News Stay informed about the latest enterprise technology news and product updates.

New algorithm promises to secure P2P content

Three cryptographers have developed a secure P2P content distribution method without creating bottlenecks, and it could prove to be a significant breakthrough in the encryption arena.

Editor's Note: This is the first in an ongoing series of articles on security projects from academia and the nation's research labs with real-world implications.

Three cryptographers have developed a secure method to help content publishers make money via P2P content distribution without creating bottlenecks. The trio's key-storage system could prove a significant edition in the encryption arena, given how much content is expected to traverse public pipes in the coming year.

Scholarly Security
A paper entitled "Key Regression: Enabling Efficient Key Distribution for Secure Distributed Storage" details a provably secure method of distributing a large number of encryption keys over a peer-to-peer network. It will be presented at a security symposium in February by Kevin Fu from the University of Massachusetts, Seny Samara from Johns Hopkins University and Tadayoshi Kohno from University of California, San Diego.

For instance, content providers who do not wish to manage their own Web servers now can encrypt and publish content on a peer-to-peer network such as Gnutella. Those wishing to subscribe to the provider's content can then purchase a key from the provider's Website. But if the provider is offering an entire year's worth of audio or video content to a large number of users, the demand for keys to decrypt the files could become overwhelming.

To remedy this, Fu took an existing key distribution method, called the S-key algorithm, and altered it so that a content subscriber could be issued a key that would unlock the content for that day and all previous days, but not provide access to any future content.

The beauty of the system is that the subscriber need only come to the provider once to obtain a key, thus avoiding network bottlenecks.

"There was a security problem," said Kohno, a computer science doctoral student at UCSD, who ran into Fu after his presentation at the Network and Distributed System Security Symposium in San Diego last year. "There was a subtle mathematical flaw that made the output (or the number generated by the key) to be not completely random."

For more information

Get expert advice on P2P availability, confidentiality and authentication vulnerabilities.

Read our exclusive: IM/P2P threats surge ahead.

That meant a user could cancel his or her subscription and use an old key to decrypt content encrypted with tomorrow's keys, enabling access to future content. Since that method could be cracked, it wasn't going to work.

Kohno worked with Fu and Samara to develop a stronger method, called Key Regression. This algorithm produces a public key to decrypt today's content, and secondary piece of code called "the member state." Combining the previous "member state" with the current key can decrypt scrambled information the day before yesterday and so on. The predictability is completely removed, so the system is more secure.

While the encryption itself is highly mathematical, it does have plenty of real-world applications. In an Internet environment where an increasing amount of multimedia content is distributed among an ever-growing number of peer-to-peer networks, such encryption techniques can be used to build efficient, low-cost content subscription models.

Modified versions could also be used for other applications, such as time-based password mechanisms or as s way to unlock subscription-based software. For example, a software provider could use this system as a licensing method for desktop applications. Cellular providers could use it to distribute multimedia content such as the daily news.

"What we're doing is creating the tool that the carpenter can use to build a house," says Kohno. "It is very likely that somebody will take these tools and use them to create products that we have not even thought of yet."

That said, the key regression algorithm is not patented. The researchers are content to solve the problems and let others build business models and product lines around what the trio dreams up. "Solving interesting problems is as satisfying watching a beautiful sunset," says Kohno.

Dig Deeper on Secure software development

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.