NEW YORK - A group of university researchers claims to have cracked the watermarking technology of the Secure Digital Music Initiative, which could force the SDMI to rethink its solution for a secure digital music distribution system, security experts said.
Nine researchers from Princeton University (Princeton, N.J.), Rice University (Houston) and Xerox Corp.'s Palo Alto Research Center posted a claim on the Internet on Oct. 24 stating that they had successfully defeated all four watermarking schemes presented by SDMI, which had challenged hackers in September to crack the technology.
The university group, made up of researchers who study watermarking and computer security, claimed they had rendered the watermarks "undetectable" without significantly degrading the audio quality of the samples and that SDMI's e-mail server had confirmed their success.
The group didn't reveal how they had cracked the watermarks, but said they plan to issue a report on their work in mid-November.
A spokeswoman for the Secure Digital Music Initiative called the group's claim "premature" and said the organization will release results of the hacker contest after an SDMI meeting Nov. 8.
But experts maintain that if the researchers' claim is true, it illustrates how vulnerable and immature the state of watermarking technology is and why it should not be applied to the kind of application envisioned by SDMI.
"You can't develop a watermark that can't be removed, and you don't need skill to do it," said Bruce Schneier, computer security expert and chief technology officer of Counterpane Internet Security Inc. (San Jose, Calif.).
Cryptographic security expert William P. Crowell, president and chief executive officer of Cylink Corp. (Santa Clara, Calif.), agreed. A watermark created purely in software is "by definition hackable," he said.
A combined hardware/software solution such as Cylink's MiniKey could provide better security, Crowell said. MiniKey, a USB plug with a smart-card-like hardware token attached, is a portable, tamper-resistant security device that can be used to control access to PCs and laptops, and could be adapted for digital music players, he said.
Schneier said the recording industry's problem with digital rights goes beyond technology. "What it comes down to is that there is nothing that solves the digital rights problem, and the recording industry must realize that 'selling the each' model doesn't work over the Internet," Schneier told EE Times.
SDMI is in the second year of a mission to hash out a framework for the secure distribution of digital music. The cross-industry organization, founded in December 1998 by recording, consumer electronics and computer industry participants, wants consumers to be able to access, play and purchase digital music files from legitimate sources, but in a manner that protects the rights of content owners and prevents the mass distribution of pirated music. SDMI has defined a phase-one specification for portable devices to handle new or legacy music content securely. The organization is in the process of choosing a phase-two spec that would filter out pirated content.
Since SDMI began its work on a phase-two spec, concern has been building that the technology it chooses may not be resistant to hackers.
SDMI had issued its public challenge to hackers in September to head off those concerns in the process of choosing a robust technology.
Edward W. Felten, a professor in the Computer Science Department at Princeton, who served as spokesman for the university group participating in the public challenge, said the group believed "it's important to have a public discussion of the status of such a technology before it's deployed."
Verance Corp. (San Diego) took issue with the university group's claim. The company submitted technology for SDMI's phase-two spec and its watermark technology was chosen by SDMI for the phase-one spec.
Verance chairman David Leibowitz told EE Times that a preliminary report he received from SDMI indicated that none of the 153 attacks recorded in the challenge against the company's technology met the organization's criteria for success.
Felten admitted he isn't sure what SDMI considers a successful attack, but said that he and his colleagues believe watermarking does not make sense for digital music. "We're convinced our results show it's not effective in practice," he said.
While Felten and his group don't have a solution to offer SDMI, he called SDMI's dilemma of trying to protect music "a difficult technological problem." He said the researchers hope to address it as they advance the state of the art in watermarking, the Internet and computer security.