Jon, To give you some background about me so you can understand that I'm not just shooting in the breeze here, one of the companies I am director of sells a piece of software I designed which securely stores information using cryptography, the piece of software in question has been tested and bought by a large number organisations including the US Federal Aviation Authority, Boeing, Fujitsu, Unisys, and several governmental organisations around the world. Don't take this as an "I know everything" statement, I'm offering this up so that you're aware I'm not basing my viewpoints on a quick scan of Wikipedia.
Cryptography inherently has nothing to do with transmission, it is purely about securing information. That secured information can then be stored or transmitted, but cryptography and the use of cryptographically secured information are two separate things. There are a number of protocols outside of cryptography which ensure secure transit (Diffie-Hellman key exchange for example), but the use of Cryptography is not inextricably tied to information transmission. DRM is Digital Rights Management. It's not about securing applications in transit (although copy-protection systems sometimes are labelled DRM), it's aboute ensuring an what a user wants to do with some content is an approved usage in the context in which they are operating. This isn't neccessarily about encrypting applications, in fact the system at AndAppStore[1] doesn't rely on encrypting the application, it purely relies on using an encrypted piece of data which thae application uses to determine what rights a user has available to them. One time pads are "breakable", all that needs to happen is you need to obtain a copy of the pad. Brute force and key guessing is not the only way to get around cryptography. RSA encryption has been shown to be vulnerable with the RSA Technologies $10,000 prize for decrypting a message secured with RSA-576 being claimed in 2003[2], and the once lauded DES encryption system has been shown to be vulnerable with data encrypted using a 56 bit key being "cracked" in 22 mins[3]. Quantum cryptography is still a long way from being a practicality for daily use and is in it's infancy. Many crypto systems have claimed to required hundreds or thousands of years to crack, many have be broken either by methods not considered by the original inventors or by more powerful machines. As I said originally "the aim of it is to ensure the information is worthless by the time it's broken". "Fair use" is a legal concept which DRM mechanism should take into account. In many parts of the EU there is no concept of "Fair use" allowing even a single backup copy let alone transferring content into a different format. DRM can't stop a determined attacker, but good DRM makes the content worthless by the time it's been cracked, and the current Android Copy Protection system isn't a good DRM implementation because a casual attacker can follow a simple set of instructions to by-pass it. Al. [1] http://andappstore.com/AndroidPhoneApplications/licensing.jsp [2] http://www.rsa.com/rsalabs/node.asp?id=2096 [3] http://www.theregister.co.uk/2001/07/25/rsa_poses_200_000_crypto/ Jon Colverson wrote: > On Feb 27, 10:12 pm, Al Sutton <a...@funkyandroid.com> wrote: > >> DRM tends to be based on Cryptography and yes, all cryptography is >> breakable >> > > NO, NO, NO, NO, NO, NO, NO! > > Cryptography is intended to be used for, and effective at, > transmitting a message secretly between two parties (A -> B) without a > third-party (E, for eavesdropper) being able to intercept it. The goal > of DRM is transmit a message (in this case, the application) to the > user's device, without the user being able to get access to it. > Unfortunately the user owns the device and can do whatever they like > with it, so B is the same person as E, and cryptography cannot solve > this problem. If you encrypt the software then you simply move the > problem. You can then put the encrypted software in plain sight, but > you have to hide the keys and the temporarily unencrypted software on > the device. You can try and make it difficult to find the keys, but > major players have spent millions of dollars trying to do this and > failed. It may take a substantial amount of effort and/or special > equipment to break the DRM, but once it is broken the unencrypted > software can be as freely distributed as anything else and the whole > system is worthless. > > Also, the statement "all cryptography is breakable" is false. One-time > pad cryptography is provably unbreakable and quantum cryptography is > provably unbreakable according to known physics. More practically, RSA > cryptography is effective and not proven to be breakable unless you > have a quantum computer lying around or you're sitting on a proof of > P=NP that you haven't gotten around to publishing yet. > > All DRM is breakable, and not because of the strength of any > cryptography used with it. > > >> Most DRM doesn't cause anyone any pain when the content is used in the >> manner for which a license has been purchased, the "pain" tends to come >> when people want to use content in ways they may not have a license for >> (e.g. ripping a movie to a hard disk in a different format, moving >> software between machines). >> > > Or, "Fair use" as it is referred to in some jurisdictions. > > >> I'd happily accept measures to allow content >> providers (such as developers) to protect themselves against the >> minority of users who rip them off by freely handing out copies of >> applications because at the level we're dealing with sales of 10 or 20 >> > > No DRM can stop a determined attacker. The Android DRM stops the un- > determined one. Therefore the Android DRM is as good as any DRM can > be. Stop complaining about it as if Google engineers are all amateurs > and you're the world's greatest computer security expert. The > AndAppStore DRM is as trivial to break as any other. It wouldn't even > require an unlocked device or an ADP1 to break it. > > -- > Jon > > > > -- * Written an Android App? - List it at http://andappstore.com/ * ====== Funky Android Limited is registered in England & Wales with the company number 6741909. The registered head office is Kemp House, 152-160 City Road, London, EC1V 2NX, UK. The views expressed in this email are those of the author and not necessarily those of Funky Android Limited, it's associates, or it's subsidiaries. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~----------~----~----~----~------~----~------~--~---
