The Journal of Systems and Software 83 (2010) 2431–2440
Contents lists available at ScienceDirect
The Journal of Systems and Software
journal homepage: www.elsevier.com/locate/jss

A robust and flexible digital rights management system for home networks

Heeyoul Kim a, Younho Lee b,*, Yongsu Park c

a Kyonggi University, Republic of Korea
b Department of Information and Communication Engineering, Yeungnam University, Republic of Korea
c Hanyang University, Republic of Korea

* Corresponding author. Tel.: +82 53 810 3092.
E-mail addresses: firstname.lastname@example.org (H. Kim), email@example.com (Y. Lee), …ng.ac.kr (Y. Park).

Article info

Article history: Received 17 November 2008; Received in revised form 1 March 2010; Accepted 7 April 2010; Available online 15 June 2010

Keywords: Authorized domain; Digital rights management; Home network; Proxy certificate; Right delegation

Abstract

A robust and flexible Digital Rights Management system for home networks is presented. In the proposed system, the central authority delegates its authorization right to the local manager in a home network by issuing a proxy certificate, and the local manager flexibly controls the access rights of home devices on digital contents with its proxy certificate. Furthermore, the proposed system provides a temporary accessing facility for external devices and achieves strong privacy for home devices. For the validation of delegated rights and the revocation of compromised local managers, a hybrid mechanism combining OCSP validation and periodic renewal of proxy certificates is also presented.

© 2010 Elsevier Inc. All rights reserved.

0164-1212/$ - see front matter © 2010 Elsevier Inc. All rights reserved. doi:10.1016/j.jss.2010.04.064

1. Introduction

Digital rights management (DRM) refers to technologies that enforce pre-defined policies to control the access of digital media, such as digital movies and digital music. Since the advent of personal computers and Internet file-sharing tools, it has become easy to make and distribute an unlimited number of copies of digital contents without any quality degradation. To prevent the unauthorized use and propagation of commercial content and to preserve the benefits of digital content providers, robust DRM systems have become essential.

In home network environments, where electronic devices such as PCs and digital TVs are interconnected, if a consumer purchases DRM content he or she will want to render the content freely on any of his or her home devices. This point has received attention in the literature, and many DRM systems based on the concept of an authorized domain (AD) have been proposed (Holtz, 2002; Kim et al., 2006; Open Mobile Alliance, 2004; Popescu et al., 2004; SmartRight, 2003; Sovio et al., 2003; van den Heuval et al., 2002). According to the AD concept, home devices are registered in a domain, and the access permissions to render DRM content are bestowed on the domain instead of on a single device. The membership of a domain is managed by either a centralized authority (IBM Corporation, 2001; Open Mobile Alliance, 2004), or a local manager in the domain (Kim et al., 2006; Popescu et al., 2004; SmartRight, 2003), and the home devices in a domain share a secret domain key to render the content. This concept may be extended to assign different access privileges to different devices in a home network by establishing multiple domains having different privileges. However, this approach supports dynamic access control in a very limited fashion and increases the cost of managing domains. For example, in an OMA DRM (Open Mobile Alliance, 2004) system, each device in a home network has to interact with the central authority whenever it joins a domain.

In this paper, a robust and flexible DRM system for home networks is presented that considers various scenarios that can occur in home network environments. The term "robust" means that the system protects against unauthorized consumption of digital contents for the benefit of content providers, and the term "flexible" means that the system provides more fine-grained access control for home devices. To provide compatibility with OMA DRM (Open Mobile Alliance, 2004), the proposed system assumes the same environment as the OMA DRM, except for inside the home network.

