Mobile DRM in Ubiquitous Environments

© 2005 ORGA Systems | All rights reserved | www.orga-systems.com

ORGA Systems We know how.

Dr. Stephan Flake Research & Development


Creation/Revision Date: 23.03.2005

Stephan Flake, Matthias Runowski, Jürgen Tacken
ORGA Systems enabling services GmbH

- Motivation
- OMA DRM Version 2.0
- Mobile DRM Approach
- Conclusion and Outlook

9. Deutscher IT-Sicherheitskongress, Bonn-Bad Godesberg, 10.05.2005

Content Protection in Mobile Networks

1. High bandwidth cellular networks
2. Mobile devices with large screens
=> Enable downloading and streaming of high value media

Essential Content Protection Requirement (Provider View): Enhanced Security and Trust Management
1. Enhanced security to prevent unauthorized access
2. Target device must be trusted for keeping secrets safe

=> Mobile Digital Rights Management, i.e.: secured access to high value media through wireless networks at arbitrary locations

Ubiquitous Environments and DRM

“Ubiquitous Computing” Vision (M. Weiser, 1993): Ubiquitous computing has as its goal the enhancing computer use by making many computers available throughout the physical environment, but making them effectively invisible to the user.

Mobile DRM in Ubiquitous Environments

Essential DRM Requirement (Consumer View): Allow using any appropriate target device for the consumption of protected high value media


DRM Standard of the Open Mobile Alliance

- OMA DRM Version 1.0 for protection of “light” media content
  - Three kinds of content protection:
    - Forward Lock prevents content from leaving device
    - Combined Delivery of encrypted content and right
    - Separate Delivery of encrypted content and right
  - Official specification in September 2002
- OMA DRM 1.0 lacks mechanisms for, e.g.,
  - secure delivery of rights
  - authentication of devices and rights issuers
  - revocation of devices/DRM agents/Rights Issuers
- Draft OMA DRM Version 2.0, December 2004

Important Notions

DRM Agent
- A trusted entity in a device responsible for
  - enforcing permissions and constraints associated with DRM Content,
  - controlling access to DRM Content, etc.
- Must have a public/private key pair and a certificate.

Rights Object (RO)
- An XML document expressing permissions and constraints associated with a piece of DRM Content
- DRM Content can only be used with an associated Rights Object and only as specified by that Rights Object

OMA DRM Version 2.0 (still draft)

New Security and Trust Enabling Elements
- Public/private key encryption for protecting symmetric keys (the latter are used to encrypt content)
- Digital signatures for ensuring integrity of content, rights, and exchanged messages
- Authentication protocols for registration and rights acquisition

New Features (Consumer View)
- Domains: Sharing rights among multiple end devices
- Unconnected devices: Use of intermediary device + ROAP protocol
- Preview functionality: Optionally offered by content providers
- Export to other copy protection schemes: Centralized approach over RI

OMA DRM 2.0 Content Provider View

Enhanced Security
- Individually encrypted rights objects using public keys of end devices
- Integrity protection for content, rights objects, and ROAP messages

Trust Mechanisms
- Mutual Authentication between end devices and Rights Issuers
- Revocation
  - Rights Issuer can check device revocation status
  - Devices can check Rights Issuer revocation status

OMA DRM Content Usage Application Flow [Buhse, 02/2004]

Figure (flow diagram). Actors: Content Provider, Rights Issuer, Domain of user devices, Other user’s device.
1. Browse to website and download protected content
2. Transfer Content Encryption key
3. Purchase right and establish trust
4. Deliver protected rights object
5. Super-distribute content to a friend
6. Establish trust; purchase and deliver rights object
Within the domain of user devices: Share content within your domain

Finding: OMA DRM Domain Concept not appropriate for application in Ubiquitous Environments


Proposed Mobile DRM Approach

End-to-end realization of OMA DRM 2.0
Extensions and adjustments:
- Server-Side Components: Protocols to securely exchange rights and related information
- Client-Side Components: User Interaction, e.g., provide selection among different usage options and charges
- Charging
  - Prices are essential information when purchasing rights => combine with OMA DRM Rights Expression Language
  - Extension of ROAP protocols: billing information sent to a clearing house

Proposed Mobile DRM Approach (cont’d)

End-to-end realization of OMA DRM 2.0
Extensions and adjustments:
- Apply target devices with secure hardware: Mobile phones with (U)SIM card
  => already widely in use,
  => easy to adopt for mobile DRM,
  => allows billing to be integrated easily
- Distributed DRM Agent Functionality
  - DRM Secure Device Agent: obtained rights are always kept on mobile phones
  - DRM Consumer Agents: other end devices request decryption keys, but must not distribute decryption key/decrypted content

Mobile DRM Architecture

Figure (deployment diagram).
Parties: Content Provider, Rights Issuer, Certification Authority, Mobile Network Operator
Components: Content Management, Rights Management, Certification Management, Web Server, Communication Management, Billing, File System
Devices: «device» Client Device, «device» Secure Mobile Device
Executables: «executable» Browser, «executable» DRM SD Agent, «executable» DRM CNS Agent
Interfaces: I_CA, I_DRM_RM, I_DRM_RI, I_DRM_CNT, I_KT, I_DRM_RAQ

Proposed Mobile DRM Approach (cont’d)

Mutual authentication among DRM SD Agent and Consumer Agent
- Re-use OMA DRM 2.0 elements (ROAP, OMA REL) where possible
- Definition of 2-pass key acquisition protocol

2-pass key acquisition protocol between DRM CNS Agent and DRM SD Agent:
1. Key Request (DRM CNS Agent -> DRM SD Agent)
   Request Parameters: Device ID, Device Nonce, Request Time, Context, Permission, Certificate Chain, Signature
2. Key Response (DRM SD Agent -> DRM CNS Agent)
   Response Parameters: Status, Device ID, Device Nonce, Certificate Chain, Protected CEK, Signature
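
The 2-pass key acquisition exchange above, as an added Python example that is not from the slides or from the authors' implementation: the DRM SD Agent checks signature, Request Time freshness, nonce replay and the requested permission, and the DRM CNS Agent accepts only a response bound to its own request. Assumptions: HMAC-SHA256 with a pre-shared demo key stands in for the certificate-based signatures, the Certificate Chain is omitted, the Protected CEK is an opaque constructed blob, Context is taken to identify the content, and the status strings and the 60-second window are hypothetical.

```python
import hashlib, hmac, json, os, time
# Assumptions (not from the slides): HMAC with a demo key replaces certificate
# signatures; status names and MAX_SKEW are hypothetical; CEK blob is opaque.
DEMO_KEY = b"constructed-demo-key"
MAX_SKEW = 60  # seconds a Request Time may differ from the SD Agent's clock

def sign(fields):
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()

def verify(msg):
    fields = {k: v for k, v in msg.items() if k != "signature"}
    return hmac.compare_digest(sign(fields), msg.get("signature", ""))

def key_request(device_id, context, permission, now=None):
    """DRM CNS Agent: build pass 1 (Key Request) with a fresh nonce."""
    req = {"device_id": device_id, "device_nonce": os.urandom(16).hex(),
           "request_time": int(time.time() if now is None else now),
           "context": context, "permission": permission}
    return {**req, "signature": sign(req)}

class SDAgent:  # DRM SD Agent: keeps the rights, answers with pass 2
    def __init__(self, rights):
        self.rights = rights  # {(context, permission): protected CEK blob}
        self.seen = set()     # (device_id, nonce) pairs already answered

    def key_response(self, req, now=None):
        now = time.time() if now is None else now
        status, cek = "Success", None
        replay = (req.get("device_id"), req.get("device_nonce"))
        if not verify(req):
            status = "SignatureError"
        elif abs(now - req["request_time"]) > MAX_SKEW:
            status = "RequestTimeOutOfRange"
        elif replay in self.seen:
            status = "Replay"
        elif (req["context"], req["permission"]) not in self.rights:
            status = "NoRights"
        else:
            self.seen.add(replay)
            cek = self.rights[(req["context"], req["permission"])]
        resp = {"status": status, "device_id": req.get("device_id"),
                "device_nonce": req.get("device_nonce"), "protected_cek": cek}
        return {**resp, "signature": sign(resp)}

def accept_response(req, resp):
    """DRM CNS Agent: accept only a signed Success that echoes this request."""
    return (verify(resp) and resp["status"] == "Success"
            and resp["device_id"] == req["device_id"]
            and resp["device_nonce"] == req["device_nonce"])
```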


Conclusion and Outlook

- Extension of OMA DRM Version 2.0 for ubiquitous environments
- Proof-of-Concept Implementation for our Mobile DRM approach
  - Consider new Java APIs for Mobile Phones and Java Cards (MIDP 2.0, JCRMI, JSR 177)
  - Explore different communication channels (e.g., IrDA, Bluetooth) to connect mobile phones and various end devices
- Integration of enhanced PKI and trust solutions
  - Establish trust among DRM agents even in “disconnected mode” (i.e., when no online Certification Authority is accessible)

Thank You for Your Attention!

Acknowledgement: IST FP6 Project http://www.ubisec.org

ORGA Systems
Am Hoppenhof 33
33104 Paderborn
Tel: +49 (0) 52 51 889-0
Fax: +49 (0) 52 51 889-3707
www.orga-systems.com