Is there any way to protect offline content using DRM ? i want to sell my videos offline to my clients. How i can make sure that content once copied to my clients Desktop , i.e window it will not further copy to any another machine?.
The typical way to address this is not by preventing file copy, which is a hard problem. Current DRM systems all work according to the principle that the file itself can be freely copied, but it is encrypted, usually with some variation of AES-128. Then if the user has a decryption key (which is part of a "license" uniquely bound to the user's machine) he or she can play the content.
Common DRM-friendly file formats are Microsoft's PIFF (Protected Interoperable File Format), and UltraViolet CFF (Common File Format), but there are others too.
Related
I am a Linux user and was unhappy to discover that HDCP protection on websites such as vhx.tv is preventing me from viewing the content in perfectly legitimate contexts because all Linux browsers lack HDCP support. Since HDCP was "broken" years ago, in terms of master key leaking, any device could theoretically authorize itself against an HDCP check.
Hypothetically, what is preventing someone from either writing a browser extension or creating a custom firefox build that overrides the DRM API in this way?
Why is there no such project, is it just a lack of interest or is there a hard technical barrier that is preventing this? How can anyone say that HDCP was "broken" if not even legitimate users can circumvent it when they wish to do so (eg. to watch DRM content on Linux)?
DRM systems are not within the browsers control usually, they are self-contained blobs, and the only way to get licenses (and therefore the content keys) is by using the DRM module to do a license acquisition operation.
Getting the license and decrypting and displaying the content happens within the DRM component (outside the purview of the browser) and can therefore not be accessing from a browser extension. The only way to get around that, would be to create an unauthorised version of the DRM module, get that loaded in the browser, and not have the server side code discover that the DRM module has been altered. This is generally very hard, and that is really what makes the DRM module work.
I'd like to provision a JavaCard so that it only allows the installation of applets that are signed by a certain key. I am not sure whether this signature is part of the cap file format. I can already install a cap file from an Android device via code taken from GlobalPlatformPro. The GlobalPlatformPro README (https://github.com/martinpaljak/GlobalPlatformPro/blob/master/README.md) mentions application signing. But I am not sure this is the way to accomplish what I need to do. I am not even sure this is possible at all.
How do I need to prepare a card to only allow installation of signed cap files?
How do I create such a cap file?
I can already lock a card with a certain key, and then this key is needed to install any cap file. But this would mean that I need to distribute the key with the cap files, so it can be installed. That is not an option as it would compromise the key.
You should read the Global Platform Specification, all information is given there.
Points to look out for that should match your requirements:
Mandated DAP Verification
Delegated Management Tokens
You will still probably need to check that your Java Card supports the given feature(at least Tokens are optional for card manufacturers) and you will need a terminal software that supports this feature(which might be difficult, as it is not very commonly used).
From what I surfed, once the power goes off in an FPGA you've to program it again. But I'm trying to implement an FPGA based security system using verilog. In that, I want the password of the system to be permanently stored i.e. even when the power goes off the password shouldn't be erased. It'll also be good if the program can be stored too. I'm a beiginner in FPGA. So please tell me how to do this. The device is XC3S400 Spartan 3 Family.
If you have a SRAM-based FPGA, like the Spartan 3, then you have to program it each time it is powered up. The reason for this is that the SRAM which stores the configuration is volatile and loses the programmed configuration after power is switched off.
The Spartan 3 AN is one of few Xilinx FPGAs which offer some amount of internal flash memory, but I can't give any details since I never used this feature myself.
Alternatively, there are purely flash-based FPGAs, which offer non-volatile configuration storage, i.e. you don't have to read in a configuration file each time the FPGA is powered on. You still have to configure it once, but it keeps the configuration after power is switched off. At the next powerup it will already be configured and ready to operate.
It all comes down to whether you have non-volatile memory inside your FPGA or not. Otherwise you need to use external ICs.
As an alternative solution to your custom-password: Many vendors offer tool support to encrypt the configuration bitstream. The configuration logic embedded inside the FPGA is able to decrypt the bitstream on the fly while it is being configured. It will still be possible for everyone to read the bitstream from the configuration PROM but since it is encrypted it will be of little use.
Generally at every powerup FPGA is loaded again from some sort of flash memory, and the bitstream it is loaded with is insecure, i.e. anybody can store it and then reproduce and even, theoretically, reverse-engineer it.
However, some FPGAs could be secured, for example by means of having unique cryptographic write-only key inside it, which the bitstream could be encrypted with. You can then program password inside your verilog code and check it as it is entered.
If your key or password is supposed to change often or should be different within each copy of the device, you should store it in external FLASH/EEPROM memory with the encryption provided by the permanent secret key inside FPGA.
In the past I used a SmartCard to store a randomly generated keyfile, which was used by TrueCrypt to open its volume. TrueCrypt used PKCS#11 to read the SmartCard and access the keyfile.
Now I'd like to do something similar, with EncFS. I wanted to store its xml config in a SmartCard. EncFS xml config has 1KB, so it fits, I can even store a few different config files in one SmartCard.
But EncFS doesn't support PKCS#11, as long as I was able to search for it. So, my idea would be to use the SmartCard as a very small and secure storage pendrive. Its readonly content would be mounted as a normal Windows drive letter, and EncFS would read its files.
Any idea how to achieve that?
This is a very interesting task. PKCS#11 devices usually are capable of holding generic BLOBs, although the size of those blobs is severely limited (usually a few hundred bytes). BLOBs have short text labels, so you can treat them as files.
I know that this task can be accomplished fully user mode with our products (SecureBlackbox for PKCS#11 access and Callback File System to create a virtual drive) and maybe you will alternative options as well. I don't think you'd be able to access PKCS#11 from the pure kernel-mode driver because most PKCS#11 "drivers" are user-mode DLLs.
The only problem with this approach is that common PKCS#11 devices (smartcards, USB tokens) are very slow AND also they require that you login before providing any information.
Another possible problem is when exactly this file is needed to EncFS. If it's to be read after you login, that's ok. But if the file is to be read during system boot, then the task would become much more complicated (if possible at all -- that depends on what exactly stage of system booting the file is read by EncFS).
What are some platform-specific API's that web browsers use to securely save passwords with reversible encryption on local systems?
Since they must be able to reproduce the exact characters to pass up to a web site, the data can't be a one-way hash. My initial thought is there are system methods which utilize your current authentication data to perform encryption/decryption, but do not give access to applications to read it (your system login data) directly. I'm wondering what these are on different platforms (Windows, Linux, OS X) and how well they protect the information if the hard drive is accessed directly; i.e. a stolen laptop hard drive is placed into another computer or analyzed via a Live CD.
Here's how google chrome does it. Looks like they use CryptProtectData on windows.