DRM, encryption, obfuscation, and open source

Posted by on . One comment.

There’s a fundamental problem with DRM. DRM is just a sleek marketing word for “Obfuscation”. In order to understand why this is the case, you need to have a basic understanding of cryptosystems.

A “cryptosystem” is any system designed to ensure secrecy of a piece of data. In security jargon, the data to be encrypted is called the “plaintext” (not the same thing as “plain text”, but similar). To encrypt and decrypt a plaintext, we use an “encryption function” and a “decryption function”. An encryption function takes a plaintext and a “key” and returns the encrypted text, which is known as “ciphertext.” The decryption function takes the ciphertext and the key, and returns the plaintext. In some systems, the decryption and encryption functions are the same, or the encryption and decryption keys are different, but every cryptographic system follows this general pattern.

So what does this have to do with DRM? Digital Rights Management is a term for any system that allows a user to encrypt data, and place restrictions on that data. The most familiar DRM is used to protect against the unauthorized distribution audio files. However, there are other uses for DRM, such as for email, where one can place restrictions on whether an email may be forwarded, or whether the text of an email can be copied and pasted. A DRM protected piece of data includes: a ciphertext, a key, and a set of rules about how the data may be used. Do you see the problem yet?

If DRM gives us the ciphertext and key, what prevents us from decrypting it and not obeying the rules? The problem is that we still lack the third element, the decryption function. This function exists in, say, Windows Media Player, but media player is trusted to follow the rules of the DRM, and only decrypt the data when it is allowed. The only reason that DRM works at all is because the decryption method is kept a secret. In security, there’s another name for a “secret” crypto algorithm. Security professionals call it “security by obfuscation”. There’s a saying among security and open source advocates: “Obscurity is not security”.

So on the one hand we have DRM, which revolves around secrecy and obfuscation, and on the other hand, we have open source software, which revolves around open standards and fredom of information. Obviously, these two concepts are completely incompatible. One cannot simultaneously have a truly open source software that simultaneously implements DRM. If DRM software was open source, it would be very easy to change the code so that the data was simply decrypted and left in an unencrypted state.

So it comes as no surprise that FOSS advocates are so vocally opposed to DRM. If DRM wins, Open Source loses. Unfortunately, it’s really that simple. The justification for opposing DRM on music files rests on some very sound argument. However, DRM has been portrayed as a morally wrong concept, despite the fact that it can be used for very positive purposes. One such purpose is using DRM with e-mail, which can be used to prevent private customer data from accidentally getting forwarded outside a company domain for instance.

I think open source advocates realize how incompatible the ideas of DRM are with open source software. They choose to oppose it by lumping it together with their opposition of the evil RIAA and MPAA. By associating DRM with RIAA, open source advocates have successfully given DRM a bad name.

Comments

  1. Tim says:
    September 19, 2006 at 11:41 am

    I also believe that DRM is fundamentally flawed (due to it’s nature as a cryptosystem) but that wasn’t the point of this blog post.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>