It's been a tough summer for data security

Those of you working in media encryption and identification might be looking back with fondness at last year, when the DeCSS DVD-Video security-circumventing scheme was the worst thing you had to worry about (see "Media security thwarts temptation, permits prosecution," EDN, June 22, 2000, pg 101). In the past few months alone:

• Edward Felton, a professor at Princeton University, and his associates successfully attacked four audio-watermarking proposals that the SDMI (Secure Digital Media Initiative) were considering. The researchers received a letter from legal representatives of the Recording Industry Association of America threatening prosecution under the DMCA (Digital Millennium Copyright Act). As a result, the researchers did not publish and present their results, as they originally planned, at the April 25 to 27 Information Hiding Workshop in Pittsburgh. However, after months of negotiation, they presented the paper on Aug 15 at the Usenix Security Conference. You can download the paper, presentation, and legal documents at www.cs.princeton.edu/sip/sdmi.
• Charlie Pride released his latest album, A Tribute to Jim Reeves, with anticopying technology that SunnComm (www.sunncomm.com) developed. Hackers promptly circumvented it with the aid of bit-accurate CD-"ripping" and -duplicating, such as CDFS.VXD and Exact Audio Copy (see "Software delivers the sound of savings,"EDN, Sept 1, 2000, pg 24). Why anyone would want to copy a Charlie Pride album remains unclear.
• Students at the University of California—Berkeley successfully, in a few minutes, and "using only inexpensive" off-the-shelf equipment, defeated the WEP (wired-equivalent-privacy) security algorithm built into the IEEE 802.11 wireless-networking standard. Read all about their results at www.isaac.cs.berkeley.edu/isaac/wep-faq.html.
• Russian computer programmer Dmitry Sklyarov surmounted the media security built into Adobe's Acrobat ebook format and was promptly jailed under the DMCA. Although Sklyarov has since been released, the FBI is still investigating the case.
• An anonymous programmer has, according to a recent article inTechnology Review, also broken the encryption in Microsoft's e-book-security scheme, and researchers have also discovered vulnerabilities in Microsoft's Passport user-identification protocol.
• Dutch cryptographer Niels Ferguson discovered "fatal flaws" in the Intel HDCP (High Bandwidth Digital Content Protection) algorithm, the security scheme at the heart of Secure DVI (Digital Video Interface). Ferguson refuses to publish his results, saying he fears prosecution under the DMCA.

Given enough time and processing horsepower, a determined attacker can use brute force to crack any encrypted data set. With processing power on an exponentially increasing trend, which 2-GHz, software-based Pentium 4 processors and hardware-based FPGAs exemplify, cunning individuals and groups are rapidly obsoleting security algorithms.

"Ultimately, if it is possible for a consumer to hear or see protected content," says Felton, "then it will be technically possible for the consumer to copy that content."