fingerprint is a unique set of characteristics and data that is associated with a particular data file, transmission system or storage medium. Digital fingerprints may be codes that are uniquely embedded in a media file or they may be unique characteristics that can be identified in the storage or transmission medium such as the particular variance of digital bits that are stored on a DVD.

A digital certificate is information that is encapsulated in a file or media stream that identifies that the media has been originated by a specific person or device. Certificates are usually created or validated by a trusted third party who guarantees or assures that the information contained within the certificate is valid. 

A trusted third party is a person or company that is recognized by two (or more) parties to a transaction (such as an online) as a credible or reliable entity who will ensure a transaction or process is performed as both parties have agreed. Trusted third parties that issue digital certificates are called a certificate authority (CA). The CA typically requires specific types of information to be exchanged with each party to validate their identity before issuing a certificate.

The CA maintains records of the certificates that it has issued in repositories and these records allow the real time validation of certificates. If the certificate information is compromised, the certificate can be revoked.

Figure 1.18 shows how digital certificates can be used to validate the identity of a provider of content. This diagram shows that users of digital certificates have a common trusted bond with a certificate authority (CA). This diagram shows that because the content owner 

Digital Signature

A digital signature is a number that is calculated from the contents of a file or message using a private key and appended or embedded within the file or message. The inclusion of a digital signature allows a recipient to check the validity of file or data by decoding the signature to verify the identity of the sender.
To create a digital signature, the media file is processed using a certificate or validated identifying information using a known encoding (encryption) process. This produces a unique key that could only have been created using the original media file and identifying certificate. The media file and the signature are sent to the recipient who separates 

Secure Hypertext Transfer Protocol (S-HTTP)

Secure hypertext transfer protocol is a secure version of HTTP protocol that is used to transmit hypertext documents through the Internet. It controls and manages communications between a Web browser and a Web server. S-HTTP is designed to privately send and receive messages without the need to setup and maintain a security session.

Machine Binding

Machine binding is the process of linking media or programs to unique information that is located within a computer or machine so the media or programs can only be used by that machine. 

Conditional Access (CA)

Conditional access is a control process that is used in a communication system (such as a broadcast television system) that limits the access of media or services to authorized users. Conditional access systems can use uniquely identifiable devices (sealed with serial numbers) and may use smart cards to store and access secret codes. CA systems use a subscriber management system coordinates the additions, changes, and terminations of subscribers of a service. 

Product activation is the process of enabling a product to begin operation by entering information into the product through the use of either local operations (e.g. user keypad) or via an external connection (downloading the information into the product). Product activation usually requires that certain customer financial criteria must also be met before the product activation is performed or before the necessary product entry information is provided to the customer. 

Secure Socket Layer (SSL)

A secure socket layer (SSL) is a security protocol that is used to protect/encrypt information that is sent between end user (client) and a server so eavesdroppers (such as sniffers on a router) cannot understand (cannot decode) the data. SSL version 2 provides security by allowing applications to encrypt data that goes from a client, such as a Web browser, to a matching server (encrypting your data means converting it to a secret code) SSL version 3 allows the server to authenticate (validate the authenticity) the client.

SSL uses a public asymmetric encryption process that uses a key pair. One key is private and one key is public. The private key is only used by the owner of the key pair and the public key can be shared with others. The SSL process uses certificates from trusted third parties (certificate authorities) that validate the authenticity of messages and users. 

Because the asymmetric encryption process used by the SSL system is relatively complex and time consuming to process, the SSL system may change its encryption process to use symmetric encryption after the initial asymmetric public key secure link has been setup.

Figure 1.19 shows how secure socket layer can be used to protect the transfer of digital information between the user (client) and the provider (server) of the information. This diagram shows that SSL operation uses asymmetric public key encryption to allow the sharing of public keys and that a certificate authority is used as a trusted third party to provide public keys that accessible and verifiable. In this example, the CA has provides a key pair (public and private key) to a vendor. The server (vendor) provides their public key in their certificate which allows the user to decode encrypted messages that are provided by the vendor. The vendor certificate is signed by the CA which can be verified by the user. This example shows that after SSL public key encryption link is established, the SSL system can exchange keys that can be used for a less complex symmetrical encryption process.

Transport layer security is a set of commands and processes that are used to ensure data transferred across a connection is private. TLS is composed of two protocol layers; TLS record protocol and TLS handshake protocol. TLS is the evolution of secure socket layer (SSL) protocol that was developed by Netscape. TLS is defined in RFC 4346.