Thursday, 10 November 2011

DRM is always broken

I have received a couple of spam comments on old posts of mine from a company with a vested interest in promoting DRM software. Their comment is that DRM needs "built in safeguards" to prevent "reverse engineering or bypassing". Leaving aside the fact that bypassing DRM is the same as defeating it entirely, if it were good encryption and you could reverse engineer the method, it would not mean anything for attacks, since good encryption depends on the security of the key, not the obscurity of the method. You should be able to publish your encryption software as open source, and this will actually increase its security, because more people will be able to find and alert you to bugs.

Now, when it is applied to DRM, encryption is a pointless endeavour, because the message recipient and the potential attacker are the same person. All DRM systems, if people care at all about what they are protecting, will be cracked and defeated eventually. That's not because they've all been written badly, but because they all depend on a misuse of encryption. You can't hand someone an encrypted message and the key to decrypt it and still control how they use them together. There is no good way to hand someone a decryption key that they can only use when you say so. When you write DRM, you must write bad encryption, because that's how it works.

In practice, systems do hold up for a while, but in theory (which precedes practice) all DRM systems are fundamentally flawed, because that is the essential nature of DRM. So when you come up with a new protection scheme, you will see it succeed for a while, then become totally worthless. That's what happened with CSS on DVDs, HD-DVD, and HDCP as well. It will happen with Blu-Ray, if that even matters any more, it will happen to the Kindle, and it will happen to LockLizard. The systems will get revised, and they will get hacked again. The only way they die is for people to stop caring about what is protected, at which point they also stop buying it, and the revenue goes away. That's really bad business.

Mokalus of Borg

PS - DRM is anti-customer technology anyway.
PPS - So why would you want it?


Vicky Milza said...

Hi all,

DRM starts with the encryption of the content. Once the content is encrypted, a key is required to unlock the content. The encrypted content can be delivered either through streaming or HTTP download. DRM works for both on-demand and live streaming content. Thank you...

Access Rights

John said...

Hi, Vicky,

Once you deliver unencrypted content to a user, it is impossible to control what they do with it, and you have to deliver unencrypted content at some point, or else you're just delivering noise.

Thank you.