iadis tns2007 presentation

PKI as a way to leverage DRM interoperability

*Carlos Serrão, *Miguel Dias and **Jaime Delgado
carlos.serrao, miguel.dias {@iscte.pt}, [email protected]

*ISCTE/DCTI/ADETTI, Lisboa, Portugal
**UPC/AC/DMAG, Barcelona, Spain

Upload: carlos-serrao

Post on 21-Jun-2015

DESCRIPTION

Presentation given in the IADIS conference - Telecommunication, Networks and Security 2007, Lisbon

TRANSCRIPT

Page 2: Iadis Tns2007 Presentation

IADIS Multi Conference on Computer Science and Information Systems 2007 – Telecommunications, Networks and Systems

Summary

● (DRM) Interoperability
● PKI and the PKIX model
● PKIX and DRM interoperability
● Conclusions

Page 3: Iadis Tns2007 Presentation

Digital Rights Management

● DRM involves the:
  – description, layering, analysis, valuation, trading and monitoring of the rights over an individual or organization's assets, in digital format;
● DRM is:
  – the chain of hardware and software services and technologies governing the authorized use of digital objects and managing any consequences of that use throughout the entire life cycle of the object.

Page 4: Iadis Tns2007 Presentation

Digital Rights Management

● From a security point of view, two major aspects need to be considered in any DRM solution:
  – the digital object protection, in which the digital object is packaged in a specific container that is locked, preventing non-authorized copies or modifications, making usage of strong cryptographic algorithms.
  – and the fact that through the entire object life cycle a trustworthy environment must be established between the different actors, devices and software components.

Page 5: Iadis Tns2007 Presentation

Digital Rights Management

● Trust Environment
  – In a common DRM system, trust must be established between the different elements
  – The way this trust environment is accomplished differs from DRM implementation to implementation
  – There is no common trust system
  – This creates interoperability problems

Page 6: Iadis Tns2007 Presentation

DRM and interoperability

[Figure: DRM A, DRM B, DRM C and DRM D, each with its own Trust Mechanism (A to D), Users and Content; labelled "Non-Interoperability points".]

Page 7: Iadis Tns2007 Presentation

DRM and interoperability

● Public-Key Infrastructures (PKI) are important for trust environment establishment
● PKIX (PKI for X.509) is currently one of the most deployed PKI technologies, present in many security solutions
● PKI offers functions/services that are crucial to the establishment of trust environments:
  – Certification Authority
  – Registration Authority
  – Repository
  – Archive

Page 8: Iadis Tns2007 Presentation

DRM and interoperability

● PKIX supports most of the security and trust functions that DRM needs
● DRM systems can “deliver” their security and trust requirements “in the hands” of an underlying PKIX system
● This would simplify the task of DRM interoperability

Page 9: Iadis Tns2007 Presentation

PKIX and DRM interoperability

● Two approaches for DRM interoperability through PKI:
  – Use a single PKI service shared by all DRM systems;
  – Each DRM uses its own PKI service, and brokering mechanisms are used between them
● They both have their points, but...

Page 10: Iadis Tns2007 Presentation

PKIX and DRM interoperability

All the different DRM systems use the same PKI solution, to establish the necessary trust environment between the different actors, devices or software components.

Page 11: Iadis Tns2007 Presentation

PKIX and DRM interoperability

The different DRM systems have their own PKI, and a PKI broker is used to build interoperable trust environments between the different actors, devices and software components of the different DRM systems.

Page 12: Iadis Tns2007 Presentation

PKIX and DRM interoperability

● 1st Scenario
  – The same PKI offers the different DRM components trust credentials that can be immediately trusted between different DRM systems
  – This is however a low probability scenario. DRM systems will adopt their own PKI solutions

Page 13: Iadis Tns2007 Presentation

PKIX and DRM interoperability

● 2nd Scenario
  – Reflects what is happening now – each DRM chooses its own PKI solution
  – “Local” and “External” interoperability
    ● “Local” - the internal components of a DRM system rely on the trust provided by their own PKI
    ● “External” - the components of different DRM systems have to build trust relationships using a PKI broker

Page 14: Iadis Tns2007 Presentation

PKIX and DRM interoperability

● 2nd Scenario

[Figure: DRM A and DRM B, each with its own “Local” PKI, connected through a PKI broker.]

Page 15: Iadis Tns2007 Presentation

PKIX and DRM interoperability

● Assumptions:
  1. DRM1 Device has a key pair: KpubDevice, KprivDevice;
  2. DRM2 License Issuer has a key pair: KpubLicIssuer, KprivLicIssuer;
  3. DRM1 Device has a certificate issued by the DRM1 PKI: CertDRM1PKI(KpubDevice);
  4. DRM2 License Issuer has a certificate issued by the DRM2 PKI: CertDRM2PKI(KpubLicIssuer);
  5. All the PKI are PKIX-based and use X.509 digital certificates;
  6. PKI Broker has a key pair: KpubPKIBroker, KprivPKIBroker;
  7. DRM1 PKI and DRM2 PKI are registered at the PKI Broker;
  8. DRM1 PKI has to have a certificate from the PKI Broker: CertDRMBroker(KpubDRM1PKI);
  9. DRM2 PKI has to have a certificate from the PKI Broker: CertDRMBroker(KpubDRM2PKI).

Page 16: Iadis Tns2007 Presentation

PKIX and DRM interoperability

● Protocol
  1. The DRM1 Device has acquired some digital object which is not governed by the same DRM;
  2. DRM1 Device sends a message to DRM2 License Issuer to download the license for the digital object, together with its credentials:
     licenseDownload(contentID, CertDRM1PKI(KpubDevice));
  3. DRM2 License Issuer sends the DRM1 Device credentials to the DRM2 PKI for validation;
  4. DRM2 PKI has no way to validate the request, because the credential has been issued by another PKI. Therefore the DRM2 PKI asks the DRM Broker to try to validate the credential:
     validateCredentials(CertDRMBroker(KpubDRM2PKI), CertDRM1PKI(KpubDevice));

Page 17: Iadis Tns2007 Presentation

PKIX and DRM interoperability

● Protocol
  5. The DRM Broker validates the requesting PKI credentials, and checks the credentials sent by the device, checking the issuer PKI. It resolves the location of this PKI (DRM1 PKI) and sends it a validation request:
     validateRequest(CertDRM1PKI(KpubDevice));
  6. DRM1 PKI receives the request and then validates it, returning an answer to the PKI Broker;
  7. PKI Broker receives the answer and sends the result to the requesting PKI (DRM2 PKI);
  8. DRM2 PKI receives the answer from the PKI Broker asserting that DRM1 Device can be trusted;
  9. DRM2 License Issuer generates the license and returns it to the DRM1 Device.

Page 18: Iadis Tns2007 Presentation

PKIX and DRM interoperability

● Interoperable scenario (license production)

Page 19: Iadis Tns2007 Presentation

Conclusions

● PKI is an important part of DRM (fulfils DRM requirements)
● Currently, most of the DRM solutions do not rely on already existing PKI services or vendors, implementing their own mechanisms – interoperability problems
● Two approaches for DRM interoperability based on PKI services
● An approach based on a broker is more viable
● DRM interoperability problems are not entirely solved by this – this is just the tip of the iceberg!!!

Page 20: Iadis Tns2007 Presentation

Questions

● Thank you!
● Any question?