{"id":214,"date":"2008-03-16T21:12:02","date_gmt":"2008-03-17T05:12:02","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/2008\/03\/16\/apples-hymnfairplay-drm\/"},"modified":"2008-03-16T21:12:02","modified_gmt":"2008-03-17T05:12:02","slug":"apples-hymnfairplay-drm","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2008\/03\/16\/apples-hymnfairplay-drm\/","title":{"rendered":"Apple&#8217;s Hymn\/FairPlay DRM"},"content":{"rendered":"<p><font face=\"Calibri\"><strong>Summary<\/strong><\/font><\/p>\n<p><font face=\"Calibri\"><a href=\"http:\/\/arstechnica.com\/articles\/culture\/drmhacks.ars\">FairPlay <\/a>is a digital rights management (DRM) scheme developed by Apple for the iTunes Store to prevent users from redistributing playable copies of purchased content. It has been cracked numerous times in different ways to create unrestricted, unencrypted versions of that content. The technology has been stripped by a series of tools, the best known being Hymn (originally released as PlayFair), which gives this post its title; the DRM scheme itself is still called FairPlay.<\/font><!--more--><\/p>\n<p><font face=\"Calibri\"><strong>Assets and Security Goals (from Apple&#8217;s perspective)<\/strong><\/font><\/p>\n<ul>\n<li><font face=\"Calibri\">Maintain control over the content and over its distribution channel<\/font><\/li>\n<li><font face=\"Calibri\">Control of users&#8217; media-player choices (FairPlay content plays only in iTunes and on iPods)<\/font><\/li>\n<li><font face=\"Calibri\">Keep customers satisfied with Apple, for the sake of its reputation and customer base<\/font><\/li>\n<\/ul>\n<p><font face=\"Calibri\"><strong>Potential Adversaries<\/strong><\/font><\/p>\n<ul>\n<li><font face=\"Calibri\">Anyone who wants free music\/video<\/font><\/li>\n<li><font face=\"Calibri\">Hackers who dislike DRM restrictions on moral grounds, or who simply want recognition for breaking DRM<\/font><\/li>\n<li><font face=\"Calibri\">Operators of any media-distribution network that would benefit from having more content to distribute<\/font><\/li>\n<\/ul>\n<p><font face=\"Calibri\"><strong>Potential 
Weaknesses<\/strong><\/font><\/p>\n<ul>\n<li><font face=\"Calibri\">Early versions of the player decrypted the song into RAM, where the plaintext audio could be read back out and written to a DRM-free file. (The attacker had to be a licensed user already, since a valid key is needed to reach the decrypted form.)<\/font><\/li>\n<li><font face=\"Calibri\">Whatever the scheme, the song must eventually reach an unencrypted form, since today&#8217;s audio hardware consumes a plaintext stream; both the key and the decrypted data therefore exist at some point on a machine the adversary controls.<\/font><\/li>\n<li><font face=\"Calibri\">Songs were encrypted on the client side: the store sent the purchased file unencrypted and relied on iTunes to apply FairPlay after download, so a program that imitates iTunes to the store can complete the purchase and simply skip the encryption step.<\/font><\/li>\n<\/ul>\n<p><font face=\"Calibri\"><strong>Potential Defenses<\/strong><\/font><\/p>\n<ul>\n<li><font face=\"Calibri\">Encrypt files on the server side before sending them, so that the client never receives plaintext it is merely trusted to wrap<\/font><\/li>\n<li><font face=\"Calibri\">Obfuscate the iTunes purchase and download protocol, so that developers cannot easily create fake iTunes programs like PyMusique that trick the server into thinking it is talking to iTunes and sending over the unencrypted songs; this only raises the cost of the attack, since the real client can still be reverse-engineered<\/font><\/li>\n<li><font face=\"Calibri\">Update the encryption scheme regularly, even before it is broken, to stay ahead in the cat-and-mouse game: as long as the iTunes release cycle is shorter than the crackers&#8217; turnaround for the corresponding update, the window in which any one crack works stays small and Apple wins out<\/font><\/li>\n<\/ul>\n<p><font face=\"Calibri\"><strong>Risks<\/strong><\/font><\/p>\n<p><font face=\"Calibri\">If users can purchase music through iTunes or a substitute program and then strip the encryption, they are free to play it in other media players and on other platforms. This costs Apple revenue and reduces the number of computers on which its software is installed. Apple also loses revenue if decrypted music shows up on BitTorrent sites or other distribution networks. 
Lastly, if typical computer users (who make up the majority of its customer base) become frustrated with DRM limitations, Apple will lose money as they switch to other technologies.<\/font><\/p>\n<p><font face=\"Calibri\"><strong>Conclusion<\/strong><\/font><\/p>\n<p><font face=\"Calibri\">DRM continues to evolve and is getting more complicated, so the hacks too become more complicated. It is possible that DRM will eventually be unbreakable in practice, particularly if the content stays encrypted all the way to the hardware that decodes it, so that the plaintext never appears in memory the user can read (as was mentioned recently as a possibility by one of our guest speakers). However, Apple and other DRM developers should be careful not to aggravate their customer base with overly restrictive DRM.<\/font><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary FairPlay is a digital rights management (DRM) scheme developed by Apple for the iTunes Store to prevent users from redistributing playable copies of purchased content. It has been cracked numerous times in different ways to create unrestricted, unencrypted versions of that content. 
The technology has &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2008\/03\/16\/apples-hymnfairplay-drm\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":45,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-214","post","type-post","status-publish","format-standard","hentry","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/214","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/45"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=214"}],"version-history":[{"count":0,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/214\/revisions"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=214"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=214"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=214"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
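The post's two purchase designs (client-side encryption, which a PyMusique-style fake client bypasses by skipping the wrapping step, and server-side encryption, which closes that hole) together with the "decrypted in RAM" weakness, modeled as an added example. This is illustrative code written for this review, not Apple's, PyMusique's or Hymn's code; the store, the song bytes, the per-account key and the HMAC-derived XOR keystream are all constructed stand-ins for the real iTunes Store protocol and FairPlay's cipher.

```python
"""Toy model of the FairPlay purchase flow from the review above.

Everything here is constructed for illustration: the store, the clients,
the song bytes, the per-account key, and a keyed-XOR keystream derived with
HMAC-SHA256 that stands in for the real (AES-based) FairPlay cipher.
"""
import hashlib
import hmac

SONG = b"constructed sample audio bytes, not a real track"  # constructed input
USER_KEY = hashlib.sha256(b"constructed per-account key").digest()  # constructed


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC a block counter to produce a keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


class Store:
    """The music store. With encrypt_on_server=False it sends plaintext and
    trusts the client to wrap the song after download (the design the
    PyMusique-style attack relies on)."""

    def __init__(self, encrypt_on_server: bool):
        self.encrypt_on_server = encrypt_on_server

    def buy(self, user_key: bytes) -> bytes:
        if self.encrypt_on_server:
            return xor_crypt(user_key, SONG)  # client only ever sees ciphertext
        return SONG  # plaintext over the wire


class HonestClient:
    """Models iTunes: keeps the song encrypted on disk, decrypts into RAM to play."""

    def __init__(self, user_key: bytes):
        self.user_key = user_key
        self.library = b""

    def download(self, store: Store) -> None:
        data = store.buy(self.user_key)
        if not store.encrypt_on_server:
            data = xor_crypt(self.user_key, data)  # the step a rogue client skips
        self.library = data

    def play(self) -> bytes:
        # The decrypted stream must exist in memory to be played: this is the
        # 'readable in RAM' weakness from the review, present in both designs.
        return xor_crypt(self.user_key, self.library)


class RogueClient:
    """Models a PyMusique-style client: completes the purchase, saves the file
    exactly as received, never applies the DRM wrapping."""

    def __init__(self, user_key: bytes):
        self.user_key = user_key

    def download(self, store: Store) -> bytes:
        return store.buy(self.user_key)

    def strip_with_user_key(self, received: bytes) -> bytes:
        # A key-extracting tool (the Hymn/PlayFair approach) still wins against
        # server-side encryption, because the account key lives on the client.
        return xor_crypt(self.user_key, received)


def is_plaintext(data: bytes) -> bool:
    return data == SONG


def run_scenarios() -> dict:
    """Run both designs and report where plaintext ends up."""
    results = {}
    for label, server_side in (("client_side_encryption", False),
                               ("server_side_encryption", True)):
        store = Store(encrypt_on_server=server_side)
        honest = HonestClient(USER_KEY)
        honest.download(store)
        rogue = RogueClient(USER_KEY)
        received = rogue.download(store)
        results[label] = {
            "honest_library_is_plaintext": is_plaintext(honest.library),
            "rogue_file_is_plaintext": is_plaintext(received),
            "rogue_with_user_key_is_plaintext": is_plaintext(rogue.strip_with_user_key(received)),
            "honest_playback_is_plaintext": is_plaintext(honest.play()),
        }
    return results


if __name__ == "__main__":
    for design, outcome in run_scenarios().items():
        print(design, outcome)
```

Moving encryption to the server removes only the "skip the wrapping step" attack; in the model the rogue client that also reads the account key, and the honest player's own decrypt-to-RAM step, still yield plaintext under both designs, which is the review's second weakness in code.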