Digital Rights Management in a 3G Mobile Phone and Beyond
Thomas S. Messerges, Ezzat A. Dabbish
Motorola Labs
Shin Seung Uk
Introduction
DRM Concepts and Strategies
Our DRM System
◦ DRM Manager
◦ Trusted Application Agents
◦ Security Agent
◦ DRM Credential
Security Issues
Family Domain
Example Use Cases
Conclusion
Contents
3G mobile phone
◦ High communication rates
  144K ~ 2Mbps
◦ Personal Area Networking capability
  P2P sharing of digital items over short-range networks
◦ High Internet Connectivity
Losses from piracy
Digital Rights Management (DRM) will be an important component for future mobile phones
Introduction
License File
◦ Metadata
◦ Usage Rules
◦ Encrypted Key
◦ Hash
◦ Signature
Protected Content File
◦ Encrypted Content
  With key in license file
DRM System
◦ Rendering Software
◦ DRM Services
DRM Concepts and Strategies - Overview of trusted DRM System
DRM Concepts and Strategies - Open Mobile Alliance DRM
[Figure: OMA DRM protected Rights Object (RO). Labels: MAC of RO; Protected RO; RO; Rights; Content Encryption Key (CEK); Permission; Digest of Content; Content ID; Digital Signature of Rights (optional); Right Encryption Key (REK) and MAC Key; Decrypt]
How to interface the DRM and security S/W with the phone’s OS and applications
◦ Two approaches of Schneck’s paper
  Replace the I/O elements of OS with new modules
  Hyperadvisor
Our approach
◦ The OS is extended to support DRM functionality
◦ Access these extended system services through API
Our DRM System
Authenticate Licenses and Content
◦ Before using protected digital content
◦ Need to verify the integrity and authenticity of the license file
  Computation of hash in the license file
  Verifying the signature of the license
Enforce Rights
◦ Application can ask the DRM manager
  To do actions like play, display, copy
  Actions can be associated with 3 fundamental types of rights
    Render rights, Transport rights, Derivative work rights
◦ Some additional events
  Need to use a secure database to track events
◦ Rights to an action are assigned to a device
Decrypt Content
Our DRM System - DRM Manager
Access and manipulate decrypted content
Rendering Agents
◦ Provide application to render the protected content
◦ Provide the low-level driver
  Convert the digital data
◦ The execution of a DRM-protected software application is categorized as a rendering operation
Transport Agents
◦ Provide services that move content from one location to another
◦ The establishment of a Secure Authenticated Channel (SAC) with help of security agent
Derivative Work Agents
◦ Used to extract and transform protected content into a different form
◦ Installation of DRM-protected software or data
Our DRM System - Trusted Application Agents
Memory and file management
◦ Access-controlled file system
  Store decrypted digital content
  Store a secure database
  Encrypted private keys and data
◦ Memory separation system
  Configure a hardware monitor to define available memory area to task
◦ Secure memory system
  Prevent critical data from leaking out of the system
  Linked to tamper detection circuitry
Cryptographic operations
◦ Symmetric key
◦ Hash
◦ Public key
Key/Certificate manager
◦ Securely handling a database of the phone’s credentials (keys, certificates, ID)
Our DRM System - Security Agents
Serial number
◦ Unchangeable number that identifies the phone
Model number
◦ Number that identifies HW and SW version
Root key
◦ Check the authenticity and integrity of the credentials
Private keys and Certificates
◦ KuPri and UniCert
  Used for establishing a Secure Authenticated Channel (SAC) to a phone
◦ KdPri and DRMCert
  Used for assigning content to a device
  Content encryption key is encrypted with KdPub and decrypted with KdPri
Our DRM System - DRM Credentials
License
◦ Four essential items
  A hash value that links the license to the digital item
  The rights allowed for that digital item
  A key to decrypt the digital item
  A signature of the license
Integrity and Authenticity
◦ Established through a Public-Key Infrastructure (PKI) or a shared secret
Rights Enforcement
◦ DRM manager needs to parse the license file and recognize rights expressions
◦ DRM manager needs to be able to recognize the version of the license file
Content Protection
Privacy Issues
◦ User information and identity in a license must not be disclosed without the consent of the user
Security Issues
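The license checks listed on the DRM Manager and Security Issues slides, as an added example that is not code from the slides or from the authors' system. It uses the shared-secret option (HMAC-SHA256) rather than a PKI signature, and the JSON layout, field names and sample values are assumptions made for illustration; content decryption is left out.

```python
import hashlib
import hmac
import json

# Constructed sample values; none of these come from the slides.
SHARED_SECRET = b"constructed-demo-secret"
CONTENT = b"constructed protected content bytes"

def _mac(body, secret):
    # Canonical JSON so issuer and device authenticate identical bytes.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, canon, hashlib.sha256).hexdigest()

def issue_license(content, rights, secret):
    """Build a license holding the four essential items (hypothetical layout)."""
    body = {
        "version": 1,
        "content_hash": hashlib.sha256(content).hexdigest(),
        "rights": sorted(rights),
        "encrypted_key": "placeholder-wrapped-key",  # key wrapping not shown
    }
    return {"body": body, "signature": _mac(body, secret)}

def authorize(lic, content, action, secret):
    """Return (allowed, reason); any failed or malformed check denies."""
    try:
        body, sig = lic["body"], lic["signature"]
        # Recognize the license version before interpreting its fields.
        if body["version"] != 1:
            return False, "unsupported license version"
        # 1. Integrity and authenticity of the license itself.
        if not hmac.compare_digest(_mac(body, secret), str(sig)):
            return False, "bad license signature"
        # 2. The hash must link this license to this digital item.
        actual = hashlib.sha256(content).hexdigest()
        if not hmac.compare_digest(actual, str(body["content_hash"])):
            return False, "content does not match license"
        # 3. Rights enforcement: the requested action must be granted.
        if action not in body["rights"]:
            return False, "action not granted"
    except (KeyError, TypeError):
        return False, "malformed license"
    return True, "ok"
```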
Consumers wish to use content on any of their devices
Suitable for devices with limited or no networking capability
◦ Device only needs to register with DA once and can access all the content in a domain with domain private key
Family Domain
Example Use Cases
Our proposed DRM framework is also applicable to other devices
◦ PDA, set-top box, automobile, or a PC
Family domain concepts could make content more seamlessly shared amongst all devices
Conclusion