Secure License Management
Management of digital object licenses in a DRM environment
*Carlos Serrão, *Miguel Dias and **Jaime Delgado
carlos.serrao, miguel.dias {@iscte.pt}, jaime.delgado@ac.upc.edu
*ISCTE/DCTI/ADETTI **UPC/AC/DMAG
Lisboa, Portugal Barcelona, Spain

Summary
Digital Rights Management

What is DRM?

Rights, Rights Expression, Rights Expression Languages

Licenses

Licenses typology

Secure License Management

SLM Use-case

Conclusions and Future work


DRM concepts
DRM involves the:

description, layering, analysis, valuation, trading and monitoring of

rights over an individual or organization's assets, in digital format;
DRM is:

the chain of hardware and software services and technologies

governing the authorized use of digital objects and managing any
consequences of that use throughout the entire life cycle of the
object.

DRM concepts
DRM is not (only) Copy-Protection

DRM is used to manage and enforce rights

Copy-protection is used to prevent unauthorised copies

Actual commercial DRM (such as WMRM or Fairplay use

both) to (try) to be more effective

DRM concepts
Modern DRM involves several security technologies, such

as:
Public-key cryptography

Secret-key cryptography

Digital signatures

Digital certificates

... and others.


All this keying material should be properly managed, to

avoid security breaches...
... and this brings us to Key Management.


Key Management
What is Key Management?

Key Management is the set of techniques and procedures

supporting the establishment and maintenance of keying
relationships between authorized parties.
Key Management encompasses techniques and procedures

supporting:
Initialization of system users within a domain;

Generation, distribution and installation of keying material;

Controlling the use of keying material;

Update, revocation and destruction of keying material;

Storage, backup/recovery and archival of keying material.


Key Management in DRM
Key Management and DRM

DRM uses keying material in several situations:

Entities (content providers, users, ...) registration and management

Software applications and components registration and management

Content security

Rights management and enforcement (licenses)



Rights, RM and REL
Rights

[...] a right is the legal or moral entitlement to do or refrain

from doing something or to obtain or refrain from obtaining an
action, thing or recognition in civil society [...]
[...] Rights serve as rules of interaction between people, and, as

such, they place constraints and obligations upon the actions of
individuals or groups [...]
Rights management

The ability to manage rights


Rights, RM and REL
Rights Expression Languages (REL)

Allow the expression of copyright

Allow the expression of contracts or license agreements

Allow to control over access and/or use

Mostly used to express DRM-governed content licenses

Licenses express how a governed-content can be used

Expressed in a specific format/notation (XML, Text,Graff theory,...)

XrML and ODRL are two of the most used

May contain protected keying material information to be used with the

protected digital content

Licenses
Depending on the DRM scenario and implementation

licenses can be used or not
This gives 6 different scenarios:

Licenses are used in DRM

License contains CEK

License is inside digital content

License is outside the digital content

License don't have CEK

License is inside digital content

License is outside the digital content

Licenses are not used in DRM

CEK is inside digital content

CEK is not inside the digital content


License Typology

Licenses and DRM
Typical license format:

License = SignLicenseIssuer [UserID,DeviceID,DomainID,ContentID,

Rights, Restrictions, CipherUserPKey{CEK}, Validity,...]
The License is signed by the License Issuer to prevent the license

modification and tampering
The Content Encryption Keys (CEK) are ciphered with the

recipient Public-key – it could even be the combination of
multiple keys (user,device, domain) – depends on implementation

Licenses and DRM
Two basic processes involved:

License definition and creation

License download and enforcement


Secure License Key Management

Use-case/Scenario
Licenses are used in DRM

License contains CEK

License is outside the digital content


License definition

License creation

License download and enforcement

Conclusions and Future Work
The goal of the work was to analyse how the different

existing DRM solutions handle and manage rights
The different typical rights management scenarios were

identified (license management)
Establish a common generic model for secure license

management (fitting to the requirements of the different
platforms)
A scenario was choose and instanciated on the model

This global license management model, will allow

interoperability at this level, between different DRM
solutions
Future: instanciate the remaining scenarios on the model.


Questions
Thank you...

Any question?
