This past week’s massive National Association of Broadcasters (NAB) trade show in Las Vegas, like the CES and World Mobile Congress shows earlier this year, was rather light on announcements related to digital rights technologies.
One of the relevant announcements came from Microsoft, which publicized Samsung’s agreement to integrate PlayReady DRM into a wide range of its consumer electronics products. The arrangement is nonexclusive, meaning that Samsung will be able to (and indeed already does) incorporate other DRMs in its products.
A more interesting announcement came from Widevine. Widevine announced that it is partnering with Arxan Technologies to provide software hardening technologies for its multiplatform DRM.
Software hardening is a necessary part of DRM deployment that doesn’t get much press amid discussions of DRM platforms like Widevine, PlayReady, Marlin, OMA DRM, and so on. When DRMs are hacked, it’s often not because of the DRM technology itself but rather the software that surrounds it — such as the software that handles encryption keys and the authentication of users or devices. For example, if the surrounding software reveals keys (or even worse, decrypted content) in such a way that a hacker can grab hold of them, then the DRM itself is compromised. The degree to which such a hack defeats the DRM (e.g., for just one user or system-wide) varies according to how well the entire system is designed to recover from breaches.
No DRM is entirely hack-proof. But to ensure that DRM implementations are as secure as possible, entities that license DRM technologies define so-called robustness rules, which licensees must follow in order to use the technology. Robustness rules dictate things like how keys and decrypted content must be protected. Many DRMs have associated licensing agencies, such as Content Management Licensing Authority (CMLA) for OMA DRM and Marlin Trust Management Organization (MTMO) for Marlin. Other vendors, like Microsoft, Adobe, and Widevine, provide their own licensing functions for their DRMs.
Yet the implementer (e.g., the developer of a content service or application) must determine for itself how to produce software that follows robustness rules. DRM technology vendors generally don’t provide tools or assistance. Techniques for securing commercial software (e.g., code obfuscation, tamper detection, code encryption) have been around for many years, but DRM gives rise to specialized requirements for code hardening.
The need for such tools can, frankly, come as an unpleasant surprise in terms of cost and complexity, even though the tools are necessary for DRMs to stand a chance of surviving hack attempts. The best-known vendor of software hardening tools for DRM has been Cloakware, a company based in the US and Canada that has been owned since 2007 by Irdeto, a leading vendor of cable TV conditional access and DRM technologies. Cloakware has been working with most of the major DRMs and has been almost a de facto standard.
Arxan was established in 2001 and has developed a reputation for software hardening in the government/military sector and for commercial applications in general. The company has been poking around the DRM space for a couple of years (for example, Arxan’s then-chief scientist spoke at my Digital Rights Strategies conference in July 2007) and has garnered a few customers.
This announcement with Widevine gives Arxan a boost of credibility in the DRM market. It should also help introduce some welcome competition in a market where there hasn’t been much and where the need is growing. Until recently, DRM applications have run either on PCs/Macs or on low-capability mobile devices. On PCs and Macs, many software hardening techniques already exist that can at least partially be applied to DRM applications. Low-capability mobile devices are “walled garden” environments that don’t require much in the way of software security.
But now, with the proliferation of “app phone” platforms like the iPhone, Android, and BlackBerry (as well as cross-platform DRMs like Widevine, PlayReady, Marlin, and OMA DRM), content application developers need software hardening tools and techniques that can apply across multiple platforms without much incremental work. Content owners require application developers to use DRM, yet developers often push back when confronted with the cost and complexity of implementing it. Adherence to robustness rules is one part of that cost and complexity that the industry has an opportunity to improve, making DRM more acceptable to those who must foot the bill for it. Arxan’s push into the DRM market with Widevine is a welcome step in the right direction.