Security Through DRM In Systems Ms. Shrija Madhu HOD, Assistant Proffesor Sri Guru Harkrishan College Of Management & Technology Patiala Punjab, 147003 (INDIA) Ph: +91-9815652263 e-mail : [email protected]

Ms. Ramandeep Kaur Lecturer Sri Guru Harkrishan College Management & Technology Patiala Punjab, 147003 (INDIA) Ph: +91-9888117337 e-mail: [email protected]

Security Through DRM In Systems ABSTRACT Digital Rights Management (DRM) is a technology that is being developed as a protection against the illegal distribution of copyrighted online material such as music or documents. DRM is a technology that lets rights holders safely distribute and sell their content online in a digital form. Different security mechanisms using DRM are introduced: EMMS by IBM Corp., Rights System by InterTrust Corp., Windows Media Rights Manager by Microsoft Corp., TPM by TCG and DReaM by Sun. Keywords: DRM, EMMS, DReaM, TPM, WMRM, TCG, NEMO, Octopus

1

INTRODUCTION: Digital Rights Management (DRM) involves the description, layering, analysis, evaluation, trading and monitoring of the rights over an enterprise’s assets; both in physical and digital form; and of tangible and intangible value. DRM covers the digital management of rights - be they rights in a physical manifestation of a work (eg a book), or be they rights in a digital manifestation of a work (eg an e-book). Current methods of managing, trading and protecting such assets are inefficient, proprietary, or else often require the information to be wrapped or embedded in a physical format. A key feature of managing online rights will be the substantial increase in re-use of digital material on the Web as well as the increased efficiency for physical material. The pervasive Internet is changing the nature of distribution of digital media from a passive one way flow (from Publisher to the End User) to a much more interactive cycle where creations are re-used, combined and extended and infinitum. At all stages, the Rights need to be managed and honoured with trusted services. Downloading encoded files has gained acceptance among Internet-savvy users because it provides immediate access to content and does not require a trip to a store or reliance on physical media, such as a CD or DVD. However, digital media content that is available for sale on the Internet is still limited, as content owners, artists, and publishers are concerned about protecting their copyrighted works from illegal use. Before owners of premium digital media content will offer their copyrighted works for sale or promotion, a secure E-commerce system that protects digital content from illegal use is needed. The purpose of this seminar paper is to bring forth the usage of DRM systems as major security measure for securing data and other content in transactions. The DRM Systems we are going to discuss in more detail are: WMRM by Microsoft Rights System by InterTrust EMMS by IBM TPM by TCG DReaM by Sun Digital Rights Management Systems WMRM by Microsoft Windows Media Rights Manager (WMRM) lets content providers deliver songs, videos, and other digital media content over the Internet in a protected, encrypted file format. Windows Media Rights Manager helps protect digital media (such as songs and videos) by packaging digital media files. A packaged media file contains a version of a media file that has been encrypted and locked with a "key." This packaged file is also bundled with additional information from the content provider. The result is a packaged media file that can only be played by a person who has obtained a license. The basic Windows Media Rights Manager process is as follows: 1. Packaging Windows Media Rights Manager packages the digital media file. The packaged media file has been encrypted and locked with a "key." This key is stored in an encrypted license, which is distributed separately. Other information is added to the media file, such as the URL where the license can be acquired. This packaged digital media file is saved in Windows Media Audio format (with a .wma file name extension) or Windows Media Video format (with a .wmv file name extension). 2

