ebook img

Digital Rights Management for Personal - Department of Mathematics PDF

262 Pages·2008·6.56 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Digital Rights Management for Personal - Department of Mathematics

Digital Rights Management for Personal Networks Imad Mahmoud Aref Abbadi Technical Report RHUL–MA–2008–17 4 June 2008 Department of Mathematics Royal Holloway, University of London Egham, Surrey TW20 0EX, England http://www.rhul.ac.uk/mathematics/techreports Royal Holloway University of London Digital Rights Management for Personal Networks by Imad Mahmoud Aref Abbadi Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Royal Holloway, University of London 2008 Declaration These doctoral studies were conducted under the supervision of Prof. Chris Mitchell. The work presented in this thesis is the result of original research carried out by myself, in collaboration with others, whilst enrolled in the Information Security Group as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Imad Mahmoud Aref Abbadi 2 Jun 2008 2 Abstract The thesis is concerned with Digital Rights Management (DRM), and in particu- lar with DRM for networks of devices owned by a single individual. This thesis focuses on the problem of preventing illegal copying of digital assets without jeopardising the right of legitimate licence holders to transfer content between their own devices, which collectively make up what we refer to as an authorised domain. An ideal list of DRM requirements is specified, which takes into account the points of view of users, content providers and copyright law. An approach is then developed for assessing DRM systems based on the defined DRM require- ments; the most widely discussed DRM schemes are then analysed and assessed, where the main focus is on schemes which address the concept of an authorised domain. Based on this analysis we isolate the issues underlying the content piracy problem, and then provide a generic framework for a DRM system ad- dressing the identified content piracy issues. The defined generic framework has been designed to avoid the weaknesses found in other schemes. The main contributions of this thesis include developing four new approaches that can be used to implement the proposed generic framework for managing an authorised domain. The four novel solutions all involve secure means for cre- ating, managing and using a secure domain, which consists of all devices owned by a single owner. The schemes allow secure content sharing between devices in a domain, and prevent the illegal copying of content to devices outside the domain. In addition, each solution incorporates a method for binding a domain to a single owner, ensuring that only a single consumer owns and manages a domain. This enables binding of content licences to a single owner, thereby limiting illicit content proliferation. In the first solution, domain owners are authenticated using two-factor authenti- cation, which involves “something the domain owner has”, i.e. a master control device that controls and manages consumers domains, and binds devices joining a domain to itself, and “something the domain owner is or knows”, i.e. a bio- metric or password/PIN authentication mechanism that is implemented by the master control device. In the second solution, domain owners are authenticated using their payment cards, building on existing electronic payment systems by ensuring that the name and the date of birth of a domain creator are the same for all devices joining a domain. In addition, this solution helps to protect con- sumers’ privacy; unlike in existing electronic payment systems, payment card details are not exposed to third parties. The third solution involves the use of a domain-specific mobile phone and the mobile phone network operator to 3 authenticate a domain owner before devices can join a domain. The fourth so- lution involves the use of location-based services, ensuring that devices joining a consumer domain are located in physical proximity to the addresses registered for this domain. This restricts domain membership to devices in predefined geo- graphical locations, helping to ensure that a single consumer owns and manages each domain. 4 Acknowledgements I would like to thank my supervisor Prof. Chris Mitchell for his supervision, help, support, and encouragement. I am grateful to Prof. Ahmad-Reza Sadeghi, Dr. Jason Crampton and Prof. Peter Wild for their useful discussion and comments. I would also like to thank Associated Newspapers for partially funding my re- search, and providing me with all the required resources, flexible working pat- terns, and time off to study that has enabled me to have a full time job and simultaneously complete a research degree. I would like to thank my parents, who have always encouraged and supported me. Finally, I want to thank my wife for her support and patience throughout the time I have worked on this thesis, as it would have been impossible, without her help, to have a family, a full time job, and engage in full time study at the same time. 5 Contents 1 Introduction 18 1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 1.2 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 1.3 Organisation of the Thesis . . . . . . . . . . . . . . . . . . . . . . 21 2 Security Services and Mechanisms 23 2.1 Security Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 2.2 Security Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 2.3 Security Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . 25 2.3.1 Cryptographic Hash Function . . . . . . . . . . . . . . . . 25 2.3.2 Symmetric Cryptography . . . . . . . . . . . . . . . . . . 26 2.3.3 Asymmetric Cryptography . . . . . . . . . . . . . . . . . 27 2.3.4 Nonces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 2.3.5 Process Isolation . . . . . . . . . . . . . . . . . . . . . . . 