Building Rights Management Enabled Applications For Windows "Longhorn"
Steve Bourne, Chandramouli Venkatesh, Microsoft Corporation
Session Code: CLI372
Agenda
Introduction: Microsoft Rights Management technologies
The Rights Management problem space
RMS fundamentals: certification, publishing, licensing
Windows RMS v2.0 features
Case study: Longhorn documents
Demo
Sample code
Microsoft Rights Management
Microsoft has a long history in the rights management space: digital music, eBooks, video.
There are two technologies for "DRM" at Microsoft:
Windows Rights Management Services (RMS)
Windows Media Rights Manager (WM RM)
Developers should use WM RM for video, audio and streaming content.
Developers should use RMS for all other formats of data. During this session we will focus on RMS.
Defining The Problem… Have you ever encountered this?
Defining Our Solution
A Rights Management system must:
Allow individuals and organizations to project usage policy onto the data that they own
Specify rights and users for digital information of any type
Provide persistent protection for organizational information
Rights Management cannot:
Provide unbreakable, hacker-proof security; there is no silver bullet in software
Protect against the analog loophole (see next slide)
Windows RMS Workflow
Actors: the Information Author, the Recipient, and the RMS Server (backed by SQL Server and Active Directory)
1. The author receives an identity certificate the first time they rights-protect information
2. The author defines a set of usage rights and rules for their file; the application creates a "publishing license" and encrypts the file
3. The author distributes the file
4. The recipient clicks the file to open it; the application calls the RMS server, which validates the user and issues a "use license"
5. The application renders the file and enforces the rights
RMS 2.0 Vision
Flexible, powerful trust model: seamless inter-organization exchange of RMS protected information
Broad ecosystem: search, antivirus, mail servers, document libraries
Ease of use: a simple and consistent RMS end user experience; simple RMS deployment and management
RMS 2.0 Key Features
Inter-organizational collaboration scenarios: cross-company delegation of license issuance
Pluggable authentication/identity systems: X.509, third-party authentication
Shared RM UX that you can build into your app
Easy deployment and management of RMS clients and servers
Support for managed applications
Support for trusted server applications
Longhorn Documents, Part one
Windows Client Printer Driver (WCPD): the authoring tool, which generates fixed-format Longhorn documents
Exposes the rights UI
Creates an unsigned publish license (System.Security.RightsManagement.UnsignedPublishLicense)
WCPD builds a project file for MSBuild to use; this project file refers to the unsigned PL file
Longhorn Documents, Part two
MSBuild: the Containerize task is invoked to package the document into the Avalon container
The task initializes the RM environment, requests a signed publish license and embeds it in the container
The task creates and embeds a use license for the author
MSBuild encrypts the content of the container using System.IO.CompoundFile.RightsManagementEncryptionTransform
Longhorn Documents, Part three
Consumption in the Longhorn browser: the Windows Client Platform Rights Enforcement Service (ES) initializes the RM environment
ES looks for a use license in the file and requests one from the server if needed
ES binds the use license and decrypts the content
ES enumerates the use license and disables/enables Longhorn browser menu options accordingly
[Slide: Longhorn API namespace map (Tools; Client, Web & Service, Data Systems, and Mobile PC & Devices application models; Presentation, Data, Communication, Base & Application Services, Fundamentals). RightsManagement appears under System.Security in the Security block, alongside System.Windows.TrustManagement, System.Web.Security, System.MessageBus.Security, Authorization, AccessControl and Credentials.]
RM API Basics
Namespaces to include:
System.Security.RightsManagement: contains the RM license services and RM license objects
System.Security.SecurePlatform: core RM services and content consumption classes
Assembly to reference: Microsoft.RightsManagement.Rmclient.dll (in the GAC)
RMS Enabled App Outline
Publishing phase: content is RM protected and distributed
Consumption phase: RM protected content is obtained and consumed
Publishing Phase
1. Initialize the RMS environment
2. Encrypt the content with a symmetric key and author the publish license
3. Publish the content
4. Distribute the RMS-protected content
[Diagram: the author's app calls the RM API, which talks to the RMS server (SQL Server, Active Directory) for steps 1 to 3; step 4 delivers the protected content to the recipient.]
Publishing: Authoring the publish license
1. Describe the content you are RM protecting:

using System.Security.Cryptography;
using System.Security.RightsManagement;

UnsignedPublishLicense unsignedPublishLicense = new UnsignedPublishLicense();

// Set the resource id: the name the license uses for this piece of content
Resource resource = new Resource();
resource.ID = "My Confidential IPO Memo";
resource.IDType = "Title";

// Create a symmetric key to encrypt the content with. The PDC sample uses DES;
// a 56-bit DES key is not an acceptable content key outside a demo.
DESCryptoServiceProvider desCSP = new DESCryptoServiceProvider();
desCSP.GenerateKey();

// Encrypt the content ("Hello World") with that key. EncryptMyContent is the
// application's own routine, not part of the RM API.
EncryptMyContent("Hello World", desCSP);

// Attach the content key to the resource. It travels inside the publish license,
// protected so that only the RMS server can recover it.
resource.ContentKey = desCSP;
2. Setting users and user rights for this content:

// Create a grant and tie it to the resource being protected
Grant grant = new Grant();
grant.Resource = resource;

// Name the right being granted
grant.Right.Name = Right.WellKnownRightNames.EDIT;

// Describe the user who receives the right, identified by e-mail address
SecurityIdentity identity = new SecurityIdentity();
identity.AuthenticationType = SecurityIdentity.WellKnownAuthenticationTypes.EMAIL;
identity.Name = "[email protected]";
grant.User.SecurityIdentities.Add(identity);

unsignedPublishLicense.Grants.Add(grant);
return unsignedPublishLicense;
Publishing

// Initialize the RM environment for the current user (securityIdentity is the
// caller's SecurityIdentity, obtained when the user was certified)
SecurityContext securityContext = new SecurityContext();
securityContext.UserIdentity = securityIdentity;
securityContext.InitContext();

// Create the unsigned publish license (steps 1 and 2 above)
UnsignedPublishLicense unsignedPublishLicense = AuthorPublishLicense();

// Send it to the RMS server, which signs it and returns the publish license
PublishService publishService = new PublishService();
PublishLicense publishLicense = publishService.Publish(unsignedPublishLicense);
Consumption Phase
1. Obtain the RMS-protected content
2. Initialize the RMS environment
3. Obtain a use license for the RMS-protected content
4. Bind to the use license to consume the content
[Diagram: the recipient's app calls the RM API; the RMS server (SQL Server, Active Directory) validates the user and issues the use license in step 3, after which the content is decrypted locally in step 4.]
Consumption: Obtain the use license from the server

// Initialize the RM environment for the current user
SecurityContext securityContext = new SecurityContext();
securityContext.UserIdentity = securityIdentity;
securityContext.InitContext();

// Create the UseLicenseService bound to this security context
UseLicenseService useLicenseSvc = new UseLicenseService(securityContext);

// publishLicense is the PublishLicense the application retrieves from the
// RM-protected content it obtained in step 1

// Ask the RMS server for a use license; the server validates the user
// against the grants in the publish license before issuing one
UseLicense useLicense = useLicenseSvc.GetUseLicense(publishLicense, null);
Consumption: Bind to the use license and consume the content

// Create a BindRequest object for this security context
BindRequest bindRequest = new BindRequest(securityContext);

// Bind to the use license obtained from the server; this yields the grants it carries
GrantCollection grantCollection = bindRequest.Bind(useLicense);

// Examine the grants before committing: the right named in the committed grant,
// not what the user asked for, decides which operations the application may enable
CommittedGrant committedGrant = bindRequest.Commit(grantCollection[0]);

// Decrypt the content under the committed grant and consume it
byte[] decryptedData = committedGrant.Decrypt(encryptedData);
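The workflow slide and the publishing and consumption phases above, reduced to one runnable model. This is an added example, not Microsoft's code and not the PDC-build API: the RmsServer class, the sealed licence format, the e-mail addresses and the shared-secret stand-in for the RSA key pairs and XrML licences of real RMS are all assumptions made for illustration. It shows why a recipient cannot recover the content key from the publish licence alone, why editing a distributed publish licence to add a grant gets the request refused, and how the rights in the use licence drive what the application enables.

```python
"""Toy model of the RMS publish / use-licence exchange in this session (added example,
not Microsoft's code or the System.Security.RightsManagement API). Keys, names and
formats are constructed. Real RMS uses RSA key pairs and signed XrML licences; here each
principal shares a secret with the server (issued at certification, workflow step 1) and
data is sealed with an HMAC-SHA256 keystream XOR plus an HMAC tag, a toy AEAD."""
import hashlib
import hmac
import json
import secrets

def _keystream_xor(key, nonce, data):
    out, ctr = bytearray(), 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("blob was altered or sealed under another key")
    return _keystream_xor(key, nonce, ct)

def _sign(key, doc):
    return hmac.new(key, json.dumps(doc, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class RmsServer:
    """Certifies users, signs publish licences and issues use licences."""
    def __init__(self):
        self._key = secrets.token_bytes(32)   # server secret; stands in for its RSA key pair
        self._user_keys = {}                  # e-mail -> secret issued at certification

    def certify(self, email):                 # workflow step 1: identity certificate
        self._user_keys[email] = secrets.token_bytes(32)
        return self._user_keys[email]

    def publish(self, unsigned_pl, content_key):
        """PublishService.Publish: wrap the content key so only the server can open it, then sign."""
        pl = dict(unsigned_pl, content_key=seal(self._key, content_key).hex())
        pl["signature"] = _sign(self._key, pl)
        return pl

    def get_use_license(self, pl, email):
        """UseLicenseService.GetUseLicense: check the licence and the user, then issue."""
        body = {k: v for k, v in pl.items() if k != "signature"}
        if not hmac.compare_digest(_sign(self._key, body), pl["signature"]):
            raise ValueError("publish licence was altered after signing")
        rights = [g["right"] for g in pl["grants"] if g["user"] == email]
        if email not in self._user_keys or not rights:
            raise PermissionError(f"{email} has no grant on {pl['resource']['id']}")
        content_key = unseal(self._key, bytes.fromhex(pl["content_key"]))
        # Rights and key are sealed together to the recipient's secret, so the client
        # cannot enlarge its rights without breaking the tag.
        payload = json.dumps({"rights": rights, "content_key": content_key.hex()}).encode()
        return {"user": email, "sealed": seal(self._user_keys[email], payload).hex()}

def publish_content(server, plaintext, resource_id, grants):
    """Author side, publishing phase steps 1-3: fresh symmetric key, encrypt,
    describe resource and grants, have the server sign the publish licence."""
    content_key = secrets.token_bytes(32)
    unsigned_pl = {"resource": {"id": resource_id, "id_type": "Title"}, "grants": grants}
    return seal(content_key, plaintext), server.publish(unsigned_pl, content_key)

def bind(user_key, use_license):
    """Recipient side, BindRequest.Bind/Commit: returns the committed grant."""
    body = json.loads(unseal(user_key, bytes.fromhex(use_license["sealed"])))
    return {"rights": set(body["rights"]), "content_key": bytes.fromhex(body["content_key"])}

def menu_options(committed):
    """What the enforcement service would enable in the viewer; assumes EDIT implies VIEW."""
    return {"view": bool(committed["rights"] & {"VIEW", "EDIT"}), "edit": "EDIT" in committed["rights"]}

def demo():
    """Alice (EDIT), Bob (VIEW), Eve (no grant) open the memo; Eve then forges a grant."""
    server = RmsServer()
    users = ("alice@example.com", "bob@example.com", "eve@example.com")
    keys = {u: server.certify(u) for u in users}
    grants = [{"user": users[0], "right": "EDIT"}, {"user": users[1], "right": "VIEW"}]
    encrypted, pl = publish_content(server, b"Hello World", "My Confidential IPO Memo", grants)
    results = {}
    for user in users:
        try:
            committed = bind(keys[user], server.get_use_license(pl, user))
            results[user] = (menu_options(committed), unseal(committed["content_key"], encrypted))
        except PermissionError as exc:
            results[user] = ("denied", str(exc))
    forged = dict(pl, grants=grants + [{"user": users[2], "right": "EDIT"}])
    try:
        server.get_use_license(forged, users[2])
        results["forged"] = "issued"
    except ValueError:
        results["forged"] = "rejected"
    return results
```

The server-side checks in get_use_license are the point of the exchange: the publish licence may be copied freely with the file, but its content key is sealed to the server, and the server only re-seals that key to a user who both holds a certificate and appears in the signed grant list. Client-side enforcement of the rights list (menu_options) is where the "no hacker-proof security" caveat from earlier in the session applies: it keeps honest applications honest, and nothing more.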
What Is Coming…
License store, for better license management:
CertStore.GetUseLicense(Resource);
Publish license templates, for power, expressiveness and convenience:
new PublishLicense(Templates["confidential"]);
Smart RM identity management: seamlessly support inter-organization collaboration for RM content
Common UI
The Fine Print
Information protected on the PDC build will not be consumable on future builds; development purposes only.
Summary
Think about how you can enhance your own applications with the information protection and policy made possible with RMS
Start building apps with the RMS APIs in the PDC build
Plan for future RM features
Tell us what you think!
Community Resources: Get Your Questions Answered!
Send us comments and questions: [email protected]; WM RM: [email protected]
Send us feedback! What do you like? What's missing? What did you have problems with?
© 2003-2004 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.