Is there an open-source DRM solution? [closed]

drm

Is there some open-sourced, well-documented and used DRM framework/library?

I want to write some framework for buying and selling digital stuff, where I want to implement, somehow, for the seller to have the possibility to lock the files with some sort of DRM, where only authorised computers would be able to open it (something like iTunes FairPlay).

It can, and probably has to, involve contacting my server with some login credentials.

On the other hand, I want the client to be open-sourced, and probably the server too .. is that even possible? Security through obscurity does not work, but DRM is not exactly "security"...

All I was able to find is this discussion on slashdot with the exact same problem, but it ended with "DRM IS BAD", and Sun's DReaM project, but I have no clue how to get to the actual code/usage of the framework on their site.

If you think Open Sourced DRM is not possible, tell me so.


This claims to be an open source implementation of OMA DRM2. I assume it contains the software components needed to build the server and client, leaving the hardware as an exercise for the reader:

http://sourceforge.net/projects/openipmp

License is MPL, which is a non-GPL-compatible FOSS license.

I have no experience of this implementation, but a little of OMA DRM, and it seemed at the time to be a workable DRM scheme, as much as any DRM scheme is workable. The OMA DRM standard is well-documented, and is (or at least has been) widely-used by the mobile phone industry.

The fundamental problem with open-source DRM is that although all of the algorithms and source code can be published without harming the scheme, client devices have to be "trusted" by the rights issuer to respect the rights, i.e. not do anything forbidden. This is incompatible with FOSS, which says that the user of a device should have full control over what it does.

Security through obscurity does not work, but DRM is not exactly "security"

Security through obscurity of algorithms is usually weak. Security through secrecy of information is the only way to do crypto, signing, etc. DRM does not require obscurity of algorithms (which is why OMA DRM is a published standard, and how come the source for an implementation can be published and freely usable), but it does require that the player device have access to information (some kind of key) which the user of the device does not, and which is not part of the algorithm/source.

Normally, security protects the owner/user of a device from a threat model of external attackers. In the DRM threat model, the owner/user of the device is the attacker, and the rights owner is being defended. If the device's user has full control over it, then clearly in principle this is game over.

In practice it may not be quite that immediate, but in the open source case, allowing people to write their own DRM clients which prevent them from copying your rights-protected data would be asking them to be astonishingly honest.

Users can sometimes be persuaded to be law-abiding, in which case DRM takes on the role of reminding them that if they're jumping through hoops to work around the restrictions, then they may be breaking the law.


Open-source DRM is virtually impossible.

The point of DRM is to prevent a user from decrypting some data, while at the same time allowing them to do so under some circumstances. The theoretical framework of encryption makes this absurd - how can the user only have the key to decrypt some data if they're using it for approved purposes?

The solution adopted by existing DRM systems is to go to ridiculous lengths to hide the key - a perfect example of security by obscurity - but if the source code is available it is trivial to simply modify the code to hand the key to the user. At this point it doesn't matter how good your encryption is, the user has everything they need to break it.

One solution to all this is using the Trusted Platform Module on some machines to verify the binary image of all software that might be able to access the key, and ensure the key itself is inaccessible (encrypted by a key derived by a secret burned-into-hardware value). However I'm not sure how common TPMs are, and moreover this is very much defeating the point of open-sourcing the software in the first place, as you would be unable to modify it in any way without losing access to the DRM keys.

Finally, on a more practical note, DRM seems to be on its way out anyway - eg, iTunes has gotten rid of DRM entirely, and the movie industry seems to be moving in that direction as well...

Related

H1-H6 font sizes in HTML
Writing backwards compatible Android code
How can I use Emacs ESS mode with R markdown?
Does Tomcat require JDK or JRE?
Access item in a list of lists
How to extend Java annotation?
Where did CUDA get installed in my computer?
What is the use of @EnableWebSecurity in Spring?
AWS Aurora MySQL serverless: how to connect from MySQL Workbench
How can I disable a browser or element scrollbar, but still allow scrolling with wheel or arrow keys?
How to stop Eclipse from trying to run XML files?
I would like to see a hash_map example in C++