How iTunes Works

Security in iTunes
Need to catch up on your television shows? You can check them out through iTunes.
Need to catch up on your television shows? You can check them out through iTunes.
Screenshot by

All purchases are accomplished via an SSL (Secure Socket Layer) connection that encrypts the data. Exchanges related to browsing content and sampling songs happens in simple HTTP (hypertext transfer protocol) through a proxy server, which is a lower level server that sits between your computer and the main iTunes Web servers. This cuts down on requests sent to the main system architecture. Here's what else we know about the store's technology infrastructure:

The iTunes Music Store is composed of XML-based pages, lots of them encrypted using 128-bit AES in CBC mode. AES-CBC is a type of symmetric-key encryption. AES ( for advanced encryption standard) basically takes a 128-bit block of code and reorganizes it into a 128-bit block of ciphertext using a particular key (an encryption algorithm). CBC (cipher block chaining) mode is a method of disguising any encryption patterns that might reveal the key. In CBC, what happens is sort of like a double-layer encryption scheme. During the encryption process, each consecutive, 128-bit block of unencrypted text (we'll call this the "original block") is XORed with the previous, already encrypted block of ciphertext to generate a 128-bit block of text that represents the original block. The "XOR" operation is a piece of computer code that returns values based on an "exclusive OR" formula -- for example, an XOR operation might state that if the first bit in the original block OR the first bit in the ciphertext block is "1" (but only one or the other), then the resulting value is "1." This "1" is now the first bit in the new, 128-bit "representational block." It is the representational block that will be encrypted using the key. In this way, if you were encrypting a page that had two consecutive, identical 128-bit blocks of code, they would end up as completely different blocks of ciphertext.

The same key is used to encrypt and decrypt the ciphertext -- that's the "symmetric" part of the process. Once each block is decrypted using the key, the XOR operation is reversed to generate the original block of text. See Cryptographic Algorithms and RFC 3602 to learn more about AES-CBC encryption.

As we already mentioned, the iTunes Store once used a proprietary encryption method called FairPlay for its digital rights management scheme. When you purchased a song, the file was encrypted as part of the download process. Next, we'll take a closer look at FairPlay and the controversy that surrounded it.