Public Key Cryptography

[Taylor514ce]

Double-talk. Content's "license"? When I buy a book, I own that copy of the book. Period.

This idea of a "license" to "content" is a legal fiction. Any attempts to base a system on the concept of a license to use content is going to fail, as has been amply demonstrated by the current state of affairs.

What I'm suggesting via pk-cryptography is a way to generate a copy of a book unique to an individual purchaser.

You also haven't explained the rationale for limiting content to a specific number of devices.

[Peter Sorotokin]

Quote:

Originally Posted by Taylor514ce

Please to explain why?

You may not want to reencrypt the content for every user (although, some systems do that). Generating public-private key pair from a password is not commonly done in RSA cryptography (and it is just easier to keep the key on the server anyway). Also, typically, you have to limit a number of devices in some way or many content providers just won't take you seriously.

[Peter Sorotokin]

Quote:

Originally Posted by Taylor514ce

Double-talk. Content's "license"? When I buy a book, I own that copy of the book. Period.

This idea of a "license" to "content" is a legal fiction. Any attempts to base a system on the concept of a license to use content is going to fail, as has been amply demonstrated by the current state of affairs.

What I'm suggesting via pk-cryptography is a way to generate a copy of a book unique to an individual purchaser.

You also haven't explained the rationale for limiting content to a specific number of devices.

Hey, I am not going to engage into discussion about licensing vs. owning from a legal standpoint - it is an endless debate and I am sure you know all the pro and con arguments already. Similarly, I am not prepared to discuss what will succeed or fail in the marketplace.

What I am talking about is that from an engineering point of view, there is a license associated with a particular piece of content which determines what can be done with the content.

Limiting to a small number of devices - that's requirement from the content providers. For instance, in most cases, libraries won't be able to lend you copyrighted material if it can be copied and used to arbitrary number of devices. However with that restriction in place they can lend you a PDF file just fine (and for free, BTW).

[Taylor514ce]

Fair enough. I appreciate hearing the issue from the perspective of a DRM vendor, operating under the constraints imposed by content providers.

I think the whole thing is a charade, however. DRM only provides the illusion of the kind of control publishers seek. Any system that provides perfect control makes the content unusable to consumers (or unpalatable). Give the consumers exactly what they want (no restrictions on MY copy of the book I just purchased) and the publisher has no protection.

I think recognition and compromise is needed from both sides. Publishers have to understand that it is impossible to generate digital content that can't be copied, and consumers need to understand that publishers need to impose some control over the content to prevent indiscriminate copying.

Encrypting the content per user (rather than device) seems a reasonable compromise, to me.

[Peter Sorotokin]

Quote:

Originally Posted by Taylor514ce

Encrypting the content per user (rather than device) seems a reasonable compromise, to me.

I agree.

[moz]

PKI does not work as DRM - it's useful for transmitting a copy of the book only to one particular user, but once the user has it they decrypt the book and have a completely free copy. There's nothing to stop them sending that decrypted copy to whoever they like.

DRM works the other way round - transmit the copy to everyone but only the permitted users can view it. That requires a locked viewer so that it will only display content licensed to it in some way, but it generally will not provide a copyable output (that defeats the whole point). If you "hide" the user's private key in the viewer and only allow viewing you have the CSS bug - all it takes is one person to find that key and it's game over. There are newer systems that try to work around that by updating the keys every time they're used. Similar problem, as I'm sure many of you know.

This is complicated by the number of legal systems, not all of which allow the restrictions that copyright owners would like and many of which make it legal to distribute equipment that removes illegal restrictions. The US, in contrast, makes it illegal to distribute that equipment even when it's designed to only allow the removal of illegal measures. Which is kind of odd, but there you have it.

[Taylor514ce]

Quote:

Originally Posted by moz

PKI does not work as DRM - it's useful for transmitting a copy of the book only to one particular user, but once the user has it they decrypt the book and have a completely free copy. There's nothing to stop them sending that decrypted copy to whoever they like.

The software does the decryption, not the user. The files on the file system stay encrypted. To create a clear text copy to pirate, the user would have to write their own decryption program. And yes, this would be possible. Again, the goal is not to make piracy impossible. At some point in ANY process, the user must be able to read the book, and that means clear text will be visible / accessible / copyable.

