Is Microsoft RMS a secure method of protecting documents?
Microsoft has defined RMS policy as a source of weakness in controls rather than a failure of cryptography. This means that letting someone see the document was tantamount to giving it away. So how secure is it for protecting documents?
Rise of Microsoft RMS and the ERM market
DRM has long been used to protect content for consumer consumption as early as 1987 when Sony introduced DAT (Digital Audio Tape). However, it was widely disliked and many successful attempts were made to bypass it. It was therefore viewed negatively as a tool to protect content and ERM (DRM rebranded) was born as an alternative for corporate document protection.
Back in 2008 The Gilbane Group published a report entitled “Enterprise Rights Management Business Imperatives and Implementation Readiness”.
It identified Microsoft as one of the major players and that ERM was becoming important as a tool to protect documents. Microsoft named their ERM system ‘Microsoft RMS’ (Microsoft Rights Management Services).
How secure is Microsoft RMS?
Fast forward to 2016 to ERM (Enterprise Rights Management) and a published paper: “How to Break Microsoft Rights Management Services (Microsoft RMS)” at Usenix 2016 by M Grothe et al which gave a dazzling display of doing just what it said on the tin. (Only be sure always to call it please “research“: Tom Lehrer rather before DMCA!).
What the paper ‘How to break Microsoft RMS’ (correct at the date of writing) does is explain very concisely how to break the security of Microsoft RMS documents and upgrade your legitimate read access authority to any other authority (they used .docx but the method could be applied to any file protected using Microsoft RMS, or any other come to that) into an unprotected document which can then be processed using the normal applications (Microsoft Word in this case). What was more disturbing was that the paper also revealed a process for taking a modified version of the original document and having it processed so that it is accepted by the system as being genuine although it is a forgery.
After the paper’s publication, the researchers have published an .exe file that allows users with write access to remove editing and printing permissions with ease. The bypass reportedly still works despite being published seven years ago.
Is this a serious problem for Microsoft RMS protected documents?
The authors gave a summary of discussions with Microsoft about their findings, which included a key observation from Microsoft: “The type of attack you present falls in the category of policy enforcement limitations. Policy enforcement capabilities, such as the ability to prevent printing or modifying content to which the user has legitimate access, are not guaranteed by cryptography or other hard technical means.“
This is a significant observation which is often forgotten by evaluators. To paraphrase William of Occam, “once you have found the simplest way in then you need go no further.” – William of Occam is credited as having said, “Entia non sunt multiplicanda praeter necessitatem,” although it may have been John Punch back in 1639. So much for Copyright.
As far as the Microsoft argument is concerned, if you have read access to a document, then given enough time and money you can reproduce it by hand and nobody can stop you. So if you have an RMS policy that says you want to forbid copying, then you have to ban any form of access in order to be certain your policy is effective. Encryption may help you enforce that policy.
The problem is that policy is often about ideals that can’t be achieved.
A common policy request is to prevent the copying of files. The film and music industries will tell you that it is nigh on impossible to do that. Once you have a file you can copy it, and can guarantee to get a perfect copy – nothing sub-standard. CDs have never had anything realistic protecting content, and DVDs started with a system that was fairly easy to brute force attack. The Blu-Ray implementation AACS 2.0 has proved harder to crack, although in June 2018 Arusoft announced it was broken, and although AACS 2.1 has been introduced it is also believed to be cracked – AACS 2.1 cracked.
If the policy was to “prevent copies of files from unauthorized use”, as it is with the Locklizard document DRM systems, then cryptography does guarantee that the encrypted file cannot be used without authority.
So Microsoft are correct in saying that if you have read access you can reproduce what is on the screen simply because you can read it, and so can a camera. Your policy cannot be to stop these activities, but to make them difficult and expensive. So a better policy is to “make screen copying difficult and ineffective”. But how do you stop users copying content easily?
Below are just some of the methods an effective document rights management system should use:
Make screen copying difficult and ineffective
The first thing to consider is preventing use of features like the Print Screen key on the PC. This can be done programmatically, as can examining memory, looking for known screen grabbing applications and having them removed. This provides one level of policy, but you have to go further to stop browser hosted programs from doing screen capture since they have been developed to copy screen content to remote locations that are most likely out of direct control.
Make screen copying unattractive
The next step is to add watermarking that puts maybe the name and email address of the authorized user on to the screen. This does not violate their personal privacy as they are the user of the machine. This doesn’t stop them taking photos. But unless the authorized user want’s their name on every copy they give away they have got some work to do to remove it from every single photo. And it can be merged in with the image so simple photo editing is very hard to do.
Taking the policy to be making it difficult, you can also extend the difficulty in a number of ways that don’t rely on cryptography at all, apart from adding watermarks. All screen copying systems treat the displayed page as a graphic image (which is what it is). Thus, if your documents rely extensively on links for good operation ordinary copying will not break your policy and the attacker will have to manually process the document with a significant amount of man-effort to re-build all the links and references.
Make content difficult to reproduce
Also you can include pictures and diagrams as part of the document (where relevant) because if you cannot screen grab them they are much more difficult to reproduce manually, and cell-phone pictures of monitors tend to be poorer quality than originals. Embedding pictures in the document rather than providing links to pictures on a web site makes for bigger documents but makes the pictures harder to download and steal.
Policies concerning printing tend to be confused. A policy that says no printing is simpler to implement than one that tries to control printing. Locklizard stops printing by stopping access to the print function. Knowing which controls to enforce requires cryptography and the technical means to ensure printing cannot take place.
The problem is what to do if you must allow printing (some documents have to be printable for technical or legal reasons). This is more difficult because although you can try to detect if a real printer is being used, and not a file driver that outputs a PDF file from the printout, the operating system may not tell you. Even if you can detect it is a real printer it may be intelligent enough to allow several copies to made offline and the controlling application is unable to detect this.
So if you must allow printing you need to consider a policy that makes use of the printout to make other copies unattractive as an approach. Here you need a system of using watermarks to achieve a number of objectives:
- To link the identity of the authorised user to the printout so it is difficult to remove it. This makes the printed copy fine for personal study but unattractive for general distribution
- To authenticate the copy so that users are able to detect forgeries
Policies on the life of documents can vary. Books never go out of date, but training courses may have a life of as little as 6 months before they are out of date. Accounting documents may be controlled by regulation rather than internal policy. Documents may cease to be available if they go out of date (product repair manuals, staff manuals, market analyses). All of these ‘policies’ need to be available to deliver an effective DRM or ERM enforcing system, and must be enforced by cryptography.
Setting document security policies
There is a lot of difference between setting policies that are purely for corporate internal controls and policies when documents go outside, whether accidentally or because there is a requirement to distribute them. Corporate policies are usually set by senior management and cannot be altered. This is particularly important where documents are intended to go outside, where the recipient should not be in a position to define policies if they distribute the document. Authentic documents are distributed from a central point. Setting local policy definition is weaker because it allows local users to downgrade controls. Allowing users to redefine policies is not advised.
Microsoft RMS and other ERM systems require policies to identify the controls that need to be applied to documents. It is quite correct to say that policies may create weaknesses in a control system. But, as Locklizard demonstrate with their own document DRM systems, it is possible to take steps to remedy those weaknesses. This is not the same situation as where a control system has been broken (as in Microsoft RMS) and the recipient is able to define their own authorities and forge what should be secure documents.
Cryptography is an essential tool in transmitting securely the controls that must be enforced although it is only one element in achieving an effective document control system.