Convergence is a cool concept. As embedded systems designers, once we’ve got a versatile computing platform constructed inside a mobile device, it’s exciting to think of all the plus-ones we can add by including plug-in software modules, small incremental pieces of hardware, or plug-and-play peripherals through standardized interfaces. The conceptual leap from mobile phone to PDA to media player is pretty small once you start down the path.
Unfortunately, slapping on the cool new features isn’t always the tricky part. Before your customers can lounge out listening to their favorite tunes, tune in to the latest video feed, or feed their curiosity with megabytes of proprietary data, you’ll need to convince the content providers that your device isn’t just a highly portable hole in their copyright protection scheme.
Digital Rights Management (DRM) is becoming an increasingly important issue for developers of mobile devices. The embedded device environment, however, isn’t always completely security-friendly. We often craft our creations by sticking together hardware-IP, software, middleware, and other components from a variety of sources into Franken-systems that make a unified security scheme challenging to deliver. Often, the biggest security holes of all are in the glue that binds these disparate parts together.
California-based Discretix has built a business selling a comprehensive suite of security solutions for our real-world, cobbled-together, mobile computing platforms. Their solutions begin at the hardware core and extend through middleware into software applications, addressing the wide range of potential vulnerabilities in the embedded computing chain and providing a consistent security architecture throughout the system for a wide variety of purposes including DRM, firmware over-the-air (FOTA) updates, IMSI/IMEI protection for SIM data, IPSec for mobile TCP-based applications, and even financial cryptography for mobile e-commerce applications.
Discretix’s solution begins with what the company calls “CryptoCell,” which is a hardware/software system that is integrated into the handset, providing the security framework. The hardware components are delivered as IP that accomplishes core security tasks like random number generation, asymmetric and symmetric cryptography, and hash integrity verification. At a hardware level, these components include a bus interface, a secure DMA module, and hardware crypto engines.
On top of the hardware core is a middleware layer. The middleware provides programmatic, secure access to the hardware cores and adds services such as software crypto, secure storage, secure boot, and key and certificate management. The middleware layer adapts for a variety of hardware and processing platforms as well as a wide variety of popular operating systems.
Above the middleware layer sits a collection of applications and application-development toolkits. These enable specific security schemes to be implemented, such as Discretix’s Multi-Scheme DRM client, device management for features like FOTA, SIM Lock protection for IMSI/IMEI identities, IPSec for VPN and TCP/IP security, and Java security. Discretix sells the various components à la carte so you can configure your system with only the security schemes you require.
In embedded design, there is always a build/buy tradeoff to be made on what parts of your system to design in-house from scratch and what to buy from third-party suppliers. Security is almost always most attractive on the “buy” side of that equation. The techniques, algorithms and standards involved in security systems are career-complex – best implemented by engineers whose career is focused on security. The subtleties and techniques of the attack versus countermeasure world of cryptography and system-security are exciting for your James Bond fantasies, but impractical to manage responsibly as a dabbling electronics or software engineer. When it comes to security, it’s usually best to go to the professionals.
One of the things you get by going with an established, bundled solution is a pre-engineered range of standards support. Discretix’s offering supports a wide range of public key algorithms including RSA, DSA, ECC and DH, symmetric encryption algorithms including AES, DES, triple-DES, and RC4, and hash algorithms including SHA-1/2, MD5, and HMAC.
Often, your mobile device will have a flash memory slot (if you’ve designed a system like this without one lately, e-mail me… we need to talk.) The problem is that flash is even more portable and could fall out of your customer’s unit at any time and into the unit of an unscrupulous party. (If articles had a soundtrack, this is where the low-frequency notes would start to get louder.) Here, instead of protecting third-party data from your system’s end-user, you’re often protecting your end-users’ data from unscrupulous third parties. Discretix has a specialized offering for flash memory security that can make securing data on flash cards pretty much a non-event from an embedded engineering standpoint.
On to the DRM problem: Discretix offers what they call a “Multi-Scheme DRM” software solution. This solution works with the underlying security platform to provide a robust solution for DRM protection. Here, it is worth mentioning that there are two classes of system houses when it comes to DRM implementation. On one hand, there are the “letter of the law” designers who want to be able to say they integrated an industry-standard DRM solution. Actual security is not a priority as long as they can check the box and qualify for the content. The existence of well-known hacks is not a problem for them. Happily, Discretix’s solution is not that type – in addition to checking the box, they actually provide a robust DRM solution that isn’t widely defeated.
Discretix’s DRM solution supports OMA DRM v1.0 and v2.0 and Microsoft WM-DRM 10 and CPRM, and its architecture supports the addition of new schemes as they are required. Working with the rest of Discretix’s security framework, implementation is straightforward using a single API that connects to the application layer. The underlying middleware and hardware layers provide deep security and multi-platform processor and OS compatibility, so application writers don’t have to know the specifics of the underlying device.
All of these solutions are designed and tested with the idea of several typical “bad guys” in mind. In DRM, the primary threat is the typical user – the Napster-bred music lover that wants free access to all music regardless of copyright laws. The art of DRM is to keep this user as a happy customer while firmly protecting the rights of the content owners and protecting a viable and rightful revenue stream. At the same time, a well-designed DRM scheme can turn into a marketing opportunity with advanced features like previewing, renting, purchasing, and subscription models.
If your design is expanding into the realm where you’re dealing with content that needs protecting, look at a specialized supplier like Discretix. The effort and ramp-up required for implementing a home-grown security scheme far exceed the cost of purchasing a commercial solution, and chances are, you won’t come up with anything that is nearly as secure.