In the proposed system, the central authority delegates its authorization right to local managers located in the home networks by issuing proxy certificates that explicitly guarantee delegated rights. Since a proxy key, which is associated with the corresponding proxy certificate, is assigned to each of the bestowed rights separately, a fine-grained control of delegated authorization rights is possible. Based on the delegated rights, a local manager can precisely control the access permissions of the DRM contents in the home network. The proposed system also supports a temporary
accessing facility, a term used here to indicate enabling an external device to have a temporary access right to render specific content within a home network. To efficiently validate the delegated right and to revoke compromised local managers, the system provides a hybrid mechanism of Online Certificate Status Protocol (OCSP) validation (Myers et al., 1999) and periodic renewal of proxy certificates. This paper also presents a functionality comparison result between the proposed system and the previous domain-based DRM systems. It shows that the proposed system achieves stronger privacy for home devices.

The rest of the paper is organized as follows. In Section 2, previous DRM systems are reviewed. In addition, the expected consumption scenarios of the DRM contents with the proposed system are given in Section 3. In Section 4, a proper delegation strategy with proxy certificate is explained. In Section 5, the design of the proposed system is shown. Section 6 explains a prototype of the proposed system. In Section 7, the certificate validity check and the certificate revocation mechanism are discussed. In Section 8, a functional comparison between the proposed system and other domain-based DRM systems is provided. Lastly, some conclusions are made in Section 9.

To protect DRM content in home networks, the concept of an authorized domain (AD) has been developed (Eskicioglu and Delp, 2001; Kamperman et al., 2001; Ripley et al., 2002). The main goal in this area is to devise a mechanism enabling devices in the same household to share content without any restrictions and to prevent the devices in one household from accessing the contents in another household. The domain does not have to be restricted to home network environments. It can be extended to personalized networks or any networks that have several rendering devices, such as PCs, MP3 Players, PDAs, and Video Players. The Digital Video Broadcasting (DVB) standard firstly named this concept the authorized domain; subsequently, many domain content delivery architectures have been proposed (IBM Corporation, 2001; Kim et al., 2006; Open Mobile Alliance, 2004; Popescu et al., 2004; SmartRight, 2003; Sovio et al., 2003; van den Heuval et al., 2002). Especially, in van den Heuval et al. (2002), the basic functional requirements and the design guideline of an AD-based system are clearly presented.

The SmartRight system (SmartRight, 2003) proposed by Thompson introduces the concept of a Personal Private Network (PPN), which is also based on the AD concept. Before joining the PPN, the smartcard incorporated into a device performs a compliance check and a registration process with a public key certificate issued by a licensing organization. After joining the PPN, all devices in the same PPN share a symmetric domain key that protects digital contents. If one device in the domain is compromised, the domain key should be changed.

Popescu et al. (2004) proposed an AD security architecture that follows the specifications in van den Heuval et al. (2002) and is similar to the abovementioned SmartRight system. Their system improves the compliance checking protocol to reduce public key operations, and it provides an efficient and flexible revocation mechanism for compromised devices.

The Open Mobile Alliance (OMA) DRM standard (Open Mobile Alliance, 2004) also supports the concept of a domain with a Public Key Infrastructure (PKI). However, in this standard, a centralized Rights Issuer (RI) manages all authorized domains, i.e., each compliance device joins a domain with the approval of the RI and receives the domain key from the RI. This centralized approach imposes a heavy burden on the RI, and domain privacy issues arise, because the RI knows which devices are registered in which domains.

The xCP cluster protocol (IBM Corporation, 2001) proposed by IBM is an AD-based architecture where the broadcast encryption is applied. Since this architecture utilizes only symmetric key encryption, it requires low computational cost compared with others utilizing public key operations. However, the broadcast encryption has an inherent limitation in that the size of the broadcast message increases as the total number of revoked devices increases. Thus, if many devices are compromised, this revocation mechanism may be very expensive.

The DVB-CPCM (2009) is a system for Content Protection and Copy Management of commercial digital content delivered to consumer products. It provides the Authorized Domain Management mechanism that allows the devices belonging to a household to establish and join an AD. When a new AD is created, a new globally statistically unique AD secret is generated to protect digital contents bound to that AD. If a new device joins the AD, the AD secret is transmitted securely. And if the device leaves the AD, it is forced to erase the AD secret to disable consumption of AD-bound contents.