2. Distribution The packaged file can be placed on a Web site for download, placed on a media server for streaming, distributed on a CD, or e-mailed to consumers. Windows Media Rights Manager permits consumers to send copy-protected digital media files to their friends, as well. 3. Establishing a License Server The content provider chooses a license clearing house that stores the specific rights or rules of the license and implements the Windows Media Rights Manager license services. The role of the clearing house is to authenticate the consumer's request for a license. Digital media files and licenses are distributed and stored separately, making it easier to manage the entire system. 4. License Acquisition To play a packaged digital media file, the consumer must first acquire a license key to unlock the file. The process of acquiring a license begins automatically when the consumer attempts to acquire the protected content, acquires a predelivered license, or plays the file for the first time. Windows Media Rights Manager either sends the consumer to a registration page where information is requested or payment is required, or "silently" retrieves a license from a clearing house. 5. Playing the Media File To play the digital media file, the consumer needs a media player that supports Windows Media Rights Manager. The consumer can then play the digital media file according to the rules or rights that are included in the license. Licenses can have different rights, such as start times and dates, duration, and counted operations. For instance, default rights may allow the consumer to play the digital media file on a specific computer and copy the file to a portable device. Licenses, however, are not transferable. If a consumer sends a packaged digital media file to a friend, this friend must acquire his or her own license to play the file. This PC-by-PC licensing scheme ensures that the packaged digital media file can only be played by the computer that has been granted the license key for that file. Rights System by InterTrust InterTrust Technologies Corporation is a leading provider of digital rights management (DRM). InterTrust has developed a general purpose DRM platform that serves as a foundation for providers of digital information, technology, and commerce services to participate in a global system for digital commerce. Its product is called Rights System. It is a general-purpose DRM platform that spans multiple devices and operating systems. InterTrust licenses its DRM platform as software and tools to partners. Collectively, these partners will offer digital commerce services and applications that form a global commerce system branded the "MetaTrust Utility."

Services Provided By Right System Management of web services: Protecting and managing digital applications and content wherever they travel, reside, or are used. Executable software integrity: Enabling an operating system to authenticate software components and allowing them to run based on adherence to integrity and reliability rules. Credentials/driver signing: Enabling platform operating systems to authenticate the integrity of executables, such as device driver software to ensure proper driver behavior. Supply chain management through independent delivery of rules: Allowing enterprises to implement and enforce rules, or policies, relating to digital information access and use across widely distributed computing environments; allowing enterprises to change policies for already delivered digital information by delivering new policies; enabling secure peer-to-peer and pass-along sharing of information among users in accordance with specified policies. 3

Managing media content or enterprise information: Enabling companies or content publishers to implement and enforce usage policies wherever content, company information, or applications travel - both inside and across firewalls and virtual private networks. Enterprise-to-enterprise transactions: Enabling companies to automate enterprise transactions according to enterprise policies, including the authorization, purchasing, auditing, reporting, and clearing of supplies and inventory. Compliance: Secure, automated auditing and reporting of transaction or use data that is based on enterprise policies and regulatory compliance requirements. Portability of rules: Allowing users to loan or move content to other users or other machines enabling for example enterprise portals allowing employees to acquire access rights to use enterprise information at multiple locations. Nested policies within a single item: Allowing users to associate multiple rule sets with different portions of information, such as a medical record having certain portions editable by a doctor, and different portions editable by administrators. Silicon protective measures: Technologies for hardware security tamper resistance as an integrated component of a distributed trusted computing network. Currently two reference enviornment are used by InterTrust: NEMO Octopus NEMO NEMO, or Networked Environment for Media Orchestration, is InterTrust's reference technology environment for interoperability between different DRM systems. As people build diverse proprietary DRM functionality into devices and services, the problem of transferring content from one to the other becomes significant. DRM systems are typically very protective of their content, and resist transferring that content to other DRM systems. Traditional approaches to DRM interoperability have either required universal use of the same DRM system or for DRM systems to be connected to each other in a bilateral agreement. The former eliminates freedom of choice and creates dependencies on a single platform that can limit device and service performance. The latter does not scale and again limits the market to a small number of options. NEMO resolves the issue of incompatible DRM technologies by leveraging service-oriented architectures (SOAs) to create a secure medium through which DRM systems can communicate dynamically. In this sense, NEMO is to DRM systems what TCP/IP is to computers – a way of networking processors to exchange information. Of course, with DRM systems, secure networking is essential, and NEMO offers ways to achieve this. Using SOAs, NEMO provides proprietary DRM services with a way in which to communicate and request each other's operations, without needing to know anything about the proprietary workings of the services. Octopus Octopus is a toolkit for building DRM engines. In a market where true DRM interoperability is present, people will be free to build their own DRM systems for a given application. Unlike traditional DRM technologies, it is, by design, an open specification for enabling implementers to DRM-enhance their systems, applications, and devices without giving up control of their platforms. By being an open specification rather than a black-box implementation, Octopus leaves the choice of cryptography, operating system, software vendor, implementation, and business model in the hands of the adopters. Octopus is made up of a simple and powerful architecture consisting of basic building blocks. These basic building blocks provide ways of protecting digital content, 4

