1 / 18

Digital Rights Management in a 3G Mobile Phone and Beyond

Digital Rights Management in a 3G Mobile Phone and Beyond. Thomas S.Messerges, Ezzat A. Dabbish Motorola Labs Young Sub Ko. Contents. Introduction DRM Concepts and strategies Our DRM system Security issues Family Domain Example use cases Conclusion. Introduction. 3G Mobile Phone

dinh
Download Presentation

Digital Rights Management in a 3G Mobile Phone and Beyond

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Digital Rights Management in a 3G Mobile Phone and Beyond Thomas S.Messerges, Ezzat A. Dabbish Motorola Labs Young Sub Ko

  2. Contents • Introduction • DRM Concepts and strategies • Our DRM system • Security issues • Family Domain • Example use cases • Conclusion

  3. Introduction • 3G Mobile Phone • High commmunication rates • 144 Kbps, 384 Kbps, 2 Mbps depending on the mode of operation • Personal Area Networking capability • Peer-to-Peer sharing of digital items over short-range networks will be possible • High Internet Connectivity • More mobile phones than desktop computers connected to the Internet, soon • Business opportunities for digital contents are attracting much interest • Losses from piracy will mount • Digital Items can be copied or shared at no cost • Digital Rights Management(DRM) will be an essential component for in future mobile phones

  4. DRM CONCEPTS AND STRATEGIES - Overview of Trusted DRM System • License File • Metadata • Usage Rules • How to deal with the content in DRM system • Rights for content • Content Encryption Key(CEK) • Encrypt and decrypt the content • Hash • Link between the content and license • Digital Signature • For authenticity and integrity • Protected Content File • Encrypted Content • Encrypted with key in the license File • DRM System(When content is rendered) • Rendering Software • Pass the protected content file and License file to DRM Services software • DRM Service • Verify the signature of the license • Verify the hash of content • Decrypt the content and send it to the rendering software in the system

  5. RI Cert Device Cert DRM CONCEPTS AND STRATEGIES - Open Mobile Alliance DRM(OMA) Issue Certificate Mutual Authentication Using ROAP (RO Acquisition Protocol) Issue Certificate Generate RO (Rights Object) Generate DCF (DRM Content Format) KPRIV: Private Key KCEK: Content Encryption Key KREK: Rights Encryption Key KMAC: Message Authentication Code Key

  6. DRM CONCEPTS AND STRATEGIES - Open Mobile Alliance DRM(OMA) Protected RO RO Encrypted Using REK (Symmetric Key) Rights Content Encryption Key (CEK) Permission Integrity for DCF Digest of Content Content ID Authentication, Non-Repudiation, and Integrity for Rights (Domain RO Only) Digital Signature of Rights (Optional) Encrypted Using Device’s Public Key Rights Encryption Key (REK) and MAC Key Authentication, Non-Repudiation, and Integrity for RO (Including REK; Device RO) MAC of RO

  7. DRM CONCEPTS AND STRATEGIES - Message Authentication Code(MAC)

  8. OUR DRM SYSTEM - Interface for DRM • Two approach noted in Schneck’s paper • Replace the I/O elements of OS with new modules • Monitor all requests for I/O operations and inform a user if a proper license is not available • Hyperadvisor • Located between the OS and the hardware • When an application requests access to a protected file, it would invoke the DRM system • Our Approach • OS is extended to support DRM functionality • Access these extended system through API • A header in a particular file indicates that it is protected • If file is protected, extended API will be called

  9. OUR DRM SYSTEM - DRM manager • Authenticate Licenses and Content • Cryptographic hash of the content • Verified by comparing computed hash based on the content with a hash in a license file • For a mobile phone, the hash value are computed in a piecemeal fasion and form a hash table ▶ The hash table is verified incrementally as each portion of content is rendered • Digital signature • Verified using a public key of signer • Security Agents will help cryptographic operations • Enforce Rights • Actions can be associated with three fundamental types of rights • Render rights ,Transport rights, Derivative work rights • The license have an additional event for performing an action • Payments needs to be made or a play count needs to be decremented • Secure database needed to track these events • Rights to an action are assigned to a device • DRM manager needs to have access to device’s credentials(e.g., keys, certificates, IDs) • A key/certificate manger is responsible for these credentials • Decrypt Content • Decrypt the content using key and route it to a trusted application

