Hanging the Pirates
<http://www.forbes.com/forbes/2005/0131/096_print.html>

Forbes

Security
Hanging the Pirates
01.31.05

Paul Kocher has a way to save Hollywood from illegal copying.

Over the past few months top brass from Hollywood and Japan's consumer electronics giants have been hashing out their futures in hotel meeting rooms in Tokyo and Los Angeles. Topic A is the politically charged debate over the standard for the new high-definition DVDs, which the film industry hopes will swell the current $24 billion DVD market, as hi-def becomes the norm. Most of the players want to get something decided on within a year.

But, as big as the stakes are in those discussions, the movie studios are even more keen on the outcome of the talks on the 39th floor of Toshiba's Tokyo headquarters. There, a select security committee representing both hardware and film makers has an extremely rare opportunity to stop digital piracy from doing to movies what it did to music. Napster and its ilk have helped knock 17% off of record label sales in the past three years. With DVD's basic encryption already cracked and one-quarter of American homes now capable of broadband-speed downloads, it's inevitable that one day the latest Harry Potter film will be swapped as easily as U2's new hit.

By the Numbers: Price of Piracy
Illegal file-sharing hits music far harder than film--for now.
  $21 billion   DVD sales in U.S. in 2004, a 200% increase since 2000.
  $12 billion   CD sales in U.S., a 17% decline since 2000.
  $3 billion    Amount movie studios lose to piracy each year.
  $4 billion    Amount music publishers lose to piracy each year.
Sources: Adams Media Research; RIAA; MPAA.

"This is the number one priority at the highest levels," says Thomas Lesinski, president of Paramount Home Entertainment. "The studios want to have more control over protecting our content."

One of the most important people involved in that discussion is Paul Kocher, the 31-year-old president of Cryptography Research, a tiny San Francisco consulting and licensing firm that brought in $6 million last year. Kocher is soft-spoken, young and obscure, but his credibility in the encryption business is sterling. Eight years ago, fresh out of Stanford, Kocher cowrote Secure Sockets Layer (SSL), the protocol that secures the vast majority of commerce on the Internet.

What Kocher is pushing is the concept of renewable security. Any attempt to erect a one-time, rigid barrier between thieves and content, he says, is useless, including the current method pushed through by the Japanese consumer electronics companies. "With very few exceptions, all the major security systems being used by the studios today are either broken and can't be fixed, or they're not deployed widely enough to be worth hacking," says Kocher.

Under the existing Content Scrambling System, electronics makers install the exact same encryption code into nearly every DVD player. But that was broken by European hackers in 1999 and the trick disseminated widely on the Internet. Even the least sophisticated user can now download a program that easily copies protected movies.

Kocher's alternative is to allow for constant change. His system, called self-protecting digital content, places the security on the disc instead of in the player. A software "recipe" running into the millions of steps is burned onto every new movie disc. Each DVD player would contain a small chip costing only a few extra cents that would follow the recipe faithfully. If the DVD player decides the disc is secure, it will decode it and play the movie. But each film could have a different recipe. So if a pirate breaks the code on Spider-Man 2, he wouldn't necessarily be able to break the code on Elf. The studios would always be one step ahead of the thieves; at the very least it would take pirates more time to break each film. Not a big deal: Studios make most of their money from DVDs in the first three months, anyway.

"A lot of security systems are hard and brittle," says Robert Baldwin, head of the security firm Plus Five Consulting. "Paul's is more like a willow tree. It bends and recovers."

No studio executive contacted would comment on Kocher's scheme on the record, but it looks likely to be the backbone of any eventual security standard. A group including IBM, Toshiba, Time Warner and Microsoft is also angling to get a complementary encryption scheme called AACS into every future player. It will likely be written to work with Kocher's idea.

Consumer electronics firms, which dictated the last encryption format, never had much to lose from security leaks. Film executives like the fact that Kocher's scheme gives them a stronger hand. Now they will be able to decide how much security they want on each disc and when it needs to be updated.

Kocher, son of a physics professor at Oregon State University in Corvallis, says he learned about computing because he stayed home a lot, too lazy to bike the two miles into town. He initially wanted to be a veterinarian. "It's not a good job from a financial perspective, but it includes the interesting parts of medicine, and if you make a mistake you haven't done in someone's grandma," says Kocher. He ran out of money while at Stanford, so he started doing security consulting for Microsoft and RSA Security.

By the time Kocher graduated from Stanford, he was already well-known as a protégé of Martin Hellman, the co-inventor of public key encryption, the most widely used security technique on the Internet. A year after college Netscape asked Kocher to redesign from scratch the security behind e-commerce. On the old version thieves could intervene in a transaction, weaken the encryption and steal information. Kocher redesigned the system to ensure that seller and buyer are working off of the strongest encryption possible, and that if someone interferes, the sale fails. "With all the problems on the Internet, SSL has stood as an industrial-strength protocol," says Taher Elgamal, who worked with Kocher on SSL.

With SSL Kocher had full control over how the protocol would turn out. Things aren't so straightforward with the new DVD standards. Kocher is in the middle of a battle between Sony and Toshiba to define the new standards. Both sides are in favor of renewable security, but they haven't decided how to get it. For example, downloading fixes over an Internet connection is one idea that has been floated by Microsoft and others. With players like Sony, Microsoft and Intel all trying to impose their own agendas, there's a risk the compromises could result in a less secure standard.

For the most part Kocher has avoided political battles, sitting through the endless, heated standards meetings and tapping on his Treo from the side of the room, interrupting quietly now and then to endorse his fix. There's money in this for him, just not that much--given that he's looking at only several cents per disc for his firm if Cryptography's solution is ultimately used. That could eventually work out to $75 million based on the current 1.5 billion copies sold worldwide.

More lucrative would be the consulting fees from the studios when they eventually start deciding what kind of security they want on each title. That's unlikely to happen until high-definition DVDs get traction, sometime around 2007. "The formats have to decide to build in a system that will make it possible to fix problems later," says Kocher. "When you have the tools to handle security risks, they'll inevitably get used."

--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'