Title: Cobalt: Separating content distribution from authorization in distributed file systems
1. Cobalt: Separating content distribution from authorization in distributed file systems
- Kaushik Veeraraghavan
- Andrew Myrick
- Jason Flinn
- University of Michigan
2. Accessing protected content is hard!
- Many opportunities to use ad hoc clients
  - Clients I don't own or regularly use
  - Play my songs at a friend's party
- To access content from an ad hoc client, I
  - locate content
  - fetch content
  - DRM: do I trust the ad hoc client?
- Simplify access without sacrificing security
4. What makes protected content special?
- Users and content providers have opposing goals!
- User goal
  - Display content to friends and family
  - Pervasive access: content anytime, anywhere!
- Provider goal
  - Restrict access to paying users
5. Problem with current systems
[Diagram: Provider]
- Provider authorizes clients for playback
- Model breaks down for ad hoc clients
  - User: privacy loss, login credential abuse
  - Provider: revocation, impersonation
6. What should we authorize instead?
[Diagram: Provider]
- Provider should authorize people, not clients
- Hard: how can we detect and authorize people?
- Leverage small, personal mobile devices (cell, PDA)
7. Cobalt: proximity-based access
- Physical proximity-based access: client on wireless network
- We build on ideas introduced in ZIA [Corner 02]
- Challenge/response heartbeat ensures proximity
- When user departs, playback stops
8. Cobalt goals
- Better usability
- Improved privacy
- Improved content protection
9. Separate distribution from authorization
- User goal: pervasive access to content
  - Store content in distributed storage
- Provider goal: restrict access to paying users
  - Encrypt content
  - Release key to phone
  - Playback requires phone
- Separate distribution and authorization channels
10. Store content in distributed storage
- Implemented on Blue File System
  - EnsemBlue [Peek 06]
- Usable with other distributed storage
[Diagram: BlueFS Server]
11. Cobalt trust model
- What does the provider need to trust?
  - User's cell phone and the ad hoc media player
- Rely on Trusted Computing to verify trust
12. Trusted Platform Module (TPM)
- Tamper-resistant chip w/ crypto support
- Software attestation
  - Signed hash of loaded software
  - Verify against policy
- Sealed storage
  - Protects data
  - Detect tampering
- Entities can leverage TPM to verify client
13. Outline
- Motivation
- Background
- Implementation
- Evaluation
- Conclusion
14. Implementation
- Acquisition
  - Provider sends encrypted content to user
  - Phone approved as a proxy after verification
- Playback
  - Media player discovery
  - Provide access to selected content
  - Phone authorizes player after verification
15. Content Acquisition
[Diagram: Provider, Content Request, Policy, HPolicy, BlueFS Server]
- Phone delegated authorization responsibility
16. File system layout
[Diagram labels: Encrypted with phone's KEK; Encrypted with content key]
17. Restrict playback to trusted clients
[Diagram: Media Player 1, Media Player 2]
- Verify media player before sharing content
18. Provide access to selected content
[Diagram: BlueFS Server, Media Player 1, Song_1.mp3, Song_2.mp3, Query .mp3, BlueFS IP address]
- Improve usability: semantically specify content
- Query result updated dynamically as content changes
- Phone restricts playback to specified content
19. Playback
[Diagram: BlueFS Server, Media Player 1, Song_1.mp3, Song_2.mp3, BlueFS IP address, Policy]
- Authorization succeeds if phone is in proximity
- Policy match ensures player won't leak content
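
The playback authorization described on this slide, sketched as an added example (not code from the Cobalt authors): the phone releases the content key only when the player's attested software hash matches the policy, and the player drops the key once heartbeat replies stop arriving. The HMAC construction, the `MAX_MISSED` threshold, the pre-shared session key and every name below are assumptions.

```python
import hashlib
import hmac
import secrets

MAX_MISSED = 2  # assumed: lost heartbeats tolerated before playback stops
# Constructed stand-in for the software hash the provider's policy accepts.
POLICY_HASH = hashlib.sha256(b"constructed trusted player image").digest()


def mac(key: bytes, nonce: bytes) -> bytes:
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Phone:
    """Token: holds the content key and releases it only on a policy match."""

    def __init__(self, content_key: bytes, session_key: bytes):
        self.content_key, self.session_key = content_key, session_key

    def authorize(self, attested_measurement: bytes):
        # Policy match: the player's attested software hash must equal the policy's.
        ok = hmac.compare_digest(attested_measurement, POLICY_HASH)
        return self.content_key if ok else None

    def respond(self, nonce: bytes) -> bytes:
        return mac(self.session_key, nonce)


class Player:
    """Ad hoc client: plays only while fresh heartbeat replies keep arriving."""

    def __init__(self, session_key: bytes, content_key):
        self.session_key, self.content_key, self.missed = session_key, content_key, 0

    def heartbeat(self, reply_for) -> bool:
        nonce = secrets.token_bytes(16)  # fresh challenge, so old replies fail
        reply = reply_for(nonce)  # None models the phone being out of range
        ok = reply is not None and hmac.compare_digest(reply, mac(self.session_key, nonce))
        self.missed = 0 if ok else self.missed + 1
        if self.missed > MAX_MISSED:
            self.content_key = None  # user departed: drop the key, playback stops
        return self.content_key is not None


def simulate(measurement: bytes, in_range: list) -> list:
    """Playing state after each heartbeat, given per-round phone reachability."""
    session_key = secrets.token_bytes(32)  # assumed already agreed by both sides
    phone = Phone(secrets.token_bytes(16), session_key)
    player = Player(session_key, phone.authorize(measurement))
    return [player.heartbeat(phone.respond if near else (lambda n: None)) for near in in_range]
```

Once the key is dropped, the phone coming back into range does not resume playback in this sketch; the player would have to be authorized again.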
20. Outline
- Motivation
- Background
- Implementation
- Evaluation
- Conclusion
21. Evaluation goals
- Overhead of Cobalt for content acquisition
- Overhead of Cobalt for content playback
- Can Cobalt enable new applications?
22. Evaluation setup
- Token: Motorola E680i cell phone
- BlueFS server: Dell GX620 desktop
- Acquisition
  - Provider: IBM X40 laptop
- Playback
  - Ad hoc client: IBM X40 laptop
23. Content acquisition time
- 10.1 seconds to acquire 1.8 MB mp3
- Cobalt adds less than 9 seconds of overhead
- STS on cell phone: 7.56 sec, laptop: 0.51 sec
24. Playback startup time
- One-time cost: 12.4 seconds
- Query creation, path resolution: 4 sec (1500 mp3s)
25. Context-sensitive adaptive playlist
[Diagram: Media Player; two song lists (Song_2.mp3 Song_3.mp3 Song_4.mp3 and Song_1.mp3 Song_2.mp3 Song_3.mp3); Adaptive Playlist: Song_2.mp3 Song_3.mp3]
- Cobalt enables new context-sensitive apps
- Playlist adapts as users leave player's vicinity
- 1500 mp3s, 650 matches: adds 1 second
26. Conclusion
- Cobalt: authorize people, not clients
- Better usability
- Improved privacy
- Improved content protection
- Reasonable overhead
- Enables new applications
- Questions?