Icete Secrypt2007 Presentation


Presentation given in ICETE SECRYPT 2007, Barcelona, Spain


Page 1: Icete Secrypt2007 Presentation

*Carlos Serrão, *Miguel Dias and **Jaime Delgado
carlos.serrao, miguel.dias {@iscte.pt}, [email protected]

Secure License Management
Management of digital object licenses in a DRM environment

*ISCTE/DCTI/ADETTI, Lisboa, Portugal

**UPC/AC/DMAG, Barcelona, Spain

Page 2: Icete Secrypt2007 Presentation

Summary

- Digital Rights Management
- What is DRM?
- Rights, Rights Expression, Rights Expression Languages
- Licenses
- Licenses typology
- Secure License Management
- SLM Use-case
- Conclusions and Future work

Page 3: Icete Secrypt2007 Presentation

DRM concepts

DRM involves the description, layering, analysis, valuation, trading and monitoring of rights over an individual or organization's assets, in digital format.

DRM is the chain of hardware and software services and technologies governing the authorized use of digital objects and managing any consequences of that use throughout the entire life cycle of the object.

Page 4: Icete Secrypt2007 Presentation

DRM concepts

DRM is not (only) Copy-Protection
- DRM is used to manage and enforce rights
- Copy-protection is used to prevent unauthorised copies

Current commercial DRM systems (such as WMRM or FairPlay) use both to (try to) be more effective

Page 5: Icete Secrypt2007 Presentation

DRM concepts

Modern DRM involves several security technologies, such as:
- Public-key cryptography
- Secret-key cryptography
- Digital signatures
- Digital certificates
- ... and others.

All this keying material should be properly managed, to avoid security breaches...

... and this brings us to Key Management.

Page 6: Icete Secrypt2007 Presentation

Key Management

What is Key Management?
- Key Management is the set of techniques and procedures supporting the establishment and maintenance of keying relationships between authorized parties.

Key Management encompasses techniques and procedures supporting:
- Initialization of system users within a domain;
- Generation, distribution and installation of keying material;
- Controlling the use of keying material;
- Update, revocation and destruction of keying material;
- Storage, backup/recovery and archival of keying material.

Page 7: Icete Secrypt2007 Presentation

Key Management in DRM

Key Management and DRM

DRM uses keying material in several situations:
- Entities (content providers, users, ...) registration and management
- Software applications and components registration and management
- Content security
- Rights management and enforcement (licenses)

Page 8: Icete Secrypt2007 Presentation

Rights, RM and REL

Rights
- [...] a right is the legal or moral entitlement to do or refrain from doing something or to obtain or refrain from obtaining an action, thing or recognition in civil society [...]
- [...] Rights serve as rules of interaction between people, and, as such, they place constraints and obligations upon the actions of individuals or groups [...]

Rights management
- The ability to manage rights

Page 9: Icete Secrypt2007 Presentation

Rights, RM and REL

Rights Expression Languages (REL)
- Allow the expression of copyright
- Allow the expression of contracts or license agreements
- Allow control over access and/or use

Mostly used to express DRM-governed content licenses

Licenses express how governed content can be used
- Expressed in a specific format/notation (XML, text, graph theory, ...)
- XrML and ODRL are two of the most used
- May contain protected keying material information to be used with the protected digital content

Page 10: Icete Secrypt2007 Presentation

Licenses

Depending on the DRM scenario and implementation, licenses may or may not be used

This gives 6 different scenarios:
- Licenses are used in DRM
  - License contains CEK
    - License is inside the digital content
    - License is outside the digital content
  - License does not contain CEK
    - License is inside the digital content
    - License is outside the digital content
- Licenses are not used in DRM
  - CEK is inside the digital content
  - CEK is not inside the digital content

Page 11: Icete Secrypt2007 Presentation

License Typology

Page 12: Icete Secrypt2007 Presentation

Licenses and DRM

Typical license format:

License = Sign_LicenseIssuer[UserID, DeviceID, DomainID, ContentID, Rights, Restrictions, Cipher_UserPKey{CEK}, Validity, ...]

The License is signed by the License Issuer to prevent license modification and tampering

The Content Encryption Keys (CEK) are ciphered with the recipient's public key – it could even be the combination of multiple keys (user, device, domain) – depends on implementation
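
The license format above, as an added example (not code from the presentation): an issuer signs the license fields and wraps the CEK under the user's public key, and the client verifies the signature before unwrapping the CEK. The slides name no algorithms, so RSA-OAEP wrapping, RSA/SHA-256 signatures, the JSON field encoding, and all field names and sample values are assumptions; it uses Node.js's built-in crypto module.

```javascript
// Added example: license issuance and enforcement (algorithm choices are assumptions).
const { generateKeyPairSync, randomBytes, publicEncrypt, privateDecrypt,
        sign, verify, constants } = require('node:crypto');

const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
// Fixed field order gives issuer and client the same bytes to sign and verify.
// Field names are hypothetical; the slide only lists the kinds of fields.
const FIELDS = ['userId', 'deviceId', 'domainId', 'contentId', 'rights',
                'restrictions', 'wrappedCek', 'notAfter'];
const encode = (body) => Buffer.from(JSON.stringify(FIELDS.map((f) => body[f])));

function issueLicense(issuerPrivKey, userPubKey, cek, terms) {
  // Cipher_UserPKey{CEK}: only the holder of the user's private key can unwrap it.
  const wrappedCek = publicEncrypt({ key: userPubKey, ...OAEP }, cek).toString('base64');
  const body = { ...terms, wrappedCek };
  // Sign_LicenseIssuer[...]: the signature covers every field, wrapped CEK included.
  const signature = sign('sha256', encode(body), issuerPrivKey).toString('base64');
  return { body, signature };
}

function enforceLicense(license, issuerPubKey, userPrivKey, request, now) {
  const { body, signature } = license;
  // Verify the issuer's signature before trusting any field of the license.
  if (!verify('sha256', encode(body), issuerPubKey, Buffer.from(signature, 'base64')))
    return { ok: false, reason: 'bad signature' };
  if (now > body.notAfter) return { ok: false, reason: 'expired' };
  if (request.contentId !== body.contentId || request.deviceId !== body.deviceId)
    return { ok: false, reason: 'wrong content or device' };
  if (!body.rights.includes(request.action))
    return { ok: false, reason: 'right not granted' };
  // The CEK is unwrapped only after every check has passed.
  const cek = privateDecrypt({ key: userPrivKey, ...OAEP },
                             Buffer.from(body.wrappedCek, 'base64'));
  return { ok: true, cek };
}

// Constructed sample data: throwaway keys and made-up identifiers.
const issuer = generateKeyPairSync('rsa', { modulusLength: 2048 });
const user = generateKeyPairSync('rsa', { modulusLength: 2048 });
const cek = randomBytes(16);
const license = issueLicense(issuer.privateKey, user.publicKey, cek, {
  userId: 'user-1', deviceId: 'dev-1', domainId: 'home', contentId: 'song-42',
  rights: ['play'], restrictions: { maxPlays: 5 }, notAfter: 2000000000 });
const play = { contentId: 'song-42', deviceId: 'dev-1', action: 'play' };
```

Changing any signed field, for instance adding a right to the list, invalidates the signature, so the client refuses the license before the CEK is ever decrypted.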

Page 13: Icete Secrypt2007 Presentation

Licenses and DRM

Two basic processes involved:
- License definition and creation
- License download and enforcement

Page 14: Icete Secrypt2007 Presentation

Secure License Key Management

Page 15: Icete Secrypt2007 Presentation

Use-case/Scenario

- Licenses are used in DRM
  - License contains CEK
    - License is outside the digital content

Page 16: Icete Secrypt2007 Presentation

License definition

Page 17: Icete Secrypt2007 Presentation

License creation

Page 18: Icete Secrypt2007 Presentation

License download and enforcement

Page 19: Icete Secrypt2007 Presentation

Conclusions and Future Work

The goal of the work was to analyse how the different existing DRM solutions handle and manage rights

The different typical rights management scenarios were identified (license management)

Establish a common generic model for secure license management (fitting the requirements of the different platforms)

A scenario was chosen and instantiated on the model

This global license management model will allow interoperability at this level between different DRM solutions

Future: instantiate the remaining scenarios on the model.

Page 20: Icete Secrypt2007 Presentation

Questions

Thank you...

Any questions?