Icete Secrypt2007 Presentation
1. Secure License Management
Management of digital object licenses in a DRM environment
*Carlos Serrão, *Miguel Dias and **Jaime Delgado
{carlos.serrao, miguel.dias}@iscte.pt, jaime.delgado@ac.upc.edu
*ISCTE/DCTI/ADETTI, Lisboa, Portugal
**UPC/AC/DMAG, Barcelona, Spain
2. Summary
Digital Rights Management
What is DRM?
Rights, Rights Expression, Rights Expression Languages
Licenses
Licenses typology
Secure License Management
SLM Use-case
Conclusions and Future work
3. DRM concepts
DRM involves the:
description, layering, analysis, valuation, trading and monitoring of
rights over an individual or organization's assets, in digital format;
DRM is:
the chain of hardware and software services and technologies
governing the authorized use of digital objects and managing any
consequences of that use throughout the entire life cycle of the
object.
4. DRM concepts
DRM is not (only) Copy-Protection
DRM is used to manage and enforce rights
Copy-protection is used to prevent unauthorised copies
Current commercial DRM (such as WMRM or FairPlay) uses
both to (try to) be more effective
5. DRM concepts
Modern DRM involves several security technologies, such
as:
Public-key cryptography
Secret-key cryptography
Digital signatures
Digital certificates
... and others.
All this keying material should be properly managed, to
avoid security breaches...
... and this brings us to Key Management.
6. Key Management
What is Key Management?
Key Management is the set of techniques and procedures
supporting the establishment and maintenance of keying
relationships between authorized parties.
Key Management encompasses techniques and procedures
supporting:
Initialization of system users within a domain;
Generation, distribution and installation of keying material;
Controlling the use of keying material;
Update, revocation and destruction of keying material;
Storage, backup/recovery and archival of keying material.
7. Key Management in DRM
Key Management and DRM
DRM uses keying material in several situations:
Entities (content providers, users, ...) registration and management
Software applications and components registration and management
Content security
Rights management and enforcement (licenses)
8. Rights, RM and REL
Rights
[...] a right is the legal or moral entitlement to do or refrain
from doing something or to obtain or refrain from obtaining an
action, thing or recognition in civil society [...]
[...] Rights serve as rules of interaction between people, and, as
such, they place constraints and obligations upon the actions of
individuals or groups [...]
Rights management
The ability to manage rights
9. Rights, RM and REL
Rights Expression Languages (REL)
Allow the expression of copyright
Allow the expression of contracts or license agreements
Allow control over access and/or use
Mostly used to express DRM-governed content licenses
Licenses express how a governed-content can be used
Expressed in a specific format/notation (XML, Text, Graph theory, ...)
XrML and ODRL are two of the most used
May contain protected keying material information to be used with the
protected digital content
10. Licenses
Depending on the DRM scenario and implementation,
licenses may or may not be used
This gives 6 different scenarios:
Licenses are used in DRM
    License contains CEK
        License is inside digital content
        License is outside the digital content
    License does not contain CEK
        License is inside digital content
        License is outside the digital content
Licenses are not used in DRM
    CEK is inside digital content
    CEK is not inside the digital content
12. Licenses and DRM
Typical license format:
License = SignLicenseIssuer [UserID,DeviceID,DomainID,ContentID,
Rights, Restrictions, CipherUserPKey{CEK}, Validity,...]
The License is signed by the License Issuer to prevent the license
modification and tampering
The Content Encryption Keys (CEK) are ciphered with the
recipient's public key – it could even be a combination of
multiple keys (user, device, domain), depending on the implementation
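The license format above, as an added example that is not part of the original presentation: the issuer wraps the CEK under the user's public key, signs the whole license body, and the client verifies that signature before unwrapping the key. The choice of Ed25519 and RSA-OAEP, the JSON encoding, the use of ContentID as the OAEP label, and all type and function names are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// License mirrors the slide's fields; names and the JSON encoding are assumptions.
type License struct {
	UserID, DeviceID, DomainID, ContentID, Validity string
	Rights                                          []string
	WrappedCEK                                      []byte // CipherUserPKey{CEK}
}
type Signed struct{ Body, Sig []byte } // SignLicenseIssuer[...]
// Issue wraps the CEK under the user's public key, then signs the whole body.
func Issue(issuer ed25519.PrivateKey, user *rsa.PublicKey, l License, cek []byte) (s Signed, err error) {
	if l.WrappedCEK, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, user, cek, []byte(l.ContentID)); err == nil {
		s.Body, err = json.Marshal(l)
		s.Sig = ed25519.Sign(issuer, s.Body)
	}
	return s, err
}
// Open checks the issuer signature before parsing, then unwraps the CEK.
func Open(issuerPub ed25519.PublicKey, user *rsa.PrivateKey, s Signed) ([]byte, error) {
	if !ed25519.Verify(issuerPub, s.Body, s.Sig) {
		return nil, fmt.Errorf("license signature invalid")
	}
	var l License
	if err := json.Unmarshal(s.Body, &l); err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, user, l.WrappedCEK, []byte(l.ContentID))
}
// Demo opens a constructed license, then a copy whose Rights were edited after signing.
func Demo() (cekRecovered, tamperRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	user, _ := rsa.GenerateKey(rand.Reader, 2048)
	cek := []byte("0123456789abcdef") // constructed 128-bit CEK
	s, _ := Issue(priv, &user.PublicKey, License{UserID: "u1", ContentID: "c42", Rights: []string{"play"}}, cek)
	got, err := Open(pub, user, s)
	s.Body = bytes.Replace(s.Body, []byte("play"), []byte("copy"), 1)
	_, terr := Open(pub, user, s)
	return err == nil && bytes.Equal(got, cek), terr != nil
}
func main() { fmt.Println(Demo()) }
```

Because the signature covers the serialized body, changing Rights from "play" to "copy" invalidates the license before the wrapped CEK is ever touched.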
13. Licenses and DRM
Two basic processes involved:
License definition and creation
License download and enforcement
19. Conclusions and Future Work
The goal of the work was to analyse how the different
existing DRM solutions handle and manage rights
The different typical rights management scenarios were
identified (license management)
Establish a common generic model for secure license
management (fitting to the requirements of the different
platforms)
A scenario was chosen and instantiated on the model
This global license management model will allow
interoperability at this level between different DRM
solutions
Future: instantiate the remaining scenarios on the model.