I can't think that publishers really believe that a "perfect" DRM system is possible. What they want is protection from casual copying; a system that mimics a physical transaction: one person buying a unique copy of a book.

The system I'm proposing, I think, meets that need, while not limiting my personal use of the books I buy.

[Taylor514ce]

A book from an author I thoroughly enjoy, Simon Singh, "The Code Book" is extremely entertaining and educational. One of the latter sections of the book discusses the development of public key cryptography. It is one of those books which tells the backstory, describing the events and the people involved. It's a wonderful book, and while there isn't an e-book version, there is a CD version of the book. One of the very interesting features of the CD is a working virtual Enigma, a WWII-era German encryption device.

[moz]

Quote:

Originally Posted by Taylor514ce

The software does the decryption, not the user. The files on the file system stay encrypted.

So you only "own" the book while you can still run the software they provide under whatever conditions they choose to impose on the day. That's exactly the same as current DRM systems, with all the same problems and flaws.

You can't have "open" and "locked against the user" in the same place, it just does not work. Whether you can have the latter at all is an open question (at least to some people). If you simply say "here's an algorithm and a sample implementation, send us your public key" you're using PKI, otherwise it's DRM. Most existing DRM systems already use variants of PKI somewhere, adding it does not make your DRM special.

[Taylor514ce]

I'm not sure I understand the points you're trying to make, so I hesitate to respond in depth. Yes, if you want to use an encryption system, you have to have software to decrypt things. If you stop using the software, you can't decrypt your files. Similarly, your email is only accessible if you use an email program. Uninstall your email program and then try to read your email, and yes, I suspect you'll have some problems.

[tompe]

Quote:

Originally Posted by Taylor514ce

I'm not sure I understand the points you're trying to make, so I hesitate to respond in depth. Yes, if you want to use an encryption system, you have to have software to decrypt things. If you stop using the software, you can't decrypt your files. Similarly, your email is only accessible if you use an email program. Uninstall your email program and then try to read your email, and yes, I suspect you'll have some problems.

Well, cat and less works perfectly well reading most emails. And email handling is standardized so you can write your own programs. So I think moz' point is perfectly valid and correct.

[Taylor514ce]

What is the point? I didn't understand it. I'm suggesting a system where the books are encrypted and you use a reader program to decrypt and read them. He seems to be objecting to the idea of having to use a software program to read the books. I don't know what you'd use if you didn't use a software program, thus my comparison to email and email software.

The main difference is that the books are encrypted to the user, via a key, rather than to a device.

[tompe]

Quote:

Originally Posted by Taylor514ce

What is the point? I didn't understand it. I'm suggesting a system where the books are encrypted and you use a reader program to decrypt and read them. He seems to be objecting to the idea of having to use a software program to read the books. I don't know what you'd use if you didn't use a software program, thus my comparison to email and email software.

The reader program will not work on all platforms and when the company doing the reader program dissappear then it will definitely not work on new platforms. So exactly the disadvantages we have now with DRM.

[tompe]

Quote:

Originally Posted by Taylor514ce

He seems to be objecting to the idea of having to use a software program to read the books. I don't know what you'd use if you didn't use a software program, thus my comparison to email and email software.

The objection was to using a secret software. If the software is not secret then you can decrypt the file and read it with whatever you want.

[Taylor514ce]

Ah, now I understand. Thanks. Sorry, moz, I was just dense.

Understand I'm talking about a theory only, and in this ideal theory, DRM would disappear, and all book publishers would agree, if not on a format, at least on an encryption infrastructure. Thus any software developer, including third parties, could publish a reader application that supported "e-book encryption". If you don't like one reader application, use a different one.

The reader app doesn't matter. The encryption scheme is public, which doesn't matter either. The strength of public key encryption is that the encryption method is known and the encryption keys are public. The power of the method is that it still requires a private key to decrypt a file. So, anyone could build a decrypting reader application. The e-book publisher cannot lock you into a device or application. They can only lock the book to your public key. The encryption method is not secret, the app isn't secret. The only secret is your private key.

Keep in mind the goal of this system isn't to prevent piracy, a technological impossibility. It's a system to key a book to a person, which is analogous to a person walking into a store and picking a copy of a book off a shelf and buying it, with the additional goal of providing a reasonable degree of protection against casual copying.