Iadis Tns2007 Presentation

    Iadis Tns2007 Presentation - Presentation Transcript

    1. PKI as a way to leverage DRM interoperability
       *Carlos Serrão, *Miguel Dias and **Jaime Delgado
       carlos.serrao, miguel.dias {@iscte.pt}, jaime.delgado@ac.upc.edu
       *ISCTE/DCTI/ADETTI, Lisboa, Portugal
       **UPC/AC/DMAG, Barcelona, Spain
    2. Summary
       ● (DRM) Interoperability
       ● PKI and the PKIX model
       ● PKIX and DRM interoperability
       ● Conclusions
       IADIS Multi Conference on Computer Science and Information Systems 2007 – Telecommunications, Networks and Systems
    3. Digital Rights Management
       ● DRM involves the:
         – description, layering, analysis, valuation, trading and monitoring of the rights over an individual or organization's assets, in digital format;
       ● DRM is:
         – the chain of hardware and software services and technologies governing the authorized use of digital objects and managing any consequences of that use throughout the entire life cycle of the object.
    4. Digital Rights Management
       ● From a security point of view, two major aspects need to be considered in any DRM solution:
         – the digital object protection, in which the digital object is packaged in a specific container that is locked, preventing non-authorized copies or modifications, making use of strong cryptographic algorithms;
         – and the fact that through the entire object life cycle a trustworthy environment must be established between the different actors, devices and software components.
    5. Digital Rights Management
       ● Trust Environment
         – In a common DRM system, trust must be established between the different elements
         – The way this trust environment is accomplished differs from DRM implementation to implementation
         – There is no common trust system
         – This creates interoperability problems
    6. DRM and interoperability
       [Figure: four DRM systems (DRM A, DRM B, DRM C, DRM D), each with its own Users, Content and Trust Mechanism (A, B, C, D); label: "Non-Interoperability points"]
    7. DRM and interoperability
       ● Public-Key Infrastructures (PKI) are important for trust environment establishment
       ● PKIX (PKI for X.509) is currently one of the most deployed PKI technologies, present in many security solutions
       ● PKI offers functions/services that are crucial to the establishment of trust environments:
         – Certification Authority
         – Registration Authority
         – Repository
         – Archive
    8. DRM and interoperability
       ● PKIX supports most of the security and trust functions that DRM needs
       ● DRM systems can “deliver” their security and trust requirements “in the hands” of an underlying PKIX system
       ● This would simplify the task of DRM interoperability
    9. PKIX and DRM interoperability
       ● Two approaches for DRM interoperability through PKI:
         – Use a single PKI service shared by all DRM systems;
         – Each DRM uses its own PKI service, and brokering mechanisms are used between them
       ● They both have their points, but...
    10. PKIX and DRM interoperability
       All the different DRM systems use the same PKI solution to establish the necessary trust environment between the different actors, devices or software components.
    11. PKIX and DRM interoperability
       The different DRM systems have their own PKI, and a PKI broker is used to build interoperable trust environments between the different actors, devices and software components of the different DRM systems.
    12. PKIX and DRM interoperability
       ● 1st Scenario
         – The same PKI offers the different DRM components trust credentials that can be immediately trusted between different DRM systems
         – This is however a low probability scenario. DRM systems will adopt their own PKI solutions
    13. PKIX and DRM interoperability
       ● 2nd Scenario
         – Reflects what is happening now: each DRM chooses its own PKI solution
         – “Local” and “External” interoperability
           ● “Local” - the internal components of a DRM system rely on the trust provided by their own PKI
           ● “External” - the components of different DRM systems have to build trust relationships using a PKI broker
    14. PKIX and DRM interoperability
       ● 2nd Scenario
       [Figure: DRM A and DRM B, each with a “Local” PKI, and a PKI broker]
    15. PKIX and DRM interoperability
       ● Assumptions:
         1. DRM1 Device has a key pair: KpubDevice, KprivDevice;
         2. DRM2 License Issuer has a key pair: KpubLicIssuer, KprivLicIssuer;
         3. DRM1 Device has a certificate issued by the DRM1 PKI: CertDRM1PKI(KpubDevice);
         4. DRM2 License Issuer has a certificate issued by the DRM2 PKI: CertDRM2PKI(KpubLicIssuer);
         5. All the PKI are PKIX-based and use X.509 digital certificates;
         6. PKI Broker has a key pair: KpubPKIBroker, KprivPKIBroker;
         7. DRM1 PKI and DRM2 PKI are registered at the PKI Broker;
         8. DRM1 PKI has to have a certificate from the PKI Broker: CertDRMBroker(KpubDRM1PKI);
         9. DRM2 PKI has to have a certificate from the PKI Broker: CertDRMBroker(KpubDRM2PKI).
    16. PKIX and DRM interoperability
       ● Protocol
         1. The DRM1 Device has acquired some digital object which is not governed by the same DRM;
         2. DRM1 Device sends a message, together with its credentials, to the DRM2 License Issuer to download the license for the digital object: licenseDownload(contentID, CertDRM1PKI(KpubDevice));
         3. DRM2 License Issuer sends the DRM1 Device credentials to the DRM2 PKI for validation;
         4. DRM2 PKI has no way to validate the request, because the credential has been issued by another PKI. Therefore the DRM2 PKI asks the DRM Broker to try to validate the credential: validateCredentials(CertDRMBroker(KpubDRM2PKI), CertDRM1PKI(KpubDevice));
    17. PKIX and DRM interoperability
       ● Protocol
         5. The DRM Broker validates the requesting PKI credentials, and checks the credentials sent by the device, checking the issuer PKI. It resolves the location of this PKI (DRM1 PKI) and sends it a validation request: validateRequest(CertDRM1PKI(KpubDevice));
         6. DRM1 PKI receives the request and then validates it, returning an answer to the PKI Broker;
         7. PKI Broker receives the answer and sends the result to the requesting PKI (DRM2 PKI);
         8. DRM2 PKI receives the answer from the PKI Broker asserting that DRM1 Device can be trusted;
         9. DRM2 License Issuer generates the license and returns it to the DRM1 Device.
    18. PKIX and DRM interoperability
       ● Interoperable scenario (license production)
    19. Conclusions
       ● PKI is an important part of DRM (fulfils DRM requirements)
       ● Currently, most of the DRM solutions do not rely on already existing PKI services or vendors, implementing their own mechanisms, which leads to interoperability problems
       ● Two approaches for DRM interoperability based on PKI services
       ● An approach based on a broker is more viable
       ● DRM interoperability problems are not entirely solved by this: this is just the tip of the iceberg!!!
    20. Questions
       ● Thank you!
       ● Any questions?
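
The broker protocol of slides 15 to 17, modelled as an added example (not code from the presentation or its authors). HMAC tags stand in for X.509 signatures so that it runs with the standard library only; the names `PKI`, `PKIBroker`, `license_download`, `build_demo` and the per-PKI revocation set are assumptions made for illustration.

```python
import hashlib, hmac, os
class PKI:
    """A DRM system's "local" PKI. HMAC tags stand in for X.509 signatures (assumption)."""
    def __init__(self, name):
        self.name, self._key = name, os.urandom(32)
        self.revoked, self.broker, self.broker_cert = set(), None, None

    def issue(self, subject, pubkey):
        body = f"{self.name}|{subject}|{pubkey}".encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return {"issuer": self.name, "subject": subject, "pubkey": pubkey, "sig": tag}

    def validate_local(self, cert):
        # Step 6: only the issuing PKI can recompute the tag and consult its revocations.
        good = self.issue(cert["subject"], cert["pubkey"])["sig"]
        return (cert["issuer"] == self.name and cert["subject"] not in self.revoked
                and hmac.compare_digest(good, cert["sig"]))

    def validate(self, cert):
        # Steps 3-4: a credential issued by another PKI is handed to the broker.
        if cert["issuer"] == self.name:
            return self.validate_local(cert)
        return bool(self.broker) and self.broker.validate_credentials(self.broker_cert, cert)

class PKIBroker(PKI):
    def __init__(self):
        super().__init__("PKIBroker")
        self.registry = {}

    def register(self, pki):
        # Assumptions 7-9: a registered PKI receives CertDRMBroker(Kpub<PKI>).
        self.registry[pki.name] = pki
        pki.broker, pki.broker_cert = self, self.issue(pki.name, "Kpub" + pki.name)

    def validate_credentials(self, requester_cert, cert):
        # Step 5: authenticate the requesting PKI, then resolve the issuing PKI.
        issuer = self.registry.get(cert["issuer"])
        return (self.validate_local(requester_cert) and issuer is not None
                and issuer.validate_local(cert))  # steps 6-7: issuer answers, broker relays

def license_download(license_issuer_pki, content_id, device_cert):
    # Steps 2 and 8-9: a license is produced only for a validated credential.
    ok = license_issuer_pki.validate(device_cert)
    return {"contentID": content_id, "licensee": device_cert["subject"]} if ok else None

def build_demo():  # constructed sample: two registered PKIs and one unregistered
    broker, drm1, drm2, other = PKIBroker(), PKI("DRM1PKI"), PKI("DRM2PKI"), PKI("OtherPKI")
    broker.register(drm1); broker.register(drm2)
    return broker, drm1, drm2, other
```

Every "External" decision depends on the broker's registry and on the issuing PKI answering, so a credential from an unregistered PKI, an altered credential, or one the issuer has revoked yields no license.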

    + pontocompontocom, 3 years ago


    Presentation given in the IADIS conference - Teleco…