expressing usage rules for the content, evaluating usage rules, and binding content, encryption and usage rules with a variety of models. When combined with other technologies (i.e., cryptographic ciphers, multimedia file formats and codecs, application user interfaces, and web services) developers can design and implement complete DRM systems rapidly. Octopus initially targets the protection and consumption of digital multimedia, but can be used for any type of digital content. Octopus was designed to be implemented in systems as small as smartcards and as large as enterprise servers that power e-commerce back-end systems. Octopus runs on a variety of different operating systems and a wide range of hardware platforms. EMMS by IBM IBM has developed a DRM platform, entitled Electronic Media Management System (EMMS), which provides extensive functionality to content owners, distributors and consumers. EMMS is really a set of components which can be mixed and matched to make up a full DRM solution to suit a particular environment or application. By creating the software as a set of components, which interact with each other, IBM has provided content owners, businesses, retailers and consumers with a group of solutions to meet their digital distribution and consumption needs. The components of the EMMS suite comprise the following modules: Content Preparation – enables content owners to encode their content (using encryption techniques), set the rules under which it can be accessed and distribute it, either directly to consumers or through distribution partners. Peer-to-peer distribution is also enabled. Content Mastering – enables music content owners to enforce rights, which can be flexibly set. The software enables compression of the source material, which can be economically batch handled, and the inclusion of metadata. Content can be either streamed or downloaded. Web Commerce Enabler – enables the integration DRM based services into web applications, including the presentation of metadata in user-friendly form. Enables tracking, rule based usage to provide for rich business models. Clearinghouse program – enables the logging and reporting of all licensing transactions based on secure encryption and enforcement of rules. Content Hosting Service – enables the secure hosting of prepared content. Content is distributed on request from a customer and reports back to the rights controller. Multi-device server – enables the distribution of secured content to intelligent devices, such as kiosks. The software converts content into the format appropriate to the requesting device. The software is capable of delivering secure content to the wireless environment. Client software development kit – enables software developers and device manufacturers to create client software specific to user environments and devices can be used in peer to peer client environments without risk of content being released from secure environment. TPM by TCG The Trusted Computing Group (TCG) has developed a comprehensive model for such trusted devices should function. The Group has produced specifications for architecture as well as a set of software functions and programming interfaces that can work for a wide range of computing platforms. According to the TCG, trust is "...the expectation that a device will behave in a particular manner for a specific purpose.” To qualify as a trusted platform, a system should provide at least three basic features: protected capabilities, integrity measurement and integrity reporting. These same three features are fundamental to digital rights management 5