In an alternative research direction, a few DRM architectures have been proposed supporting the delegation of authorization (Nair et al., 2005; Sovio et al., 2003). In Sovio et al. (2003), the architecture deals with delegating the right of authorization to access a secret key. To implement authorized domains, it utilizes the function sharing technique between a device in the domain and a semi-trusted network server. The main drawback of this approach is that it always requires the cooperation of the semi-trusted server to exercise the right. On the other hand, in Nair et al. (2005) the architecture deals with delegating the right of authorization to bestow the access rights of DRM content on other entities. Although it is proposed for content redistribution, this concept can be applied to home networks as in Kim et al. (2006).

Meanwhile, the Coral Interoperability Framework (Coral Consortium Whitepaper, 2006) tries to solve the interoperability problem, which is another important issue in DRM systems. Most DRM systems are monolithic in the sense that they support a single protected content format and system for enforcing access rights, so a consumer having a device that supports one DRM system cannot consume the contents with another device that supports another DRM system. The Coral framework is based on service-oriented architecture to support interoperability between different DRM systems and content formats with the goal of providing an intuitive and transparent consumer experience. The framework itself is not a DRM system but a mediator between different DRM systems.

3. Consumption scenarios of DRM contents for home networks

Since a home network can include many home devices, the consumption of DRM content can occur in a variety of ways. In this section, we provide various scenarios that describe which devices purchase and distribute DRM contents, and which devices are allowed to access the contents.

3.1. Purchasing and consuming contents within the home network

A user may want to consume DRM content via all devices in the home network. Thus, any device registered in a home network should be able to purchase the contents and efficiently distribute them to other devices in the home network, instead of requiring each device to contact the content provider separately. Only authorized devices that are registered in a home network should be able to render the purchased content. This case is a typical scenario in home networks.
3.2. Purchasing contents through a device residing out of the home network

Users may purchase DRM content via a mobile device when they are far away from the home network. For example, a user may like to purchase music content via a cellular phone while in his or her office. In this case, the device cannot be guaranteed to have a connection with the home network. However, a user ordinarily wants to consume the content immediately after purchasing it. Then, once home, a user may want to share the purchased content with other home devices. These two requirements should be satisfied in a non-conflicting way.

3.3. Controlling access privileges of home devices

Home devices may have different access privileges although they are in the same home network. The privileges of a device may be dependent on the device owner, e.g., the host versus the guest, or may be dependent on the content, e.g., music content versus adult content. Since the access privileges can be altered, a dynamic access control mechanism should be provided.

3.4. …g temporary access rights to external devices

Although consuming DRM content with external devices other than those owned by the content owner violates the concept of DRM systems, it is sometimes required in the real world. For example, a user may want to render legally p... with a frie… the user al… may feel in… nal devices … can be anot… tomers. How… the tempor… restrictions …

4. Right de…

To supp… described a… contents to … central auth… external us… central auth… content for … will bear a … will arise i… decentraliz… are handled … system the … right to issu… domain me… efficiency a…

To verify … manager an… egated righ… which is a w… ment (Hous… keypair and … the authori… ticate sign… certificate, t… private key … device with …

The most important feature of the proxy certificate related to the proposed system is that the proxy certificate makes it possible to transform the rights management problem into a proxy key management problem. The proxy key is different from the … key that is used for identity authentication. Since the entity certificate is not relevant to the proxy certificate, the entity certificate need not be reissued even if the proxy certificate is revoked. …he use of the proxy certificate makes rights management … and can provide an efficient and flexible way for rights …

This section describes the detailed design of the proposed system. The proposed system has been designed based on the OMA DRM standard, and it provides the rights delegation facility by …ying the proxy certificate. The main characteristic of the proposed system is that the authorization right to issue access … to DRM content is delegated from a centralized server to …e network manager. Thus, the proposed system can locally …t the scenarios of Section 3 without the help of an outside …