Self-Protecting Digital Content

Self Protecting Digital Content (SPDC), is a copy protection (digital rights management) architecture designed by Cryptography Research, Inc. for Blu-ray discs.

Overview
SPDC executes code from encrypted content on a Blu-ray player. When releasing new discs, content providers can update the code, adding protections against previous circumvention methods. DRM systems in which keys for encryption and decryption do not change can be attacked with one compromised key, allowing decoding of all content using that key. SPDC attempts to keep future content protected by allowing changes to the DRM in new releases when an existing DRM method is circumvented.

Playback method
If a method of playback used in previously released content is revealed to have a weakness, either by review or because it has already been exploited, code embedded into content released in the future will change the method, and any attackers will have to start over and attack it again.

Targeting compromised players
If a certain model of players are compromised, code specific to the model can be activated to verify that the particular player has not been compromised. The player can be "fingerprinted" if found to be compromised and the information can be used later.

Forensic marking
Code can be inserted into content (digital watermarking) to add information to the output that specifically identifies the player, and in a large-scale distribution of the content, can be used to trace the player (traitor tracing). This may include the fingerprint of a specific player.

Weaknesses
If an entire class of players is compromised, it is infeasible to revoke the ability to use the content on the entire class because many customers may have purchased players in the class. A fingerprint may be used to try to work around this limitation, but an attacker with access to multiple sources of video may "scrub" the fingerprint, removing the fingerprint entirely or rendering it useless at the very least.

Because dynamic execution requires a virtual environment, it may be possible to recreate an execution environment on a general purpose computer that feeds the executing code whatever an attacker wants the code to see in terms of digital fingerprints and memory footprints. This allows players running on general purpose computers to emulate any specific model of player, potentially by simply downloading firmware updates for the players being emulated. Once the emulated execution environment has decrypted the content, it can then be stored in decrypted form.

Because the content encryption scheme (such as BD+) is separate from the transport encryption scheme (such as HDCP), digital content is transferred inside the player between circuits in unencrypted form. It is possible to extract digital data directly from circuit traces inside a licensed player before that content has been re-encrypted for transport across the wire, allowing a modified player to be used as a decryption device for protected content. Only one such device must exist for the content to be widely distributed over digital networks such as the Internet.

The final weakness of all DRM schemes for noninteractive works is the ultimate decryption for display to end-users. The content can at that time be re-encoded as a digital file. The presumption is that re-encoding is lossy, but fully digital copies can be made with modified viewing devices. For example, adapters which strip HDCP and output unencrypted DVI can re-encode digital copies without modifying players. Adapters can also split an HDCP-protected stream into non-encrypted DVI and S/PDIF streams, allowing for almost lossless reconstruction of digital copies with complete video and audio streams. Copies can also be made through the analog hole.