[Matroska-devel] Re: Re: Compromise Encryption Proposal

Joseph Ashwood ashwood at msn.com
Sat Jan 28 01:00:41 CET 2006

"Paul Bryson" <paul at msn.com> wrote in message 
news:drea7u$vb1$1 at sea.gmane.org...
> "Joseph Ashwood" wrote...
>> Actually, most of this is to push from auth^2 required for DRM, to auth^3 
>> required for auditing. This move is useful in only limited context, and 
>> is why I implied, but did not state openly as I am now, that only very 
>> high end splitters/decoders would need to be able to handle the 
>> reinterpretation portion. Such splitters would only be necessary for audit 
>> viewing purposes, and the ability to use a standard format with public 
>> analysis of the security makes this far more usable. As a major side 
>> benefit, the auth^3 model can actually prevent attacks on the splitter, 
>> as the splitter can be written to only process authenticated files.
> If the primary purpose is to authenticate the file, why not just sign the 
> product file and verify the signing before playback?

For the same reason that IT audit logs aren't built that way. If you wait 
until the file is completed then the window of opportunity to alter the file 
undetectably is the entire creation time. In the case of say a video from a 
bank it is entirely conceivable that same file could be for an entire month, 
this would represent an enormous security risk. Instead the file is signed 
in smaller pieces, perhaps per second or minute. Done properly it becomes 
impossible to edit the past without detection.

Before it is asked, a later unification signature is not functionable 
either, because it extends the window of exposure until the unification 
signature is performed.
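
[Added example, not part of the original message or of any Matroska code.] A sketch of per-segment sealing as described above: each segment's tag covers its index and the previous tag, so an edit or cut in the past breaks verification from that point on. HMAC-SHA256 stands in for a real signature, and the key, names and sample segments are assumptions constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed; stands in for the recorder's signing key
GENESIS = b"\x00" * 32          # chain start value (assumption)

def seal(prev_tag: bytes, index: int, data: bytes, key: bytes = KEY) -> bytes:
    """Tag one segment, binding it to its position and to the previous tag."""
    msg = prev_tag + index.to_bytes(8, "big") + hashlib.sha256(data).digest()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Recorder:
    """Seals each segment as it is produced, so exposure is one segment long."""
    def __init__(self, key: bytes = KEY):
        self.key, self.prev, self.log = key, GENESIS, []

    def append(self, data: bytes) -> None:
        tag = seal(self.prev, len(self.log), data, self.key)
        self.log.append((data, tag))
        self.prev = tag

def first_bad_segment(log, key: bytes = KEY):
    """Return the index of the first segment that fails, or None if all verify."""
    prev = GENESIS
    for i, (data, tag) in enumerate(log):
        if not hmac.compare_digest(tag, seal(prev, i, data, key)):
            return i
        prev = tag
    return None

def demo():
    rec = Recorder()
    for second in range(5):                     # constructed "one segment per second"
        rec.append(f"frame-data-{second}".encode())
    intact = first_bad_segment(rec.log)
    edited = list(rec.log)
    edited[1] = (b"replaced-footage", edited[1][1])   # edit the past, keep old tag
    spliced = rec.log[:2] + rec.log[3:]               # cut segment 2 out
    return intact, first_bad_segment(edited), first_bad_segment(spliced)

if __name__ == "__main__":
    print(demo())
```

A verifier can check any prefix of the log while recording is still in progress; with an asymmetric signature in place of the HMAC, the verifier would not need to hold the sealing key.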