(DRM) in an embedded system. For maximum security, the functions should be performed as part of the boot process -- because it is during boot-up that rogue software can most readily hijack control and compromise system integrity. In embedded devices that receive content over a network, such malicious software could be masked as a firmware upgrade, downloaded from any number of sources and installed, then take over the next time the system boots. To prevent such hijacking, devices should be built with the capability to self-check new software coming into the system. The device needs to verify that software originates with a known, secure source, bears an authentic certificate, and has a valid digital signature. In addition to this real-time download check, every time the device powers on a secure boot process should reconfirm the integrity of all new software. Functionally, this confirmation process begins with protected ROM, which is known to be secure .The process then incrementally validates each flash firmware image using their digital signatures. Once the confirmation is done and all is clear, the operating system loader can engage and the boot process proceeds as normal. Implementing this process requires a combination of hardware and software. On-chip, tamper-proof secure storage holds all crypto keys needed in the validation process, following the model of the TCG's Trusted Platform Module (TPM). Unfortunately, the TPM as presently defined is not ideal for embedded systems with their constraints on size, power, and processing capability. For embedded devices, an optimized Trusted Platform Module (TPM) derivative is ideal, providing the same functionality as a conventional TPM but embedded in silicon, eliminating board real estate consumption, reducing power, and providing a higher level of security because it is embedded and hidden in hardware. Such optimized modules are available from companies like Intel, which offers the Intel Wireless Trusted Platform, supported with software from companies like Certicom, which offers its Security Architecture code. The verification software behaves in an embedded TPM varies with the type of operating system in use. In a complex but not fully open embedded device (e.g. a realtime operating system, RTOS) an Authentication Entity or Trust Agent application that is stored with the secure boot code manages firmware verification and software updates. In an open application environment such as Windows CE, Symbian, or Linux, the authenticator may need to be part of the kernel, helping manage restricted access to kernel resources that are typically controlled by user privilege levels. The optimum implementation for a given module ultimately depends on the level of security desired and the magnitude of the threat faced. DReaM by Sun Sun Microsystems has launched an ambitious community project aimed at building a universal system of digital rights management based on "open source" software. The company has seeded its Open Media Commons (OMC) initiative by releasing Sun Labs Project DReaM (DRM/everywhere available) software under the CDDL (Common Development and Distribution License). Project DReaM software released and slated for release includes: DRM-Opera -- A DRM architecture implementing standardized interfaces and processes for the interoperability of DRM systems, independent of hardware, OS, and media formats.

6

Java Stream Assembly -- A cross-vendor plug-in architecture for broadcast, and ondemand media servers, JSA will be based on the Java Stream Assembly,, and licensed under the CDDL. Sun Streaming Server (SSS) -- Based on obsequium a GPL-licensed software packaged targeting distributed radio stations. Obsequium supports multicast protocols including RTP and RTSP (which can be used with the Zinf player), as well as normal icecast streams. Sun says SSS complies with specifications defined by the 3GPP (ThirdGeneration Partner Program), an industry group promoting GSM/GPRS mobile phone interoperability, and ISMA (Internet Streaming Media Alliance), a group promoting Internet radio and TV. CONCLUSION Security provision through DRM systems is a common trend nowadays. Although various security techniques are being used by DRM systems and being researched for use in DRM systems, there seems to be little research into evaluating the security of an entire DRM system. As security of the individual components of a system does not guarantee security of the system as a whole, this means that currently it is hard to understand what level of security is offered by a DRM system. The issue is not solvable, i.e. there is not one definite technical solution that satisfies all security needs - amongst other reasons, the contexts in which DRM systems operate varies too greatly. Therefore, it is crucial to understand the security a DRM system offers. Unfortunately, current evaluation methods are ill-equipped to produce consistent and reciprocally comparable evaluations of DRM systems. Therefore, more research into this topic is needed. Only good point in using DRM is that we are on the right track. REFERENCES [1] H.L. Jonker. Security of Digital Rights Management systems. Master's thesis, Technische Universiteit Eindhoven, August 2004. [2] H.L. Jonker, S. Mauw, J.H.S. Verschuren:SECURITY ASPECTS OF DRM SYSTEMS [3]CERT. http://www.cert.org/octave/. [4] TNO ITSEF. http://www.commoncriteria.nl/. [5] B. Schneier. http://www.schneier.com/paper-attacktrees-ddj-ft.html. [6] W. Shapiro and R. Vingralek. How to manage persistent state in DRM systems.In Digital Rights Management Workshop, pages 176{191, 2001.

7

8