29 2.4 Public Key Infrastructures . . . . . . . . . . . . . . . . . . . . . . 29 3 Trusted Computing and DRM 31 3.1 The Importance of Trusted Computing . . . . . . . . . . . . . . . 32 3.2 Trusted Computing and DRM . . . . . . . . . . . . . . . . . . . . 33 3.3 Trusted Computing Group . . . . . . . . . . . . . . . . . . . . . . 34 3.4 Trusted Platform Module . . . . . . . . . . . . . . . . . . . . . . 35 6 CONTENTS 3.5 Establishment of Trust . . . . . . . . . . . . . . . . . . . . . . . . 38 3.6 Roots of Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 3.7 Integrity Reporting and Verification . . . . . . . . . . . . . . . . 40 3.8 Challenges in TCG Specifications . . . . . . . . . . . . . . . . . . 42 3.9 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 4 Fundamentals of Digital Rights Management 45 4.1 What is DRM? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 4.2 DRM Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 4.3 DRM Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 4.4 Rights Expression Languages . . . . . . . . . . . . . . . . . . . . 51 4.5 DRM System Requirements . . . . . . . . . . . . . . . . . . . . . 52 4.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 5 Authorised Domain Content Protection Systems 57 5.1 Analysis of Existing Schemes . . . . . . . . . . . . . . . . . . . . 58 5.1.1 OMA DRM . . . . . . . . . . . . . . . . . . . . . . . . . . 58 5.1.2 eXtensible Content Protection (xCP) . . . . . . . . . . . . 63 5.1.3 SmartRight . . . . . . . . . . . . . . . . . . . . . . . . . . 67 5.1.4 Apple Fairplay . . . . . . . . . . . . . . . . . . . . . . . . 73 5.1.5 DRM in a 3G Mobile Phone and Beyond . . . . . . . . . 77 5.1.6 DRM Security Architecture for Home Networks . . . . . . 81 5.2 Content Piracy Problem Definition . . . . . . . . . . . . . . . . . 87 5.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 6 Authorised Domain Management Framework 91 6.1 Authorised Domain Concept . . . . . . . . . . . . . . . . . . . . . 92 6.2 Domain Device Requirements . . . . . . . . . . . . . . . . . . . . 93 6.3 Using TCG-conformant Devices . . . . . . . . . . . . . . . . . . . 96 7 CONTENTS 6.4 Role Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 6.5 General Framework . . . . . . . . . . . . . . . . . . . . . . . . . . 101 6.5.1 Domain Establishment . . . . . . . . . . . . . . . . . . . . 102 6.5.2 Adding a Device to a Domain . . . . . . . . . . . . . . . . 102 6.5.3 Removing a Device from a Domain . . . . . . . . . . . . . 103 6.5.4 Exchanging Content . . . . . . . . . . . . . . . . . . . . . 104 6.5.5 Backup and Recovery . . . . . . . . . . . . . . . . . . . . 107 6.6 Discussion and Analysis . . . . . . . . . . . . . . . . . . . . . . . 107 6.6.1 Controlling Content Sharing . . . . . . . . . . . . . . . . . 107 6.6.2 Controlling Domain Membership . . . . . . . . . . . . . . 109 6.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 7 Authorised Domain Management using a Master Control De- vice 111 7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 7.2 The Master Control Device . . . . . . . . . . . . . . . . . . . . . 113 7.3 Process Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 7.3.1 Domain Establishment . . . . . . . . . . . . . . . . . . . . 114 7.3.2 Adding a Device to a Domain . . . . . . . . . . . . . . . . 115 7.3.3 Removing a Device from a Domain . . . . . . . . . . . . . 119 7.3.4 Exchanging Content . . . . . . . . . . . . . . . . . . . . . 120 7.3.5 Backup and Recovery Procedure . . . . . . . . . . . . . . 122 7.4 Controlling Domain Membership . . . . . . . . . . . . . . . . . . 128 7.5 Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 7.5.1 Security Threats . . . . . . . . . . . . . . . . . . . . . . . 129 7.5.2 Security Services and Mechanisms . . . . . . . . . . . . . 131 7.6 Implementing the Protocols Using Trusted Computing . . . . . . 134 7.7 Methods of User Authentication . . . . . . . . . . . . . . . . . . 136 8 CONTENTS 7.8 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 8 Authorised Domain Management Using an Electronic Payment System 141 8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 8.2 System Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 8.2.1 Trusted Authority . . . . . . . . . . . . . . . . . . . . . . 144 8.2.2 Payment Cards and Banks . . . . . . . . . . . . . . . . . 145 8.3 Process Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 8.3.1 Domain Establishment . . . . . . . . . . . . . . . . . . . . 147 8.3.2 Adding a Device to a Domain . . . . . . . . . . . . . . . . 150 8.3.3 Removing a Device from a Domain . . . . . . . . . . . . . 153 8.3.4 Exchanging Content . . . . . . . . . . . . . . . . . . . . . 154 8.3.5 Backup and Recovery Procedure . . . . . . . . . . . . . . 154 8.4 Controlling Domain Membership . . . . . . . . . . . . . . . . . . 154 8.5 Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 8.5.1 Security Threats . . . . . . . . . . . . . . . . . . . . . . . 156 8.5.2 Security Services and Mechanisms . . . . . . . . . . . . . 157 8.6 Implementing the Protocols Using Trusted Computing . . . . . . 159 8.7 Alternative Implementations . . . . . . . . . . . . . . . . . . . . 159 8.8 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 8.9 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161 9 Authorised Domain Management Using a Mobile Phone 162 9.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 9.2 General Authentication Architecture . . . . . . . . . . . . . . . . 165 9.3 System Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 9.4 Process Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 9.4.1 Initialisation Procedure . . . . . . . . . . . . . . . . . . . 169 9

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.