  10. OUR DRM SYSTEM - Trusted Application Agents • Access and manipulate decrypted content • Organized according to the type of action they perform • Rendering agents, Transport agents, Derivative work agents • Rendering Agents • Provide the ability to render DRM-protected content • e.g., a music player, a picture viewer • The execution of a DRM-protected application is also rendering operation • e.g., an application loader • Transport Agents • Provide services that move content from one location to another • e.g., email attachments, messaging services, streaming • Establish a Secure Authenticate Channel(SAC) with the receiving device • Derivative Work Agents • Extract and transform protected content or license into a different form • Installation of DRM-protected software or data • For fast execution, installed software and data is decrypted and this makes it vulnerable to copying • Place the decrypted data into an access-controlled file system maintained by security agents

  11. OUR DRM SYSTEM - Security Agents • Handle the security-related functions in DRM system • Secure Memory and File management, Cryptographic operations, Key management • Secure Memory and File management • Access-controlled file system • The storage of digital content that is no longer encrypted and a secure database • Only trusted agents will be allowed to access • Memory separation system • Protect the memory being used by trusted agents from untrusted agent • A memory separation manager configure a hardware monitor to define available memory area to task • Secure memory system • Protectes critical data that should never be allowed to leak out the system(e.g,. private keys) • This memory is linked to tamper detection circuitry • If suspicious events happen, this memory is immediately cleared

  12. OUR DRM SYSTEM - Security Agents • Cryptographic Operations • Symmetric key • Protected content is encrypted using a symmetric-key algorithm such as AES • Hash • The binding between content and licenses is done with a hash algorithm such as SHA-1 • Public key(RSA, ECC) • Content key encryption and decryption • Digital signature verification and generation • Secure networking protocols such as TLS or WTLS • Key/certificate Manager • Securely handle a database of the phone’s credentials(keys, certificates, IDs) • Installation of credentials • Updates or Removal of credentials • Parse and verifying the certificates

  13. OUR DRM SYSTEM - DRM Credentials • Serial and Model numbers • Serial Numbers • SN is a number that identifies the phone • Rights can be enforced by matching SN in license and in device • Model Numbers • MN is a number that identified the hardware and soft ware version of a phone • Content provider knows how to package the digital content for particular phones • Root key • Check the authenticity and integrity of the credentials of other devices, servers, or licences • Private Keys and Certificates(Public key) • KuPri and UniCert • Used for establishing secure authenticate channel(SAC) to a phone • KdPri and DRMCert • Used for assigning content to a device • Content encryption key is encrypted with KdPub in DRMCert and decrypted with KdPri

  14. SECURITY ISSUES • License • Hash value that links the license to the digital item • The Rights allowed for that digital item • A key to decrypt the digital item • A signature of the license • Integrity and Authenticity • Verification of the license file signature (Public Key Infrastructure) • A symmetric key is preprogrammed into each device or securely established(shared secret) • Rights Enforcement • DRM manager parse the license file and recognize the rights expression • If a conflicting expression or one that can’t be understood are found, it must fail in a secure manner • Content Protection • Content is protected with encryption up • Streaming the content(decrypted) is protected via SAC • Privacy Issues • User information and identity in a license must not disclosed without the consent of the user

  15. FAMILY DOMAIN • The consumers wish to used their content on any of their devices • Some proposed DRM systems provide this with Public Key Infrastructure(PKI) and a centralized locker approach • This is not suitable for devices such as mobile phone which may not have permanent networking capabilities • FAMILY DOMAIN Approach • Trusted Server referred to as a Domain Authority(DA) installs a domain private key in each of devices in a domain • A Device needs to only register with a DA once and could access to all the content in a domain with domain private key

  16. EXAMPLE USE CASES Content Content License file License file

  17. Conclusion • Our DRM framework is applicable to other devices such as PDA, set-top box, automobile, or a PC • Content could be seamlessly shared amongst all devices through family domain • There are many areas need to be complete before our DRM system becomes a reality • Many use cases need to be explored • The Software block need to be more thoroughly described • Secure mechanism to extend the OS need to be developed • Hardware support to enable a trusted computing platform needs to be deployed

  18. Thank you

More Related