A Security Analysis of My.MP3.com and the Beam-it Protocol
- Authors
- Adam B. Stubblefield
Dan S. Wallach
- Abstract
- My.MP3.com is a service that streams audio in the MP3 format
to its users. In order to resolve copyright concerns, the service first requires
that a user prove he or she owns the right to listen to a particular CD. The
mechanism used for the verification is a program called Beam-it, which reads
a random subset of an audio CD and interacts with the My.MP3.com servers using
a proprietary protocol. This paper presents a reverse-engineering of the protocol
and the client-side code which implements it. An analysis of Beam-it's security
implications and speculations as to the Beam-it server architecture are also
presented. We found the protocol to provide strong protection against a user
pretending to have a music CD without actually possessing it; however, we found
the protocol to be unnecessarily verbose and to include information that some
users may prefer to keep private.
- Published
- Tech report TR-00-353, Department of Computer Science, Rice
University, February 2000.
- Text
- PostScript (64 kbytes)
PDF (32 kbytes)
Dan Wallach, CS
Department, Rice University
Last modified:
Mon 10-Feb-2003 15:43