ERM

Enterprise Rights Management (ERM) is the adoption of Digital Rights Management (DRM) technologies for the enterprise. Sensitive documents are encrypted and accompanied by a special license, which contains a description of access rights and an encrypted document key. Special viewers, called ERM clients, provide access to protected documents while enforcing the access and usage restrictions imposed by the license: the ERM client checks the conditions of the license, decrypts the document key contained in the license using a private viewer key, and finally decrypts the document using the document key. The possibility of implementing fine-grained access and usage control for documents makes ERM the prime candidate for the protection of data in business environments.

An important aspect of the holistic approach of ERM is Secure Printing. Enterprise Rights Management provides persistent protection of sensitive content throughout its entire life cycle; however, printing ERM-protected data breaks the protection chain. Today’s printing protocols usually transmit print data in cleartext and are therefore susceptible to security breaches: the confidentiality and integrity of transmitted data cannot be assured.

ERM Client Security

Problem

  • The protection of the private viewer key in an untrustworthy environment (client machine) is a challenging and complex task.
  • The client has to withstand attacks in a White-Box context. Today’s cryptographic algorithms are designed for Black-Box scenarios.
  • Even a single unauthorized copy of sensitive data could lead to massive losses for a company. Therefore, the requirements for client security are significantly higher than in Digital Rights Management.

Enterprise Rights Management

Software Obfuscation

  • Software Obfuscation protects code from Reverse Engineering. It hides the control flow and data structures of software.
  • Obfuscation transformation: P -> P’, where P and P’ have the same observable behavior (Collberg et al.).
  • P’ acts like a virtual black-box (Barak et al.), which means that nothing can be computed from the obfuscated program P’ that would not be computable by just observing the input and the output of the black box (P’).

Software Obfuscation

White-Box Cryptography

  • White-Box implementations of cryptographic algorithms are designed to withstand attacks in a White-Box context, where an attacker has full control of the host and total visibility into the software implementation of the algorithm and its execution.
  • Idea: Merge the algorithm and the cryptographic key into a network of lookup tables by pre-calculating those parts of the algorithm whose input values are known in advance.
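
The lookup-table idea above, as an added example (not code from the project described on this page): the round keys of a toy byte-wise cipher are folded into tables, and random encodings hide the intermediate values between rounds. The cipher, the S-box and all function names are constructed for illustration and provide no real security.

```python
import random

# Toy byte-wise cipher, constructed for illustration (NOT AES, not secure):
# every round XORs a key byte into each state byte, applies a public S-box,
# then rotates the state by one byte position.
SBOX = list(range(256))
random.Random(2024).shuffle(SBOX)

def rotate(state):
    return state[1:] + state[:1]

def reference_encrypt(block, round_keys):
    """Conventional implementation: the key is an explicit runtime input."""
    state = list(block)
    for rk in round_keys:
        state = rotate([SBOX[b ^ k] for b, k in zip(state, rk)])
    return bytes(state)

def random_bijection(rng):
    perm = list(range(256))
    rng.shuffle(perm)
    inverse = [0] * 256
    for i, p in enumerate(perm):
        inverse[p] = i
    return perm, inverse

def build_tables(round_keys, rng):
    """Fold each key byte into a 256-entry table: T[x] = out(SBOX[inp(x) ^ k]).
    'out' is a random bijection hiding the intermediate value; the next round's
    'inp' undoes it. The first input and the final output stay unencoded here."""
    n = len(round_keys[0])
    identity = list(range(256))
    inp = [identity] * n
    network = []
    for r, rk in enumerate(round_keys):
        final = r == len(round_keys) - 1
        enc = [(identity, identity) if final else random_bijection(rng) for _ in range(n)]
        network.append([[enc[i][0][SBOX[inp[i][x] ^ rk[i]]] for x in range(256)]
                        for i in range(n)])
        inp = rotate([inverse for _, inverse in enc])  # encodings move with the bytes
    return network

def whitebox_encrypt(block, network):
    """Evaluate the lookup-table network; no key is passed in or stored."""
    state = list(block)
    for tables in network:
        state = rotate([t[b] for t, b in zip(tables, state)])
    return bytes(state)
```

The table network computes the same function as `reference_encrypt`, but the shipped data consists only of tables; as the Value note says, this raises the effort of key extraction without giving a well-defined security level.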

Value

  • Both techniques can make the process of reverse engineering harder and more time consuming, but do not guarantee a well-defined level of security.

Secure Printing with PostScript

Problem

  • Most printing protocols (e.g. LPD, SMB) do not support encrypted transmission to remote printers (exception: the Internet Printing Protocol, IPP).
  • Unencrypted print data transmission conflicts with the holistic security approach of Enterprise Rights Management.

LPD

Approach

  • PostScript is a page description language and a Turing-complete programming language. Most of today’s printers are able to interpret PostScript code.
  • Idea: Self-decrypting PostScript code that contains both the encrypted print data and the program logic for automatic decryption (implemented in PostScript).
  • Client (implementation for the Common Unix Printing System, CUPS): The encryption is performed by an additional filter in the filter chain of CUPS.
  • Decryption in the Printer: The PostScript program reads the cryptographic key from the printer memory and decrypts the print data to a variable. After decryption, the variable is converted to an executable variable and its content, the unencrypted PostScript code (print data), is interpreted.

CUPS Filter Chain

Value

  • End-to-end encryption: The approach guarantees secure print data transmission, if the end points (client machine and printer) are trusted (Black-Box context).
  • Binding to a specific printer: Print data is not readable without having access to the printer that stores the cryptographic key.

Contact Person:
Sebastian Schrittwieser